Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
679db7080129fb48ace43a08873eceabfd092aa1
It is demonstrated in a SafeSide example:
https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cchttps://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
* changes:
plat: xilinx: Move pm_client.h to common directory
plat: xilinx: versal: Make silicon default build target
xilinx: versal: Wire silicon default setup
versal: Increase OCM memory size for DEBUG builds
plat: xilinx: versal: Dont set IOU switch clock
arm64: versal: Adjust cpu clock for versal virtual
xilinx: versal: Add support for PM_GET_OPERATING_CHARACTERISTIC EEMI call
plat: versal: Add Get_ChipID API
plat: xilinx: versal: Add load Pdi API support
xilinx: versal: Add feature check API
xilinx: versal: Implement set wakeup source for client
plat: xilinx: versal: Add GET_CALLBACK_DATA function
xilinx: versal: Add PSCI APIs for system shutdown & reset
xilinx: versal: Add PSCI APIs for suspend/resume
xilinx: versal: Remove no_pmc ops to ON power domain
xilinx: versal: Add set wakeup source API
xilinx: versal: Add client wakeup API
xilinx: versal: Add query data API
xilinx: versal: Add request wakeup API
xilinx: versal: Add PM_INIT_FINALIZE API for versal
xilinx: versal: Add support of PM_GET_TRUSTZONE_VERSION API
xilinx: versal: enable ipi mailbox service
xilinx: move ipi mailbox svc to xilinx common
plat: xilinx: versal: Implement PM IOCTL API
xilinx: versal: Implement power down/restart related EEMI API
xilinx: versal: Add SMC handler for EEMI API
xilinx: versal: Implement PLL related PM APIs
xilinx: versal: Implement clock related PM APIs
xilinx: versal: Implement pin control related PM APIs
xilinx: versal: Implement reset related PM APIs
xilinx: versal: Implement device related PM APIs
xilinx: versal: Add support for suspend related APIs
xilinx: versal: Add get_api_version support
xilinx: Add support to send PM API to PMC using IPI for versal
plat: xilinx: versal: Move versal_def.h to include directory
plat: xilinx: versal: Move versal_private.h to include directory
plat: xilinx: zynqmp: Use GIC framework for warm restart
Moving the FDT helper functions to the common/ directory exposed the file
to MISRA checking, which is mandatory for common code.
Fix the complaints that the test suite reported.
Change-Id: Ica8c8a95218bba5a3fd92a55407de24df58e8476
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
* changes:
Tegra194: platform handler for entering CPU standby state
Tegra194: memctrl: force viw and vifalr/w transactions as non-coherent
Tegra194: memctrl: fix bug in client order id reg value generation
Tegra194: memctrl: enable mc coalescer
Tegra194: update scratch registers used to read boot parameters
Tegra194: implement system shutdown/reset handlers
Tegra194: mce: support for shutdown and reboot
Tegra194: request CG7 before checking if SC7 is allowed
Tegra194: config to enable/disable strict checking mode
Tegra194: remove unused platform configs
Tegra194: restore XUSB stream IDs on System Resume
Remove the general BL31 mmap region: it duplicates the existing static
mapping for the entire SRAM region. Use the helper definitions when
applicable to simplify the code and add the MT_EXECUTE_NEVER flag.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: I7a6b79e50e4b5c698774229530dd3d2a89e94a6d
Add new flags for storage support that must be used in the build
command line. Add the complete build steps for an OP-TEE configuration.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: I0c682f6eb0aab83aa929f4ba734d3151c264aeed
Remove second flash node as only one must be used
by QSPI NOR driver.
Change-Id: I48189f2fdf4e0455aabe7d4cd9b2f3d36bb9cfb5
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 platform is able to boot from SPI-NOR devices.
These modifications add this support using the new
SPI-NOR framework.
Change-Id: I75ff9eba4661f9fb87ce24ced2bacbf8558ebe44
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 platform is able to boot from SPI-NAND devices.
These modifications add this support using the new
SPI-NAND framework.
