For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch updates the firmware design guide for the BL memory
layout change on ARM platforms.
Change-Id: Icbfe7249484bb8b4ba3c94421172d42f27605c52
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
From TF-A v1.5, FVP supports loading the kernel FDT through
firmware as part of dynamic configuration feature. This means
that the FDT no longer needs to be loaded via Model parameters.
This patch updates the user guide to reflect the same.
Change-Id: I79833beeaae44a1564f6512c3a473625e5959f65
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
In the porting guide, fix the function name and the argument type to
reflect the code.
Change-Id: Iac8d69af403194de5586bc0d5890da531e3c8da2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The instructions to boot the bootwrapped kernel were outdated.
Also, the bootwrapped kernel boot flow isn't really useful. It was meant
to be a replacement for the Trusted Firmware-A, not to be used as the next
step during boot.
The instructions have been removed in favour of the new build option
ARM_LINUX_KERNEL_AS_BL33. This new system directly boots the Linux
kernel from BL31, and requires RESET_TO_BL31 to be 1. Also, the kernel
has to be preloaded in memory, so PRELOADED_BL33_BASE has to be set to its
address. This way, the runtime services of the Trusted Firmware-A are
available for the kernel in the least possible amount of time.
This new system requires the DTB to be patched so that the kernel knows
where the ramdisk is. A short script to add this information to the DTB
has been added to the User Guide. The information related to it can be
found in the following file in the Linux kernel tree:
``Documentation/devicetree/bindings/chosen.txt``
Change-Id: Ide135580959e09f6aa8e4425f37ea55d97439178
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Normally, BL33 needs to contain a boot loader like U-Boot or UEFI that
eventually gives control to the OS. However, in some cases, this boot
sequence may be too slow. For example, when doing tests in a
cycle-accurate emulator, the user may only be interested in the
interaction between the Trusted Firmware and the OS, not in the boot
process itself.
The new option ARM_LINUX_KERNEL_AS_BL33 allows BL33 to contain the Linux
kernel image by changing the value of registers x0-x3 to the values
expected by the kernel. This option requires the device tree blob (DTB)
to be present in memory. Its address must be specified in the newly
introduced ARM_PRELOADED_DTB_BASE build option. For now, it only supports
AArch64 kernels.
This option is only available when RESET_TO_BL31=1. For this reason
the BL33 binary must be preloaded in memory and PRELOADED_BL33_BASE must
be used.
For example, if the kernel is loaded at 0x80080000 and the DTB is loaded
at address 0x82000000, the firmware could be built like this:
CROSS_COMPILE=aarch64-linux-gnu- \
make PLAT=fvp DEBUG=1 \
RESET_TO_BL31=1 \
ARM_LINUX_KERNEL_AS_BL33=1 \
PRELOADED_BL33_BASE=0x80080000 \
ARM_PRELOADED_DTB_BASE=0x82000000 \
all fip
Change-Id: If9dc847c65ae2d0c27b51f0fd44fc06b28497db9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The ARMv8.4 RAS extensions introduce architectural support for software
to inject faults into the system in order to test fault-handling
software. This patch introduces the build option FAULT_HANDLING_SUPPORT
to allow for lower ELs to use registers in the Standard Error Record to
inject fault. The build option RAS_EXTENSIONS must also be enabled along
with fault injection.
This feature is intended for testing purposes only, and is advisable to
keep disabled for production images.
Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.
This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.
With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.
When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Due to differences in the bitfields of the SMC IDs, it is not possible
to support SMCCC 1.X and 2.0 at the same time.
The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
option that specifies the major version of the SMCCC that the Trusted
Firmware supports. The only two allowed values are 1 and 2, and it
defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
Note: Support for SMCCC v2.0 is an experimental feature to enable
prototyping of secure partition specifications. Support for this
convention is disabled by default and could be removed without notice.
Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add TZMP1 support on Juno and increase the BL2 size accordingly due to the
extra data structures to describe the TZC regions and the additional code.
Signed-off-by: Summer Qin <summer.qin@arm.com>
This patch introduce TF-A support for NXP's ls1043a platform.
more details information of ls1043a chip and ls1043ardb board
can be found at docs/plat/ls1043a.rst.
Boot sequence on ls1043a is: bootrom loads bl1 firstly, then bl1
loads bl2, bl2 will load bl31, bl32 and bl33, bl31 will boot
bl32(tee os) and bl33(u-boot or uefi), bl33 boot Linux kernel.
Now TF-A on ls1043ardb platform has the following features in this patch:
* Support boot from Nor flash.
* TF-A can boot bl33 which runs in el2 of non-secure world.
* TF-A boot OPTee OS.
* Support PSCI
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Signed-off-by: Chenyin.Ha <Chenyin.Ha@nxp.com>
Signed-off-by: Chenhui Zhao <chenhui.zhao@nxp.com>
Signed-off-by: jiaheng.fan <jiaheng.fan@nxp.com>
Signed-off-by: Wen He <wen.he_1@nxp.com>
In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
like BL1. In these use-cases, it is necessary to initialize the RW sections
in RAM, while leaving the RO sections in place. This patch enable this
use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
is only supported when BL2_AT_EL3 is 1.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Only return -1 if the workaround for CVE-2017-5715 is not compiled in.
Change-Id: I1bd07c57d22b4a13cf51b35be141a1f1ffb065ff
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Switch to the new console APIs enabled by setting MULTI_CONSOLE_API=1.
The crash console doesn't use this API, it uses internally the core
functions of the 16550 console.
`bl31_plat_runtime_setup` is no longer needed. When this platform port
was introduced, that function used to disable the console. It was needed
to override that behaviour. The new behaviour is to switch to the
runtime console. The console is registered for all scopes (boot, crash
and runtime) in `rpi3_console_init` so it is not needed to override the
default behaviour anymore.
