The code to check for the presence of the TRNG service relies on
toolchain garbage collection, which is not enabled with -O0.
Add #ifdef guards around the call to the TRNG service handler to
cover builds without optimisation as well.
Change-Id: I08ece2005ea1c8fa96afa13904a851dec6b24216
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
* changes:
plat/arm: fvp: Protect GICR frames for fused/unused cores
doc: Build option to protect GICR frame
plat/arm: fvp: Do not map GIC region in BL1 and BL2
Currently, BLs are mapping the GIC memory region as read-write
for all cores on boot-up.
This opens up the security hole where the active core can write
the GICR frame of fused/inactive core. To avoid this issue, disable
the GICR frame of all inactive cores as below:
1. After primary CPU boots up, map GICR region of all cores as
read-only.
2. After primary CPU boots up, map its GICR region as read-write
and initialize its redistributor interface.
3. After secondary CPU boots up, map its GICR region as read-write
and initialize its redistributor interface.
4. All unused/fused core's redistributor regions remain read-only and
write attempt to such protected regions results in an exception.
As mentioned above, this patch offers only the GICR memory-mapped
region protection considering there is no facility at the GIC IP
level to avoid writing the redistributor area.
These changes are currently done in BL31 of Arm FVP and guarded under
the flag 'FVP_GICR_REGION_PROTECTION'.
As of now, this patch is tested manually as below:
1. Disable the FVP cores (core 1, 2, 3) with core 0 as an active core.
2. Verify data abort triggered by manually updating the ‘GICR_CTLR’
register of core 1’s(fused) redistributor from core 0(active).
Change-Id: I86c99c7b41bae137b2011cf2ac17fad0a26e776d
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Added a build option 'FVP_GICR_REGION_PROTECTION' to make
redistributor frame of fused/unused cores as read only.
Change-Id: Ie85f86e2465b93321a92a888ce8712a3144e4ccb
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
GIC memory region is not getting used in BL1 and BL2.
Hence avoid its mapping in BL1 and BL2 that freed some
page table entries to map other memory regions in the
future.
Retains mapping of CCN interconnect region in BL1 and BL2
overlapped with the GIC memory region.
Change-Id: I880dd0690f94b140e59e4ff0c0d436961b9cb0a7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This allows Matterhorn cores to operate at their optimal OPPs.
Signed-off-by: Usama Arif <usama.arif@arm.com>
Change-Id: I2e1b784da10154a1f1f65dd0e3a39213e7683116
So far the ARM platform Makefile would require that RESET_TO_BL31 is set
when we ask for the ARM_LINUX_KERNEL_AS_BL33 feature.
There is no real technical reason for that, and the one place in the
code where this was needed has been fixed.
Remove the requirement of those two options to be always enabled
together.
This enables the direct kernel boot feature for the Foundation FVP
(as described in the documentation), which requires a BL1/FIP
combination to boot, so cannot use RESET_TO_BL31.
Change-Id: I6814797b6431b6614d684bab3c5830bfd9481851
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
At the moment we have the somewhat artifical limitation of
ARM_LINUX_KERNEL_AS_BL33 only being used together with RESET_TO_BL31.
However there does not seem to be a good technical reason for that,
it was probably just to differentate between two different boot flows.
Move the initial register setup for ARM_LINUX_KERNEL_AS_BL33 out of the
RESET_TO_BL31 #ifdef, so that we initialise the registers in any case.
This allows to use a preloaded kernel image when using BL1 and FIP.
Change-Id: I832df272d3829f077661f4ee6d3dd9a276a0118f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
TZC_400_REGION_ATTR_FILTER_BIT_ALL is a simple constant definition, so
it can't get the real filter number to construct the bit flag for all
existing filters. If the platform doesn't have 4 filters, passing
FILTER_BIT_ALL to tzc400_configure_region() will cause assertion or
misconfiguration. So adjust the bit flag against the real filter
number.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: Ie5c48303485f3b5015772961ee7c34746121ee84
The filters parameter passed to tzc400_configure_region() is supposed
to be filter bit flag without bit shift, so the macros
TZC_400_REGION_ATTR_FILTER_BIT and TZC_400_REGION_ATTR_FILTER_BIT_ALL
should always construct the value without any shift.
It is not a functional issue for TZC_REGION_ATTR_F_EN_SHIFT is lucky
to be 0.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: I5d363c462b8517256523f637e670eefa56722afd
The structure has been modified to specify the memory
size in bytes instead of Gigabytes.
Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Change-Id: I3384677d79af4f3cf55d3c353b6c20bb827b5ae7
This adds the TRNG Firmware Interface Service to the standard
service dispatcher. This includes a method for dispatching entropy
requests to platforms and includes an entropy pool implementation to
avoid dropping any entropy requested from the platform.