Change-Id: I0d5448bdc4bde153c1209e8043846c0f935ae5ba
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Include the required FMC2 pinmux definition for the
NAND management.
Change-Id: I80333deacdf3444b2f21f17f2fb5919e569a3591
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 platform is able to boot from raw NAND devices.
These modifications add this support using the new
raw NAND framework.
Change-Id: I9e9c2b03930f98a5ac23f2b6b41945bef43e5043
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
For STM32MP1, the address space is 4GB, which can be first divided
in 4 parts of 1GB. This LVL1 table is already mapped regardless
of MAX_XLAT_TABLES.
Fixing typo: Replace Ko to KB.
BL2/sp_min for platform STM32MP1 requires 4 MMU translation tables:
- a level2 table and a level3 table for identity mapped SYSRAM
- a level2 table mapping 2MB of BootROM runtime resources
- a level2 table mapping 2MB of secure DDR (case BL32 is OP-TEE)
Change-Id: If80cbd4fccc7689b39dd540d6649b1313557f326
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Device size could be more than 4GB, we must
define size as unsigned long long.
Change-Id: I52055cf5c1c15ff18ab9e157aa9b73c8b4fb7b63
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Add a new entry to find register properties by name and
include new assert functions to limit address cells to 1
and size cells to 1.
Change-Id: Ide59a795a05fb2af36bd07fec15e5a3adf196226
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Adds compilation flags to specify which drivers will be
embedded in the generated firmware.
Change-Id: Ie9decc89c3f26cf17e7148a3a4cf337fd35940f7
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Add the standard CLAMP macro. It ensures that
x is between the limits set by low and high.
If low is greater than high the result is undefined.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Change-Id: Ia173bb9ca51bc8d9a8ec573bbc15636a94f881f4
Imported from the LLVM compiler_rt library on master branch as of
30 Oct 2018 (SVN revision: r345645).
This is to get the __popcountsi2(si_int a) and __popcountdi2(di_int a)
builtin which are required by a driver that uses a __builtin_popcount().
Change-Id: I8e0d97cebdd90d224690c8ce1b02e657acdddb25
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
SPI-NOR framework is based on SPI-MEM framework using
spi_mem_op execution interface.
It implements read functions and allows NOR configuration
up to quad mode.
Default management is 1 data line but it can be overridden
by platform.
It also includes specific quad mode configuration for
Spansion, Micron and Macronix memories.
Change-Id: If49502b899b4a75f6ebc3190f6bde1013651197f
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
This framework supports SPI-NAND and is based on the
SPI-MEM framework for SPI operations. It uses a common high
level access using the io_mtd.
It is limited to the read functionalities.
Default behavior is the basic one data line operation
but it could be overridden by platform.
Change-Id: Icb4e0887c4003a826f47c876479dd004a323a32b
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
The raw NAND framework supports SLC NAND devices.
It introduces a new high level interface (io_mtd) that
defines operations a driver can register to the NAND framework.
This interface will fill in the io_mtd device specification:
- device_size
- erase_size
that could be used by the io_storage interface.
NAND core source file integrates the standard read loop that
performs NAND device read operations using a skip bad block strategy.
A platform buffer must be defined in case of unaligned
data. This buffer must fit to the maximum device page size
defined by PLATFORM_MTD_MAX_PAGE_SIZE.
The raw_nand.c source file embeds the specific NAND operations
to read data.
The read command is a raw page read without any ECC correction.
This can be overridden by a low level driver.
No generic support for write or erase command or software
ECC correction.
NAND ONFI detection is available and can be enabled using
NAND_ONFI_DETECT=1.
For non-ONFI NAND management, platform can define required
information.
Change-Id: Id80e9864456cf47f02b74938cf25d99261da8e82
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
* changes:
zynqmp: pm: clock: Move custom flags to typeflags
zynqmp: pm: clock: Add support for custom type flags
plat: xilinx: zynqmp: Add GET_CALLBACK_DATA function
zynqmp: pm: Remove CLK_TOPSW_LSBUS from invalid clock list
The LLVM linker replaces the GNU linker as default for the link on Clang
builds. It is possible to override the default linker by setting the LD build
flag.
