The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.
This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.
As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.
A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.
Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.
The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.
IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.
Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
This patch fixes the build time condition deciding whether the
read-write data should be relocated from ROM to RAM. It was incorrectly
using __DATA_ROM_START__, which is a linker symbol and not a compiler
build flag. As a result, the relocation code was always compiled out.
This bug has been introduced by the following patch:
"Rationalize reset handling code"
Change-Id: I1c8d49de32f791551ab4ac832bd45101d6934045
This patch adds support for SYSTEM_SUSPEND API as mentioned in the PSCI 1.0
specification. This API, on being invoked on the last running core on a
supported platform, will put the system into a low power mode with memory
retention.
The psci_afflvl_suspend() internal API has been reused as most of the actions
to suspend a system are the same as invoking the PSCI CPU_SUSPEND API with the
target affinity level as 'system'. This API needs the 'power state' parameter
for the target low power state. This parameter is not passed by the caller of
the SYSTEM_SUSPEND API. Hence, the platform needs to implement the
get_sys_suspend_power_state() platform function to provide this information.
Also, the platform also needs to add support for suspending the system to the
existing 'plat_pm_ops' functions: affinst_suspend() and
affinst_suspend_finish().
Change-Id: Ib6bf10809cb4e9b92f463755608889aedd83cef5
Add SP804 delay timer support to the FVP BSP.
This commit simply provides the 3 constants needed by the SP804
delay timer driver and calls sp804_timer_init() in
bl2_platform_setup(). The BSP does not currently use the delay
timer functions.
Note that the FVP SP804 is a normal world accessible peripheral
and should not be used by the secure world after transition
to the normal world.
Change-Id: I5f91d2ac9eb336fd81943b3bb388860dfb5f2b39
Co-authored-by: Dan Handley <dan.handley@arm.com>
Add a delay timer driver for the ARM SP804 dual timer.
This driver only uses the first timer, called timer 1 in the
SP804 Technical Reference Manual (ARM DDI 0271D).
To use this driver, the BSP must provide three constants:
* The base address of the SP804 dual timer
* The clock multiplier
* The clock divider
The BSP is responsible for calling sp804_timer_init(). The SP804
driver instantiates a constant timer_ops_t and calls the generic
timer_init().
Change-Id: I49ba0a52bdf6072f403d1d0a20e305151d4bc086
Co-authored-by: Dan Handley <dan.handley@arm.com>
The API is simple. The BSP or specific timer driver creates an
instance of timer_ops_t, fills in the timer specific data, then calls
timer_init(). The timer specific data includes a function pointer
to return the timer value and a clock multiplier/divider. The ratio
of the multiplier and the divider is the clock frequency in MHz.
After that, mdelay() or udelay() can be called to delay execution for
the specified time (milliseconds or microseconds, respectively).
Change-Id: Icf8a295e1d25874f789bf28b7412156329dc975c
Co-authored-by: Dan Handley <dan.handley@arm.com>
For CSS based platforms, the constants MHU_SECURE_BASE and
MHU_SECURE_SIZE used to define the extents of the Trusted Mailboxes.
As such, they were misnamed because the mailboxes are completely
unrelated to the MHU hardware.
This patch removes the MHU_SECURE_BASE and MHU_SECURE_SIZE #defines.
The address of the Trusted Mailboxes is now relative to the base of
the Trusted SRAM.
This patch also introduces a new constant, SCP_COM_SHARED_MEM_BASE,
which is the address of the first memory region used for communication
between AP and SCP. This is used by the BOM and SCPI protocols.
Change-Id: Ib200f057b19816bf05e834d111271c3ea777291f
Add a comment explaining what the SCP boot configuration information
is on CSS based platforms like Juno. Also express its address
relatively to the base of the Trusted SRAM rather than hard-coding it.
Change-Id: I82cf708a284c8b8212933074ea8c37bdf48b403b
The attempt to run the CPU reset code as soon as possible after reset
results in highly complex conditional code relating to the
RESET_TO_BL31 option.
This patch relaxes this requirement a little. In the BL1, BL3-1 and
PSCI entrypoints code, the sequence of operations is now as follows:
1) Detect whether it is a cold or warm boot;
2) For cold boot, detect whether it is the primary or a secondary
CPU. This is needed to handle multiple CPUs entering cold reset
simultaneously;
3) Run the CPU init code.
This patch also abstracts the EL3 registers initialisation done by
the BL1, BL3-1 and PSCI entrypoints into common code.
This improves code re-use and consolidates the code flows for
different types of systems.
NOTE: THE FUNCTION plat_secondary_cold_boot() IS NOW EXPECTED TO
NEVER RETURN. THIS PATCH FORCES PLATFORM PORTS THAT RELIED ON THE
FORMER RETRY LOOP AT THE CALL SITE TO MODIFY THEIR IMPLEMENTATION.
OTHERWISE, SECONDARY CPUS WILL PANIC.
