Also, add a disclaimer to explain that the current implementation of SPM
is a prototype that is going to undergo a lot of rework.
Change-Id: I303c1e61c51d9f286cc599fea565fc9ba5a996bf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old SMCs SP_MEMORY_ATTRIBUTES_{GET,SET}_AARCH64 have been removed in
favour of SPRT_MEMORY_PERM_ATTR_{GET,SET}_AARCH64.
Change-Id: Idb93cfa5461d0098df941037c5653f7c44b65227
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This buffer is where all the responses from Secure Partitions are stored
until they are requested.
Change-Id: Iafeb8f0848c5ff6f3e187060cd3a47702484dc45
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce SMCs that open and close handles according to the SPCI
specification.
Change-Id: I65f365f15612e01aa445e783e96e48ae275c39fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove interfaces based on MM_COMMUNICATE.
Change-Id: I628c884b91d9f4758269ea2c4dedc37a66bb93cf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Load SP and RD from package instead of relying on RD being already
loaded in memory and the SP being loaded as a BL32 image.
Change-Id: I18d4fbf4597656c6a7e878e1d7c01a8a324f3f8a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This tool packages Secure Partitions and Resource Descriptor blobs into
a simple file that can be loaded by SPM.
Change-Id: If3800064f30bdc3d7fc6a15ffbb3007ef632bcaa
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is retrieved from the resource description now.
Change-Id: Iaae23945eb2c45305cdc6442853e42f4e04fe094
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This information is defined by the Secure Partition in the resource
description.
Change-Id: Ia7db90c5de8360a596106880d3f6a632a88d3ea8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Introduce helpers to create resource description struct, as well as code
to load the information from DTB files.
Change-Id: I0f5bb94eb8b01c6cb53fe807a9db0c05a70d7a43
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The structures and associated definitions are in different files so that
the definitions can be used inside DTS files while the structs are
private to SPM. They follow the SPRT specification.
Change-Id: Id6a629040a086c482b9d9fa1883b8aa6bbee619f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.
With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.
When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.
For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.
Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
console_unregister() has always returned a pointer to the console that
was removed on success, not just an integer. Fix the C prototype to
match the assembly implementation.
Change-Id: Iafc43de0767a5c87c9ae5c3aba53761dd28d51e6
Signed-off-by: Julius Werner <jwerner@chromium.org>
- Update CPU frequency on AP807 to 2GHz for SAR 0x0.
- Increase AVS to 0.88V for 2GHz clock
Change-Id: Ic945b682ab2f8543e34294bfc56c3eae2c5e0c8e
Signed-off-by: Christine Gharzuzi <chrisg@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
For platforms using multi-threaded CPUs, there can be upto four
platform power domain levels. At present, there are three platform
power domain levels that are defined for the CSS platforms. Define a
fourth level 'ARM_PWR_LVL3' as well to provide support for an
additional platform power domain level.
Change-Id: I40cc17a10f4690a560776f504364fd7277a7e72a
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
The CSS_SYSTEM_PWR_DMN_LVL macro that defines the system power domain
level is fixed at ARM_PWR_LVL2 for all CSS platforms. However, the
system power domain level can be different for CSS platforms that
use multi-threaded CPUs.
So, in preparation towards adding support for platforms that use
multi-threaded CPUs, refactor the definition of CSS_SYSTEM_PWR_DMN_LVL
such that CSS_SYSTEM_PWR_DMN_LVL is uniquely defined for each of the
CSS platform.
Change-Id: Ia837b13f6865e71da01780993c048b45b7f36d85
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.
Add a macro which makes a variable 'speculation safe', using the
__builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.
The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.
Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a
ISB
DSB SY
sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a
CSEL tracker, tracker, XZR, [cond];
AND safeval,tracker;
CSDB
sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations
The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.
Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
The headers forked at some point in the past and have diverged a lot. In
order to make it easier to share code between TF-A-Tests and TF-A, this
patch synchronises most of the definitions in the mentioned headers.
This is not a complete sync, it has to be followed by more cleanup.
This patch also removes the read helpers for the AArch32 instructions
ats1cpr and ats1hr (they are write-only).
Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This reverts commit 6f512a3dfd.
According to the 'Cortex-A57 MPCore Software Developers Errata Notice':
This bug will only affect secure AArch64 EL3. If the above
conditions occur, the CPU will not invalidate the targeted EL3 TLB
entries and incorrect translations might occur.
For this reason it is not needed in AArch32.
Change-Id: I6f7b333817515499723e8f306145790ad6af9975
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Provide new APIs to add new regions without specifying the base VA.
- `mmap_add_region_alloc_va` adds a static region to mmap choosing as
base VA the first possible address after all the currently mapped
regions. It is aligned to an appropriate boundary in relation to the
size and base PA of the requested region. No attempt is made to fill
any unused VA holes.
- `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
`mmap_add_region_alloc_va` does, but it's dynamic instead of static.
- `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
maps them in the same way as `mmap_add_region_alloc_va` and fills
their `base_va` field. A helper macro has been created to help create
the array, called `MAP_REGION_ALLOC_VA`.
Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ARM CoreLink DMC-620 Dynamic Memory Controller includes a TZC controller
to setup secure or non-secure regions of DRAM memory. The TZC controller
allows to setup upto eight such regions of memory in DRAM. This driver
provides helper functions to setup the TZC controller within DMC-620.
Change-Id: Iee7692417c2080052bdb7b1c2873a024bc5d1d10
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Migrate Marvell platforms from legacy console API to
multi-console API.
Change-Id: I647f5f49148b463a257a747af05b5f0c967f267c
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When compiling assembly files, stdint.h is not included.
UINT32_C and UINT64_C are then not defined.
A new GENMASK macro for assembly is then created.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
These issues wer found by sparse:
drivers/st/clk/stm32mp1_clk.c:1524:19:
warning: incorrect type in assignment (different base types)
expected restricted fdt32_t const [usertype] *pkcs_cell
got unsigned int const [usertype] *
plat/st/stm32mp1/plat_image_load.c:13:6:
warning: symbol 'plat_flush_next_bl_params' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:21:16:
warning: symbol 'plat_get_bl_image_load_info' was not declared.
Should it be static?
plat/st/stm32mp1/plat_image_load.c:29:13:
warning: symbol 'plat_get_next_bl_params' was not declared.
Should it be static?
plat/st/stm32mp1/bl2_io_storage.c:40:10:
warning: symbol 'block_buffer' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
These warnings were issued by sparse:
plat/st/stm32mp1/stm32mp1_pm.c:365:36:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] pwr_domain_pwr_down_wfi )( ... )
got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:366:23:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] system_off )( ... )
got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:367:25:
warning: incorrect type in initializer (different modifiers)
expected void ( *[noreturn] system_reset )( ... )
got void ( [noreturn] *<noident> )( ... )
This cannot be changed the other way in all platforms pm drivers
or else there is a compilation error:
plat/st/stm32mp1/stm32mp1_pm.c:234:1: error: attributes should be specified
before the declarator in a function definition
Signed-off-by: Yann Gautier <yann.gautier@st.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
On AArch32, ARM_DRAM1_BASE and ARM_DRAM1_SIZE constants are currently
32-bit values (because they are suffixed with UL and the value
0x80000000 fits in a unsigned long int, i.e. a 32-bit value). When
summing them up, the result overflows the maximum value that can be
encoded in a 32-bit value so it wraps around and does not result in
the expected value.
This patch changes the suffix of these constants into ULL so that they
always are 64-bit values.
Change-Id: I3b19b1805e35cc7e43050458df379081b1e882d5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
fdtw_read_cells() can only read one or two cells, sometimes it may be
needed to read more cells from one property.
Change-Id: Ie70dc76d1540cd6a04787cde7cccb4d1bafc7282
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().
Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add supprot for Marvell platforms based on Armada-37xx SoC.
This includes support for the official Armada-3720 modular
development board and EspressoBin community board.
The Armada-37xx SoC contains dual Cortex-A53 Application CPU,
single secure CPU (Cortex-M3) and the following interfaces:
- SATA 3.0
- USB 3.0 and USB 2.0
- PCIe
- SDIO (supports boot from eMMC)
- SPI
- UART
- I2c
- Gigabit Ethernet
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Version 1.4.7 introduces a big performance hit to functions that access
the FDT. Downgrade the library to version 1.4.6-9, before the changes
that introduce the problem. Version 1.4.6 isn't used because one of the
libfdt files (fdt_overlay.c) is missing the license header. This
problem is also fixed in 1.4.6-9.
This version corresponds to commit <aadd0b65c987> checks: centralize
printing of property names in failure messages.
FixesARM-software/tf-issues#643
Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.
The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.
Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.
Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch fixes up the AArch64 assembly code to use
adrp/adr instructions instead of ldr instruction for
reference to symbols. This allows these assembly
sequences to be Position Independant. Note that the
the reference to sizes have been replaced with
calculation of size at runtime. This is because size
is a constant value and does not depend on execution
address and using PC relative instructions for loading
them makes them relative to execution address. Also
we cannot use `ldr` instruction to load size as it
generates a dynamic relocation entry which must *not*
be fixed up and it is difficult for a dynamic loader
to differentiate which entries need to be skipped.
Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds a utility function to return
the address of a symbol. By default, the compiler
generates adr/adrp instruction pair to return
the reference and this utility is used to override
this compiler generated to code and use `ldr`
instruction.
This is needed for Position Independent Executable
when it needs to reference a symbol which is constant
and does not depend on the execute address of the
binary.
For example, on the FVP, the GICv3 register context is
stored in a secure carveout (arm_el3_tzc_dram) within
DDR and does not relocate with the BL image. Now if
BL31 is executing at a different address other than
the compiled address, using adrp/adr instructions to
reference this memory will not work as they generate an
address that is PC relative. The way to get around this
problem is to reference it as non-PC relative (i.e
non-relocatable location) via `ldr` instruction.
Change-Id: I5008a951b007144258121690afb68dc8e12ee6f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This function is not related to Arm platforms and can be reused by other
platforms if needed.
Change-Id: Ia9c328ce57ce7e917b825a9e09a42b0abb1a53e8
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.
This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.
The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.
This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).
Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
It has only been tested with a system clock of 24 MHz.
It has only been implemented for the multi console API.
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some of the SGx platforms use System Identification (SID) registers
for platform identification. Add support for these registers in css.
Change-Id: If00b18744a31ff2cf14338f18c8c680eb69c9027
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
The current version of libfdt (1.4.2) has been modified to integrate it
in this repository. In order to do a clean import it is needed to remove
the current version first.
Change-Id: I2cab8c8e5632280d282fa7a2f2339768a0ad1e0f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The definitions FAIL_CONTROL_*_SHIFT were incorrect, they have been
fixed.
The types tzc_region_attributes_t and tzc_action_t have been removed and
replaced by unsigned int because it is not allowed to do logical
operations on enums.
Also, fix some address definitions in arm_def.h.
Change-Id: Id37941d76883f9fe5045a5f0a4224c133c504d8b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The "Reduced Serial Bus" is an Allwinner specific bus, bearing many
similarities with I2C. It sports a much higher bus frequency, though,
(typically 3 MHz) and requires much less handholding for the typical
task of manipulating slave registers (fire-and-forget).
On most A64 boards this bus is used to connect the PMIC to the SoC.
This driver provides basic primitives to read and write slave registers,
it will be later used by the PMIC code.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The `finish_console_register` macro is used by the multi console
framework to register the `console_t` driver callbacks. It relied
on weak references to the `ldr` instruction to populate 0 to the
callback in case the driver has not defined the appropriate
function. Use of `ldr` instruction to load absolute address to a
reference makes the binary position dependant. These instructions
should be replaced with adrp/adr instruction for position independant
executable(PIE). But adrp/adr instructions don't work well with weak
references as described in GNU ld bugzilla issue 22589.
This patch defines a new version of `finish_console_register` macro
which can spcify which driver callbacks are valid and deprecates the
old one. If any of the argument is not specified, then the macro
populates 0 for that callback. Hence the functionality of the previous
deprecated macro is preserved. The USE_FINISH_CONSOLE_REG_2 define
is used to select the new variant of the macro and will be removed
once the deprecated variant is removed.
