The current SPM is a prototype that only supports one secure partition
in EL0. The objective of SPM is to have multiple partitions. The current
MM interface isn't adequate for this, so it is needed to modify heavily
the code to add proper support for it.
However, there are platforms which are already using this (like SGI) and
removing the code would break it. For this reason, the current SPM code
has been duplicated in order to temporarily preserve compatibility. All
new improvements/changes to SPM will be done in the non-deprecated copy,
that may change without notice.
The new build option SPM_DEPRECATED has been introduced to select the SPM
implementation. It defaults to 1, that selects the deprecated SPM.
Change-Id: Ic9f80b53b450e97b4d3f47e4ef4a138ee8d87443
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Now that we have switched to using the stack in MULTI_CONSOLE_API
framework functions and have factored all code involved in crash
reporting out into a separate file, there's really no reason to keep the
main framework code in assembly anymore. This patch rewrites it in C
which allows us to have a single implementation across aarch32/64 and
should be much easier to maintain going forward.
Change-Id: I6c85a01e89a79e8b233f3f8bee812f0dbd026221
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch makes the build system link the console framework code by
default, like it already does with other common libraries (e.g. cache
helpers). This should not make a difference in practice since TF is
linked with --gc-sections, so the linker will garbage collect all
functions and data that are not referenced by any other code. Thus, if a
platform doesn't want to include console code for size reasons and
doesn't make any references to console functions, the code will not be
included in the final binary.
To avoid compatibility issues with older platform ports, only make this
change for the MULTI_CONSOLE_API.
Change-Id: I153a9dbe680d57aadb860d1c829759ba701130d3
Signed-off-by: Julius Werner <jwerner@chromium.org>
It's better to have them in a separate file instead of having them spread
across the Makefile. This is what the stack protector is already doing.
Change-Id: Id30742c0af10de5ea6d10674ca25bf52b0f2b262
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Commit <ee1ba6d4ddf1> ("Makefile: Support totally quiet output with -s")
broke verbose (V=1) builds on Windows. This patch fixes it by adding
helpers to silence echo prints in a OS-dependent way.
Change-Id: I24669150457516e9fb34fa32fa103398efe8082d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
"-s" is a command line option to the make tool, to suppress normal output,
something to the effect of prepending every line with '@' in the Makefile.
However with our V={0|1} support, we now print the shortened command line
output in any case (even with V=1, in addition to the long line!).
Normally -s helps to not miss non-fatal warnings, which tend to scroll out
of the window easily.
Introduce a new Makefile variable ECHO, to control the shortened output.
We only set it in the (current default) V=0 case, and replace every
occurence of "@echo" with that variable.
When the user specifies "-s", we set ECHO to some magic string which
changes the output line into a comment, so the output is suppressed.
Beside suppressing every output for "-s", we also avoid the redundant
short output when compiling with V=1.
This changes the output to:
==========
$ make -s PLAT=.... bl31
Built build/.../release/bl31.bin
==========
$ make PLAT=.... bl31
...
CC lib/libc/strncmp.c
CC lib/libc/strnlen.c
...
==========
$ make V=1 PLAT=.... bl31
...
gcc -DDEBUG=0 .... -o build/.../release/libc/strncmp.o
gcc -DDEBUG=0 .... -o build/.../release/libc/strnlen.o
...
==========
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
When attempting to compile TF-A with "SPD=something ARCH=aarch32", the
following error message is printed:
Makefile:291: *** recipe commences before first target. Stop.
This is because the call to the error function is indented using a tab
whereas it's not part of a rule's recipe. Replace the tab by spaces.
Change-Id: Ic9b603837a0e43f2f7070cb39137541c332365d2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old driver is now in deprecated_console.S, in a similar way to the
AArch64 driver.
Change-Id: Ib57209c322576c451d466d7406a94adbf01ab8fd
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.
The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.
The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.
Sample output of a backtrace at EL3:
BACKTRACE: START: function_name
0: EL3: 0x798
1: EL3: 0x538
2: EL3: 0x550
3: EL3: 0x55c
4: EL3: 0x568
5: EL3: 0x5a8
6: EL3: 0xf4
BACKTRACE: END: function_name
In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.
Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
At the moment the AArch32 instruction set isn't specified in the command
line, which means that the compiler is free to choose the one it sees
fit. This decision may change between compiler versions, so it is better
to specify it manually.
The build option AARCH32_INSTRUCTION_SET has been introduced for this
reason. This option can be set to T32 or A32 to pass the correct flags
to the compiler.
The current behaviour is to default to T32 due to it's smaller size.
Change-Id: I02297eb1d9404b5868ff7c054fbff9b3cda7fdb6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
armclang replaces calls to printf by calls to one of the symbols
__0printf, __1printf or __2printf. This patch adds new functions with
these names that internally call printf so that the Trusted Firmware can
be compiled with this compiler.
Change-Id: I06a0e3e5001232fe5b2577615666ddd66e81eef0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..
Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Mbebtls include paths are controlled by the user using the variable
MBEDTLS_DIR and they are out of the TF source tree. Since these
includes have a different origin it is better to move them to a
different variable.
This change makes easier for the romlib Makefile to parse the include
paths.
Change-Id: I3e4c99300f1012bc7f88c6b9f5bc0ec1f7b5aa8d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch adds all the make macros needed to create a library archive
and to use it in the link stage.
Change-Id: I26597bfd6543649d0b68a9b1e06aec1ba353e6de
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch allows the user to override the value of the LD Makefile
variable. This feature can be used to force the use of the new Clang
linker.
Change-Id: I97ffeb18e48fa75346702a479d7dc1e8abcb3621
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Alignment fault checking is always enabled in TF (by setting the
SCTLR.A bit). Thus, all instructions that load or store one or more
registers have an alignment check that the address being accessed is
aligned to the size of the data element(s) being accessed. If this
check fails it causes an Alignment fault, which is taken as a Data
Abort exception.
The compiler needs to be aware that it must not emit load and store
instructions resulting in unaligned accesses. It already is for
AArch64 builds (see commit fa1d37122c "Add -mstrict-align to the gcc
options"), this patch does the same for AArch32 builds.
Change-Id: Ic885796bc6ed0ff392aae2d49f3a13f517e0169f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This is an add-on feature that allows processing
device tree with external includes.
"-Iinclude" is also added to INCLUDES.
It allows inclusion of dt-bindings files either in dts files or drivers,
as those files will be in include/dt-bindings/.
"-i fdts" is added to the DTC command line.
As the pre-processed files are in build directory, the DT source directory
has to be explicitely included, to manages /include/ directives.
fixesarm-software/tf-issues#595
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The ARMv8.4 RAS extensions introduce architectural support for software
to inject faults into the system in order to test fault-handling
software. This patch introduces the build option FAULT_HANDLING_SUPPORT
to allow for lower ELs to use registers in the Standard Error Record to
inject fault. The build option RAS_EXTENSIONS must also be enabled along
with fault injection.
This feature is intended for testing purposes only, and is advisable to
keep disabled for production images.
Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.
This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.
With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.
When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, any External Abort routed to EL3 is reported as an unhandled
exception and cause a panic. This patch enables ARM Trusted Firmware to
handle External Aborts routed to EL3.
With this patch, when an External Abort is received at EL3, its handling
is delegated to plat_ea_handler() function. Platforms can provide their
own implementation of this function. This patch adds a weak definition
of the said function that prints out a message and just panics.
In order to support handling External Aborts at EL3, the build option
HANDLE_EA_EL3_FIRST must be set to 1.
Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
compilation; this patch fixes that too.
Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The C standards specify that this macro is used to
disable asserts but, in our code, the assert macro
is controlled with ENABLE_ASSERTIONS. Having this macro
here creates confusion about the behaviour of assert.
Change-Id: Iab8689a14dc2b8790729857d56585ce43c0c4f51
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Due to differences in the bitfields of the SMC IDs, it is not possible
to support SMCCC 1.X and 2.0 at the same time.
The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
option that specifies the major version of the SMCCC that the Trusted
Firmware supports. The only two allowed values are 1 and 2, and it
defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
Note: Support for SMCCC v2.0 is an experimental feature to enable
prototyping of secure partition specifications. Support for this
convention is disabled by default and could be removed without notice.
Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
like BL1. In these use-cases, it is necessary to initialize the RW sections
in RAM, while leaving the RO sections in place. This patch enable this
use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
is only supported when BL2_AT_EL3 is 1.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
The Makefile was missing a check to verify that the value of
`ENABLE_SPM` is boolean.
