Coverity scan done for the coreboot project found the issue:
Coverity (*** CID 1385418: Memory - illegal accesses (OVERRUN))
Coverity (*** CID 1385419: Memory - corruptions (OVERRUN))
Fix the Converity error issue with store_cru[] loop needs to be one
element bigger.
Fixes: ARM-software/tf-issues#544
Change-Id: I420f0a660b24baaa5fc5e78fca242cf750c9bbc7
Signed-off-by: Caesar Wang <wxt@rock-chips.com>
MAP_TSP_MEM could be either in SRAM or DRAM. When MAP_TSP_MEM is in
DRAM, it's overlapped with MAP_DDR.
Since MAP_OPTEE_PAGEABLE isn't used in SRAM case, just remove it.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Some toolchain distributions install both the BFD and GOLD linkers under
the names <target>-ld.bfd and <target>-ld.gold. <target>-ld will then be
a symlink that may point to either one of these.
Trusted Firmware should always be linked with the BFD linker, since GOLD
is meant primarily for userspace programs and doesn't support many of
the more obscure linker script features that may be needed for firmware.
With this patch the Makefile will auto-detect if ld.bfd is available and
use it explicitly in that case.
Change-Id: I7017055f67db3bd57d191d20a7af06ca646937d7
Signed-off-by: Julius Werner <jwerner@chromium.org>
The CnP bit documentation in the Firmware Design Guide incorrectly
used the term "Page Entries" instead of "Processing Elements".
Fix that.
Change-Id: Ie44ee99c281b7b1a9ad90fba2c7d109f12425507
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
With the old system `checkpatch.pl` gets one sole input that consists of
the commit message and commit diff of each commit between BASE_COMMIT
and HEAD. It also filters out changes in some files, which makes `git
format-patch` completely ignore that commit, even the commit message.
With the new system the commit message and commit diff are analyzed
separately. This means that, even if all the files modified by a commit
are filtered out, the commit message will still be analyzed.
Also, all commits are analyzed individually. This way it's easier to
know which commit caused the problem, and there are no warnings about
repeated "Signed-off-by" lines.
Change-Id: Ic676a0b76801bb2607141a8d73dc3a942dc01c0e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch implements a fast path for this SMC call on affected PEs by
detecting and returning immediately after executing the workaround.
NOTE: The MMU disable/enable workaround now assumes that the MMU was
enabled on entry to EL3. This is a valid assumption as the code turns
on the MMU after reset and leaves it on until the core powers off.
Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
In the initial implementation of this workaround we used a dedicated
workaround context to save/restore state. This patch reduces the
footprint as no additional context is needed.
Additionally, this patch reduces the memory loads and stores by 20%,
reduces the instruction count and exploits static branch prediction to
optimize the SMC path.
Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
On some platforms it may be necessary to discover the SMCCC version
via a PSCI features call.
Change-Id: I95281ac2263ca9aefda1809eb03464fbdb8ac24d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
SMCCC v1.1 comes with a relaxed calling convention for AArch64
callers. The caller only needs to save x0-x3 before doing an SMC
call.
This patch adds support for SMCCC_VERSION and SMCCC_ARCH_FEATURES.
Refer to "Firmware Interfaces for mitigating CVE_2017_5715 System
Software on Arm Systems"[0] for more information.
[0] https://developer.arm.com/-/media/developer/pdf/ARM%20DEN%200070A%20Firmware%20interfaces%20for%20mitigating%20CVE-2017-5715_V1.0.pdf
Change-Id: If5b1c55c17d6c5c7cb9c2c3ed355d3a91cdad0a9
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
In preparation for SMCCC v1.1 support, save x4 to x29 unconditionally.
Previously we expected callers coming from AArch64 mode to preserve
x8-x17. This is no longer the case with SMCCC v1.1 as AArch64 callers
only need to save x0-x3.
Change-Id: Ie62d620776533969ff4a02c635422f1b9208be9c
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch maps the devices in the first GB of the system address map
on the FVP into the S-EL1&0 translation regime when SPM support is
enabled. This grants the Secure Partition access to the devices in
this region, for example the memory-mapped Generic Timer device.
Change-Id: I3aeea65f859ecbe83efde2acee20c55500c451bc
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Commit 880b9e8b4c (Add padding at the end
of the last entry) added code using toc_entry pointer, whose memory is
already freed via variable buf. This causes enormous padding on openSUSE.
Free the memory buffer only after padding is done.
Signed-off-by: Andreas Färber <afaerber@suse.de>
`assert(e)` was used in place of `if (e) ERROR()` when sec_protect()
was ported from hikey fork so the logic should have been reversed.
Fixes: 3d5d9f5a ("hikey: configure the top 16MB of DRAM as secure")
Fixes: 52988b38 ("hikey: configure 4 MB of secure DRAM for OP-TEE
Secure Data Path")
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Tested-by: Victor Chong <victor.chong@linaro.org>
This disables the redistributor before either of the pwr_dm_suspend
functions are called. This is because the rdist save code in the
rk3399 rockchip_soc_sys_pwr_dm_suspend function requires that each
redistributor be disabled before saving state.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
Delay functions like udelay() are often used to ensure that the
necessary time passed to allow some asynchronous event to finish, such
as the stabilization delay for a power rail. For these use cases it is
not very problematic if the delay is slightly longer than requested,
but it is critical that the delay must never be shorter.