Change-Id: If5ecd74d75bee700b1bd718d23d7556b8f863546
This patch removes the FIRST_RESET_HANDLER_CALL build flag and its
use in ARM development platforms. If a different reset handling
behavior is required between the first and subsequent invocations
of the reset handling code, this should be detected at runtime.
On Juno, the platform reset handler is now always compiled in.
This means it is now executed twice on the cold boot path, first in
BL1 then in BL3-1, and it has the same behavior in both cases. It is
also executed twice on the warm boot path, first in BL1 then in the
PSCI entrypoint code.
Also update the documentation to reflect this change.
NOTE: THIS PATCH MAY FORCE PLATFORM PORTS THAT USE THE
FIRST_RESET_HANDLER_CALL BUILD OPTION TO FIX THEIR RESET HANDLER.
Change-Id: Ie5c17dbbd0932f5fa3b446efc6e590798a5beae2
This patch adds driver for the 16550 UART interface. The driver is exposed
as a console, which platforms can use to dump their boot/crash logs.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch fixes the incorrect bit width used to extract the primary
cpu id from `ap_data` exported by scp at SCP_BOOT_CFG_ADDR in
platform_is_primary_cpu().
Change-Id: I14abb361685f31164ecce0755fc1a145903b27aa
The ARM GIC driver treats the entire contents of the GICC_HPPIR as the interrupt
ID instead of just bits[9:0]. This could result in an SGI being treated as a
Group 1 interrupt on a GICv2 system.
This patch introduces a mask to retrieve only the ID from a read of GICC_HPPIR,
GICC_IAR and similar registers. The value read from these registers is masked
with this constant prior to use as an interrupt ID.
FixesARM-software/tf-issues#306
Change-Id: Ie3885157de33b71df9781a41f6ef015a30c4608d
Major update to the FVP platform port to use the common platform code
in (include/)plat/arm/* and (include/)plat/common/*. This mainly
consists of removing duplicated code but also introduces some small
behavioural changes where there was unnecessary variation between the
FVP and Juno ports. See earlier commit titled `Add common ARM and CSS
platform code` for details.
Also add support for Foundation FVP version 9.1 during FVP config
setup to prevent a warning being emitted in the console.
Change-Id: I254ca854987642ce09d1b924c9fd410a6e13e3bc
This major change pulls out the common functionality from the
FVP and Juno platform ports into the following categories:
* (include/)plat/common. Common platform porting functionality that
typically may be used by all platforms.
* (include/)plat/arm/common. Common platform porting functionality
that may be used by all ARM standard platforms. This includes all
ARM development platforms like FVP and Juno but may also include
non-ARM-owned platforms.
* (include/)plat/arm/board/common. Common platform porting
functionality for ARM development platforms at the board
(off SoC) level.
* (include/)plat/arm/css/common. Common platform porting
functionality at the ARM Compute SubSystem (CSS) level. Juno
is an example of a CSS-based platform.
* (include/)plat/arm/soc/common. Common platform porting
functionality at the ARM SoC level, which is not already defined
at the ARM CSS level.
No guarantees are made about the backward compatibility of
functionality provided in (include/)plat/arm.
Also remove any unnecessary variation between the ARM development
platform ports, including:
* Unify the way BL2 passes `bl31_params_t` to BL3-1. Use the
Juno implementation, which copies the information from BL2 memory
instead of expecting it to persist in shared memory.
* Unify the TZC configuration. There is no need to add a region
for SCP in Juno; it's enough to simply not allow any access to
this reserved region. Also set region 0 to provide no access by
default instead of assuming this is the case.
* Unify the number of memory map regions required for ARM
development platforms, although the actual ranges mapped for each
platform may be different. For the FVP port, this reduces the
mapped peripheral address space.
These latter changes will only be observed when the platform ports
are migrated to use the new common platform code in subsequent
patches.
Change-Id: Id9c269dd3dc6e74533d0e5116fdd826d53946dc8
Add extern declarations of linker symbols to bl_common.h. These are
used by platform ports to determine the memory layout of BL images.
Adding the declarations to this file facilitates removal of these
declarations from the platform porting source files in subsequent
patches.
Also remove the linker symbol declarations from common TSP source
code.
Change-Id: I8ed0426bc815317c4536b588e4e78bc15b4fe91c
Some assembly files containing macros are included like header files
into other assembly files. This will cause assembler errors if they
are included multiple times.
Add header guards to assembly macro files to avoid assembler errors.
Change-Id: Ia632e767ed7df7bf507b294982b8d730a6f8fe69
The required platform constant PLATFORM_CACHE_LINE_SIZE is
unnecessary since CACHE_WRITEBACK_GRANULE effectively provides the
same information. CACHE_WRITEBACK_GRANULE is preferred since this
is an architecturally defined term and allows comparison with the
corresponding hardware register value.
Replace all usage of PLATFORM_CACHE_LINE_SIZE with
CACHE_WRITEBACK_GRANULE.
