This patch updates the user guide instructions for
RESET_TO_SP_MIN and RESET_TO_BL31 cases. The load
address for BL31 had to be updated because of increase
in code size. Also, information about PIE support when
RESET_TO_BL31=1 for FVP is added.
In the case of RESET_TO_SP_MIN, the RVBAR address
was wrong in the instruction. This is also corrected
in the patch.
Change-Id: I65fe6d28c5cf79bee0a11fbde320d49fcc1aacf5
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Crash reporting via the default consoles registered by MULTI_CONSOLE_API
has been broken since commit d35cc34 (Console: Use callee-saved
registers), which was introduced to allow console drivers written in C.
It's not really possible with the current crash reporting framework to
support console drivers in C, however we should make sure that the
existing assembly drivers that do support crash reporting continue to
work through the MULTI_CONSOLE_API.
This patch fixes the problem by creating custom console_putc() and
console_flush() implementations for the crash reporting case that do not
use the stack. Platforms that want to use this feature will have to link
plat/common/aarch64/crash_console_helpers.S explicitly.
Also update the documentation to better reflect the new reality (of this
being an option rather than the expected default for most platforms).
Change-Id: Id0c761e5e2fddaf25c277bc7b8ab603946ca73cb
Signed-off-by: Julius Werner <jwerner@chromium.org>
i.MX8MQ is new SOC of NXP's i.MX8M family based on
A53. It can provide industry-leading audio, voice
and video processing for applications that scale
from consumer home audio to industrial building
automation and mobile computers
this patchset add the basic supoort to boot up
the 4 X A53. more feature will be added later.
Signed-off-by: Bai Ping <ping.bai@nxp.com>
Add description for memory layouts used by EspressoBin v7 (DDR4)
Change-Id: I199d8b52580b26e560f14b503a6e99d32de4f284
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Reviewed-on: http://vgitil04.il.marvell.com:8080/61279
Reviewed-by: Stefan Chulski <stefanc@marvell.com>
Tested-by: iSoC Platform CI <ykjenk@marvell.com>
The default Raspberry Pi 3 memory mapping for ATF is geared towards
the use of uboot + Linux. This creates issues when trying to use
ATF with an UEFI payload and Windows on ARM64.
We therefore introduce new build option RPI3_USE_UEFI_MAP, that
enables the build process to use an alternate memory mapping that
is compatible with UEFI + Windows (as well as UEFI + Linux).
FixesARM-software/tf-issues#649
Signed-off-by: Pete Batard <pete@akeo.ie>
Add a dependency for building EL3 exception handling framework(EHF)
module with the secure partition manager(SPM).
The EHF module is needed for raising the core's running priority
before the core enters the secure partition, and lowering it
subsequently on exit from the secure partition.
Change-Id: Icbe2d0a63f00b46dc593ff3d86b676c9333506c3
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
Some OSes (e.g. Ubuntu 18.04 LTS on Raspberry Pi 3) may disable the
runtime UART in a manner that prevents the system from rebooting if
ATF tries to send runtime messages there.
Also, we don't want the firmware to share the UART with normal
world, as this can be a DoS attack vector into the secure world.
This patch fixes these 2 issues by introducing new build option
RPI3_RUNTIME_UART, that disables the runtime UART by default.
FixesARM-software/tf-issues#647
Signed-off-by: Pete Batard <pete@akeo.ie>
Xilinx is introducing Versal, an adaptive compute acceleration platform
(ACAP), built on 7nm FinFET process technology. Versal ACAPs combine Scalar
Processing Engines, Adaptable Hardware Engines, and Intelligent Engines with
leading-edge memory and interfacing technologies to deliver powerful
heterogeneous acceleration for any application. The Versal AI Core series has
five devices, offering 128 to 400 AI Engines. The series includes dual-core Arm
Cortex-A72 application processors, dual-core Arm Cortex-R5 real-time
processors, 256KB of on-chip memory with ECC, more than 1,900 DSP engines
optimized for high-precision floating point with low latency.
This patch adds Virtual QEMU platform support for
this SoC "versal_virt".
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
This option allows the Trusted Firmware to directly jump to Linux
kernel for aarch32 without the need of an intermediate loader such
as U-Boot.
Similar to AArch64 ARM_LINUX_KERNEL_AS_BL33 only available with
RESET_TO_SP_MIN=1 as well as BL33 and DTB are preloaded in memory.
Change-Id: I908bc1633696be1caad0ce2f099c34215c8e0633
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Platforms that wish to use the sample functions have to add the file to
their Makefile. It is not included by default.
Change-Id: I713617bb58dc218967199248f68da86241d7ec40
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
When a device tree blob is present at a known address, instead of, for
example, relying on the user modifying the Linux command line to warn
about the memory reserved for the Trusted Firmware, pass it on the DTB.