Change-Id: I71cadb3cb377a507652eca9e0d68714c973026e9
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch removes the Neoverse N1 CPU errata workaround for
bug 1542419 as the bug is not present in Rainier R0P0 core.
Change-Id: Icaca299b13ef830b2ee5129576aae655a6288e69
Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
In DDR controller PWRTMG register, the mask for field SELFREF_TO_X32 is
wrong. This field is from bit 16 to 23.
Change-Id: Id336fb08c88f0a153df186dd819e41af72febb88
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Secure pl061 qemu driver allows to rize the GPIO pin
from the secure world to reboot and power down
virtual machine.
Do not define secure-gpio for sbsa-ref platform due to
reboot is done via sbsa-ec watchdog.
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Change-Id: I508d7c5cf4c75cb169b34b00682a76f6761d3869
The NUM_APID value was derived from kernel device tree sources, but I
made a conversion mistake: the amount of bytes in the APID map is the
total size of the "core" register range (0x1100) minus the offset of the
APID map in that range (0x900). This is of course 0x1100 - 0x900 = 0x800
and not 0x200, so the amount of 4-byte integers it can fit is not 0x80
but 0x200. Fix this and make the math more explicit so it can be more
easily factored out and adjusted if that becomes necessary for a future
SoC.
Also fix a dangerous typo in REG_APID_MAP() where the macro would
reference a random variable `i` rather than its argument (`apid`), and
we just got lucky that the only caller in the current code happened to
pass in a variable called `i` as that argument.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I049dd044fa5aeb65be0e7b12150afd6eb4bac0fa
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I2e94a0b227ec39f6f4530dc50bb477999d27730f
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I9cb581574d46de73c3d6917ebf78935fc5ac075a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: I8c3b92751d1ce226c966f7c81fedd83f0846865e
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
From commit: 21571b1d140ae7bb44e94c0afba2ec61456b275b
The coding guidelines[1] in TF-A forbid the use of ato*() functions
in favour of strto*(). However, the TF-A libc does not provide an
implementation of strto*(), making this rule impossible to satisfy.
Also made small changes to fit into TF-A project. Added the source
files to the libc makefile
[1] https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#libc-functions-that-are-banned-or-to-be-used-with-caution
Change-Id: Ica95bf5da722913834fe90bf3fe743aa34e01e80
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
ESPI register offset should also be shifted right by REG##R_SHIFT to
keep consistent.
It is not a functional issue, for GICD_OFFSET_64() is only used for
GICD_IROUTER<E>, and IROUTER_SHIFT is 0.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: I76eee5c50e4300890e78e80bddde135ce88daa2d
Add debug log for the maximum supported INTID of SPI and eSPI on the
current GIC implementation.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: Ie45ab1d85b39658c4ca4bc54ee433ac44e41d03f
The GICv3 architecture allows GICD_TYPER.ITLinesNumber to be 31, so
the maximum possible value for num_ints is 1024. The value must be
limited to (MAX_SPI_ID + 1), or GICD_OFFSET() will consider it as ESPI
INTID and return wrong register address.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: Iddcb83d3e5d241b39f4176c19c2bceaa2c3dd653
In function gicv3_spis_config_defaults(), the variable num_ints is set
to (maximum SPI INTID + 1), while num_eints is set to (maximum ESPI
INTID). It introduces not only inconsistency to the code, but also
logical bug in the "for" loops, for the INTID of num_eints is also
valid and the check should be inclusive.
Fix this by setting num_eints to (maximum ESPI INTID + 1) as well.
Fix similar issues in gicv3_distif_save() and
gicv3_distif_init_restore().
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: I4425777d17e84e85f38853603340bd348640154f
RESTORE/SAVE_GICD_EREGS uses (int_id - (MIN_ESPI_ID - MIN_SPI_ID)) to
get the context array index for ESPI, which will override the space of
standard SPI starting from (MIN_SPI_ID + MIN_SPI_ID).
However, using TOTAL_SPI_INTR_NUM to replace the above MIN_SPI_ID
cannot totally fix the issue, for TOTAL_SPI_INTR_NUM is not well
aligned and the array index will be rounded down by the shifting
operation if being shifted more than 2 bits. It will cause buffer
override again when the existing maximum SPI reaches 1019.
So round up TOTAL_SPI_INTR_NUM with (1 << REG##R_SHIFT) for GICD
context arrays.
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: I5be2837c42f381a62f8d46a4ecd778009b1fe059
In function gicv3_rdistif_probe(), line #1322 implies
gicv3_driver_data->mpidr_to_core_pos() may be null, but the original
code uses this interface to get current CPU index unconditionally.