Also, add a runtime assert in BL1 to check that the provided
CACHE_WRITEBACK_GRANULE matches the value provided in CTR_EL0.
Change-Id: If87286be78068424217b9f3689be358356500dcd
Region 0 is special in TZC-400. It is possible to set the access
permissions for this but not the address range or filters to which
the permissions apply. Add a function for setting the region 0
access permissions.
Also add some VERBOSE logging and allow assembly files to include
the TZC header.
Change-Id: I4389261ba10a6e5e2e43ee93d55318dc507b6648
This patch removes the need for a shared buffer between the EL3 and S-EL1
levels. We now use the CPU registers, x0-x7, while passing data between
the two levels. Since TLK is a 32-bit Trusted OS, tlkd has to unpack the
arguments in the x0-x7 registers. TLK in turn gets these values via r0-r7.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.
To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.
The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.
FixesARM-Software/tf-issues#295
Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
This patch adds support to open/close secure sessions with Trusted
Apps and later send commands/events. Modify TLK_NUM_FID to indicate
the total number of FIDs available to the NS world.
Change-Id: I3f1153dfa5510bd44fc25f1fee85cae475b1abf1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch allows servicing of the non-secure world IRQs when the
CPU is in the secure world. Once the interrupt is handled, the
non-secure world issues the Resume FID to allow the secure payload
complete the preempted standard FID.
Change-Id: Ia52c41adf45014ab51d8447bed6605ca2f935587
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds functionality to translate virtual addresses from
secure or non-secure worlds. This functionality helps Trusted Apps
to share virtual addresses directly and allows the NS world to
pass virtual addresses to TLK directly.
Change-Id: I77b0892963e0e839c448b5d0532920fb7e54dc8e
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch registers NS memory buffer with the secure payload using
two different functions IDs - REGISTER_LOGBUF, REGISTER_REQBUF.
a. The SP uses the log-buffer to store its activity logs, in a
pre-decided format. This helps in debugging secure payload's issues.
b. The SP uses the req-buffer to get the parameters required by
sessions with Trusted Applications.
Change-Id: I6b0247cf7790524132ee0da24f1f35b1fccec5d5
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
TLK Dispatcher (tlkd) is based on the tspd and is the glue required
to run TLK as a Secure Payload with the Trusted Firmware.
Change-Id: I69e573d26d52342eb049feef773dd7d2a506f4ab
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch removes the `owner` field in bakery_lock_t structure which
is the data structure used in the bakery lock implementation that uses
coherent memory. The assertions to protect against recursive lock
acquisition were based on the 'owner' field. They are now done based
on the bakery lock ticket number. These assertions are also added
to the bakery lock implementation that uses normal memory as well.
Change-Id: If4850a00dffd3977e218c0f0a8d145808f36b470
This patch optimizes the data structure used with the bakery lock
implementation for coherent memory to save memory and minimize memory
accesses. These optimizations were already part of the bakery lock
implementation for normal memory and this patch now implements
it for the coherent memory implementation as well. Also
included in the patch is a cleanup to use the do-while loop while
waiting for other contenders to finish choosing their tickets.
Change-Id: Iedb305473133dc8f12126726d8329b67888b70f1
This patch updates the FVP and Juno platform ports to use the common
driver for ARM Cache Coherent Interconnects.
Change-Id: Ib142f456b9b673600592616a2ec99e9b230d6542
Even though both CCI-400 and CCI-500 IPs have different configurations
with respect to the number and types of supported interfaces, their
register offsets and programming sequences are similar. This patch
creates a common driver for enabling and disabling snoop transactions
and DVMs with both the IPs.
New platform ports which implement one of these IPs should use this
common driver. Existing platform ports which implement CCI-400 should
migrate to the common driver as the standalone CCI-400 will be
deprecated in the future.
Change-Id: I3ccd0eb7b062922d2e4a374ff8c21e79fa357556
This patch defines the ARRAY_SIZE macro for calculating number of elements
in an array and uses it where appropriate.
Change-Id: I72746a9229f0b259323972b498b9a3999731bc9b
The cpu-ops pointer was initialized before enabling the data cache in the cold
and warm boot paths. This required a DCIVAC cache maintenance operation to
invalidate any stale cache lines resident in other cpus.
This patch moves this initialization to the bl31_arch_setup() function
which is always called after the data cache and MMU has been enabled.
This change removes the need:
1. for the DCIVAC cache maintenance operation.
2. to initialise the CPU ops upon resumption from a PSCI CPU_SUSPEND
call since memory contents are always preserved in this case.
Change-Id: Ibb2fa2f7460d1a1f1e721242025e382734c204c6
This patch modifies the declarations of the functions printf() et al.
and adds the right GCC attribute to request the compiler to check
the type of the arguments passed to these functions against the given
format string. This will ensure that the compiler outputs warning
messages like the following whenever it detects an inconsistency:
file.c:42: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
It also fixes the type mismatch inconsistencies that it revealed
across the code base.