All the upstream console drivers have been migrated to use the new
macro in this patch.
NOTE: Platforms be aware that the new variant of the
`finish_console_register` should be used and the old variant is
deprecated.
Change-Id: Ia6a67aaf2aa3ba93932992d683587bbd0ad25259
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Add 16-bit variant of mmio_clrsetbits function
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When HW_ASSISTED_COHERENCY is enabled we can use spinlocks
instead of using the more complex and slower bakery algorithm.
Change-Id: I9d791a70050d599241169b9160a67e57d5506564
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Pointer authentication is an Armv8.3 feature that introduces
instructions that can be used to authenticate and verify pointers.
Pointer authentication instructions are allowed to be accessed from all
ELs but only when EL3 explicitly allows for it; otherwise, their usage
will trap to EL3. Since EL3 doesn't have trap handling in place, this
patch unconditionally disables all related traps to EL3 to avoid
potential misconfiguration leading to an unhandled EL3 exception.
FixesARM-software/tf-issues#629
Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
macro jump_if_cpu_midr is used commonly by many arm platform.
It has now been relocated to common place to remove duplication
of code.
Change-Id: Ic0876097dbc085df4f90eadb4b7687dde7c726da
Signed-off-by: Deepak Pandey <Deepak.Pandey@arm.com>
Whereas the GPT table is read with io_block, the binaries to be loaded
(e.g. BL33) cannot use it, as it is not suitable to read them block by
block, or the boot time would be very bad.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This IO is required to read binaries with STM32 header.
This header is added with the stm32image tool.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
To boot on eMMC or SD-cards, STM32MP1 platform needs:
- GPT_IMAGE_ID to read GPT table on those devices
- STM32_IMAGE_ID and IO_TYPE_STM32IMAGE to read images with STM32 header
- IO_TYPE_MMC to have a IO for MMC devices
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This driver is for the STMicroelectronics sdmmc2 IP
which is in STM32MP1 SoC.
It uses the MMC framework, and can address either eMMC or SD-card.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The object pool allocator provides a simplistic interface to manage
allocation in a fixed-size static array. The caller creates a static
"object pool" out of such an array and may then call pool_alloc() to
get the next available object within the pool. There is also a variant
to get multiple consecutive objects: pool_alloc_n().
Note that this interface does not provide any way to free the objects
afterwards. This is by design and it is not a limitation. We do not
want to introduce complexity induced by memory freeing, such as
use-after-free bugs, memory fragmentation and so on.
Change-Id: Iefc2e153767851fbde5841a295f92ae48adda71f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This file is shared between FVP and all CSS platforms. While it may be
true that some definitions can be common, it doesn't make sense
conceptually. For example, the stack size depends on the platform and so
does the SRAM size.
After removing them, there are not enough common definitions to justify
having this header, so the other definitions have been moved to the
platform_def.h of FVP, board_css_def.h and arm_def.h.
Change-Id: Ifbf4b017227f9dfefa1a430f67d7d6baae6a4ba1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The definitions of the logging macros are reordered to be consistent
with the definitions of the log levels.
Change-Id: I6ff07b93eb64786ff147d39014d1c8e15db28444
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This way it can be reused by other platforms if needed.
Note that this driver is designed to work with the Versatile Express NOR
flash of Juno and FVP. In said platforms, the memory is organized as an
interleaved memory of two chips with a 16 bit word.
Any platform that wishes to reuse it with a different configuration will
need to modify the driver so that it is more generic.
Change-Id: Ic721758425864e0cf42b7b9b04bf0d9513b6022e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Before switching to new API the scp_bl2 handler was invoked from
bl2/bl2_image_load.c which was removed. Invoke the platform specific
scp_bl2 handler in analogy to ARM and HiSilicon.
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Map the initialization code for BL31 to overlap with the memory
required for the secondary cores stack. Once BL31 has been
initialized the memory can be remapped to RW data so that it can
be used for secondary cores stacks. By moving code from .text to
.text.init the size of the BL31 image is decreased by a page.
Split arm_common.ld.S into two linker scripts, one for tzc_dram
(arm_tzc_dram.ld.S) and one for reclaiming initialization code
(arm_reclaim_init.ld.S) so that platforms can chose which memory
regions they wish to include.
Change-Id: I648e88f3eda1aa71765744cf34343ecda9320b32
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This option makes it hard to optimize the memory definitions of all Arm
platforms because any change in the common defines must work in all of
them. The best thing to do is to remove it and move the definition to
each platform's header.
FVP, SGI and SGM were using the definitions in board_arm_def.h. The
definitions have been copied to each platform's platform_def.h. Juno
was already using the ones in platform_def.h, so there have been no
changes.
Change-Id: I9aecd11bbc72a3d0d7aad1ef9934d8df21dcfaf2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Respect official response type and update response to follow
official specification.
All the MMC_RESPONSE_R(_x) are replaced with each corresponding define.
Partly revert 2a82a9c95f for dw_mmc.c:
Responses R1, R1B and R5 have CRC.
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
- Migrate to bl2_early_platform_setup2().
- Remove references to removed build options.
- Use private definition of bl31_params_t.
This is an incomplete migration, the platform doesn't currently compile.
Change-Id: I1ae477b1f2489f49b651528050fdf06e4a55e425
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Remove references to removed build options.
- Remove support for legacy GIC driver.
- Remove support for LOAD_IMAGE_V2=0.
Change-Id: I72f8c05620bdf4a682765e6e53e2c04ca749a3d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The affected interfaces are bl31_early_platform_setup(),
sp_min_early_platform_setup() and bl2_early_platform_setup().
Change-Id: I50c01ec68bcbe97fe4e5d101bcd0f763358b8e1e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Allow AArch32 to use the multi console driver by adding the
required functions
Change-Id: I9e69f18965f320074cf75442d6b0de891aef7936
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
PAR register used here is a 64 bit register.
On AARCH32 BIT macro is BIT_32.
PAR_ADDR_MASK should then use BIT_64 to avoid overflow.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The patch 7b56928 unified the FWU mechanism on FVP and Juno
platforms due to issues with MCC firmware not preserving the
NVFLAGS. With MCCv150 firmware, this issue is resolved. Also
writing to the NOR flash while executing from the same flash
in Bypass mode had some stability issues. Hence, since the
MCC firmware issue is resolved, this patch reverts to the
NVFLAGS mechanism to detect FWU. Also, with the introduction
of SDS (Shared Data Structure) by the SCP, the reset syndrome
needs to queried from the appropriate SDS field.
Change-Id: If9c08f1afaaa4fcf197f3186887068103855f554
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
Signed-off-by: Soby Mathew <Soby.Mathew@arm.com>
After introducing the Mbed TLS shared heap optimisation, reducing BL2
size by 3 pages didn't leave enough space for growth. We give 1 page
back to maximum BL2 size.
Change-Id: I4f05432f00b923693160f69a4e4ec310a37a2b16
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Marvell A8K SoCs use the MI2CV IP core from Mentor Graphics, which
is also used by Allwinner.
As Mentor Graphics allows a lot of customization, the MI2CV in the two
SoC families are not compatible, and driver modifications are needed.
Extract the common code to a MI2CV driver.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
'dmb ld' is not a recognized instruction for ARMv7. Since generic code
may use 'dmb ld', alias it to 'dmb' when building for ARMv7.
Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Add response flag into ID definition so that driver does not
need to handle it again.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch reduces BL2 size by 12kB. Thanks to the shared Mbed TLS heap
between BL1 and BL2, BL2 now requires less memory since it doesn't need
to allocate a heap anymore.
Change-Id: I58a15f8c424273650c9f55112abe88105b6cdbae
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch introduces the shared Mbed TLS heap optimisation for Arm
platforms. The objective is the Mbed TLS heap to be shared between BL1
and BL2 so as to not allocate the heap memory twice. To achieve that,
the patch introduces all the necessary helpers for implementing this
optimisation. It also applies it for FVP.
Change-Id: I6d85eaa1361517b7490956b2ac50f5fa0d0bb008
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Mbed TLS drivers, in order to work, need a heap for internal usage.
This heap, instead of being directly referenced by the drivers, now it
is being accessed indirectly through a pointer. Also, the heap, instead
of being part of the drivers, now it is being received through the
plat_get_mbedtls_heap() function. This function requests a heap from the
current BL image which utilises the Mbed TLS drivers.
Those changes create the opportunity for the Mbed TLS heap to be shared
among different images, thus saving memory. A default heap
implementation is provided but it can be overridden by a platform
specific, optimised implemenetation.
Change-Id: I286a1f10097a9cdcbcd312201eea576c18d157fa
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch enables handling PMU overflow IRQ by GIC SPI's
directly in EL3. Also implement additional SMC routine,
which can disable the solution on demand in runtime.
Since it is possible to configure PMU interrupt trigger type
in the MADT ACPI table, it is enough to set it only once in EL3
during initialization.
Change-Id: Ie76aa62ccc4fd7cabfec9e3d5ed9970ada1c1b2a
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
This patch introduces new helper routines that allow
configuring the individual IRQs to be edge/level-triggered
via GICD_ICFGR registers. This is helpful to modify
the default configuration of the non-secure GIC SPI's, which
are all set during initialization to be level-sensitive.
Change-Id: I23deb4a0381691a686a3cda52405aa1dfd5e56f2
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Kostya Porotchkin <kostap@marvell.com>
Rename a8k_common.h to armada_common.h to keep the same header
name across all other Marvell Armada platforms.
This is especially useful since various Marvell platforms may
use common platform files and share the driver modules.
Change-Id: I7262105201123d54ccddef9aad4097518f1e38ef
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
When any of these functions is called the backtrace will be printed to
the console.
Change-Id: Id60842df824b320c485a9323ed6b80600f4ebe35
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.
The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.
The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.
Sample output of a backtrace at EL3:
BACKTRACE: START: function_name
0: EL3: 0x798
1: EL3: 0x538
2: EL3: 0x550
3: EL3: 0x55c
4: EL3: 0x568
5: EL3: 0x5a8
6: EL3: 0xf4
BACKTRACE: END: function_name
In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.
Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The C standard says that printf() has to return the number of characters
it has printed.
Change-Id: I0ef50b1d6766d140724ac0a2fa2c5d023431f984
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The codebase was using non-standard headers. It is needed to replace
them by the correct ones so that we can use the new libc headers.
Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Only leave the parts relevant to the Trusted Firmware.
Change-Id: I0444c16e402f6c1629211d03bf6cb32ca3dbcf59
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Taken from http://git.simple-cc.org/scc/ from the following commit:
67508ad14af314cea2229783d3c084f28c41daf0
Permission has been granted from the author to use them under the
license BSD-3-Clause instead of ISC.
Change-Id: I65c0ce3ab60c49d34a57533af12a74bd7bde88e5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove code specific to FreeBSD so that they can be used in this
repository.
Change-Id: I5c11eb5b3c05a7fb91aed08371a1f7a0e6122a94
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Remove all files that don't have only Arm copyright. This is the first
step to cleanup the C library in this repository. They will be re-added
in the following patches.
Change-Id: I72c40a1620d1df3228fc397ec695d569a20245fd
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I707dbec9b34b802397e99da2f5ae738165d6feba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I76cacf6e1d73b09510561b5090c2bb66d81bec88
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code are also fixed.
No functional changes.
Change-Id: I19786070af7bc5e1f6d15bdba93e22a4451d8fe9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These changes address most of the required MISRA rules. In the process,
some from generic code is also fixed.
No functional changes.
Change-Id: I6235a355e006f0b1c7c1c4d811b3964a64d0434f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.
This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.
Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html
Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The translation library is useful elsewhere. Even though this repository
doesn't exercise the EL2 support of the library, it is better to have it
here as well to make it easier to maintain.
enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
functions are still present, but they are behind ERROR_DEPRECATED and
they call the new functions enable_mmu_svc_mon() and
enable_mmu_direct_svc_mon().
Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Migrate dw_mmc driver from emmc framework to mmc framework. The
emmc framework will be abandoned.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
mmc_read_blocks()/mmc_write_blocks() derived from io_block_ops_t
type. It means that lba param should be integer type, not
unsigned integer type.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Changed the names for consistency with the rest of the library. Introduced
new helpers that manipulate the active translation tables context.
Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..
Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF won't build since no memory region is specified
for when SEPARATE_CODE_AND_RODATA=0 it still relies on
the ARM_MAP_BL_RO_DATA region which is never defined for
this case. Create memory region combining code and RO data for
when the build flag SEPARATE_CODE_AND_RODATA=0 to fix this
Change-Id: I6c129eb0833497710cce55e76b8908ce03e0a638
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This would enable us to write semantically sensible code.
Change-Id: Ie7c75f9c024f671a037448f5c0922174fff3f0ce
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Set the function pointers in the console struct and the functions
they point to to const since they only need to be defined when
the console is being initialised and should not be changed after
Change-Id: I0574307111e3ab2f13d1a4a74c3fa75532dfa4be
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The SGI platforms need to allocate memory for CPER buffers. These
platform buffers would be placed between the shared reserved memory
and the per cpu stack memory, thus the need to redefine stack base
pointer for these platforms. This patch allows each board in ARM
platform to define the PLAT_SP_IMAGE_STACK_BASE.
Change-Id: Ib5465448b860ab7ab0f645f7cb278a67acce7be9
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Include arm_spm_def.h in the platform_def.h file. Without this
inclusion, we get build errors like
In file included from services/std_svc/spm/sp_setup.c:12:0:
services/std_svc/spm/sp_setup.c: In function 'spm_sp_setup':
services/std_svc/spm/sp_setup.c:61:57: error: 'PLAT_SPM_BUF_BASE'
undeclared (first use in this function)
write_ctx_reg(get_gpregs_ctx(ctx), CTX_GPREG_X0, PLAT_SPM_BUF_BASE);
Now that the platform_def.h includes arm_spm_def.h, remove inclusion
of platform_def.h in arm_spm_def.h to remove the circular dependency.
Change-Id: I5225c8ca33fd8d288849524395e436c3d56daf17
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Those device tree files are taken from STM32MP1 U-Boot and Linux.
And they are updated to fit TF-A needs.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
The DDR driver is under dual license, BSD and GPLv2.
The configuration parameters are taken from device tree.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
If a PMIC companion chip is present on board, it has to be configured
for regulators supplies.
This check is done with board DT configuration.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
The management of pinctrl nodes of device tree is also added.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
The clock driver is under dual license, BSD and GPLv2.
The clock driver uses device tree, so a minimal support for this is added.
The required files for driver and DTS files are in include/dt-bindings/.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
STM32MP1 is a microprocessor designed by STMicroelectronics,
based on a dual Arm Cortex-A7.
It is an Armv7-A platform, using dedicated code from TF-A.
STM32MP1 uses BL2 compiled with BL2_AT_EL3.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Change arm_setup_page_tables() to take a variable number of memory
regions. Remove coherent memory region from BL1, BL2 and BL2U as
their coherent memory region doesn't contain anything and
therefore has a size of 0. Add check to ensure this
doesn't change without us knowing.
Change-Id: I790054e3b20b056dda1043a4a67bd7ac2d6a3bc0
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This also gets rid of MISRA violations for Rule 8.3 and 8.4.
Change-Id: I45bba011b16f90953dd4b260fcd58381f978eedc
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
BL2U is running out of stack during firmware update. Increase
stack size to prevent this
Change-Id: I9b1a4e237a00172c6738c84b455b3878ab184cb8
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Add missing parentheses to fix MISRA C-2012 Rule 12.1.
Also, the result of a comparison is an essentially boolean value, it
isn't needed to return 1 or 0 depending on it.
Also, fix header guards (MISRA C-2012 Rule 21.1).
Change-Id: I90c0bcdeb2787c1ca659fc9a981808ece7958de3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
utils_def.h already has U() and ULL(), but not UL(), which is needed for
types like uinptr_t and u_register_t.
Also added L() and LL() for signed values.
Change-Id: I0654df80d57149ff49507c52f1b27f3d500486a0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Uncontainable errors are the most severe form of errors, which typically
mean that the system state can't be trusted any more. This further means
that normal error recovery process can't be followed, and an orderly
shutdown of the system is often desirable.
This patch allows for the platform to define a handler for Uncontainable
errors received. Due to the nature of Uncontainable error, the handler
is expected to initiate an orderly shutdown of the system, and therefore
is not expected to return. A default implementation is added which falls
back to platform unhandled exception.
Also fix ras_arch.h header guards.
Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add common Marvell ARMADA platform components.
This patch also includes common components for Marvell
ARMADA 8K platforms.
Change-Id: I42192fdc6525a42e46b3ac2ad63c83db9bcbfeaf
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add i2c driver for A8K SoC family.
Change-Id: I5932b2fce286d84fc3ad5a74c4c456001faa3196
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add thermal driver for A8K SoC family.
The termal unit data is used by Marvell DRAM initialization
code for optimizing the memory controller configuration
Change-Id: Iad92689fa6e4224a89d872e9aa015393abd9cf73
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add LLC (L3) cache management drivers for Marvell SoCs
AP806, AP807 and AP810
Change-Id: Ic70710f9bc5b6b48395d62212df7011e2fbb5894
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add ModularChip and MCI drivers for A8K SoC family.
ModularChip drivers include support for the internal building
blocks of Marvell ARMADA SoCs - APN806, APN807 and CP110
Change-Id: I9559343788fa2e5eb47e6384a4a7d47408787c02
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add address decoding unit drivers for Marvell SoCs.
Address decoding flow and address translation units chart
are located at docs/marvell/misc/mvebu-a8k-addr-map.txt
Change-Id: Id6ce311fa1f4f112df3adfac5d20449f495f71ed
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Define the values as unsigned int or unsigned long long based on the
actual size of the register. This prevents subtle issues caused by
having a type that is too small. For example:
#define OPTION_ENABLE 0x3
#define OPTION_SHIFT 32
uint64_t mask = OPTION_ENABLE << OPTION_SHIFT;
Because OPTION_ENABLE fits in an int, the value is considered an int.
This means that, after shifting it 32 places to the left, the final
result is 0. The correct way to define the values is:
#define OPTION_ENABLE ULL(0x3)
#define OPTION_SHIFT U(32)
In this case, the compiler is forced to use a 64 bit value from the
start, so shifting it 32 places to the left results in the expected
value.
Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This library can be used in other projects. All comments that talk about
the Trusted Firmware should be talking about the library itself.
Change-Id: I3b98d42f7132be72c1f8a4900acfaa78dbd2daa2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This allows other parts of the code to reuse it. No functional changes.
Change-Id: Ib052ae235c422d9179958bd3016c3e678779ae9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Most registers are 64-bit wide, even in AArch32 mode:
- MAIR_ELx is equivalent to MAIR0 and MAIR1.
- TTBR is 64 bit in both AArch64 and AArch32.
The only difference is the TCR register, which is 32 bit in AArch32 and
in EL3 in AArch64. For consistency with the rest of ELs in AArch64, it
makes sense to also have it as a 64-bit value.
Change-Id: I2274d66a28876702e7085df5f8aad0e7ec139da9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Exception Level is now detected at runtime. This means that it is not
needed to hardcode the EL used by each image.
This doesn't result in a substantial increase of the image size because
the initialization functions that aren't used are garbage-collected by
the linker.
In AArch32 the current EL has been changed from EL3 to EL1 because the
the AArch32 PL1&0 translation regime behaves more like the AArch64 EL1&0
translation regime than the EL3 one.
Change-Id: I941404299ebe7666ca17619207c923b49a55cb73
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Even if the log output is too low for a message to be printed out on
the console by the debug macros, it should still be evaluated by the
compiler to get some type checking and validation of the format
specifiers. To do so, introduce the no_tf_log() macro that encloses
the call to tf_log() in an always-false condition.
This avoids the problem of discovering build issues only when we build
the firmware with the right LOG_LEVEL value.
Change-Id: Ic0fd252ab691d0187fd925756a4837aca1cbfd7b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The ARM_INSTANTIATE_LOCK macro defines a lock meant to be further
manipulated using the arm_lock_init/get/release() macros. It has 2
variants, depending on the BL image it is compiled for. One version
defines the lock variable with internal linkage whereas the other one,
with external linkage.
Code that uses these macros is not compliant with MISRA rule 8.4 because
when using the external linkage version, there is no visible declaration
for the lock variable.
This patch defines the arm_lock variable with internal linkage in both
cases. This fits well the way these macros are used in the code today,
where the lock is not used outside of the translation unit it is
defined in.
Change-Id: I213a74a2a6088a4f1e9a61a319ca7579c2001320
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This check was added to ensure the correct behaviour of fill_constants
macro. This macro has been verified and it is known his correct
behaviour. The check generates an error when the clang assembler is
used, so it is better to remove the check.
Change-Id: I3447ff9e9e5ee5cf0502f65e53c3d105d9396b8b
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This directive is not implemented by clang assembler. The traditional
way to implement structs in assembly is using two macros for every field,
one for the offset, and another one for the size. For every field, the
offset can be calculated using the size and offset of the previous field.
Change-Id: Iacc6781e8f302fb925898737b8e85ab4e88a51cc
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.
This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.
Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
These directives are only used when stabs debugging information
is used, but we use ELF which uses DWARF debugging information.
Clang assembler doesn't support these directives, and removing
them makes the code more compatible with clang.
Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Clang linker doesn't support NEXT. As we are not using the MEMORY command
to define discontinuous memory for the output file in any of the linker
scripts, ALIGN and NEXT are equivalent.
Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32
Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This change is largely based on existing eMMC framework by Haojian Zhuang
(@hzhuang1).
The MMC framework supports both eMMC and SD card devices. It was
written as a new framework since breaking few eMMC framework APIs.
At card probe and after the reset to idle command (CMD0), a Send
Interface Condition Command is sent (CMD8) to distinguish between
eMMC and SD card devices. eMMC devices go through the same
sequence as in the former eMMC framework. Else the framework
uses commands dedicated to SD-cards for init or frequency switch.
A structure is created to share info with the driver. It stores:
- the MMC type (eMMC, SD or SD HC)
- the device size
- the max frequency supported by the device
- the block size: 512 for eMMC and SD-HC and read from CSD
structure for older SD-cards
Restriction to align buffers on block size has been removed.
Cache maintenance was removed and is expected to be done in the platform
or device driver.
The MMC framework includes some MISRA compliance coding style
maybe not yet ported in the existing eMMC framework.
FixesARM-software/tf-issues#597
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Casting a pointer to a struct uuid into a pointer to uint32_t may
result in a pointer that is not correctly aligned, which constitutes
an undefined behaviour. In the case of TF, this also generates a data
abort because alignment fault checking is enabled (through the SCTLR.A
bit).
This patch modifies the SMC_UUID_RET() macro to read the uuid
structure without any pointer aliasing. A helper function then
combines every set of 4 bytes into a 32-bit value suitable to be
returned through the x0-x3 registers.
This fixes a violation of MISRA rule 11.3.
Change-Id: I53ee73bb4cb332f4d8286055ceceb6f347caa080
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Instead of having one big file with all the code, it's better to have
a few smaller files that are more manageable:
- xlat_tables_core.c: Code related to the core functionality of the
library (map and unmap regions, initialize xlat context).
- xlat_tables_context.c: Instantiation of the active image context
as well as APIs to manipulate it.
- xlat_tables_utils.c: Helper code that isn't part of the core
functionality (change attributes, debug print messages).
Change-Id: I3ea956fc1afd7473c0bb5e7c6aab3b2e5d88c711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
At present, the function provided by the translation library to enable
MMU constructs appropriate values for translation library, and programs
them to the right registers. The construction of initial values,
however, is only required once as both the primary and secondaries
program the same values.
Additionally, the MMU-enabling function is written in C, which means
there's an active stack at the time of enabling MMU. On some systems,
like Arm DynamIQ, having active stack while enabling MMU during warm
boot might lead to coherency problems.
This patch addresses both the above problems by:
- Splitting the MMU-enabling function into two: one that sets up
values to be programmed into the registers, and another one that
takes the pre-computed values and writes to the appropriate
registers. With this, the primary effectively calls both functions
to have the MMU enabled, but secondaries only need to call the
latter.
- Rewriting the function that enables MMU in assembly so that it
doesn't use stack.