Change-Id: I97222e4df9ae2fbd89cdb3263956dca52d360993
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Include stack_protector's makefile after including platform.mk
to allow platforms override ENABLE_STACK_PROTECTOR
FixesARM-software/tf-issues#567
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
For platforms that have not migrated to MULTI_CONSOLE_API == 1, there
are a lot of confusing deprecated declaration warnings relating to
use of console_init() and console_uninit(). Some of these relate to use
by the generic code, not the platform code. These functions are not really
deprecated but *removed* when MULTI_CONSOLE_API == 1.
This patch consolidates these warnings into a single preprocessor warning.
The __deprecated attribute is removed from the console_init() and
console_uninit() declarations.
For preprocessor warnings like this to not cause fatal build errors,
this patch adds -Wno-error=cpp to the build flags when
ERROR_DEPRECATED == 0.
This option (and -Wno-error=deprecated-declarations) is now added to
CPPFLAGS instead of TF_CFLAGS to ensure the build flags are used in the
assembler as well as the compiler.
This patch also disentangles the MULTI_CONSOLE_API and ERROR_DEPRECATED
build flags by defaulting MULTI_CONSOLE_API to 0 instead of
ERROR_DEPRECATED. This allows platforms that have not migrated to
MULTI_CONSOLE_API to use ERROR_DEPRECATED == 1 to emit a more meaningful
build error.
Finally, this patch bans use of MULTI_CONSOLE_API == 1 and AARCH32, since
the AArch32 console implementation does not support
MULTI_CONSOLE_API == 1.
Change-Id: If762165ddcb90c28aa7a4951aba70cb15c2b709c
Signed-off-by: Dan Handley <dan.handley@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined.
Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch makes some minor changes to `MAKE_DTBS` make macro
and adds `dtbs` target to the `all` make target.
Change-Id: I1c5b4a603ada31d2dac2ed73da9ff707b410dd11
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds an argument to bl1_plat_post/pre_image_load() APIs
to make it more future proof. The default implementation of
these are moved to `plat_bl1_common.c` file.
These APIs are now invoked appropriately in the FWU code path prior
to or post image loading by BL1 and are not restricted
to LOAD_IMAGE_V2.
The patch also reorganizes some common platform files. The previous
`plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
merged into a new `plat_bl_common.c` file.
NOTE: The addition of an argument to the above mentioned platform APIs
is not expected to have a great impact because these APIs were only
recently added and are unlikely to be used.
Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Commit 21b818c05f (BL31: Introduce
Exception Handling Framework) introduced the build option
EL3_EXCEPTION_HANDLING, but missed to pass that to the build command
line. This patch fixes that.
Change-Id: I0a1be2c7b41a81e748ad7d6cf795aab7f6d19193
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
When we add a new callback, we need to duplicate fallbacks among
plat/common/{aarch32,aarch64}/platform_helpers.S This is tedious.
I created a new C file, then moved 3 functions:
plat_error_handler
bl2_plat_preload_setup
plat_try_next_boot_source
They are called from C, so I do not see a good reason to implement
them in assembly.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
In the next commit, I need the image name in lowercase because
output files are generally named in lowercase.
Unfortunately, TOOL_ADD_IMG takes the first argument in uppercase
since we generally use uppercase Make variables.
make_helpers/build_macros.mk provides 'uppercase' macro to convert
a string into uppercase, but 'lowercase' does not exist. We can
implement it if we like, but it would be more straightforward to
change the argument of TOOL_ADD_IMG.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Now FIP_ADD_IMG takes care of both fiptool and cert_create
symmetrically. Rename it so that it matches the behavior.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The build system supports generating two FIP images, fip and fwu_fip.
Accordingly, we have similar build macros.
FIP_ADD_PAYLOAD <--> FWU_FIP_ADD_PAYLOAD
CERT_ADD_CMD_OPT <--> FWU_CERT_ADD_CMD_OPT
FIP_ADD_IMG <--> FWU_FIP_ADD_IMG
The duplicated code increases the maintenance burden. Also, the build
rule of BL2U looks clumsy - we want to call MAKE_BL to compile it from
source files, but we want to put it in fwu_fip. We can not do it in a
single macro call since the current MAKE_BL does not support fwu_fip.