NOTE: THIS PATCH MAY FORCE PLATFORM PORTS OR SP/SPDS THAT USE THE
PRINTF FAMILY OF FUNCTIONS TO FIX ANY TYPE MISMATCH INCONSISTENCIES.
Change-Id: If36bb54ec7d6dd2cb4791d89b02a24ac13fd2df6
This patch removes the plat_get_max_afflvl() platform API
and instead replaces it with a platform macro PLATFORM_MAX_AFFLVL.
This is done because the maximum affinity level for a platform
is a static value and it is more efficient for it to be defined
as a platform macro.
NOTE: PLATFORM PORTS NEED TO BE UPDATED ON MERGE OF THIS COMMIT
FixesARM-Software/tf-issues#265
Change-Id: I31d89b30c2ccda30d28271154d869060d50df7bf
This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.
To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.
To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.
If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.
Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
This patch adds the missing features to the C library included
in the Trusted Firmware to build PolarSSL:
- strcasecmp() function
- exit() function
- sscanf()* function
- time.h header file (and its dependencies)
* NOTE: the sscanf() function is not a real implementation. It just
returns the number of expected arguments by counting the number of
'%' characters present in the formar string. This return value is
good enough for PolarSSL because during the certificate parsing
only the return value is checked. The certificate validity period
is ignored.
Change-Id: I43bb3742f26f0bd458272fccc3d72a7f2176ab3d
This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.
The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).
TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.
For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.
Documentation updated accordingly.
Change-Id: I74ff12bc2b041556c48533375527d9e8c035b8c3
This patch extends the FIP tool to include the certificates
generated by the 'cert_create' tool.
If GENERATE_COT build option is enabled, the Makefile adds the
certificates as dependencies to create the FIP file. Thus, make
target 'fip' will also build the certificates as part of the
Trusted Firmware build process.
Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074
This patch adds support to call the reset_handler() function in BL3-1 in the
cold and warm boot paths when another Boot ROM reset_handler() has already run.
This means the BL1 and BL3-1 versions of the CPU and platform specific reset
handlers may execute different code to each other. This enables a developer to
perform additional actions or undo actions already performed during the first
call of the reset handlers e.g. apply additional errata workarounds.
Typically, the reset handler will be first called from the BL1 Boot ROM. Any
additional functionality can be added to the reset handler when it is called
from BL3-1 resident in RW memory. The constant FIRST_RESET_HANDLER_CALL is used
to identify whether this is the first version of the reset handler code to be
executed or an overridden version of the code.
The Cortex-A57 errata workarounds are applied only if they have not already been
applied.
FixesARM-software/tf-issue#275
Change-Id: Id295f106e4fda23d6736debdade2ac7f2a9a9053
This patch provides an option to specify a interrupt routing model
where non-secure interrupts (IRQs) are routed to EL3 instead of S-EL1.
When such an interrupt occurs, the TSPD arranges a return to
the normal world after saving any necessary context. The interrupt
routing model to route IRQs to EL3 is enabled only during STD SMC
processing. Thus the pre-emption of S-EL1 is disabled during Fast SMC
and Secure Interrupt processing.
A new build option TSPD_ROUTE_NS_INT_EL3 is introduced to change
the non secure interrupt target execution level to EL3.
FixesARM-software/tf-issues#225
Change-Id: Ia1e779fbbb6d627091e665c73fa6315637cfdd32
This patch:
* Bumps the PSCI VERSION to 1.0. This means that
the PSCI_VERSION API will now return the value 0x00010000
to indicate the version as 1.0. The firmware remains
compatible with PSCI v0.2 clients.
* The firmware design guide is updated to document the
APIs supported by the Trusted Firmware generic code.
* The FVP Device Tree Sources (dts) and Blobs(dtb) are also
updated to add "psci-1.0" and "psci-0.2" to the list of
compatible PSCI versions.
Change-Id: Iafc2f549c92651dcd65d7e24a8aae35790d00f8a
This patch implements the PSCI_FEATURES function which is a mandatory
API in the PSCI 1.0 specification. A capability variable is
constructed during initialization by examining the plat_pm_ops and
spd_pm_ops exported by the platform and the Secure Payload Dispatcher.
This is used by the PSCI FEATURES function to determine which
PSCI APIs are supported by the platform.
Change-Id: I147ffc1bd5d90b469bd3cc4bbe0a20e95c247df7
This patch reworks the PSCI MIGRATE, MIGRATE_INFO_TYPE and
MIGRATE_INFO_UP_CPU support for Trusted Firmware. The
implementation does the appropriate validation of parameters
and invokes the appropriate hook exported by the SPD.
The TSP is a MP Trusted OS. Hence the ability to actually
migrate a Trusted OS has not been implemented. The
corresponding function is not populated in the spd_pm_hooks
structure for the TSPD.