This patch fixes a bunch of MISRA issues on the way.
Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The meaning of them wasn't clear in the header file, it was needed to
search the code for the places where they are used.
Add parentheses to macros in the same header.
Change-Id: I700bc0fd75ccfc0a34f439cb3b2692861bb73b9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This is to fix a number of Coverity Scan DEADCODE defects, CID numbers
listed below, as reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 267023
CID 267022
CID 267020
Change-Id: I2963a799b210149e84ccab5c5b9082267ddfe337
Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
The values defined in this type are used in logical operations, which
goes against MISRA Rule 10.1: "Operands shall not be of an inappropriate
essential type".
Now, `unsigned int` is used instead. This also allows us to move the
dynamic mapping bit from 30 to 31. It was an undefined behaviour in the
past because an enum is signed by default, and bit 31 corresponds to the
sign bit. It is undefined behaviour to modify the sign bit. Now, bit 31
is free to use as it was originally meant to be.
mmap_attr_t is now defined as an `unsigned int` for backwards
compatibility.
Change-Id: I6b31218c14b9c7fdabebe432de7fae6e90a97f34
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch introduces setjmp() and ongjmp() primitives to enable
standard setjmp/longjmp style execution. Both APIs parameters take a
pointer to struct jmpbuf type, which hosts CPU registers saved/restored
during jump.
As per the standard usage:
- setjmp() return 0 when a jump is setup; and a non-zero value when
returning from jump.
- The caller of setjmp() must not return, or otherwise update stack
pointer since.
Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
It may be needed to enter the Secure Partition through other means than
an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting
the necessary code from mm_communicate() and allowing other parts of the
code to use it.
Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase
frame of the system timer. ARM ARM states that "The instance of
the register in the CNTCTLBase frame must be programmed with this
value as part of system initialization."
The psci_arch_setup() updates the CNTFRQ system register but
according to the ARM ARM, this instance of the register is
independent of the memory mapped instance. This is only an issue
for Normal world software which relies on the memory mapped
instance rather than the system register one.
This patch resolves the issue for ARM platforms.
The patch also solves a related issue on Juno, wherein
CNTBaseN.CNTFRQ can be written and does not reflect the value of
the register in CNTCTLBase frame. Hence this patch additionally
updates CNTFRQ register in the Non Secure frame of the CNTBaseN.
FixesARM-Software/tf-issues#593
Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size reserved for BL2 has been increased.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Having these definitions in board_arm_def.h forces to
all the arm platforms to use the same definition for
PLAT_ARM_MEM_PROT_ADDR.
This macro also enables the mem-protect mechanism,
which means that all the arm platform has enabled
mem-protect and they cannot get rid of it.
Change-Id: Id29d2c51cbe6edc15f010a9f5a20c42266c48a08
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
When applying some MISRA rules, lots of issues are raised with BIT macro
on AARCH32, and cast on uint32_t would be required (Rule 10.3).
The macros BIT_32 and BIT_64 are then created for 32bit and 64bit.
Then the BIT macro defaults on BIT_64 on AARCH64,
and on BIT_32 on AARCH32.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Import GENMASK_32 and GENMASK_64 macros from optee-os (permissive license).
And default GENMASK is set to GENMASK_32 for AARCH32,
and to GENMASK_64 for 64bit arch.
fixesarm-software/tf-issues#596
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.
Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
The translation tables allocated for the Secure Partition do not need
to be treated as a special case. They can be put amongst the other
tables mapping BL31's general purpose memory. They will be mapped with
the same attributes as them, which is fine.
The explicit alignment constraint in BL31's linker script to pad the
last page of memory allocated to the Secure Partition's translation
tables is useless too, as page tables are per se pages, thus their
end address is naturally aligned on a page-boundary.
In fact, this patch does not change the existing behaviour. Since
patch 22282bb68a ("SPM: Move all SP-related info to SP context
struct"), the secure_partition.c file has been renamed into sp_xlat.c
but the linker script has not been properly updated. As a result, the
SP translation tables are not specifically put at the start of the
xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__
symbols have the same value, the size of the resulting mmap_region
covering these xlat tables is 0 and so it is ignored.
Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The function xlat_arch_is_granule_size_supported() can be used to check
if a specific granule size is supported. In Armv8, AArch32 only supports
4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the
implementation, which is detected at runtime.
The function xlat_arch_get_max_supported_granule_size() returns the max
granule size supported by the implementation.
Even though right now they are only used by SPM, they may be useful in
other places in the future. This patch moves the code currently in SPM
to the xlat tables lib so that it can be reused.
Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Use a _ prefix for Macro arguments to prevent that argument from
hiding variables of the same name in the outer scope
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Conflict with function name and variable name within that function.
Change the name of the function from image_size to get_image_size
to remove conflict and make the function fit the normal project
naming convention.
Rule 5.3: An identifier declared in an inner scope shall not
hide an identifier declared in an outer scope
Fixed For:
make LOG_LEVEL=50 PLAT=fvp
Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
On TI platforms the UART is disabled by default and must be explicitly
enabled using the MDR1 register.
NOTE: The original definition of
http://www.ti.com/lit/ds/symlink/pc16550d.pdf has no MDR register, but
many TI SoCs implementing 16550 do have a quirky MDR register
implemented. So, this should be enabled with TI_16550_MDR_QUIRK
NOTE: In such implementation, the CSR register does not exist.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Move all information related to a Secure Partition to the struct
secure_partition_context_t.
This requires an in-depth refactor because most of the previous code of
SPM relied on global information.
Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function can be currently accessed through the wrappers
cm_init_context_by_index() and cm_init_my_context(). However, they only
work on contexts that are associated to a CPU.
By making this function public, it is possible to set up a context that
isn't associated to any CPU. For consistency, it has been renamed to
cm_setup_context().
Change-Id: Ib2146105abc8137bab08745a8adb30ca2c4cedf4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
The config files are placeholders and do not have any useful bindings
defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
if SPD=tspd. The load address of these configs are specified in tb_fw_config
via new bindings defined for these configs. Currently, in FVP, the
soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
and ARM_SHARED_RAM. This memory was typically used for BL32 when
ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
space anymore, it should be safe to use this memory for these configs.
There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
that this overlap doesn't happen.
The previous arm_dyn_get_hwconfig_info() is modified to accept configs
other than hw_config and hence renamed to arm_dyn_get_config_load_info().
The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
BL2_BASE.
Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.
Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds capability to FVP to disable authentication dynamically
via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
the TB_FW_CONFIG for the `disable_auth` property and invokes the
`load_dyn_disable_auth()` API to disable authentication if the
property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
FVP as it is a development platform. Note that the TB_FW_CONFIG has to
be authenticated by BL1 irrespective of these settings.
The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
rather than in bl2_platform_setup() as we need to get the value of
`disable_auth` property prior to authentication of any image by BL2.
Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
In 'console_set_scope' and when registering a console, field 'flags' of
'console_t' is assigned a 32-bit value. However, when it is actually
used, the functions perform 64-bit reads to access its value. This patch
changes all 64-bit reads to 32-bit reads.
Change-Id: I181349371409e60065335f078857946fa3c32dc1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This reverts commit 2f18aa1fa3.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>
The bounds check in ARM_CASSERT_MMAP does not take into account the
array sentinel in plat_arm_mmap. This commit fixes this, and adds an
additional check to ensure the number of entries in the array is
within the bounds of PLAT_ARM_MMAP_ENTRIES.
Change-Id: Ie6df10c0aa0890d62826bc3224ad7b3e36fd53e2
Signed-off-by: Chris Kay <chris.kay@arm.com>
There are three calls to mmap_add_region() that always occur in
arm_setup_page_tables(), and two further calls based on whether coherent
memory is enabled, and whether SPM is enabled in BL31.
This commit adapts the ARM_BL_REGIONS definition to match the number of
calls made inside arm_setup_page_tables() so that the MAX_MMAP_REGIONS
is realigned with what is actually occurring.
Change-Id: I7adc05951abccf2cbd5c86280eb874911e6a1566
Signed-off-by: Chris Kay <chris.kay@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size of BL31 has been increased in builds with SPM.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the multi console driver, allowing to register the same console more
than once may result in an infinte loop when putc is called.
If, for example, a boot message is trying to be printed, but the
consoles in the loop in the linked list are runtime consoles, putc will
iterate forever looking for a console that can print boot messages (or
a NULL pointer that will never come).
This loop in the linked list can occur after restoring the system from a
system suspend. The boot console is registered during the cold boot in
BL31, but the runtime console is registered even in the warm boot path.
Consoles are always added to the start of the linked list when they are
registered, so this it what should happen if they were actually
different structures:
console_list -> NULL
console_list -> BOOT -> NULL
console_list -> RUNTIME -> BOOT -> NULL
console_list -> RUNTIME -> RUNTIME -> BOOT -> NULL
In practice, the two runtime consoles are the same one, so they create
this loop:
console_list -> RUNTIME -. X -> BOOT -> NULL
^ |
`----'
This patch adds an assertion to detect this problem. The assertion will
fail whenever the same structure tries to be registered while being on
the list.
In order to assert this, console_is_registered() has been implemented.
It returns 1 if the specified console is registered, 0 if not.
Change-Id: I922485e743775ca9bd1af9cbd491ddd360526a6d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When TF is compiled for aarch32 MAX_VIRT_ADDR_SPACE_SIZE is 2^32 in some cases,
which makes the test (size) <= MAX_VIRT_ADDR_SPACE_SIZE a tautology because
uintptr_t is a 32 bit value. The cast remove the warning for clang.
Change-Id: I1345f3400f8fbbe4ffd3caa990a90e7ba593dba5
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
- Assign 0x10 for RAS exceptions on ARM platforms, and install
EHF priority descriptor.
- Call the common RAS initialisation from ARM BL31 setup.
- Add empty definitions for platform error records and RAS interrupts.
Change-Id: I0675f299b7840be4c83a9c7a81073a95c605dc90
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The ARMv8.4 RAS extensions introduce architectural support for software
to inject faults into the system in order to test fault-handling
software. This patch introduces the build option FAULT_HANDLING_SUPPORT
to allow for lower ELs to use registers in the Standard Error Record to
inject fault. The build option RAS_EXTENSIONS must also be enabled along
with fault injection.
This feature is intended for testing purposes only, and is advisable to
keep disabled for production images.
Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
EHF currently allows for registering interrupt handlers for a defined
priority ranges. This is primarily targeted at various EL3 dispatchers
to own ranges of secure interrupt priorities in order to delegate
execution to lower ELs.
The RAS support added by earlier patches necessitates registering
handlers based on interrupt number so that error handling agents shall
receive and handle specific Error Recovery or Fault Handling interrupts
at EL3.
This patch introduces a macro, RAS_INTERRUPTS() to declare an array of
interrupt numbers and handlers. Error handling agents can use this macro
to register handlers for individual RAS interrupts. The array is
expected to be sorted in the increasing order of interrupt numbers.
As part of RAS initialisation, the list of all RAS interrupts are sorted
based on their ID so that, given an interrupt, its handler can be looked
up with a simple binary search.
For an error handling agent that wants to handle a RAS interrupt,
platform must:
- Define PLAT_RAS_PRI to be the priority of all RAS exceptions.
- Enumerate interrupts to have the GIC driver program individual EL3
interrupts to the required priority range. This is required by EHF
even before this patch.
Documentation to follow.
Change-Id: I9471e4887ff541f8a7a63309e9cd8f771f76aeda
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previous patches added frameworks for handling RAS errors. This patch
introduces features that the platform can use to enumerate and iterate
RAS nodes:
- The REGISTER_RAS_NODES() can be used to expose an array of
ras_node_info_t structures. Each ras_node_info_t describes a RAS
node, along with handlers for probing the node for error, and if
did record an error, another handler to handle it.
- The macro for_each_ras_node() can be used to iterate over the
registered RAS nodes, probe for, and handle any errors.
The common platform EA handler has been amended using error handling
primitives introduced by both this and previous patches.
Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The ARMv8 RAS Extensions introduced Standard Error Records which are a
set of standard registers through which:
- Platform can configure RAS node policy; e.g., notification
mechanism;
- RAS nodes can record and expose error information for error handling
agents.