The current udelay() implementation contains two hazards that may cause
the delay to be slightly shorter than intended: Firstly, the amount of
ticks to wait is calculated with an integer division, which may cut off
the last fraction of ticks needed. Secondly, the delay may be short by a
fraction of a tick because we do not know whether the initial ("start")
sample of the timer was near the start or near the end of the current
tick. Thus, if the code intends to wait for one tick, it might read the
timer value close to the end of the current tick and then read it again
right after the start of the next tick, concluding that the duration of
a full tick has passed when it in fact was just a fraction of it.
This patch rounds up the division and always adds one extra tick to
counteract both problems and ensure that delays will always be larger
but never smaller than requested.
Change-Id: Ic5fe5f858b5cdf3c0dbf3e488d4d5702d9569433
Signed-off-by: Julius Werner <jwerner@chromium.org>
Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass
1 when called from the cpu on/off hooks.
Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The secure physical timer is inacessible from 32-bit S-EL1 (when EL3
is 64-bit) so trusty will use the non-secure physical timer in this
case. Linux will use the virtual timer instead of the physical timer
when started in EL1.
Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The original patch has been partly merged. This adds the missing
pieces.
Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Add smc calls to return gic base address and print to the debug
console. Allows running a generic trusty binary.
Change-Id: I4b6540f140f11432cdff43c3f5a2097df09dc9d1
Signed-off-by: Arve Hjønnevåg <arve@android.com>
UniPhier platform implements non-TF boot ROM. Prior to the BL2-AT-EL3
support, BL1 (worked as a pseudo ROM) was needed just for ensuring BL2
is entered at EL1-S. Now, this platform is able to avoid this waste.
Enable the BL2_AT_EL3 option, and remove BL1.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The warm boot mailbox code is compiled if PROGRAMMABLE_RESET_ADDRESS
is disabled.
The warm boot mailbox is useless for UniPhier SoC family because BL1
is not the first image. The UniPhier platform implements non-TF ROM,
then BL1 works as a pseudo ROM, so it is never executed in the warm
boot.
The reset vector address is not actually programmable for UniPhier
platform, but it should not hurt to enable PROGRAMMABLE_RESET_ADDRESS
to disable the mailbox and remove pointless plat_get_my_entrypoint.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Update the memory firewall configuration to reserve 4 MB of secure RAM
for use by the kernel and OP-TEE as the Secure Data Path pool.
Note that this address range (0x3E800000 - 0x3EC00000) falls in the
range already set aside by UEFI (which reserves the upper 32 MB of the
1GB DRAM for OP-TEE [1]) and was previously unused.
[1] https://github.com/96boards-hikey/edk2/blob/hikey/HisiPkg/HiKeyPkg/Library/HiKeyLib/HiKeyMem.c#L44
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Acked-by: Victor Chong <victor.chong@linaro.org>
DRAM region 0x3f000000 - 0x3fffffff is reserved for OP-TEE and should
therefore be accessible only from secure world.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Acked-by: Victor Chong <victor.chong@linaro.org>
We were looping for MAX_WAIT_COUNT in several places without any
delays, so this adds the delays to make those loops more predictable.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
The code was accidentally restoring the QOS on suspend and saving the
QOS on resume. This is the opposite of what we want.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
If the GIC loses power during suspend, which the restore code was
written for, exit early in the post restore power sequence. This
prevents an assert from tripping, and the power sequence isn't needed
in this case anyways.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
This brings ATF into line with the kernel on the timeout for power
domains turning on. We could actually timeout (when we shouldn't) on
resume when turning power domains on. The guaranteed maximum delay is
now 10ms.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
In the Makefile we use findstring to locate gcc toolchains
that have PIE enabled by default.
Unfortunately the result of findstring is compared against
an integer, 1, rather than a non-empty string; the logic to
disable PIE then doesn't get applied.
This patch fixes the flag test.
Fixes: f7ec31db2d ("Disable PIE compilation option")
Change-Id: I4cd2866974e313d6b408f9681311d78a208ab468
Signed-off-by: Steve Capper <steve.capper@arm.com>
The current div_round_up() implementation relies on round_up() which
only works correctly for boundaries that are a power of 2. It is
documented as such, but this still seems dangerously easy to overlook,
especially since many other environments (e.g. the Linux kernel) have a
similar macro without these limitations.
There is a different way to calculate this that can deal with all kinds
of divisors without other drawbacks, so let's just use that instead.
Change-Id: Id382736683f5d4e880ef00c53cfa23a2f9208440
Signed-off-by: Julius Werner <jwerner@chromium.org>
The secure_partition_boot_info_t structure is used to communicate boot
parameters with the StandaloneMM code executing at S-EL0 through a
shared buffer. Certain data types used for members of this structure
are opaque with their size depending on the toolchain being used.
Declare the members of the structure with explicit width based data
types, which would maintain compatibility across toolchains.
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>