Update documentation.
Change-Id: If2ee8f91044216183b7ef142e5c05ad6220ae92f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Following Out of Box testing for v1.5 release:
Update host OS version to Ubuntu 16.04
Clarify configuration files needed for checkpatch
Add note on using Linaro precompiled binaries
Change-Id: Ia4ae61e01128ddff1a288972ddf84b79370fa52c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
The CI has been updated to run tests against the AEMv8-A RevC
model, FVP_Base_RevC-2xAEMv8A, which is available from the Fast
Model releases on Connected Community [1].
Additionally, the CI now also includes the Cortex-A55x4, Cortex-A75x4
and Cortex-A55x4-A75x4 Base models.
[1] https://developer.arm.com/products/system-design/fixed-virtual-platforms
Change-Id: I57806f3b2a8121211490a7aa0089dcae566d8635
Signed-off-by: David Cunado <david.cunado@arm.com>
Updated change-log.rst with summary of changes since
release v1.4.
Change-Id: I56b5a30d13a5a7099942535cbaeff0e2a5c5804e
Signed-off-by: David Cunado <david.cunado@arm.com>
Update Arm Trusted Firmware references in the upstream documents to
Trusted Firmware-A (TF-A). This is for consistency with and
disambiguation from Trusted Firmware-M (TF-M).
Also update other Arm trademarks, e.g. ARM->Arm, ARMv8->Armv8-A.
Change-Id: I8bb0e18af29c6744eeea2dc6c08f2c10b20ede22
Signed-off-by: Dan Handley <dan.handley@arm.com>
Signed-off-by: David Cunado <david.cunado@arm.com>
This patch updates the `firmware-design.rst` document for
changes in ARM-TF for supporting dynamic configuration features
as presented in `Secure Firmware BoF SFO'17`[1].
The patch also updates the user-guide for 2 build options for FVP
pertaining to dynamic config.
[1] https://www.slideshare.net/linaroorg/bof-device-tree-and-secure-firmware-bof-sfo17310
Change-Id: Ic099cf41e7f1a98718c39854e6286d884011d445
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Since non-TF ROM is used in HiKey960 platform (Hisilicon Hi3660 SoC),
replace BL1 by BL2_EL3 in normal boot mode.
When flush images in recovery mode, keep to use BL1.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Since non-TF ROM is used in HiKey platform (Hisilicon Hi6220 SoC),
replace BL1 by BL2_EL3 in normal boot mode.
When we recovery images in recovery mode, keep to use BL1.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
FVPs that model DynamIQ configuration implements all CPUs in a single
cluster. I.e., such models have a single cluster with more than 4 CPUs.
This differs from existing default build configuration for FVP where up
to 4 CPUs are assumed per cluster.
To allow building for DynamIQ configuration, promote the macro
FVP_MAX_CPUS_PER_CLUSTER as a build option to have it set from the build
command line. The value of the build option defaults to 4.
Change-Id: Idc3853bc95f680869b434b011c2dbd733e40c6ce
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
MISRA C-2012 Rule 7.3 violation: lowercase l shall not be used as literal suffixes.
This patch resolves this for the ULL() macro by using ULL suffix instead
of the ull suffix.
Change-Id: Ia8183c399e74677e676956e8653e82375d0e0a01
Signed-off-by: David Cunado <david.cunado@arm.com>
To make exception handling amongst Secure components, require that SDEI
exception priorities must be assigned the lowest among Secure
priorities. Clarify documentation to this effect.
Change-Id: I92524b7b7e9b3fa06a10c86372bc3c4dd18c00ad
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The `bl1_init_bl2_mem_layout()` API is now deprecated. The default weak
implementation of `bl1_plat_handle_post_image_load()` calculates the
BL2 memory layout and populates the same in x1(r1). This ensures
compatibility for the deprecated API.
Change-Id: Id44bdc1f572dc42ee6ceef4036b3a46803689315
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds an argument to bl1_plat_post/pre_image_load() APIs
to make it more future proof. The default implementation of
these are moved to `plat_bl1_common.c` file.
These APIs are now invoked appropriately in the FWU code path prior
to or post image loading by BL1 and are not restricted
to LOAD_IMAGE_V2.
The patch also reorganizes some common platform files. The previous
`plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
merged into a new `plat_bl_common.c` file.
NOTE: The addition of an argument to the above mentioned platform APIs
is not expected to have a great impact because these APIs were only
recently added and are unlikely to be used.
Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The Arm Trusted Firmware is built by default for ARMv8-A version 8.0.
However, the Foundation FVP runs by default in the highest version of
the architecture it supports. This causes problems when trying to run
the Arm Trusted Firmware on it.
This patch adds a note to the User Guide about this problem.
Change-Id: I0220fe1a9c66c2292149ad4a7ffe5e27ba08ab28
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
Non-secure interrupt affects TSPs execution. When TSP is executing:
1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
at the TSP's exception vector, and TSP voluntarily preempts itself.
2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
trap to EL3, which preempts TSP execution.
When EL3 exception handling is in place (i.e.,
EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
with GICv3, pending NS interrupts while TSP is executing will be
signalled as FIQ (which traps to EL3). This situation necessitates the
same treatment applied to case (2) above.
Therefore, when EL3 exception handling is in place, additionally
require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.
Strictly speaking, this is not required on a system with GICv2, but the
same model is uniformly followed regardless, for simplicity.
Relevant documentation updated.
Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Dimitris Papastamos
Soby Mathew
Antonio Nino Diaz
Sandrine Bailleux
Jeenu Viswambharan
Summer Qin
Jiafei Pan
Joel Hutton
David Cunado
Dan Handley
Arve Hjønnevåg
Haojian Zhuang