Standard Error Records can either be accessed via. memory-mapped
or System registers. This patch adds helper functions to access
registers and fields within an error record.
Change-Id: I6594ba799f4a1789d7b1e45b3e17fd40e7e0ba5c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.
This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.
With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.
When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, any External Abort routed to EL3 is reported as an unhandled
exception and cause a panic. This patch enables ARM Trusted Firmware to
handle External Aborts routed to EL3.
With this patch, when an External Abort is received at EL3, its handling
is delegated to plat_ea_handler() function. Platforms can provide their
own implementation of this function. This patch adds a weak definition
of the said function that prints out a message and just panics.
In order to support handling External Aborts at EL3, the build option
HANDLE_EA_EL3_FIRST must be set to 1.
Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
compilation; this patch fixes that too.
Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previously mem_protect used to be only supported from BL2. This is not
helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates
mem_protect from el3_runtime firmware on ARM Platforms specifically
when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent
in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap
tables temporarily and then the protected regions are then cleared. This
avoids the need to map the non secure DRAM permanently to BL31/sp_min.
The stack size is also increased, because DYNAMIC_XLAT_TABLES require
a bigger stack.
Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Since commit 031dbb1224 ("AArch32: Add essential Arch helpers"),
it is difficult to use consistent format strings for printf() family
between aarch32 and aarch64.
For example, uint64_t is defined as 'unsigned long long' for aarch32
and as 'unsigned long' for aarch64. Likewise, uintptr_t is defined
as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.
A problem typically arises when you use printf() in common code.
One solution could be, to cast the arguments to a type long enough
for both architectures. For example, if 'val' is uint64_t type,
like this:
printf("val = %llx\n", (unsigned long long)val);
Or, somebody may suggest to use a macro provided by <inttypes.h>,
like this:
printf("val = %" PRIx64 "\n", val);
But, both would make the code ugly.
The solution adopted in Linux kernel is to use the same typedefs for
all architectures. The fixed integer types in the kernel-space have
been unified into int-ll64, like follows:
typedef signed char int8_t;
typedef unsigned char uint8_t;
typedef signed short int16_t;
typedef unsigned short uint16_t;
typedef signed int int32_t;
typedef unsigned int uint32_t;
typedef signed long long int64_t;
typedef unsigned long long uint64_t;
[ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]
This gets along with the codebase shared between 32 bit and 64 bit,
with the data model called ILP32, LP64, respectively.
The width for primitive types is defined as follows:
ILP32 LP64
int 32 32
long 32 64
long long 64 64
pointer 32 64
'long long' is 64 bit for both, so it is used for defining uint64_t.
'long' has the same width as pointer, so for uintptr_t.
We still need an ifdef conditional for (s)size_t.
All 64 bit architectures use "unsigned long" size_t, and most 32 bit
architectures use "unsigned int" size_t. H8/300, S/390 are known as
exceptions; they use "unsigned long" size_t despite their architecture
is 32 bit.
One idea for simplification might be to define size_t as 'unsigned long'
across architectures, then forbid the use of "%z" string format.
However, this would cause a distortion between size_t and sizeof()
operator. We have unknowledge about the native type of sizeof(), so
we need a guess of it anyway. I want the following formula to always
return 1:
__builtin_types_compatible_p(size_t, typeof(sizeof(int)))
Fortunately, ARM is probably a majority case. As far as I know, all
32 bit ARM compilers use "unsigned int" size_t.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
u_register_t is preferred rather than uint64_t. This is more
consistent with the aarch32 implementation.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
According to the ARMv8 ARM issue C.a:
AP[1] is valid only for stage 1 of a translation regime that can
support two VA ranges. It is RES 1 when stage 1 translations can
support only one VA range.
This means that, even though this bit is ignored, it should be set to 1
in the EL3 and EL2 translation regimes.
For translation regimes consisting on EL0 and a higher regime this bit
selects between control at EL0 or at the higher Exception level. The
regimes that support two VA ranges are EL1&0 and EL2&0 (the later one
is only available since ARMv8.1).
This fix has to be applied to both versions of the translation tables
library.
Change-Id: If19aaf588551bac7aeb6e9a686cf0c2068e7c181
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Due to differences in the bitfields of the SMC IDs, it is not possible
to support SMCCC 1.X and 2.0 at the same time.
The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
option that specifies the major version of the SMCCC that the Trusted
Firmware supports. The only two allowed values are 1 and 2, and it
defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
Note: Support for SMCCC v2.0 is an experimental feature to enable
prototyping of secure partition specifications. Support for this
convention is disabled by default and could be removed without notice.
Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
Change-Id: Ie4cd6011b3e4fdcdd94ccb97a7e941f3b5b7aeb8
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers
Fixed for:
make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.5: An external object or function shall be declared
once in one and only one file.
Change-Id: I7c3d4ec7d3ba763fdb4600008ba10b4b93ecdfce
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
A fix for errata 843419 may be available in revision r0p4 of the
Cortex-A53 processor. The presence of the fix is determined by checking
bit 8 in the REVIDR register.
If the fix is present we report ERRATA_NOT_APPLIES which silences the
erroneous 'missing workaround' warning.
Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
This patch allows the ARM Platforms to specify the TZC regions to be
specified to the ARM TZC helpers in arm_tzc400.c and arm_tzc_dmc500.c.
If the regions are not specified then the default TZC region will be
configured by these helpers.
This override mechanism allows specifying special regions for TZMP1
usecase.
Signed-off-by: Summer Qin <summer.qin@arm.com>
Some low end platforms using DMC500 memory controller do not have
CCI(Cache Coherent Interconnect) interface and only have non-coherent
system interface support. Hence this patch makes the system interface
count configurable from the platforms.
Change-Id: I6d54c90eb72fd18026c6470c1f7fd26c59dc4b9a
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
For the adr instruction, it require the label's offset from the
address of this instruction must be in the range +/-1MB. If the
option "BL2_IN_XIP_MEM" is set to '1', in some cases, BL2's RW
memory will not in the range of +/-1MB from BL2's RO memory region.
so we need to use ldr instruction to cover this case.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
like BL1. In these use-cases, it is necessary to initialize the RW sections
in RAM, while leaving the RO sections in place. This patch enable this
use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
is only supported when BL2_AT_EL3 is 1.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Use the console_pl011_core_* functions directly in the crash console
callbacks.
This bypasses the MULTI_CONSOLE_API for the crash console (UART1), but
allows using the crash console before the C runtime has been initialized
(eg to call ASM_ASSERT). This retains backwards compatibility with respect
to functionality when the old API is used.
Use the MULTI_CONSOLE_API to register UART0 as the boot and runtime
console.
FixesARM-software/tf-issues#572
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.
Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
- Interrupt configuration is a 2-bit field, so the field shift has to
be double that of the bit number.
- Interrupt configuration (level- or edge-trigger) is specified in the
MSB of the field, not LSB.
Fixes applied to both GICv2 and GICv3 drivers.
FixesARM-software/tf-issues#570
Change-Id: Ia6ae6ed9ba9fb0e3eb0f921a833af48e365ba359
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add crash_console_init declaration to console.h
Only enable MULTI_CONSOLE_API for AArch64
FixesARM-software/tf-issues#571
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.
Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.
Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`,
return either:
* -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called
requires firmware mitigation for CVE-2017-5715 but the mitigation
is not compiled in.
* 0 to indicate that firmware mitigation is required, or
* 1 to indicate that no firmware mitigation is required.
This patch complies with v1.2 of the firmware interfaces
specification (ARM DEN 0070A).
Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A72 and A73.
Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch removes default platform implementations of sp_min
platform APIs from plat/common/aarch32/plat_common.c. The APIs
are now implemented in `plat_sp_min_common.c` file within the
same folder.
The ARM platform layer had a weak definition of sp_min_platform_setup2()
which conflicted with the weak definition in the common file. Hence this
patch fixes that by introducing a `plat_arm_` version of the API thus
allowing individual boards within ARM platforms to override it if they
wish to.
FixesARM-software/tf-issues#559
Change-Id: I11a74ecae8191878ccc7ea03f12bdd5ae88faba5
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Emit runtime warnings when intializing the GIC drivers using the
deprecated method of defining integer interrupt arrays in the GIC driver
data structures; interrupt_prop_t arrays should be used instead. This
helps platforms detect that they have migration work to do. Previously,
no warning was emitted in this case. This affects both the GICv2 and GICv3
drivers.
Also use the __deprecated attribute to emit a build time warning if these
deprecated fields are used. These warnings are suppressed in the GIC
driver compatibility functions but will be visible if platforms use them.
Change-Id: I6b6b8f6c3b4920c448b6dcb82fc18442cfdf6c7a
Signed-off-by: Dan Handley <dan.handley@arm.com>
For platforms that have not migrated to MULTI_CONSOLE_API == 1, there
are a lot of confusing deprecated declaration warnings relating to
use of console_init() and console_uninit(). Some of these relate to use
by the generic code, not the platform code. These functions are not really
deprecated but *removed* when MULTI_CONSOLE_API == 1.
This patch consolidates these warnings into a single preprocessor warning.
The __deprecated attribute is removed from the console_init() and
console_uninit() declarations.
For preprocessor warnings like this to not cause fatal build errors,
this patch adds -Wno-error=cpp to the build flags when
ERROR_DEPRECATED == 0.
This option (and -Wno-error=deprecated-declarations) is now added to
CPPFLAGS instead of TF_CFLAGS to ensure the build flags are used in the
assembler as well as the compiler.
This patch also disentangles the MULTI_CONSOLE_API and ERROR_DEPRECATED
build flags by defaulting MULTI_CONSOLE_API to 0 instead of
ERROR_DEPRECATED. This allows platforms that have not migrated to
MULTI_CONSOLE_API to use ERROR_DEPRECATED == 1 to emit a more meaningful
build error.
Finally, this patch bans use of MULTI_CONSOLE_API == 1 and AARCH32, since
the AArch32 console implementation does not support
MULTI_CONSOLE_API == 1.
Change-Id: If762165ddcb90c28aa7a4951aba70cb15c2b709c
Signed-off-by: Dan Handley <dan.handley@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=juno LOG_LEVEL=50 all
Change-Id: Ic8f611da734f356566e8208053296e6c62b54709
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Fixed for:
make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I48201c9ef022f6bd42ea8644529afce70f9b3f22
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.4: A compatible declaration shall be visible when
an object or function with external linkage is defined.
Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Rule 8.3: All declarations of an object or function shall
use the same names and type qualifiers.
Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
MISRA C-2012 Rule 7.3 violation: lowercase l shall not be used as literal suffixes.
This patch resolves this for the ULL() macro by using ULL suffix instead
of the ull suffix.
Change-Id: Ia8183c399e74677e676956e8653e82375d0e0a01
Signed-off-by: David Cunado <david.cunado@arm.com>
When a Yielding SMC is preempted, it's possible that Non-secure world is
resumed afterwards. In this case, Non-secure execution would find itself
in a state where the SMC has returned. However, the dispatcher might not
get an opportunity to populate the corrected return code for having
been preempted, and therefore the caller of the Yielding SMC cannot
reliably determine whether the SMC had successfully completed or had
been preempted.
To solve this, this patch introduces a new parameter to the
ehf_allow_ns_preemption() API. An SPD, through this parameter, would
provide the expected error code when a Yielding SMC is preempted. EHF
can then populate the specified value in x0 of the Non-secure context so
that the caller of the Yielding SMC correctly identifies the SMC return
as a preemption.
Documentation updates to follow.
Change-Id: Ia9c3f8f03f9d72d81aa235eaae2ee0374b972e1e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch also fixes the assumption that the counters are disabled on
the resume path. This is incorrect as the AMU counters are enabled
early in the CPU reset function before `cpuamu_context_restore()`
runs.
Change-Id: I38a94eb166a523f00de18e86860434ffccff2131
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch also fixes `cpuamu_write_cpuamcntenclr_el0()` to use an MSR
instruction instead of an MRS instruction.
Change-Id: Ia6531f64b5ebc60ba432124eaa8d8eaccba40ed0
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Implement helpers to test if the core supports SPE/SVE. We have a
similar helper for AMU and this patch makes all extensions consistent
in their implementation.