To refactor those in a clean way is to support one more argument to
specify the FIP prefix. If it is empty, the images are targeted to
fip, whereas if the argument is "FWU_", targeted to fwu_fip.
The build macros prefixed with FWU_ go away.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This complicated if-conditional combo was introduced by commit
70d1fc5383 ("Fix build error when `BL32` is not defined") in order
to fix the compile error of "make all" when SPD=opteed is given.
The requirement for the build system is like follows:
- If both BL32 and BL32_SOURCES are defined, the former takes
precedence.
- If BL32 is undefined but BL32_SOURCES is defined, we compile
BL32 from the source files.
- We want to let the build fail if neither of them is defined,
but we want to check it only when we are building FIP.
Refactor the code to not call FIP_ADD_IMG twice. The behavior is
still the same.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
We use $(call MAKE_TOOL_ARGS,...) or $(call FIP_ADD_IMG,...) where we
expect externally built images. The difference between the two is
check_* target. It now checks if the given path exists, so it is a
good thing to use $(call FIP_ADD_IMG,...) in all the places.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Some toolchain distributions install both the BFD and GOLD linkers under
the names <target>-ld.bfd and <target>-ld.gold. <target>-ld will then be
a symlink that may point to either one of these.
Trusted Firmware should always be linked with the BFD linker, since GOLD
is meant primarily for userspace programs and doesn't support many of
the more obscure linker script features that may be needed for firmware.
With this patch the Makefile will auto-detect if ld.bfd is available and
use it explicitly in that case.
Change-Id: I7017055f67db3bd57d191d20a7af06ca646937d7
Signed-off-by: Julius Werner <jwerner@chromium.org>
With the old system `checkpatch.pl` gets one sole input that consists of
the commit message and commit diff of each commit between BASE_COMMIT
and HEAD. It also filters out changes in some files, which makes `git
format-patch` completely ignore that commit, even the commit message.
With the new system the commit message and commit diff are analyzed
separately. This means that, even if all the files modified by a commit
are filtered out, the commit message will still be analyzed.
Also, all commits are analyzed individually. This way it's easier to
know which commit caused the problem, and there are no warnings about
repeated "Signed-off-by" lines.
Change-Id: Ic676a0b76801bb2607141a8d73dc3a942dc01c0e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the Makefile we use findstring to locate gcc toolchains
that have PIE enabled by default.
Unfortunately the result of findstring is compared against
an integer, 1, rather than a non-empty string; the logic to
disable PIE then doesn't get applied.
This patch fixes the flag test.
Fixes: f7ec31db2d ("Disable PIE compilation option")
Change-Id: I4cd2866974e313d6b408f9681311d78a208ab468
Signed-off-by: Steve Capper <steve.capper@arm.com>
It is better to not include BL2 in FIP when using `BL2 at EL3` as
platforms using this config would not have the capability to parse the
FIP format in Boot ROM and BL2 needs to be loaded independently. This
patch does the required changes for the same.
Change-Id: Iad285c247b3440e2d827fef97c3dd81f5c09cabc
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1. This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.
Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
ARM TF does not work correctly if built with a version of gcc
that is configured to use PIE by default (e.g. Debian Stretch).
This patch identifies when such a version of gcc is being used
(by searching for --enable-default-pie) and adds -fno-PIE option
to TF_CFLAGS.
fixesarm-software/tf-issues#519
Change-Id: I2322122c49841746d35d152694e14f6f73beb0fd
Signed-off-by: David Cunado <david.cunado@arm.com>
Co-Authored-by: Evan Lloyd <evan.lloyd@arm.com>
Tested-by: Steve Capper <steve.capper@arm.com>
Tested-by: Alexei Fedorov <alexei.fedorov@arm.com>
This patch overhauls the console API to allow for multiple console
instances of different drivers that are active at the same time. Instead
of binding to well-known function names (like console_core_init),
consoles now provide a register function (e.g. console_16550_register())
that will hook them into the list of active consoles. All console
operations will be dispatched to all consoles currently in the list.