It is better to use MPIDR to probe GICR which does not depend on
gicv3_driver_data->mpidr_to_core_pos().
Signed-off-by: Heyi Guo <guoheyi@linux.alibaba.com>
Change-Id: I64add055385040fe0a56b977e2299608e2309a6e
Increase the core count and add respective entries in DTS.
Add Klein assembly file to cpu sources for core initialization.
Add SCMI entries for cores.
Signed-off-by: Avinash Mehta <avinash.mehta@arm.com>
Change-Id: I14dc1d87df6dcc8d560ade833ce1f92507054747
When building TF-A with USE_ROMLIB=1 and -j make options, the build fails with the following error:
make[1]: *** No rule to make target '/build/juno/debug/romlib/romlib.bin', needed by 'bl1_romlib.bin'.
This patch fixes that issue.
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
Change-Id: I0cca416f3f50f400759164e0735c2d6b520ebf84
* changes:
docs: marvell: Replace ESPRESSObin-Ultra TF-A build example by full example how to build production release of Marvell firmware image
docs: marvell: Fix description of flash-image.bin image
docs: marvell: Add information into CLOCKSPRESET option how to identify CPU frequency
docs: marvell: Reformat DDR_TOPOLOGY option and mention EspressoBin-Ultra board
docs: marvell: Move Supported Marvell platforms to PLAT build option
* changes:
docs: marvell: Update info about WTMI_IMG option
plat: marvell: armada: a3k: Remove unused variable WTMI_SYSINIT_IMG from Makefile
plat: marvell: armada: Show informative build messages and blank lines
plat: marvell: armada: Move definition of mrvl_flash target to common marvell_common.mk file
plat: marvell: armada: a3k: Use $(Q) instead of @
plat: marvell: armada: a3k: Add a new target mrvl_uart which builds UART image
plat: marvell: armada: a3k: Build UART image files directly in $(BUILD_UART) subdirectory
plat: marvell: armada: a3k: Build intermediate files in $(BUILD_PLAT) directory
plat: marvell: armada: a3k: Correctly set DDR_TOPOLOGY and CLOCKSPRESET for WTMI
plat: marvell: armada: a3k: Allow use of the system Crypto++ library
docs: marvell: Update info about WTP and MV_DDR_PATH parameters
plat: marvell: armada: a3k: Add checks that WTP, MV_DDR_PATH and CRYPTOPP_PATH are correctly defined
docs: marvell: Update mv-ddr-marvell and A3700-utils-marvell branches
ESPRESSObin-Ultra TF-A build example was now just a copy+paste of previous
mentioned example. It produced debug binary with custom log level, which
was not described. So rather replace this duplicate build example by a full
example with all steps how to build production release of Marvell firmware
image for EspressoBin with 1GHz CPU and 1GB DDR4 RAM.
Signed-off-by: Pali Rohár <pali@kernel.org>
Change-Id: Ief1b8bc96a3035ebd8421bd68dca5eb5c8d8fd52
Reformat list of boards, remove unsupported OcteonTX2 and mention
supported Turris MOX board.
Signed-off-by: Pali Rohár <pali@kernel.org>
Change-Id: I22cea7f77fd078554c7f0ed4108781626209e563
* changes:
allwinner: Leave CPU power alone during BL31 setup
allwinner: psci: Invert check in .validate_ns_entrypoint
allwinner: psci: Drop MPIDR check from .pwr_domain_on
allwinner: psci: Drop .get_node_hw_state callback
AMU counters are used for monitoring the CPU performance. RD-N2 platform
has architected AMU available for each core. Enable the use of AMU by
non-secure OS for supporting the use of counters for processor
performance control (ACPI CPPC).
Change-Id: I5cc749cf63c18fc5c7563dd754c2f42990a97e23
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
AMU counters are used for monitoring the CPU performance. RD-V1 platform
has architected AMU available for each core. Enable the use of AMU by
non-secure OS for supporting the use of counters for processor
performance control (ACPI CPPC).
Change-Id: I4003d21407953f65b3ce99eaa8f496d6052546e0
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
Some of the PSCI platform callbacks were restricted on RD-V1 platform
because the idle was not functional. Now that it is functional, remove
all the restrictions on the use PSCI platform callbacks.
Change-Id: I4cb97cb54de7ee166c30f28df8fea653b6b425c7
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
It does not have to be supported by the current shell used in Makefile.
Replace it by a simple echo with implicit newline.
Signed-off-by: Pali Rohár <pali@kernel.org>
Change-Id: I97fe44986ac36d3079d5258c67f0c9184537e7f0