Change-Id: I3e6f7522535ca358259ad142550b19fcb883ca67
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
When the MMU is enabled and the translation tables are mapped, data
read/writes to the translation tables are made using the attributes
specified in the translation tables themselves. However, the MMU
performs table walks with the attributes specified in TCR_ELx. They are
completely independent, so special care has to be taken to make sure
that they are the same.
This has to be done manually because it is not practical to have a test
in the code. Such a test would need to know the virtual memory region
that contains the translation tables and check that for all of the
tables the attributes match the ones in TCR_ELx. As the tables may not
even be mapped at all, this isn't a test that can be made generic.
The flags used by enable_mmu_xxx() have been moved to the same header
where the functions are.
Also, some comments in the linker scripts related to the translation
tables have been fixed.
Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The patch adds the necessary changes to load HW_CONFIG in BL2 for
ARM Platforms :
1. The load address of HW_CONFIG is specified via the `hw_config_addr`
property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size`
property defines the maximum size to be expected for the HW_CONFIG.
The `arm_dyn_cfg_helpers.c` and corresponding header implements
utility functions to parse these DT properties defined.
The `arm_dyn_cfg.c` implements wrappers to these helpers to enable
them to be invoked from ARM platform layer.
2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is
the list of images to be loaded by BL2.
3. The `libfdt` sources are now included when BL2 is built
4. A new helper `populate_next_bl_params_config()` is introduced in
desc_image_load.c to populate the subsequent executable BL images
with the `hw_config` and the corresponding `fw_config` if available.
The `plat_get_next_bl_params()` API for ARM platforms is modified to
invoke this new helper.
5. The implementation of `bl2_early_platform_setup2()` is modified to
consider `arg0` as well in addition to `arg1` passed from BL1.
6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt.
Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch modifies the bl1_platform_setup() API to load and authenticate
TB_FW_CONFIG in BL1. The load address of the same is passed on to BL2 in
`arg0` of entrypoint info. The fvp_io_storage.c and arm_io_storage.c also
adds entries corresponding to TB_FW_CONFIG. A helper function
`arm_load_tb_fw_config()` is added to load and authenticate TB_FW_CONFIG
if present.
Change-Id: Ie7bce667b3fad2b1a083bbcbc0a773f9f04254b1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The `bl1_init_bl2_mem_layout()` API is now deprecated. The default weak
implementation of `bl1_plat_handle_post_image_load()` calculates the
BL2 memory layout and populates the same in x1(r1). This ensures
compatibility for the deprecated API.
Change-Id: Id44bdc1f572dc42ee6ceef4036b3a46803689315
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch migrates the ARM Standard platforms to the new BL
handover interface. The arm_blx_early_platform_setup() functions
are also modified to take in 4 arguments. The `ARM_BL31_PLAT_PARAM_VAL`
value passed to BL31 from BL2 is now in arg3 in preparation of dynamic
configuration arguments.
Change-Id: I33e8e61325a19e7a7127b1ff203c3b86921bf153
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch introduces a new BL handover interface. It essentially allows
passing 4 arguments between the different BL stages. Effort has been made
so as to be compatible with the previous handover interface. The previous
blx_early_platform_setup() platform API is now deprecated and the new
blx_early_platform_setup2() variant is introduced. The weak compatiblity
implementation for the new API is done in the `plat_bl_common.c` file.
Some of the new arguments in the new API will be reserved for generic
code use when dynamic configuration support is implemented. Otherwise
the other registers are available for platform use.
Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds image IDs to `hw_config` and `tb_fw_config` and
includes them in the default Chain Of Trust (CoT).
Change-Id: If7bb3e9be8a5e48be76614b35bf43d58fc7fed12
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch updates the `fiptool` and `cert_create` for the
`hw_config` and `tb_fw_config` dynamic configuration files.
The necessary UUIDs and OIDs are assigned to these files and
the `cert_create` is updated to generate appropriate hashes
and include them in the "Trusted Boot FW Certificate". The
`fiptool` is updated to allow the configs to be specified
via cmdline and included in the generated FIP.
Change-Id: I940e751a49621ae681d14e162aa1f5697eb0cb15
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds an argument to bl1_plat_post/pre_image_load() APIs
to make it more future proof. The default implementation of
these are moved to `plat_bl1_common.c` file.
These APIs are now invoked appropriately in the FWU code path prior
to or post image loading by BL1 and are not restricted
to LOAD_IMAGE_V2.
The patch also reorganizes some common platform files. The previous
`plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
merged into a new `plat_bl_common.c` file.
NOTE: The addition of an argument to the above mentioned platform APIs
is not expected to have a great impact because these APIs were only
recently added and are unlikely to be used.
Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Hynix ufs has deviations on hi36xx platform which will result
in ufs bursts transfer failures at a very low probability.
To fix the problem, the Hynix device must set the register
VS_DebugSaveConfigTime to 0x10, which will set time reference
for SaveConfigTime is 250 ns. The time reference for SaveConfigTime
is 40 ns by default.
Signed-off-by: fengbaopeng <fengbaopeng@hisilicon.com>
According to the SMC Calling Convention (ARM DEN0028B):
The Unknown SMC Function Identifier is a sign-extended value of
(-1) that is returned in R0, W0 or X0 register.
The value wasn't sign-extended because it was defined as a 32-bit
unsigned value (0xFFFFFFFF).
SMC_PREEMPT has been redefined as -2 for the same reason.
NOTE: This might be a compatibility break for some AArch64 platforms
that don't follow the previous version of the SMCCC (ARM DEN0028A)
correctly. That document specifies that only the bottom 32 bits of the
returned value must be checked. If a platform relies on the top 32 bits
of the result being 0 (so that SMC_UNK is 0x00000000FFFFFFFF), it will
have to fix its code to comply with the SMCCC.
Change-Id: I7f7b109f6b30c114fe570aa0ead3c335383cb54d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When ARM Trusted Firmware is built with EL3_EXCEPTION_HANDLING=1,
EL3 interrupts (INTR_TYPE_EL3) will always preempt both Non-secure and
secure execution.
The interrupt management framework currently treats EL3 interrupt
routing as valid. For the above reason, this patch makes them invalid
when EL3_EXCEPTION_HANDLING is in effect.
Change-Id: I95bca8f5dc8df8eb0ff6f305cfba098611522a39
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add 'lr_svc' as a boot parameter in AArch32 bl1. This is used by Optee
and Trusty to get the non-secure entry point on AArch32 platforms.
This change is not ported in AArch64 mode where the BL31, not BL32,
is in charge of booting the non secure image (BL33).
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
These APIs are used by platforms that need to decompress images.
image_decompress_init():
This registers a temporary buffer and a decompressor callback.
This should be called from platform init code.
image_decompress_prepare():
This should be called before each compressed image is loaded. The
best location to call this will be bl*_plat_handle_pre_image_load().
image_decompress():
This should be called after each compressed image is loaded. The
best location to call this will be bl*_plat_handle_post_image_load().
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Just like bl2_, add pre/post image load handlers for BL1. No argument
is needed since BL2 is the only image loaded by BL1.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
There are cases where we need to manipulate image information before
the load. For example, for decompressing data, we cannot load the
compressed images to their final destination. Instead, we need to
load them to the temporary buffer for the decompressor.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This commit adds some more files to use zlib from TF.
To use zlib, ->zalloc and ->zfree hooks are needed. The implementation
depends on the system. For user-space, the libc provides malloc() and
friends. Unfortunately, ARM Trusted Firmware does not provide malloc()
or any concept of dynamic memory allocation.
I implemented very simple calloc() and free() for this. Stupidly,
zfree() never frees memory, but it works enough for this.
The purpose of using zlib is to implement gunzip() - this function
takes compressed data from in_buf, then dumps the decompressed data
to oub_buf. The work_buf is used for memory allocation during the
decompress. Upon exit, it updates in_buf and out_buf. If successful,
in_buf points to the end of input data, out_buf to the end of the
decompressed data.
To use this feature, you need to do:
- include lib/zlib/zlib.mk from your platform.mk
- add $(ZLIB_SOURCES) to your BL*_SOURCES
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Add amu_context_save() and amu_context_restore() functions for aarch32
Change-Id: I4df83d447adeaa9d9f203e16dc5a919ffc04d87a
Signed-off-by: Joel Hutton <joel.hutton@arm.com>
In the initial implementation of this workaround we used a dedicated
workaround context to save/restore state. This patch reduces the
footprint as no additional context is needed.
Additionally, this patch reduces the memory loads and stores by 20%,
reduces the instruction count and exploits static branch prediction to
optimize the SMC path.
Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
SMCCC v1.1 comes with a relaxed calling convention for AArch64
callers. The caller only needs to save x0-x3 before doing an SMC
call.
This patch adds support for SMCCC_VERSION and SMCCC_ARCH_FEATURES.
Refer to "Firmware Interfaces for mitigating CVE_2017_5715 System
Software on Arm Systems"[0] for more information.
[0] https://developer.arm.com/-/media/developer/pdf/ARM%20DEN%200070A%20Firmware%20interfaces%20for%20mitigating%20CVE-2017-5715_V1.0.pdf
Change-Id: If5b1c55c17d6c5c7cb9c2c3ed355d3a91cdad0a9
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The current div_round_up() implementation relies on round_up() which
only works correctly for boundaries that are a power of 2. It is
documented as such, but this still seems dangerously easy to overlook,
especially since many other environments (e.g. the Linux kernel) have a
similar macro without these limitations.
There is a different way to calculate this that can deal with all kinds
of divisors without other drawbacks, so let's just use that instead.
Change-Id: Id382736683f5d4e880ef00c53cfa23a2f9208440
Signed-off-by: Julius Werner <jwerner@chromium.org>
The secure_partition_boot_info_t structure is used to communicate boot
parameters with the StandaloneMM code executing at S-EL0 through a
shared buffer. Certain data types used for members of this structure
are opaque with their size depending on the toolchain being used.
Declare the members of the structure with explicit width based data
types, which would maintain compatibility across toolchains.
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
coreboot supports an in-memory console to store firmware logs even when
no serial console is available. It is widely supported by
coreboot-compatible bootloaders (including SeaBIOS and GRUB) and can be
read by the Linux kernel.
This patch allows BL31 to add its own log messages to this console. The
driver will be registered automatically if coreboot support is compiled
in and detects the presence of a console buffer in the coreboot tables.
Change-Id: I31254dfa0c2fdeb7454634134b5707b4b4154907
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch adds the foundation for a platform-independent coreboot
support library that can be shared by all platforms that boot BL31 from
coreboot (acting as BL2). It adds code to parse the "coreboot table", a
data structure that coreboot uses to communicate different kinds of
information to later-stage firmware and certain OS drivers.
As a first small use case for this information, allow platforms to
access the serial console configuration used by coreboot, removing the
need to hardcode base address and divisors and allowing Trusted Firmware
to benefit from coreboot's user configuration (e.g. which UART to pick
and which baud rate to use).
Change-Id: I2bfb39cd2609ce6640b844ab68df6c9ae3f28e9e
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the Cadence CDNS console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: I2ef8fb0d6ab72696997db1e0243a533499569d6b
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the ARM PL011 console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: Ic34e4158addbb0c5fae500c9cff899c05a4f4206
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch updates the TI 16550 console driver to support the new
console API. The driver will continue to support the old API as well by
checking the MULTI_CONSOLE_API compile-time flag.
Change-Id: I60a44b7ba3c35c74561824c04b8dbe3e3039324c
Signed-off-by: Julius Werner <jwerner@chromium.org>
A per-cpu vbar is installed that implements the workaround by
invalidating the branch target buffer (BTB) directly in the case of A9
and A17 and indirectly by invalidating the icache in the case of A15.
For Cortex A57 and A72 there is currently no workaround implemented
when EL3 is in AArch32 mode so report it as missing.
For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
no changes since there is currently no upstream AArch32 EL3 support
for these CPUs.
Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch introduces two workarounds for ARMv7 systems. The
workarounds need to be applied prior to any `branch` instruction in
secure world. This is achieved using a custom vector table where each
entry is an `add sp, sp, #1` instruction.
