In debug builds, the TSP prints its image base address and size.
The base address displayed corresponds to the start address of the
read-only section, as defined in the linker script.
This patch changes this to use the BL32_BASE address instead, which is
the same address as __RO_START__ at the moment but has the advantage
to be independent of the linker symbols defined in the linker script
as well as the layout and order of the sections.
Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc
At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.
This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.
This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.
- When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
the read-only section still looks like this (padding omitted):
| ... |
+-------------------+
| Exception vectors |
+-------------------+
| Read-only data |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script provides the limits of the whole
read-only section.
- When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
read-only data are swapped, such that the code and exception
vectors are contiguous, followed by the read-only data. This
gives the following new layout (padding omitted):
| ... |
+-------------------+
| Read-only data |
+-------------------+
| Exception vectors |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script now exports 2 sets of addresses
instead: the limits of the code and the limits of the read-only
data. Refer to the Firmware Design guide for more details. This
provides platform code with a finer-grained view of the image
layout and allows it to map these 2 regions with the appropriate
access permissions.
Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
This patch introduces the round_up() and round_down() macros,
which round up (respectively down) a value to a given boundary.
The boundary must be a power of two.
Change-Id: I589dd1074aeb5ec730dd523b4ebf098d55a7e967
This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.
For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.
bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.
Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
This patch adds a new linker symbol in BL1's linker script named
'__BL1_ROM_END__', which marks the end of BL1's ROM content. This
covers BL1's code, read-only data and read-write data to relocate
in Trusted SRAM. The address of this new linker symbol is exported
to C code through the 'BL1_ROM_END' macro.
The section related to linker symbols in the Firmware Design guide
has been updated and improved.
Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
This patch introduces the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping
attributes in the translation table library to specify the
access permissions for instruction execution of a memory region.
These new attributes should be used only for normal, read-only
memory regions. For other types of memory, the translation table
library still enforces the following rules, regardless of the
MT_EXECUTE/MT_EXECUTE_NEVER attribute:
- Device memory is always marked as execute-never.
- Read-write normal memory is always marked as execute-never.
Change-Id: I8bd27800a8c1d8ac1559910caf4a4840cf25b8b0
This patch clarifies the mmap_desc() function by adding some comments
and reorganising its code. No functional change has been introduced.
Change-Id: I873493be17b4e60a89c1dc087dd908b425065401
This patch introduces the arm_setup_page_tables() function to
set up page tables on ARM platforms. It replaces the
arm_configure_mmu_elx() functions and does the same thing except
that it doesn't enable the MMU at the end. The idea is to reduce
the amount of per-EL code that is generated by the C preprocessor
by splitting the memory regions definitions and page tables creation
(which is generic) from the MMU enablement (which is the only per-EL
configuration).
As a consequence, the call to the enable_mmu_elx() function has been
moved up into the plat_arch_setup() hook. Any other ARM standard
platforms that use the functions `arm_configure_mmu_elx()` must be
updated.
Change-Id: I6f12a20ce4e5187b3849a8574aac841a136de83d
The per-cpu stacks should be aligned to the cache-line size and
the `declare_stack` helper in asm_macros.S macro assumed a
cache-line size of 64 bytes. The platform defines the cache-line
size via CACHE_WRITEBACK_GRANULE macro. This patch modifies
`declare_stack` helper macro to derive stack alignment from the
platform defined macro.
Change-Id: I1e1b00fc8806ecc88190ed169f4c8d3dd25fe95b
The legacy GIC driver assumes that the SGIs and PPIs are Group0 during
initialization. This is true if the driver is the first one to initialize
the GIC hardware after reset. But in some cases, earlier BL stages could
have already initialized the GIC hardware which means that SGI and PPI
configuration are not the expected reset values causing assertion failure
in `gicd_set_ipriorityr()`. This patch explicitly resets the SGI and PPI
to Group0 prior to their initialization in the driver. The same patch is
not done in the GICv2-only driver because unlike in the legacy driver,
`gicd_set_ipriorityr()` of GICv2 driver doesn't enforce this policy and
the appropriate group is set irrespective of the initial value.