The new API will be selected by the build-time option MULTI_CONSOLE_API,
which defaults to ${ERROR_DEPRECATED} for now. The old console API code
will be retained to stay backwards-compatible to older platforms, but
should no longer be used for any newly added platforms and can hopefully
be removed at some point in the future.
The new console API is intended to be used for both normal (bootup) and
crash use cases, freeing platforms of the need to set up the crash
console separately. Consoles can be individually configured to be active
active at boot (until first handoff to EL2), at runtime (after first
handoff to EL2), and/or after a crash. Console drivers should set a sane
default upon registration that can be overridden with the
console_set_scope() call. Code to hook up the crash reporting mechanism
to this framework will be added with a later patch.
This patch only affects AArch64, but the new API could easily be ported
to AArch32 as well if desired.
Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.
If SVE is implemented, EL3 will do the following:
- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
- Exit from Non-secure world: SIMD, FP and SVE functionality is
disabled. As SIMD and FP registers are part of the SVE Z-registers
then any use of SIMD / FP functionality would corrupt the SVE
registers.
The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.
This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.
Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.
Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: David Cunado <david.cunado@arm.com>
This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :
1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
the BL31 memory is empty when built for AArch32. Hence this patch allocates
BL32 to the memory region occupied by BL31 for AArch32 builds.
As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
be used to control the load address of BL32 in AArch32 mode which was
never the intention of the macro anyway.
2. A static assert is added to sp_min linker script to check that the progbits
are within the bounds expected when overlaid with other images.
3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
involved when building Juno for AArch32 mode, the build option SPD needed to
specifed. This patch corrects this and also updates the documentation in the
user-guide.
4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
a result the previous assumption that BL31 must be always present is removed
and the certificates for BL31 is only generated if `NEED_BL31` is defined.
Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The Cortex A75 has 5 AMU counters. The first three counters are fixed
and the remaining two are programmable.
A new build option is introduced, `ENABLE_AMU`. When set, the fixed
counters will be enabled for use by lower ELs. The programmable
counters are currently disabled.
Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Commit 26e63c4450 broke the Makefile for ARMv8-A AArch32 platforms.
This patch fixes it.
Change-Id: I49b8eb5b88f3a131aa4c8642ef970e92d90b6dd2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Factor out SPE operations in a separate file. Use the publish
subscribe framework to drain the SPE buffers before entering secure
world. Additionally, enable SPE before entering normal world.
A side effect of this change is that the profiling buffers are now
only drained when a transition from normal world to secure world
happens. Previously they were drained also on return from secure
world, which is unnecessary as SPE is not supported in S-EL1.
Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:
- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.
A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.
The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:
- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
Secure Partition.
- Implementing a well defined interface that is used by the normal world
and other secure services for accessing the services exported by a
Secure Partition.
- Implementing a well defined interface that is used by a Secure
Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
Partition to fulfil a service request.
Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
External build environment shall sets directive ARM_ARCH_MAJOR to 7
to specify a target ARMv7-A core.
As ARM-TF expects AARCH to be set, ARM_ARCH_MAJOR==7 mandates
AARCH=aarch32.
The toolchain target architecture/cpu is delegated after the platform
configuration is parsed. Platform shall define target core through
ARM_CORTEX_A<x>=yes, <x> being 5, 7, 9, 12, 15 and/or 17.
Platform can bypass ARM_CORTEX_A<x>=yes directive and provide straight
the toolchain target directive through MARCH32_DIRECTIVE.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Some platforms (for ex. UniPhier) want to create files in the very
top of the build directory. Add ${BUILD_PLAT} so such files can
depend on it.
Make existing directory targets depend on ${BUILD_PLAT} because
they are sub-directories of ${BUILD_PLAT}.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The back end GIC driver converts and assigns the interrupt type to
suitable group.
For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which
determines to which type Group 0 interrupts maps to.
- When the build option is set 0 (the default), Group 0 interrupts are
meant for Secure EL1. This is presently the case.
- Otherwise, Group 0 interrupts are meant for EL3. This means the SPD
will have to synchronously hand over the interrupt to Secure EL1.
The query API allows the platform to query whether the platform supports
interrupts of a given type.
API documentation updated.
Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This is a revamp of the original approach in:
https://github.com/ARM-software/arm-trusted-firmware/pull/747
Current build system has no means to automatically generate dtbs from
dts, instead, stores the dtbs in the fdts/ folder. While this makes
perfect sense for many reference platforms, this becomes a minor
breakage in development flow for newer platforms.