On entry to monitor mode, once the sequence of `ADD` instructions is
executed, the branch target buffer (BTB) is invalidated. The bottom
bits of `SP` are then used to decode the exception entry type.
A side effect of this change is that the exception vectors are
installed before the CPU specific reset function. This is now
consistent with how it is done on AArch64.
Note, on AArch32 systems, the exception vectors are typically tightly
integrated with the secure payload (e.g. the Trusted OS). This
workaround will need porting to each secure payload that requires it.
The patch to modify the AArch32 per-cpu vbar to the corresponding
workaround vector table according to the CPU type will be done in a
later patch.
Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch change the name of the section containing the functions
defined in assembly files from text.* to text.asm.*. This change
makes possible to select in the linker script the functions
defined in those files.
Change-Id: If35e44ef1b43ffd951dfac5e052db75d7198e2e0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch add supports for the new API added for BL2 at EL3 for
FVP. We don't have a non-TF Boot ROM for FVP, but this option can be
tested setting specific parameters in the model.
The bl2 image is loaded directly in memory instead of being loaded
by a non-TF Boot ROM and the reset address is changed:
--data cluster0.cpu0=bl2.bin@0x4001000
-C cluster0.cpu0.RVBAR=0x4001000
These parameters mean that in the cold boot path the processor will
jump to BL2 again. For this reason, BL2 is loaded in dram in this
case, to avoid other images reclaiming BL2 memory.
Change-Id: Ieb2ff8535a9e67ccebcd8c2212cad366e7776422
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1. This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.
Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Add some macros according to JEDEC Standard Embedded Multi-Media
Card (eMMC) Electrical Standard (5.1)": Table 145 - Bus Mode
Selection.
Change-Id: Iaa45e0582653ef4290efd60d039f0bdc420eeb47
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
typedef mem_region_t mem_region_t;
... seems to work because they belong to different name-spaces,
but humans are confused even if compilers are not.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
On some build configurations BL31 is running out of space. Now that
TSP is moved to secure dram, we have a bit of additional space to use
in BL31.
Change-Id: Ib89fcd8bae99c85c9c5e5d9228bb42fb7048dcb6
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Signed-off-by: David Cunado <david.cunado@arm.com>
On some systems, the AMU counters might reset to 0 when a CPU
powerdown happens. This behaviour conflicts with the intended
use-case of AMU as lower ELs are only expected to see non-decreasing
counter values.
Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Add some AMU helper functions to allow configuring, reading and
writing of the Group 0 and Group 1 counters. Documentation for these
helpers will come in a separate patch.
Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
group 1 counters should be enabled. The maximum number of group 1
counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
If the platform does not define this mask, no group 1 counters are
enabled.
A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
generic code to allocate an array to save and restore the counters on
CPU suspend.
Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The suspend hook is published at the start of a CPU powerdown
operation. The resume hook is published at the end of a CPU powerup
operation.
Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A75.
Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.
This is achieved by using 3 vector tables. There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround. The
additional tables are `vbar0` and `vbar1`.
The sequence of events for handling a single exception is
as follows:
1) Install vector table `vbar0` which saves the CPU context on entry
to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
with the MMU disabled and I$ enabled. This is the default vector table.
2) Before doing an ERET into Secure-EL1, switch vbar to point to
another vector table `vbar1`. This is required to restore EL3 state
when returning from the workaround, before proceeding with normal EL3
exception handling.
3) While in Secure-EL1, the `BPIALL` instruction is executed and an
SMC call back to EL3 is performed.
4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
restored. The vbar is switched to point to `vbar0` in preparation to
handle further exceptions. Finally a branch to the runtime vector
table entry is taken to complete the handling of the original
exception.
This workaround is enabled by default on the affected CPUs.
NOTE
====
There are 4 different stubs in Secure-EL1. Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError. Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.
Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
and enabling the MMU. To achieve this without performing any branch
instruction, a per-cpu vbar is installed which executes the workaround
and then branches off to the corresponding vector entry in the main
vector table. A side effect of this change is that the main vbar is
configured before any reset handling. This is to allow the per-cpu
reset function to override the vbar setting.
This workaround is enabled by default on the affected CPUs.
Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Rename SP_VERSION macros to MM_VERSION, which is the name used in the MM
specification [1]. Also, a few more helper macros have been added.
MM-specific definitions have been moved to their own header file.
[1] http://infocenter.arm.com/help/topic/com.arm.doc.den0060a/DEN0060A_ARM_MM_Interface_Specification.pdf
Change-Id: Ia10e48c7e81a7a1f5eeca29a5270cae740a4a88a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds support to receive function ID with NS world's
memory ranges to provide the memory snapshot to TLK.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
To allow BL31 to grow in SRAM, move TSP in TZC secured DRAM
by default.
Increase the BL31 max limit by one page.
Change-Id: Idd3479be02f0f9bafac2f275376d7db0c2015431
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
With this patch, ARM platforms are expected to define the macros
PLAT_ARM_SDEI_PRIVATE_EVENTS and PLAT_ARM_SDEI_SHARED_EVENTS as a list
of private and shared events, respectively. This allows for individual
platforms to define their own events.
Change-Id: I66851fdcbff83fd9568c2777ade9eb12df284b49
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch overhauls the console API to allow for multiple console
instances of different drivers that are active at the same time. Instead
of binding to well-known function names (like console_core_init),
consoles now provide a register function (e.g. console_16550_register())
that will hook them into the list of active consoles. All console
operations will be dispatched to all consoles currently in the list.
The new API will be selected by the build-time option MULTI_CONSOLE_API,
which defaults to ${ERROR_DEPRECATED} for now. The old console API code
will be retained to stay backwards-compatible to older platforms, but
should no longer be used for any newly added platforms and can hopefully
be removed at some point in the future.
The new console API is intended to be used for both normal (bootup) and
crash use cases, freeing platforms of the need to set up the crash
console separately. Consoles can be individually configured to be active
active at boot (until first handoff to EL2), at runtime (after first
handoff to EL2), and/or after a crash. Console drivers should set a sane
default upon registration that can be overridden with the
console_set_scope() call. Code to hook up the crash reporting mechanism
to this framework will be added with a later patch.
This patch only affects AArch64, but the new API could easily be ported
to AArch32 as well if desired.
Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
Signed-off-by: Julius Werner <jwerner@chromium.org>
In assembly code it can be useful to have a constant for the width of a
register in the current architecture, so this patch adds one to
<utils_def.h> and replaces the existing custom one in crash_reporting.S
with that. It also fixes up the BIT() macro in the same file so that it
can be safely used in assembly code.
Change-Id: I10513a311f3379e767396e6ddfbae8d2d8201464
Signed-off-by: Julius Werner <jwerner@chromium.org>
A new platform define, `PLAT_SP_IMAGE_XLAT_SECTION_NAME`, has been
introduced to select the section where the translation tables used by
the S-EL1/S-EL0 are placed.
This define has been used to move the translation tables to DRAM secured
by TrustZone.
Most of the extra needed space in BL31 when SPM is enabled is due to the
large size of the translation tables. By moving them to this memory
region we can save 44 KiB.
A new argument has been added to REGISTER_XLAT_CONTEXT2() to specify the
region where the translation tables have to be placed by the linker.
Change-Id: Ia81709b4227cb8c92601f0caf258f624c0467719
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously the cache flush happened in 2 different places in code
depending on whether TRUSTED_BOARD_BOOT is enabled or not. This
patch unifies this code path for both the cases. The `load_image()`
function is now made an internal static function.
Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The defines have been renamed to match the names used in the
documentation.
Change-Id: I2f18b65112d2db040a89d5a8522e9790c3e21628
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.
If SVE is implemented, EL3 will do the following:
- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
- Exit from Non-secure world: SIMD, FP and SVE functionality is
disabled. As SIMD and FP registers are part of the SVE Z-registers
then any use of SIMD / FP functionality would corrupt the SVE
registers.
The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.
This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.
Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.
Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: David Cunado <david.cunado@arm.com>
This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :
1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
the BL31 memory is empty when built for AArch32. Hence this patch allocates
BL32 to the memory region occupied by BL31 for AArch32 builds.
As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
be used to control the load address of BL32 in AArch32 mode which was
never the intention of the macro anyway.
2. A static assert is added to sp_min linker script to check that the progbits
are within the bounds expected when overlaid with other images.
3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
involved when building Juno for AArch32 mode, the build option SPD needed to
specifed. This patch corrects this and also updates the documentation in the
user-guide.
4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
a result the previous assumption that BL31 must be always present is removed
and the certificates for BL31 is only generated if `NEED_BL31` is defined.
Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
When defining different sections in linker scripts it is needed to align
them to multiples of the page size. In most linker scripts this is done
by aligning to the hardcoded value 4096 instead of PAGE_SIZE.
This may be confusing when taking a look at all the codebase, as 4096
is used in some parts that aren't meant to be a multiple of the page
size.
Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The `ENABLE_AMU` build option can be used to enable the
architecturally defined AMU counters. At present, there is no support
for the auxiliary counter group.
Change-Id: Ifc7532ef836f83e629f2a146739ab61e75c4abc8
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The `ENABLE_AMU` build option can be used to enable the
architecturally defined AMU counters. At present, there is no support
for the auxiliary counter group.
Change-Id: I7ea0c0a00327f463199d1b0a481f01dadb09d312
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The Cortex A75 has 5 AMU counters. The first three counters are fixed
and the remaining two are programmable.
A new build option is introduced, `ENABLE_AMU`. When set, the fixed
counters will be enabled for use by lower ELs. The programmable
counters are currently disabled.
Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
The flag support the following values:
- sha256 (default)
- sha384
- sha512
Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
Factor out SPE operations in a separate file. Use the publish
subscribe framework to drain the SPE buffers before entering secure
world. Additionally, enable SPE before entering normal world.
A side effect of this change is that the profiling buffers are now
only drained when a transition from normal world to secure world
happens. Previously they were drained also on return from secure
world, which is unnecessary as SPE is not supported in S-EL1.
Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Register count is currently declared as unsigned, where as there are
asserts in place to check it being negative during unregister. These are
flagged as never being true.
Change-Id: I34f00f0ac5bf88205791e9c1298a175dababe7c8
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
If an implementation of ARMv8.2 includes ARMv8.2-LPA, the value 0b0110
is permitted in ID_AA64MMFR0_EL1.PARange, which means that the Physical
Address range supported is 52 bits (4 PiB). It is a reserved value
otherwise.
Change-Id: Ie0147218e9650aa09f0034a9ee03c1cca8db908a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The FPEXC32_EL2 register controls SIMD and FP functionality when the
lower ELs are executing in AArch32 mode. It is architecturally mapped
to AArch32 system register FPEXC.
This patch removes FPEXC32_EL2 register from the System Register context
and adds it to the floating-point context. EL3 only saves / restores the
floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1.
The rationale for this change is that if the Secure world is using FP
functionality and EL3 is not managing the FP context, then the Secure
world will save / restore the appropriate FP registers.
NOTE - this is a break in behaviour in the unlikely case that
CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32
Secure Payload that modifies FPEXC, but does not save and restore
this register
Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184
Signed-off-by: David Cunado <david.cunado@arm.com>
This allows for other EL3 components to schedule an SDEI event dispatch
to Normal world upon the next ERET. The API usage constrains are set out
in the SDEI dispatcher documentation.
Documentation to follow.
Change-Id: Id534bae0fd85afc94523490098c81f85c4e8f019
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Support SDEI on ARM platforms using frameworks implemented in earlier
patches by defining and exporting SDEI events: this patch defines the
standard event 0, and a handful of shared and private dynamic events.
Change-Id: I9d3d92a92cff646b8cc55eabda78e140deaa24e1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Define number of priority bits, and allocate priority levels for SDEI.
Change-Id: Ib6bb6c5c09397f7caef950c4caed5a737b3d4112
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Provide a strong definition for plat_sdei_validate_sdei_entrypoint()
which translates client address to Physical Address, and then validating
the address to be present in DRAM.
Change-Id: Ib93eb66b413d638aa5524d1b3de36aa16d38ea11
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The function arm_validate_ns_entrypoint() validates a given non-secure
physical address. This function however specifically returns PSCI error
codes.
Non-secure physical address validation is potentially useful across ARM
platforms, even for non-PSCI use cases. Therefore make this function
common by returning 0 for success or -1 otherwise.