FixesARM-software/tf-issues#396
Change-Id: I521d35caa37470ce542c796c2ba99716e4763105
With the introduction of commit `96103d5a`, the Certificate
Generation tool is not able to generate FWU certificate and
while doing so it does segmentation fault.
This happens because it is now required to pass non-volatile
counter values to the `cert_create` tool from the command line
for creating the trusted firmware certificates.
But in case of creating FWU certificate these counter values are not
being passed to the tool and as a consequence the `cert_create` tool
try to use the NULL argument and errors out with Segmentation fault.
This patch fixes this issue by providing a check before using the
command line argument passed in the case of `EXT_TYPE_NVCOUNTER`
certificate extension.
Change-Id: Ie17d0c1502b52aaa8500f3659c2da2448ab0347a
This patch enables optional PSCI functions `PSCI_STAT_COUNT` and
`PSCI_STAT_RESIDENCY` for ARM standard platforms. The optional platform
API 'translate_power_state_by_mpidr()' is implemented for the Juno
platform. 'validate_power_state()' on Juno downgrades PSCI CPU_SUSPEND
requests for the system power level to the cluster power level.
Hence, it is not suitable for validating the 'power_state' parameter
passed in a PSCI_STAT_COUNT/RESIDENCY call.
Change-Id: I9548322676fa468d22912392f2325c2a9f96e4d2
This patch adds following optional PSCI STAT functions:
- PSCI_STAT_RESIDENCY: This call returns the amount of time spent
in power_state in microseconds, by the node represented by the
`target_cpu` and the highest level of `power_state`.
- PSCI_STAT_COUNT: This call returns the number of times a
`power_state` has been used by the node represented by the
`target_cpu` and the highest power level of `power_state`.
These APIs provides residency statistics for power states that has
been used by the platform. They are implemented according to v1.0
of the PSCI specification.
By default this optional feature is disabled in the PSCI
implementation. To enable it, set the boolean flag
`ENABLE_PSCI_STAT` to 1. This also sets `ENABLE_PMF` to 1.
Change-Id: Ie62e9d37d6d416ccb1813acd7f616d1ddd3e8aff
This patch adds Performance Measurement Framework(PMF) in the
ARM Trusted Firmware. PMF is implemented as a library and the
SMC interface is provided through ARM SiP service.
The PMF provides capturing, storing, dumping and retrieving the
time-stamps, by enabling the development of services by different
providers, that can be easily integrated into ARM Trusted Firmware.
The PMF capture and retrieval APIs can also do appropriate cache
maintenance operations to the timestamp memory when the caller
indicates so.
`pmf_main.c` consists of core functions that implement service
registration, initialization, storing, dumping and retrieving
the time-stamp.
`pmf_smc.c` consists SMC handling for registered PMF services.
`pmf.h` consists of the macros that can be used by the PMF service
providers to register service and declare time-stamp functions.
`pmf_helpers.h` consists of internal macros that are used by `pmf.h`
By default this feature is disabled in the ARM trusted firmware.
To enable it set the boolean flag `ENABLE_PMF` to 1.
NOTE: The caller is responsible for specifying the appropriate cache
maintenance flags and for acquiring/releasing appropriate locks
before/after capturing/retrieving the time-stamps.
Change-Id: Ib45219ac07c2a81b9726ef6bd9c190cc55e81854
Add build time option 'cadence1' for ZYNQMP_CONSOLE to select the 2nd
UART available in the SoC.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
OPTEE to execute in aarch64 bit mode, set it accordingly
when execution transitions from EL3 to EL1
Change-Id: I59f2f940bdc1aac10543045b006a137d107ec95f
Signed-off-by: Ashutosh Singh <ashutosh.singh@arm.com>
In GICv3 mode, the non secure group1 interrupts are signalled via the
FIQ line in EL3. To support waking up from CPU_SUSPEND to standby on
these systems, EL3 should route FIQ to EL3 temporarily before wfi and
restore the original setting after resume. This patch makes this change
for the CSS platforms in the `css_cpu_standby` psci pm ops hook.