The current code deletes the memory reserved for the default bootstrap
of the Raspberry Pi and adds the region used by the Trusted Firmware.
This system replaces the previous one consisting on adding
``memmap=16M$256M`` to the Linux command line. It's also meant to be
used by U-Boot and any other bootloader that understands DTB files.
Change-Id: I13ee528475fb043d6e8d9e9f24228e37ac3ac436
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some of COMPHY parameters depends on the hw connection between the SoC
and the PHY, which can vary on different boards e.g. due to different
wires length. Define the "porting layer" with some defaults
parameters. It ease updating static values which needs to be updated due
to board differences, which are now grouped in one place.
Example porting layer for a8k-db is under:
plat/marvell/a8k/a80x0/board/phy-porting-layer.h
If for some boards parameters are not defined (missing
phy-porting-layer.h), the default values are used
(drivers/marvell/comphy/phy-default-porting-layer.h)
and the following compilation warning is show:
"Using default comphy params - you may need to suit them to your board".
The common COMPHY driver code is extracted in order to be shared with
future COMPHY driver for A3700 SoC platforms
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Signed-off-by: Igal Liberman <igall@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Reference code:
==============
rar_gen3: IPL and Secure Monitor Rev1.0.22
https://github.com/renesas-rcar/arm-trusted-firmware [rcar_gen3]
Author: Takuya Sakata <takuya.sakata.wz@bp.renesas.com>
Date: Thu Aug 30 21:26:41 2018 +0900
Update IPL and Secure Monitor Rev1.0.22
General Information:
===================
This port has been tested on the Salvator-X Soc_id r8a7795 revision
ES1.1 (uses an SPD).
Build Tested:
-------------
ATFW_OPT="LSI=H3 RCAR_DRAM_SPLIT=1 RCAR_LOSSY_ENABLE=1"
MBEDTLS_DIR=$mbedtls
$ make clean bl2 bl31 rcar PLAT=rcar ${ATFW_OPT} SPD=opteed
Other dependencies:
------------------
* mbed_tls:
git@github.com:ARMmbed/mbedtls.git [devel]
Merge: 68dbc94 f34a4c1
Author: Simon Butcher <simon.butcher@arm.com>
Date: Thu Aug 30 00:57:28 2018 +0100
* optee_os:
https://github.com/BayLibre/optee_os
Until it gets merged into OP-TEE, the port requires Renesas' Trusted
Environment with a modification to support power management.
Author: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
Date: Thu Aug 30 16:49:49 2018 +0200
plat-rcar: cpu-suspend: handle the power level
Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
* u-boot:
The port has beent tested using mainline uboot.
Author: Fabio Estevam <festevam@gmail.com>
Date: Tue Sep 4 10:23:12 2018 -0300
*linux:
The port has beent tested using mainline kernel.
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 16 11:52:37 2018 -0700
Linux 4.19-rc4
Overview
---------
BOOTROM starts the cpu at EL3; In this port BL2 will therefore be entered
at this exception level (the Renesas' ATF reference tree [1] resets into
EL1 before entering BL2 - see its bl2.ld.S)
BL2 initializes DDR (and i2c to talk to the PMIC on some platforms)
before determining the boot reason (cold or warm).
During suspend all CPUs are switched off and the DDR is put in
backup mode (some kind of self-refresh mode). This means that BL2 is
always entered in a cold boot scenario.
Once BL2 boots, it determines the boot reason, writes it to shared
memory (BOOT_KIND_BASE) together with the BL31 parameters
(PARAMS_BASE) and jumps to BL31.
To all effects, BL31 is as if it is being entered in reset mode since
it still needs to initialize the rest of the cores; this is the reason
behind using direct shared memory access to BOOT_KIND_BASE and
PARAMS_BASE instead of using registers to get to those locations (see
el3_common_macros.S and bl31_entrypoint.S for the RESET_TO_BL31 use
case).
Depending on the boot reason BL31 initializes the rest of the cores:
in case of suspend, it uses a MBOX memory region to recover the
program counters.
[1] https://github.com/renesas-rcar/arm-trusted-firmware
Tests
-----
* cpuidle
-------
enable kernel's cpuidle arm_idle driver and boot
* system suspend
--------------
$ cat suspend.sh
#!/bin/bash
i2cset -f -y 7 0x30 0x20 0x0F
read -p "Switch off SW23 and press return " foo
echo mem > /sys/power/state
* cpu hotplug:
------------
$ cat offline.sh
#!/bin/bash
nbr=$1
echo 0 > /sys/devices/system/cpu/cpu$nbr/online
printf "ONLINE: " && cat /sys/devices/system/cpu/online
printf "OFFLINE: " && cat /sys/devices/system/cpu/offline
$ cat online.sh
#!/bin/bash
nbr=$1
echo 1 > /sys/devices/system/cpu/cpu$nbr/online
printf "ONLINE: " && cat /sys/devices/system/cpu/online
printf "OFFLINE: " && cat /sys/devices/system/cpu/offline
Signed-off-by: ldts <jramirez@baylibre.com>
Pointer authentication is an Armv8.3 feature that introduces
instructions that can be used to authenticate and verify pointers.