Having made the function common, make arm_validate_psci_entrypoint() a
wrapper around arm_validate_ns_entrypoint() which only translates return
value into PSCI error codes. This wrapper is now used where
arm_validate_ns_entrypoint() was currently used for PSCI entry point
validation.
Change-Id: Ic781fc3105d6d199fd8f53f01aba5baea0ebc310
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The implementation currently supports only interrupt-based SDEI events,
and supports all interfaces as defined by SDEI specification version
1.0 [1].
Introduce the build option SDEI_SUPPORT to include SDEI dispatcher in
BL31.
Update user guide and porting guide. SDEI documentation to follow.
[1] http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
Change-Id: I758b733084e4ea3b27ac77d0259705565842241a
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
On GICv3 systems, as a side effect of adding provision to handle EL3
interrupts (unconditionally routing FIQs to EL3), pending Non-secure
interrupts (signalled as FIQs) may preempt execution in lower Secure ELs
[1]. This will inadvertently disrupt the semantics of Fast SMC
(previously called Atomic SMC) calls.
To retain semantics of Fast SMCs, the GIC PMR must be programmed to
prevent Non-secure interrupts from preempting Secure execution. To that
effect, two new functions in the Exception Handling Framework subscribe
to events introduced in an earlier commit:
- Upon 'cm_exited_normal_world', the Non-secure PMR is stashed, and
the PMR is programmed to the highest Non-secure interrupt priority.
- Upon 'cm_entering_normal_world', the previously stashed Non-secure
PMR is restored.
The above sequence however prevents Yielding SMCs from being preempted
by Non-secure interrupts as intended. To facilitate this, the public API
exc_allow_ns_preemption() is introduced that programs the PMR to the
original Non-secure PMR value. Another API
exc_is_ns_preemption_allowed() is also introduced to check if
exc_allow_ns_preemption() had been called previously.
API documentation to follow.
[1] On GICv2 systems, this isn't a problem as, unlike GICv3, pending NS
IRQs during Secure execution are signalled as IRQs, which aren't
routed to EL3.
Change-Id: Ief96b162b0067179b1012332cd991ee1b3051dd0
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
EHF is a framework that allows dispatching of EL3 interrupts to their
respective handlers in EL3.
This framework facilitates the firmware-first error handling policy in
which asynchronous exceptions may be routed to EL3. Such exceptions may
be handed over to respective exception handlers. Individual handlers
might further delegate exception handling to lower ELs.
The framework associates the delegated execution to lower ELs with a
priority value. For interrupts, this corresponds to the priorities
programmed in GIC; for other types of exceptions, viz. SErrors or
Synchronous External Aborts, individual dispatchers shall explicitly
associate delegation to a secure priority. In order to prevent lower
priority interrupts from preempting higher priority execution, the
framework provides helpers to control preemption by virtue of
programming Priority Mask register in the interrupt controller.
This commit allows for handling interrupts targeted at EL3. Exception
handlers own interrupts by assigning them a range of secure priorities,
and registering handlers for each priority range it owns.
Support for exception handling in BL31 image is enabled by setting the
build option EL3_EXCEPTION_HANDLING=1.
Documentation to follow.
NOTE: The framework assumes the priority scheme supported by platform
interrupt controller is compliant with that of ARM GIC architecture (v2
or later).
Change-Id: I7224337e4cea47c6ca7d7a4ca22a3716939f7e42
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Acknowledging interrupt shall return a raw value from the interrupt
controller in which the actual interrupt ID may be encoded. Add a
platform API to extract the actual interrupt ID from the raw value
obtained from interrupt controller.
Document the new function. Also clarify the semantics of interrupt
acknowledge.
Change-Id: I818dad7be47661658b16f9807877d259eb127405
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This initial port of the Secure Partitions Manager to FVP supports BL31
in both SRAM and Trusted DRAM.
A document with instructions to build the SPM has been added.
Change-Id: I4ea83ff0a659be77f2cd72eaf2302cdf8ba98b32
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:
- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.
A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.
The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:
- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
Secure Partition.
- Implementing a well defined interface that is used by the normal world
and other secure services for accessing the services exported by a
Secure Partition.
- Implementing a well defined interface that is used by a Secure
Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
Partition to fulfil a service request.
Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This function can be useful to setup TCR_ELx by callers that don't use
the translation tables library to setup the system registers related
to them. By making it common, it can be reused whenever it is needed
without duplicating code.
Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some SoCs integrate a GIC in version 1 that is currently not supported
by the trusted firmware. This change hijacks GICv2 driver to handle the
GICv1 as GICv1 is compatible enough with GICv2 as far as the platform
does not attempt to play with virtualization support or some GICv2
specific power features.
Note that current trusted firmware does not use these GICv2 features
that are not available in GICv1 Security Extension.
Change-Id: Ic2cb3055f1319a83455571d6d918661da583f179
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
ARMv7-A Virtualization extensions brings new instructions and resources
that were supported by later architectures. Reference ARM ARM Issue C.c
[DDI0406C_C].
ERET and extended MSR/MRS instructions, as specified in [DDI0406C_C] in
ID_PFR1 description of bits[15:12] (Virtualization Extensions):
A value of 0b0001 implies implementation of the HVC, ERET, MRS
(Banked register), and MSR (Banked register) instructions. The ID_ISARs
do not identify whether these instructions are implemented.
UDIV/SDIV were introduced with the Virtualization extensions, even if
not strictly related to the virtualization extensions.
If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_VIRTUALIZATION to enable virtualization
extension related resources.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
As Cortex-A9 needs to manually enable program flow prediction,
do not reset SCTLR[Z] at entry. Platform should enable it only
once MMU is enabled.
Change-Id: I34e1ee2da73221903f7767f23bc6fc10ad01e3de
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
These macros are only defined for corresponding image,
and they are undefined for other images. It means that we have
to use ifdef or defined() instead of relying on being 0 by default.
Change-Id: Iad11efab9830ddf471599b46286e1c56581ef5a7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Change sizeof call so it references a static type instead of return of
a function in order to be MISRA compliant.
Change-Id: I6f1adb206073d6cd200156e281b8d76249e3af0e
Signed-off-by: Joel Hutton <joel.hutton@arm.com>
Add events that trigger before entry to normal/secure world. The
events trigger after the normal/secure context has been restored.
Similarly add events that trigger after leaving normal/secure world.
The events trigger after the normal/secure context has been saved.
Change-Id: I1b48a7ea005d56b1f25e2b5313d77e67d2f02bc5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For Trusted Board Boot, BL2 needs more space to support the ECDSA
and ECDSA+RSA algorithms.
Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
These hooks are intended to allow one platform to try load
images from alternative places. There is a hook to initialize
the sequence of boot locations and a hook to pass to the next
sequence.
Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This allows other EL3 components to subscribe to CPU on events.
Update Firmware Design guide to list psci_cpu_on_finish as an available
event.
Change-Id: Ida774afe0f9cdce4021933fcc33a9527ba7aaae2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This light-weight framework enables some EL3 components to publish
events which other EL3 components can subscribe to. Publisher can
optionally pass opaque data for subscribers. The order in which
subscribers are called is not defined.
Firmware design updated.
Change-Id: I24a3a70b2b1dedcb1f73cf48313818aebf75ebb6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The implementation is the same as those used to disable it in EL3.
Change-Id: Ibfe7e69034a691fbf57477c5a76a8cdca28f6b26
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a new API in the translation tables library
(v2), that allows to change the memory attributes of a memory
region. It may be used to change its execution permissions and
data access permissions.
As a prerequisite, the memory must be already mapped. Moreover, it
must be mapped at the finest granularity (currently 4 KB).
Change-Id: I242a8c6f0f3ef2b0a81a61e28706540462faca3c
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a new API in the translation tables library
(v2), that allows to query the memory attributes of a memory block
or a memory page.
Change-Id: I45a8b39a53da39e7617cbac4bff5658dc1b20a11
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously, in AArch32, `IMAGE_XLAT_DEFAULT_REGIME` wasn't defined. The
translation regime is only used in the AArch64 port of the translation
tables library v2, so this is not a problem for now, but future patches
will use it.
`IMAGE_EL` isn't used in AArch32, so it isn't needed to define it.
Change-Id: I4acdb01a58658956ab94bd82ed5b7fee1aa6ba90
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The GIC driver initialization currently allows an array of interrupts to
be configured as secure. Future use cases would require more interrupt
configuration other than just security, such as priority.
This patch introduces a new interrupt property array as part of both
GICv2 and GICv3 driver data. The platform can populate the array with
interrupt numbers and respective properties. The corresponding driver
initialization iterates through the array, and applies interrupt
configuration as required.
This capability, and the current way of supplying array (or arrays, in
case of GICv3) of secure interrupts, are however mutually exclusive.
Henceforth, the platform should supply either:
- A list of interrupts to be mapped as secure (the current way).
Platforms that do this will continue working as they were. With this
patch, this scheme is deprecated.
- A list of interrupt properties (properties include interrupt group).
Individual interrupt properties are specified via. descriptors of
type 'interrupt_prop_desc_t', which can be populated with the macro
INTR_PROP_DESC().
A run time assert checks that the platform doesn't specify both.
Henceforth the old scheme of providing list of secure interrupts is
deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
that the interrupt properties are supplied instead of an array of secure
interrupts.
Add a section to firmware design about configuring secure interrupts.
FixesARM-software/tf-issues#262
Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The helpers perform read-modify-write on GIC*_ICFGR registers, but don't
serialise callers. Any serialisation must be taken care of by the
callers.
Change-Id: I71995f82ff2c7f70d37af0ede30d6ee18682fd3f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
An earlier patch added provision for the platform to provide secure
interrupt properties. ARM platforms already has a list of interrupts
that fall into different secure groups.
This patch defines macros that enumerate interrupt properties in the
same fashion, and points the driver driver data to a list of interrupt
properties rather than list of secure interrupts on ARM platforms. The
deprecated interrupt list definitions are however retained to support
legacy builds.
Configuration applied to individual interrupts remain unchanged, so no
runtime behaviour change expected.
NOTE: Platforms that use the arm/common function
plat_arm_gic_driver_init() must replace their PLAT_ARM_G1S_IRQS and
PLAT_ARM_G0_IRQS macro definitions with PLAT_ARM_G1S_IRQ_PROPS and
PLAT_ARM_G0_IRQ_PROPS macros respectively, using the provided
INTR_PROP_DESC macro.
Change-Id: I24d643b83e3333753a3ba97d4b6fb71e16bb0952
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
SPIs can be routed to either a specific PE, or to any one of all
available PEs.
API documentation updated.
Change-Id: I28675f634568aaf4ea1aa8aa7ebf25b419a963ed
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The back end GIC driver converts and assigns the interrupt type to
suitable group.
For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which
determines to which type Group 0 interrupts maps to.
- When the build option is set 0 (the default), Group 0 interrupts are
meant for Secure EL1. This is presently the case.
- Otherwise, Group 0 interrupts are meant for EL3. This means the SPD
will have to synchronously hand over the interrupt to Secure EL1.
The query API allows the platform to query whether the platform supports
interrupts of a given type.
API documentation updated.
Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
These APIs allow the GIC implementation to categorize interrupt numbers
into SPIs, PPIs, and SGIs. The default implementations for GICv2 and
GICv3 follows interrupt numbering as specified by the ARM GIC
architecture.
API documentation updated.
Change-Id: Ia6aa379dc955994333232e6138f259535d4fa087
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The PE target mask is used to translate linear PE index (returned by
platform core position) to a bit mask used when targeting interrupts to
a PE, viz. when raising SGIs and routing SPIs.
The platform shall:
- Populate the driver data with a pointer to array that's to contain
per-PE target masks.
- Invoke the new driver API 'gicv2_set_pe_target_mask()' during
per-CPU initialization so that the driver populates the target mask
for that CPU.
Platforms that don't intend to target interrupts or raise SGIs need not
populate this.
Change-Id: Ic0db54da86915e9dccd82fff51479bc3c1fdc968
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Document the API in separate platform interrupt controller API document.
Change-Id: If18f208e10a8a243f5c59d226fcf48e985941949
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>