The `spd_pm_ops_t` has undergone changes with this patch.
SPD PORTS MAY NEED TO BE UPDATED.
FixesARM-software/tf-issues#249
Change-Id: Iabd87521bf7c530a5e4506b6d3bfd4f1bf87604f
This patch adds support to return SUCCESS if a pending interrupt is
detected during a CPU_SUSPEND call to a power down state. The check
is performed as late as possible without losing the ability to return
to the caller. This reduces the overhead incurred by a CPU in
undergoing a complete power cycle when a wakeup interrupt is already
pending.
FixesARM-Software/tf-issues#102
Change-Id: I1aff04a74b704a2f529734428030d1d10750fd4b
This patch allows the platform to validate the power_state and
entrypoint information from the normal world early on in PSCI
calls so that we can return the error safely. New optional
pm_ops hooks `validate_power_state` and `validate_ns_entrypoint`
are introduced to do this.
As a result of these changes, all the other pm_ops handlers except
the PSCI_ON handler are expected to be successful. Also, the PSCI
implementation will now assert if a PSCI API is invoked without the
corresponding pm_ops handler being registered by the platform.
NOTE : PLATFORM PORTS WILL BREAK ON MERGE OF THIS COMMIT. The
pm hooks have 2 additional optional callbacks and the return type
of the other hooks have changed.
FixesARM-Software/tf-issues#229
Change-Id: I036bc0cff2349187c7b8b687b9ee0620aa7e24dc
This patch adds support to save the "power state" parameter before the
affinity level specific handlers are called in a CPU_SUSPEND call.
This avoids the need to pass the power_state as a parameter to the
handlers and Secure Payload Dispatcher (SPD) suspend spd_pm_ops.
The power_state arguments in the spd_pm_ops operations are now reserved
and must not be used. The SPD can query the relevant power_state fields
by using the psci_get_suspend_afflvl() & psci_get_suspend_stateid() APIs.
NOTE: THIS PATCH WILL BREAK THE SPD_PM_OPS INTERFACE. HENCE THE SECURE
PAYLOAD DISPATCHERS WILL NEED TO BE REWORKED TO USE THE NEW INTERFACE.
Change-Id: I1293d7dc8cf29cfa6a086a009eee41bcbf2f238e
This patch removes the non-secure entry point information being passed
to the platform pm_ops which is not needed. Also, it removes the `mpidr`
parameter for platform pm hooks which are meant to do power management
operations only on the current cpu.
NOTE: PLATFORM PORTS MUST BE UPDATED AFTER MERGING THIS COMMIT.
Change-Id: If632376a990b7f3b355f910e78771884bf6b12e7
This patch moves the bakery locks out of coherent memory to normal memory.
This implies that the lock information needs to be placed on a separate cache
line for each cpu. Hence the bakery_lock_info_t structure is allocated in the
per-cpu data so as to minimize memory wastage. A similar platform per-cpu
data is introduced for the platform locks.
As a result of the above changes, the bakery lock api is completely changed.
Earlier, a reference to the lock structure was passed to the lock implementation.
Now a unique-id (essentially an index into the per-cpu data array) and an offset
into the per-cpu data for bakery_info_t needs to be passed to the lock
implementation.
Change-Id: I1e76216277448713c6c98b4c2de4fb54198b39e0
This patch adds helper macros for barrier operations that specify
the type of barrier (dmb, dsb) and the shareability domain (system,
inner-shareable) it affects.
Change-Id: I4bf95103e79da212c4fbdbc13d91ad8ac385d9f5
This patch fixes a crash due to corruption of cpu_ops
data structure. During the secondary CPU boot, after the
cpu_ops has been initialized in the per cpu-data, the
dcache lines need to invalidated so that the update in
memory can be seen later on when the dcaches are turned ON.
Also, after initializing the psci per cpu data, the dcache
lines are flushed so that they are written back to memory
and dirty dcache lines are avoided.
FixesARM-Software/tf-issues#271
Change-Id: Ia90f55e9882690ead61226eea5a5a9146d35f313
Calls to system register read accessors functions may be optimised
out by the compiler if called twice in a row for the same register.
This is because the compiler is not aware that the result from
the instruction may be modified by external agents. Therefore, if
nothing modifies the register between the 2 reads as far as the
compiler knows then it might consider that it is useless to read
it twice and emit only 1 call.
This behaviour is faulty for registers that may not have the same
value if read twice in succession. E.g.: counters, timer
control/countdown registers, GICv3 interrupt status registers and
so on.
The same problem happens for calls to system register write
accessors functions. The compiler might optimise out some calls
if it considers that it will produce the same result. Again, this
behaviour is faulty for cases where intermediate writes to these
registers make a difference in the system.
This patch fixes the problem by making these assembly register
accesses volatile.
FixesARM-software/tf-issues#273
Change-Id: I33903bc4cc4eea8a8d87bc2c757909fbb0138925
This patch fixes the array size of mpidr_aff_map_nodes_t which
was less by one element.