The patch also updates the TF-A doc.
Change-Id: Ic08552b9994d4fa8f0d4863e67a2726c1dce2e35
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
This patch implements a handler to enter the standby state on
Tegra194 platforms. On receiving a CPU_STANDBY state request,
the platform handler issues TEGRA_NVG_CORE_C6 request to the
MCE firmware to take the CPU into the standby state.
Change-Id: I703a96ec12205853ddb3c3871b23e338e1f60687
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Force memory transactions from viw and viflar/w as non-coherent from
no-override. This is necessary as iso clients shouldn't use coherent
path and stage-2 smmu mappings won't mark transactions as non-coherent.
For native case, no-override works. But, not for virtualization case.
Change-Id: I1a8fc17787c8d0f8579bdaeeb719084993e27276
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Client order id reset values are incorrectly and'ed with
mc_client_order_id macro, which resulted in getting reg value as
always zero. Updated mc_client_order_id macro to avoid and'ing outside
the macro, to take the reg value and update specific bit field
as necessary.
Change-Id: I880be6e4291d7cd58cf70d7c247a4044e57edd9e
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
This patch enable the Memory Controller's "Coalescer" feature to
improve performance of memory transactions.
Change-Id: I50ba0354116284f85d9e170c293ce77e9f3fb4d8
Signed-off-by: Pritesh Raithatha <praithatha@nvidia.com>
This patch changes SCRATCH_BOOT_PARAMS_ADDR macro to use SECURE_SCRATCH_RSV81
instead of SECURE_SCRATCH_RSV44. The previous level bootloader changed this
setting, so update here to keep both components in sync.
Change-Id: I4e0c1b54fc69482d5513a8608d0bf616677e1bdd
Signed-off-by: steven kao <skao@nvidia.com>
This patch implements the PSCI system shutdown and reset handlers,
that in turn issue the MCE commands.
Change-Id: Ia9c831674d7be615a6e336abca42f397e4455572
Signed-off-by: Vignesh Radhakrishnan <vigneshr@nvidia.com>
This patch adds support for shutdown/reboot handlers to the MCE
driver.
ATF communicates with mce using nvg interface for shutdown &
reboot. Both shutdown and reboot use the same nvg index.
However, the 1st bit of the nvg data argument differentiates
whether its a shutdown or reboot.
Change-Id: Id2d1b0c4fec55abf69b7f8adb65ca70bfa920e73
Signed-off-by: Vignesh Radhakrishnan <vigneshr@nvidia.com>
Currently firmware seems to be checking if we can get into system
suspend after checking if CC6 & C7 is allowed. For system suspend
to be triggered, the firmware needs to request for CG7 as well.
This patch fixes this anomaly.
Change-Id: I39c4c50092a4288f4f3fa4b0b1d5026be50f058f
Signed-off-by: Vignesh Radhakrishnan <vigneshr@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds a new configuration option to the platform makefiles
that disables/enables strict checking mode. The config is enabled
by default.
Change-Id: I727dd0facee88d9517bf6956eaf9163eba25c8bb
Signed-off-by: Steven Kao <skao@nvidia.com>
The stream IDs for XUSB programmed during cold boot are lost on System
Suspend. This patch restores the XUSB stream IDs on System Resume.
NOTE: THE WARMBOOT CODE NEEDS TO MAKE SURE THAT THE XUSB MODULE IS OUT
OF RESET AND THE CLOCKS ARE ENABLED, BEFORE POWERING ON THE CPU, DURING
SYSTEM RESUME.
Change-Id: Ibd5f1e5ebacffa6b29b625f4c41ecf204afa8191
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Anthony Steinhauser
Sandrine Bailleux
Soby Mathew
Andre Przywara
Manish Pandey
Olivier Deprez
Samuel Holland
Lionel Debieve
Nicolas Le Bayon
Mark Dykes
Ambroise Vincent
laurenw-arm
Varun Wadekar
Krishna Reddy
Pritesh Raithatha
steven kao
Vignesh Radhakrishnan