SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch introduces setjmp() and ongjmp() primitives to enable
standard setjmp/longjmp style execution. Both APIs parameters take a
pointer to struct jmpbuf type, which hosts CPU registers saved/restored
during jump.
As per the standard usage:
- setjmp() return 0 when a jump is setup; and a non-zero value when
returning from jump.
- The caller of setjmp() must not return, or otherwise update stack
pointer since.
Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currently, the dispatcher reads from SCR_EL3 register directly to
determine the EL of SDEI client. This is with the assumption that
SCR_EL3 is not modified throughout. However, with RAS work flows, it's
possible that SCR_EL3 register contains values corresponding to Secure
world, and therefore EL determination can go wrong. To mitigate this,
always read the register from the saved Non-secure context.
Change-Id: Ic85e4021deb18eb58757f676f9a001174998543a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The XN, PXN and UXN bits are part of the upper attributes, not the
lower attributes.
Change-Id: Ia5e83f06f2a8de88b551f55f1d36d694918ccbc0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch reads the chipid registers directly instead of making
pm call when running at BL32. User should ensure that these registers
should always be accessed from APU in their system configuration.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
This patch builds ATF to DDR if SPD is enabled as it cant fit in
On chip memory(OCM) with SPD enabled. This solves the issue
of build failure with SPD enabled for ZynqMP platform.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase
frame of the system timer. ARM ARM states that "The instance of
the register in the CNTCTLBase frame must be programmed with this
value as part of system initialization."
The psci_arch_setup() updates the CNTFRQ system register but
according to the ARM ARM, this instance of the register is
independent of the memory mapped instance. This is only an issue
for Normal world software which relies on the memory mapped
instance rather than the system register one.
This patch resolves the issue for ARM platforms.
The patch also solves a related issue on Juno, wherein
CNTBaseN.CNTFRQ can be written and does not reflect the value of
the register in CNTCTLBase frame. Hence this patch additionally
updates CNTFRQ register in the Non Secure frame of the CNTBaseN.
FixesARM-Software/tf-issues#593
Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
While it would be useful to have a device tree based build, the
required components are not in place yet, so support just a simple
statically defined configuration to begin with.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
These functions are used for the PSCI implementation and are needed to
build BL31, but we cannot implement them until we add several more drivers
related to ti-sci so these are only stubs for now.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Do proper initialization of GIC V3. This will allow CP15 access to GIC
from "normal world" (aka HLOS) via mrc/mcr calls.
K3 SoC family uses GICv3 compliant GIC500 without compatibility for
legacy GICv2.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Provide K3_TIMER_FREQUENCY for the platform configuration if the GTC
clock is selected statically and override option if the platform has a
different configuration.
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Benjamin Fair <b-fair@ti.com>
This library will be used to properly set up mappings from different
bootloaders at different exception levels. It ensures that memory mapped
devices such as UARTs are still accessible and memory regions have the
correct access permissions.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
These functions describe the layout of the cores and clusters in order to
support the PSCI framework.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Because there is no BL2, BL31 must determine the entrypoint and memory
location of BL32 and BL33 on its own.
BL32_BASE and PRELOADED_BL33_BASE will be set in the corresponding board
makefile. We also allow a DTB address to be specified for cases when BL33
is a Linux image.
NOTE: It is possible to pull in this information from device tree as
well, however libfdt does not contain the required hooks to make this
happen at this point in time.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
The K3 family of SoCs has multiple interconnects. The key interconnect
for high performance processors is the MSMC3 interconnect. This is
an io-coherent interconnect which exports multiple ports for each
processor cluster.
Sometimes, port 0 of the MSMC may not have an ARM cluster OR is isolated
such that the instance of ATF does not manage it. Define macros
in platform_def.h to help handle this.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Create the baseline Makefile, platform definitions file and platform
specific assembly macros file. This includes first set of constants
for the platform including cache sizes and linker format and a stub for
BL31 and the basic memory layout
K3 SoC family of processors do not use require a BL1 or BL2 binary,
since such functions are provided by an system controller on the SoC.
This lowers the burden of ATF to purely managing the local ARM cores
themselves.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size reserved for BL2 has been increased.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
NXP's i.MX8QM is an ARMv8 SoC with 2 clusters, 2 Cortex-A72
cores in one cluster and 4 Cortex-A53 in the other cluster,
and also has system controller (Cortex-M4) inside, documentation
can be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8QX is an ARMv8 SoC with 4 Cortex-A35 cores and
system controller (Cortex-M4) inside, documentation can
be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8 SoCs have system controller (M4 core)
which takes control of clock management, power management,
partition management, PAD management etc., other
clusters like Cortex-A35 can send out command via MU
(Message Unit) to system controller for clock/power
management etc..
This patch adds basic IPC(inter-processor communication) support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
This is an add-on feature that allows processing
device tree with external includes.
"-Iinclude" is also added to INCLUDES.
It allows inclusion of dt-bindings files either in dts files or drivers,
as those files will be in include/dt-bindings/.
"-i fdts" is added to the DTC command line.
As the pre-processed files are in build directory, the DT source directory
has to be explicitely included, to manages /include/ directives.
fixesarm-software/tf-issues#595
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
To build with the new release, we pick couple of more files from mbedTLS
library.
Change-Id: I77dfe5723284cb26d4e5c717fb0e6f6dd803cb6b
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Only use synchronous calls to enter the Secure Partition in order to
simplify the SMC handling code.
Change-Id: Ia501a045585ee0836b9151141ad3bd11d0971be2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In Arm platforms, when using dynamic configuration, the necessary
parameters are made available as a DTB. The DTB is loaded by BL1 and,
later on, is parsed by BL1, BL2 or even both, depending on when
information from the DTB is needed.
When the DTB is going to be parsed, it must be validated first, to
ensure that it is properly structured. If an invalid DTB is detected
then:
- BL1 prints a diagnostic but allows execution to continue,
- BL2 prints a diagnostic and panics.
Now the behaviour of BL1 is changed so for it also to panic. Thus, the
behaviour of BL1 and BL2 is now similar.
Keep in mind that if BL1 only loads the DTB but it doesn't need to
read/write it, then it doesn't validate it. The validation is done only
when the DTB is actually going to be accessed.
Change-Id: Idcae6092e6dbeab7248dd5e041d6cbb7784fe410
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Some peripherals are TrustZone aware, so they need to be configured to
be accessible from non-secure world, as we don't need any of them being
exclusive to the secure world.
This affects some clocks, DMA channels and the Secure Peripheral
Controller (SPC). The latter controls access to most devices, but is not
active unless booting with the secure boot fuse burnt.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Jeenu Viswambharan
Dimitris Papastamos
Antonio Nino Diaz
Siva Durga Prasad Paladugu
Soby Mathew
Nishanth Menon
Benjamin Fair
Ying-Chun Liu (PaulLiu)
Anson Huang
Yann Gautier
John Tsichritzis
Andre Przywara