FixesARM-software/tf-issues#264
Change-Id: I48264f6f9e7046a3d0f4cbcd63b9ba49657e8818
This patch introduces several improvements to the ARM GIC driver:
* In function gicd_set_itargetsr(), target CPU is specified using
the same bit mask detailed in the GICD_ITARGETSRn register instead
of the CPU linear ID, removing the dependency between bit position
and linear ID in the platform porting. The current CPU bit mask
may be obtained by reading GICD_ITARGETSR0.
* PPIs and SGIs are initialized in arm_gic_pcpu_distif_setup().
SPIs are initialized in arm_gic_distif_setup().
* By default, non secure interrupts are assigned the maximum
priority allowed to a non secure interrupt (defined by
GIC_HIGHEST_NS_PRIORITY).
* GICR base address is allowed to be NULL for GICv1 and GICv2.
Change-Id: Ie2837fe860d43b2282e582dfdb13c39c6186f232
Prior to this patch, the errata workarounds were applied for any version
of the CPU in the release build and in the debug build an assert
failure resulted when the revision did not match. This patch applies
errata workarounds in the Cortex-A57 reset handler only if the 'variant'
and 'revision' fields read from the MIDR_EL1 match. In the debug build,
a warning message is printed for each errata workaround which is not
applied.
The patch modifies the register usage in 'reset_handler` so
as to adhere to ARM procedure calling standards.
FixesARM-software/tf-issues#242
Change-Id: I51b1f876474599db885afa03346e38a476f84c29
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
FixesARM-software/tf-issues#233
Change-Id: I6843fc32ef90aadd3ea6ac4c7f314f8ecbd5d07b
This patch uses the IMAGE_BL<x> constants to create translation tables specific
to a boot loader stage. This allows each stage to create mappings only for areas
in the memory map that it needs.
FixesARM-software/tf-issues#209
Change-Id: Ie4861407ddf9317f0fb890fc7575eaa88d0de51c
This patch resets the value of CNTVOFF_EL2 before exit to EL1 on
warm boot. This needs to be done if only the Trusted Firmware exits
to EL1 instead of EL2, otherwise the hypervisor would be responsible
for this.
FixesARM-software/tf-issues#240
Change-Id: I79d54831356cf3215bcf1f251c373bd8f89db0e0
This patch gathers miscellaneous minor fixes to the documentation, and comments
in the source code.
Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Co-Authored-By: Dan Handley <dan.handley@arm.com>
This patch adds the initial port of the ARM Trusted Firmware on the Juno
development platform. This port does not support a BL3-2 image or any PSCI APIs
apart from PSCI_VERSION and PSCI_CPU_ON. It enables workarounds for selected
Cortex-A57 (#806969 & #813420) errata and implements the workaround for a Juno
platform errata (Defect id 831273).
Change-Id: Ib3d92df3af53820cfbb2977582ed0d7abf6ef893
This patch adds workarounds for selected errata which affect the Cortex-A57 r0p0
part. Each workaround has a build time flag which should be used by the platform
port to enable or disable the corresponding workaround. The workarounds are
disabled by default. An assertion is raised if the platform enables a workaround
which does not match the CPU revision at runtime.
Change-Id: I9ae96b01c6ff733d04dc733bd4e67dbf77b29fb0
This patch adds handlers for dumping Cortex-A57 and Cortex-A53 specific register
state to the CPU specific operations framework. The contents of CPUECTLR_EL1 are
dumped currently.
Change-Id: I63d3dbfc4ac52fef5e25a8cf6b937c6f0975c8ab
This patch adds CPU core and cluster power down sequences to the CPU specific
operations framework introduced in a earlier patch. Cortex-A53, Cortex-A57 and
generic AEM sequences have been added. The latter is suitable for the
Foundation and Base AEM FVPs. A pointer to each CPU's operations structure is
saved in the per-cpu data so that it can be easily accessed during power down
seqeunces.
An optional platform API has been introduced to allow a platform to disable the
Accelerator Coherency Port (ACP) during a cluster power down sequence. The weak
definition of this function (plat_disable_acp()) does not take any action. It
should be overriden with a strong definition if the ACP is present on a
platform.
Change-Id: I8d09bd40d2f528a28d2d3f19b77101178778685d
This patch introduces a framework which will allow CPUs to perform
implementation defined actions after a CPU reset, during a CPU or cluster power
down, and when a crash occurs. CPU specific reset handlers have been implemented
in this patch. Other handlers will be implemented in subsequent patches.
Also moved cpu_helpers.S to the new directory lib/cpus/aarch64/.
Change-Id: I1ca1bade4d101d11a898fb30fea2669f9b37b956
This patch provides a workaround for the ASM_ASSERT label issue
and also reworks the use of labels in assembly macros.
If the caller of the ASM_ASSERT macro happened to use the
label '1' to jump past the ASM_ASSERT macro, it would not have
worked since the ASM_ASSERT macro internally used the same label.