Change-Id: Ibf3295d16e2f08da490847c1457bc839e1bac144
NODE_IPI_APU is the node ID of APU's IPI device. If APU should be
woken-up on an IPI from FPD power down, this node shall be set as
the wake-up source upon suspend.
Signed-off-by: Mirela Simonovic <mirela.simonovic@aggios.com>
- Fix the function documentation.
Since commit 16948ae1, load_image() uses image IDs rather than image
names.
- Clarify the consequences of a null entry point argument.
- Slightly reorganize the code to remove an unnecessary 'if' statement.
Change-Id: Iebea3149a37f23d3b847a37a206ed23f7e8ec717
At the moment, the top Makefile specifies the options to pass to the
checkpatch script in order to check the coding style. The checkpatch
script also supports reading its options from a configuration file
rather than from the command line.
This patch makes use of this feature and moves the checkpatch options
out of the Makefile. This simplifies the Makefile and makes things
clearer.
This patch also adds some more checkpatch options:
--showfile
--ignore FILE_PATH_CHANGES
--ignore AVOID_EXTERNS
--ignore NEW_TYPEDEFS
--ignore VOLATILE
The rationale behind each of these options has been documented
in the configuration file.
Change-Id: I423e1abe5670c0f57046cbf705f89a8463898676
A production ROM with TBB enabled must have the ability to boot test software
before a real ROTPK is deployed (e.g. manufacturing mode). Previously the
function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed.
This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags`
parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK
in certificate is used without verifying against the platform value.
FixesARM-software/tf-issues#381
Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
Building TF with ERROR_DEPRECATED=1 fails because of a missing
semi-column. This patch fixes this syntax error.
Change-Id: I98515840ce74245b0a0215805f85c8e399094f68
* Move libfdt API headers to include/lib/libfdt
* Add libfdt.mk helper makefile
* Remove unused libfdt files
* Minor changes to fdt.h and libfdt.h to make them C99 compliant
Co-Authored-By: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: I425842c2b111dcd5fb6908cc698064de4f77220e
Exclude documentation files from the `make checkcodebase` target
(these files were already excluded from checkpatch).
Also exclude libfdt files to prepare for import of this library.
Change-Id: Iee597ed66494de2b11cf84096f771f1f04472d5b
* Move stdlib header files from include/stdlib to include/lib/stdlib for
consistency with other library headers.
* Fix checkpatch paths to continue excluding stdlib files.
* Create stdlib.mk to define the stdlib source files and include directories.
* Include stdlib.mk from the top level Makefile.
* Update stdlib header path in the fip_create Makefile.
* Update porting-guide.md with the new paths.
Change-Id: Ia92c2dc572e9efb54a783e306b5ceb2ce24d27fa
Replaced placeholder implementation of plat_set_nv_ctr for FVP
platforms by a working one.
On FVP, the mapping of region DEVICE2 has been changed from RO to RW
to prevent exceptions when writing to the NV counter, which is
contained in this region.
Change-Id: I56a49631432ce13905572378cbdf106f69c82f57
The system registers that are saved and restored in CPU context include
AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
AArch64-only (i.e. on hardware that does not implement AArch32, or at
least not at EL1 and higher ELs) platform leads to an exception. This patch
introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
include these AArch32 systems registers in the cpu context or not. By default
this build option is set to 1 to ensure compatibility. AArch64-only platforms
must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
verify this.
FixesARM-software/tf-issues#386
Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
As of commit e1ea9290bb, if the attributes of an inner memory region
are different than the outer region, new page tables are generated
regardless of how "restrictive" they are. This patch removes an
out-dated comment still referring to the old priority system based
on which attributes were more restrictive.
Change-Id: Ie7fc1629c90ea91fe50315145f6de2f3995e5e00
This patch adds ARM Cortex-A73 MPCore Processor support
in the CPU specific operations framework. It also includes
this support for the Base FVP port.
Change-Id: I0e26b594f2ec1d28eb815db9810c682e3885716d
Sandrine Bailleux
Soby Mathew
danh-arm
Yatharth Kochar
Soren Brinkmann
Ashutosh Singh
Jens Wiklander
David Wang
Mirela Simonovic
Antonio Nino Diaz