However, this can be solved by providing a rule for the dtbs while
building the ATF binaries by purely describing which dts sources we
need.
For example, with this change, we will now be able to describe the
dtbs we need for the platform in the corresponding platform.mk file:
FDT_SOURCES += fdts/abc.dts
This should be able to generate the abc.dtb appropriately.
Since device trees are specification of hardware, we don't tie the rule
to any specific BL, instead a generic rule is introduced.
Further, this approach allows us to generate appropriate dtbs which may be
need to be regenerated when a common dtsi gets updated, by just
restricting changes to the dtsi alone, instead of synchronizing all the
dtbs as well.
If dtc is not available in default paths, but is available in an
alternate location, it can be chosen by overriding the DTC variable
such as 'make DTC=~/dtc/dtc ....`
NOTE: dtbs are built only with the explicit make dtbs command. The rule
is only available if the platform defines a FDT_SOURCES variable.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
This patch gives users control over logging messages printed from the C
code using the LOG macros defined in debug.h Users now have the ability
to reduce the log_level at run time using the tf_log_set_max_level()
function. The default prefix string can be defined by platform by
overriding the `plat_log_get_prefix()` platform API which is also
introduced in this patch.
The new log framework results in saving of some RO data. For example,
when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
framework also adds about 108 bytes of code to the release build of FVP.
FixesARM-software/tf-issues#462
Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
Co-authored-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
TRUSTED_BOARD_BOOT and GENERATE_COT is not
compatible with EL3_PAYLOAD_BASE
Change-Id: I538c77e1f6c7da400d30ae4d633b8fcc55742202
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
The current build system and driver requires the CCI product to be
specified at build time. The device constraints can be determined at run
time from its ID registers, obviating the need for specifying them
ahead.
This patch adds changes to identify and validate CCI at run time. Some
global variables are renamed to be in line with the rest of the code
base.
The build option ARM_CCI_PRODUCT_ID is now removed, and user guide is
updated.
Change-Id: Ibb765e349d3bc95ff3eb9a64bde1207ab710a93d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Use TF_LDFLAGS from the Makefiles, and still append LDFLAGS as well to
the compiler's invocation. This allows passing extra options from the
make command line using LDFLAGS.
Document new LDFLAGS Makefile option.
Change-Id: I88c5ac26ca12ac2b2d60a6f150ae027639991f27
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html
Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.
Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769
Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419
The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.
Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.
Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
SPE is only supported in non-secure state. Accesses to SPE specific
registers from SEL1 will trap to EL3. During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained. This is to
avoid a potential invalid memory access in SEL1.
SPE is architecturally specified only for AArch64.
Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
It doesn't make sense to use the `-pedantic` flag when building the
Trusted Firmware as we use GNU extensions and so our code is not
fully ISO C compliant. This flag only makes sense if the code intends to
be ISO C compliant.
Change-Id: I6273564112759ff57f03b273f5349733a5f38aef
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only the compiler is switched to ARM Compiler 6. The assembler and linker
are provided by the GCC toolchain.
ARM Compiler 6 is used to build TF when the base name of the path assigned
to `CC` matches the string 'armclang'.
`CROSS_COMPILE` is still needed and should point to the appropriate
GCC toolchain.
Tested with ARM CC 6.7.
Change-Id: Ib359bf9c1e8aeed3f662668e44830864f3fe7b4a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Only the compiler is switched to clang. The assembler and linker are
provided by the GCC toolchain.
clang is used to build TF when the base name of the path assigned to
`CC` contains the string 'clang'.
`CROSS_COMPILE` is still needed and should point to the appropriate
GCC toolchain.
Tested with clang 3.9.x and 4.0.x.
Change-Id: I53236d64e3c83ad27fc843bae5fcdae30f2e325e
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Tools are built using the compiler specified in `HOSTCC` instead of
reusing the `CC` variable. By default, gcc is used.
Change-Id: I83636a375c61f4804b4e80784db9d061fe20af87
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Since TF uses GCC extensions, switch the C environment
from c99 to gnu99.
This change allows armclang to build TF.
Change-Id: Iaacb2726ba1458af59faf607ae9405d6eedb9962
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>