Hence, as a workaround, this patch makes the label a high
number in the expectation that the caller will never use it.
Also updated the other assembly macros using numerical labels to
named lables.
Change-Id: Iec892359db84f2391ad2a83a92141c4d7049776a
This patch implements the following cleanups in PSCI generic code:
1. It reworks the affinity level specific handlers in the PSCI implementation
such that.
a. Usage of the 'rc' local variable is restricted to only where it is
absolutely needed
b. 'plat_state' local variable is defined only when a direct invocation of
plat_get_phys_state() does not suffice.
c. If a platform handler is not registered then the level specific handler
returns early.
2. It limits the use of the mpidr_aff_map_nodes_t typedef to declaration of
arrays of the type instead of using it in function prototypes as well.
3. It removes dangling declarations of __psci_cpu_off() and
__psci_cpu_suspend(). The definitions of these functions were removed in
earlier patches.
Change-Id: I51e851967c148be9c2eeda3a3c41878f7b4d6978
This patch adds APIs to find, save and retrieve the highest affinity level which
will enter or exit from the physical OFF state during a PSCI power management
operation. The level is stored in per-cpu data.
It then reworks the PSCI implementation to perform cache maintenance only
when the handler for the highest affinity level to enter/exit the OFF state is
called.
For example. during a CPU_SUSPEND operation, state management is done prior to
calling the affinity level specific handlers. The highest affinity level which
will be turned off is determined using the psci_find_max_phys_off_afflvl()
API. This level is saved using the psci_set_max_phys_off_afflvl() API. In the
code that does generic handling for each level, prior to performing cache
maintenance it is first determined if the current affinity level matches the
value returned by psci_get_max_phys_off_afflvl(). Cache maintenance is done if
the values match.
This change allows the last CPU in a cluster to perform cache maintenance
independently. Earlier, cache maintenance was started in the level 0 handler and
finished in the level 1 handler. This change in approach will facilitate
implementation of tf-issues#98.
Change-Id: I57233f0a27b3ddd6ddca6deb6a88b234525b0ae6
This patch adds a structure defined by the PSCI service to the per-CPU data
array. The structure is used to save the 'power_state' parameter specified
during a 'cpu_suspend' call on the current CPU. This parameter was being saved
in the cpu node in the PSCI topology tree earlier.
The existing API to return the state id specified during a PSCI CPU_SUSPEND call
i.e. psci_get_suspend_stateid(mpidr) has been renamed to
psci_get_suspend_stateid_by_mpidr(mpidr). The new psci_get_suspend_stateid() API
returns the state id of the current cpu.
The psci_get_suspend_afflvl() API has been changed to return the target affinity
level of the current CPU. This was specified using the 'mpidr' parameter in the
old implementation.
The behaviour of the get_power_on_target_afflvl() has been tweaked such that
traversal of the PSCI topology tree to locate the affinity instance node for the
current CPU is done only in the debug build as it is an expensive operation.
Change-Id: Iaad49db75abda471f6a82d697ee6e0df554c4caf
This patch adds a macro which will flush the contents of the specified member of
the per-CPU data structure to the PoC. This is required to enable an update of a
per-CPU data member to be visible to all observers.
Change-Id: I20e0feb9b9f345dc5a1162e88adc7956a7ad7a64
This patch adds support for SYSTEM_OFF and SYSTEM_RESET PSCI
operations. A platform should export handlers to complete the
requested operation. The FVP port exports fvp_system_off() and
fvp_system_reset() as an example.
If the SPD provides a power management hook for system off and
system reset, then the SPD is notified about the corresponding
operation so it can do some bookkeeping. The TSPD exports
tspd_system_off() and tspd_system_reset() for that purpose.
Versatile Express shutdown and reset methods have been removed
from the FDT as new PSCI sys_poweroff and sys_reset services
have been added. For those kernels that do not support yet these
PSCI services (i.e. GICv3 kernel), the original dtsi files have
been renamed to *-no_psci.dtsi.
FixesARM-software/tf-issues#218
Change-Id: Ic8a3bf801db979099ab7029162af041c4e8330c8
* Move TSP platform porting functions to new file:
include/bl32/tsp/platform_tsp.h.
* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
TSP interrupt handling code, instead of depending on the FVP
specific definition IRQ_SEC_PHY_TIMER.
* Rename TSP platform porting functions from bl32_* to tsp_*, and
definitions from BL32_* to TSP_*.
* Update generic TSP code to use new platform porting function names
and definitions.
* Update FVP port accordingly and move all TSP source files to:
plat/fvp/tsp/.
* Update porting guide with above changes.
Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
BE UPDATED
FixesARM-software/tf-issues#167
Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f
Move the TSP private declarations out of tsp.h and into a new
header, tsp_private.h. This clarifies the TSP interface to the TSPD.
