This patch fixes the name of the Cortex-ares errata function which was
previously named `cortex_a72_errata_report` which was an error.
Change-Id: Ia124df4628261021baa8d9a30308bc286d45712b
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch fixes an array overrun in CSS scmi driver if the
system power domain level is less than 2. This was reported from
https://scan.coverity.com/projects/arm-software-arm-trusted-firmware
CID 308492
Change-Id: I3a59c700490816718d20c71141281f19b2b7e7f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds experimental support for TBB to the HiKey960 board. To
build and test with TBB modify the uefi-tools project platforms.config
+ATF_BUILDFLAGS=TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 SAVE_KEYS=1 \
MBEDTLS_DIR=./mbedtls
Signed-off-by: Teddy Reed <teddy@casualhacking.io>
The AXP805 PMIC used with H6 is capable of shutting down the system.
Add support for using it to shut down the system power.
The original placeholder power off code is moved to A64 code, as it's
still TODO to implement PMIC operations for A64.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The OTT reference design of Allwinner H6 SoC uses an X-Powers AXP805
PMIC.
Add initial code for it.
Currently it's only detected.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Allwinner 64-bit SoCs all use the Mentor Graphics MI2CV I2C controller
core, with inverted clear quirk.
Add a glue driver for this.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The I2C controller on Allwinner SoCs after A31 has a inverted interrupt
clear flag, which needs to be written 1 (rather than 0 on Marvell SoCs
and old Allwinner SoCs) to clear.
Add such a quirk to mi2cv driver common code.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
As the ATF may need to do some power initialization on Allwinner
platform with AXP PMICs, call the PMIC setup code in BL31.
Stub of PMIC setup code is added, to prevent undefined reference.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The patch 7b56928 unified the FWU mechanism on FVP and Juno
platforms due to issues with MCC firmware not preserving the
NVFLAGS. With MCCv150 firmware, this issue is resolved. Also
writing to the NOR flash while executing from the same flash
in Bypass mode had some stability issues. Hence, since the
MCC firmware issue is resolved, this patch reverts to the
NVFLAGS mechanism to detect FWU. Also, with the introduction
of SDS (Shared Data Structure) by the SCP, the reset syndrome
needs to queried from the appropriate SDS field.
Change-Id: If9c08f1afaaa4fcf197f3186887068103855f554
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
Signed-off-by: Soby Mathew <Soby.Mathew@arm.com>
After introducing the Mbed TLS shared heap optimisation, reducing BL2
size by 3 pages didn't leave enough space for growth. We give 1 page
back to maximum BL2 size.
Change-Id: I4f05432f00b923693160f69a4e4ec310a37a2b16
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Adds an undocumented build option that enables non-secure access to
the PL011 UART1.
This allows a custom build where the UART can be used as a serial debug
port for WinDbg (or other debugger) connection.
This option is not documented in the user guide, as it is provided as a
convenience for Windows debugging, and not intended for general use.
In particular, enabling non-secure access to the UART might allow
a denial of service attack!
Change-Id: I4cd7d59c2cac897cc654ab5e1188ff031114ed3c
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Signed-off-by: Evan Lloyd <evan.lloyd@arm.com>
A cache flush is added in BL1, in Mbed TLS shared heap code. Thus, we
ensure that the heap info written to the DTB always gets written back to
memory. Hence, sharing this info with other images is guaranteed.
Change-Id: I0faada31fe7a83854cd5e2cf277ba519e3f050d5
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
In Mbed TLS shared heap code, an additional sanity check is introduced
in BL2. Currently, when BL2 shares heap with BL1, it expects the heap
info to be found in the DTB. If for any reason the DTB is missing, BL2
cannot have the heap address and, hence, Mbed TLS cannot proceed. So,
BL2 cannot continue executing and it will eventually crash. With this
change we ensure that if the DTB is missing BL2 will panic() instead of
having an unpredictable crash.
Change-Id: I3045ae43e54b7fe53f23e7c2d4d00e3477b6a446
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
This patch, firstly, makes the error messages consistent to how printed
strings are usually formatted. Secondly, it removes an unnecessary #if
directive.
Change-Id: Idbb8ef0070562634766b683ac65f8160c9d109e6
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The specification requires that, after wakeup from a CPU suspend, the
dispatcher must mask all events on the CPU. This patch adds the feature
to the SDEI dispatcher by subscribing to the PSCI suspend to power down
event, and masking all events on the PE.
Change-Id: I9fe1d1bc2a58379ba7bba953a8d8b275fc18902c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
If BL32 isn't present or it fails to initialize the current code prints
an error message in both debug and release builds. This is too verbose
for release builds, so it has been converted into a warning.
Also, it was missing a newline at the end of the message.
Change-Id: I91e18d5d5864dbb19d47ecd54f174d2d8c06296c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The Marvell A8K SoCs use the MI2CV IP core from Mentor Graphics, which
is also used by Allwinner.
As Mentor Graphics allows a lot of customization, the MI2CV in the two
SoC families are not compatible, and driver modifications are needed.
Extract the common code to a MI2CV driver.
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
The I2C controller found in Marvell A8K SoCs (and some older SoCs) mux
status and baudrate registers into the same address, however, it's a
vendor customization, and the original IP core by Mentor Graphics uses
two different addresses for the two registers.
Use anonymous union in the driver, in order to ease code sharing for
other SoC vendors that use this IP core (Allwinner SoCs that are newly
introduced to mainline ATF use this core).
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
With the current implementation, it's possible for a contender to
observe accesses in the Critical Section before acquiring or releasing
the lock. Insert fencing in the locking and release codes to prevent any
reorder.
FixesARM-software/tf-issues#609
Change-Id: I773b82aa41dd544a2d3dbacb9a4b42c9eb767bbb
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
'dmb ld' is not a recognized instruction for ARMv7. Since generic code
may use 'dmb ld', alias it to 'dmb' when building for ARMv7.
Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:
* By setting bit 11 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 9 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:
* By setting bit 18 (Disable speculative store buffering) of
`ACTLR_EL3`
* By setting bit 17 (Disable speculative memory disambiguation) of
`ACTLR_EL3`
Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.
Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The current functions to disable and enable Dynamic Code Optimizer
(DCO) assume that all denver cores are in the same cluster. They
ignore AFF1 field of the mpidr_el1 register, which leads to
incorect logical core id calculation.
This patch calls the platform handler, plat_my_core_pos(), to get
the logical core id to disable/enable DCO for the core.
Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>
Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds me to various maintainer activities in the ATF tree
associated with the NXP i.MX7 generally and WaARP7 in particular.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch describes the boot-flow and building of the WaRP7 TF-A port.
What it describes is booting and unsigned TF-A.
A very brief section has been added on signing BL2 which is in no-way
comprehensive. For a comprehensive description of the signing process try
the Boundary Devices blog on the matter.
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.
After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.
The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.
Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.
If the board has been set into secure mode, then only a signed binary can
be used to recover the board.
Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>
This patch adds entries to the mem params array for
- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID
BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.
In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.
[bod: squashing several patches from Rui, Jun and bod]
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Soby Mathew
Teddy Reed
Dimitris Papastamos
Jeenu Viswambharan
Icenowy Zheng
Sathees Balya
John Tsichritzis
Alexei Fedorov
Antonio Nino Diaz
Varun Wadekar
Bryan O'Donoghue
Jens Wiklander