Change-Id: I39af346eeba3350cadcac56c02d97a5cb978c28b
The TZC-400 driver previously allowed the possibility of multiple
controller instances to be present in the same executable. This
was unnecessary since there will only ever be one instance.
This change simplifies the tzc_init() function to only take the
base address argument needed by implementation, conforming to the
driver initialization model of other drivers. It also hides some
of the implementation details that were previously exposed by the
API.
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE TZC-400
DRIVER TO BE UPDATED
FixesARM-software/tf-issues#181
Change-Id: I7b721edf947064989958d8f457d6462d92e742c8
Move the remaining IO storage source file (io_storage.c) from the
lib to the drivers directory. This requires that platform ports
explicitly add this file to the list of source files.
Also move the IO header files to a new sub-directory, include/io.
Change-Id: I862b1252a796b3bcac0d93e50b11e7fb2ded93d6
The intent of io_init() was to allow platform ports to provide
a data object (io_plat_data_t) to the IO storage framework to
allocate into. The abstraction was incomplete because io_plat_data_t
uses a platform defined constant and the IO storage framework
internally allocates other arrays using platform defined constants.
This change simplifies the implementation by instantiating the
supporting objects in the IO storage framework itself. There is now
no need for the platform to call io_init().
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE IO STORAGE
FRAMEWORK TO BE UDPATED.
Change-Id: Ib48ac334de9e538064734334c773f8b43df3a7dc
* Create cci_init() function in CCI-400 driver to allow platform
to provide arguments needed by the driver (i.e. base address
and cluster indices for the ACE slave interfaces).
* Rename cci_(en|dis)able_coherency to
cci_(en|dis)able_cluster_coherency to make it clear that
the driver only enables/disables the coherency of CPU
clusters and not other devices connected to the CCI-400.
* Update FVP port to use new cci_init() function and remove
unnecessary CCI defintions from platform_def.h. Also rename
fvp_cci_setup() to fvp_cci_enable() to more clearly
differentiate between CCI initialization and enabling.
THIS CHANGE REQUIRES PLATFORM PORTS THAT USE THE CCI-400 DRIVER
TO BE UPDATED
FixesARM-software/tf-issues#168
Change-Id: I1946a51409b91217b92285b6375082619f607fec
Create new LOG_LEVEL build option, which controls the amount of
console output compiled into the build. This should be one of the
following:
0 (LOG_LEVEL_NONE)
10 (LOG_LEVEL_NOTICE)
20 (LOG_LEVEL_ERROR)
30 (LOG_LEVEL_WARNING)
40 (LOG_LEVEL_INFO)
50 (LOG_LEVEL_VERBOSE)
All log output up to and including the log level is compiled into the
build. The default value is 40 in debug builds and 20 in release
builds.
Complement the existing INFO, WARN and ERROR console output macros
with NOTICE and VERBOSE macros, which are conditionally compiled in
depending on the value of LOG_LEVEL.
FixesARM-software/tf-issues#232
Change-Id: I951e2f333e7b90fc4b1060741d9a6db699d5aa72
This patch further optimizes the EL3 register state stored in
cpu_context. The 2 registers which are removed from cpu_context are:
* cntfrq_el0 is the system timer register which is writable
only in EL3 and it can be programmed during cold/warm boot. Hence
it need not be saved to cpu_context.
* cptr_el3 controls access to Trace, Floating-point, and Advanced
SIMD functionality and it is programmed every time during cold
and warm boot. The current BL3-1 implementation does not need to
modify the access controls during normal execution and hence
they are expected to remain static.
FixesARM-software/tf-issues#197
Change-Id: I599ceee3b73a7dcfd37069fd41b60e3d397a7b18
Assert a valid security state using the macro sec_state_is_valid().
Replace assert() with panic() in those cases that might arise
because of runtime errors and not programming errors.
Replace panic() with assert() in those cases that might arise
because of programming errors.
FixesARM-software/tf-issues#96
Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
This patch adds the CPUECTLR_EL1 register and the CCI Snoop Control
register to the list of registers being reported when an unhandled
exception occurs.
Change-Id: I2d997f2d6ef3d7fa1fad5efe3364dc9058f9f22c
This patch reworks the crash reporting mechanism to further
optimise the stack and code size. The reporting makes use
of assembly console functions to avoid calling C Runtime
to report the CPU state. The crash buffer requirement is
reduced to 64 bytes with this implementation. The crash
buffer is now part of per-cpu data which makes retrieving
the crash buffer trivial.
Also now panic() will use crash reporting if
invoked from BL3-1.
FixesARM-software/tf-issues#199
Change-Id: I79d27a4524583d723483165dc40801f45e627da5
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.
FixesARM-software/tf-issues#95
Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
Juan Castillo
Sandrine Bailleux
danh-arm
Soby Mathew
Ryan Harkin
Achin Gupta
Varun Wadekar
Kévin Petit
Vikram Kanigiri
Yatharth Kochar
Andrew Thoelke
Jens Wiklander