Pointer authentication instructions are allowed to be accessed from all
ELs but only when EL3 explicitly allows for it; otherwise, their usage
will trap to EL3. Since EL3 doesn't have trap handling in place, this
patch unconditionally disables all related traps to EL3 to avoid
potential misconfiguration leading to an unhandled EL3 exception.
FixesARM-software/tf-issues#629
Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The BLE is the pre-TF-A boot stage required by Marvell Armada
BootROM for bringing up DRAM and allow the boot image copy to it.
Since this is not a standard boot level and only uses the TF-A
as a build environment, it was introduced out of source tree.
However it turns out that such remote location introduces additional
complexity to the upstream TF-A build process.
In order to simplify the build environment the BLE source folder
is relocated from the external repository to A8K platform directory.
The build documentation is updated accordingly.
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This option makes it hard to optimize the memory definitions of all Arm
platforms because any change in the common defines must work in all of
them. The best thing to do is to remove it and move the definition to
each platform's header.
FVP, SGI and SGM were using the definitions in board_arm_def.h. The
definitions have been copied to each platform's platform_def.h. Juno
was already using the ones in platform_def.h, so there have been no
changes.
Change-Id: I9aecd11bbc72a3d0d7aad1ef9934d8df21dcfaf2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Information regarding platform compatibility policy
is added to the documentation.
Change-Id: If9f2a11160f81354ee2c678f0fca9d67fc7366e6
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
A compatibility script has been provided for about 2 years. Users should
have migrated to fiptool by now so remove the compat script.
Change-Id: I643e0c40a9e3fb428bad3be04a82cb431aad74dc
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
- Linaro binaries: 18.04
- mbed TLS library: 2.12.0
- FVP model versions: 11.4 build 37
This patch updates the user guide documentation to reflect these
changes to the dependencies.
Change-Id: I454782ca43a0db43aeeef2ab3622f4dea9dfec55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch describes the boot-flow and building of the WaRP7 TF-A port.
What it describes is booting and unsigned TF-A.
A very brief section has been added on signing BL2 which is in no-way
comprehensive. For a comprehensive description of the signing process try
the Boundary Devices blog on the matter.
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
This patch introduces the shared Mbed TLS heap optimisation for Arm
platforms. The objective is the Mbed TLS heap to be shared between BL1
and BL2 so as to not allocate the heap memory twice. To achieve that,
the patch introduces all the necessary helpers for implementing this
optimisation. It also applies it for FVP.
Change-Id: I6d85eaa1361517b7490956b2ac50f5fa0d0bb008
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The Mbed TLS drivers, in order to work, need a heap for internal usage.
This heap, instead of being directly referenced by the drivers, now it
is being accessed indirectly through a pointer. Also, the heap, instead
of being part of the drivers, now it is being received through the
plat_get_mbedtls_heap() function. This function requests a heap from the
current BL image which utilises the Mbed TLS drivers.
Those changes create the opportunity for the Mbed TLS heap to be shared
among different images, thus saving memory. A default heap
implementation is provided but it can be overridden by a platform
specific, optimised implemenetation.
Change-Id: I286a1f10097a9cdcbcd312201eea576c18d157fa
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Update build manual
- remove irrelevant platforms and environemnt variables
- add links to BLE and mv_ddr Github repositories
Change-Id: Ie389c61f014751cdc0459b3f78c70ede694d27b8
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.
The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.
The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.
Sample output of a backtrace at EL3:
BACKTRACE: START: function_name
0: EL3: 0x798
1: EL3: 0x538
2: EL3: 0x550
3: EL3: 0x55c
4: EL3: 0x568
5: EL3: 0x5a8
6: EL3: 0xf4
BACKTRACE: END: function_name
In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.
Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
At the moment the AArch32 instruction set isn't specified in the command
line, which means that the compiler is free to choose the one it sees
fit. This decision may change between compiler versions, so it is better
to specify it manually.
The build option AARCH32_INSTRUCTION_SET has been introduced for this
reason. This option can be set to T32 or A32 to pass the correct flags
to the compiler.
The current behaviour is to default to T32 due to it's smaller size.
Change-Id: I02297eb1d9404b5868ff7c054fbff9b3cda7fdb6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch fixes a bug in the context management code that causes it to
ignore the HANDLE_EA_EL3_FIRST compile-time option and instead always
configure SCR_EL3 to force all external aborts to trap into EL3. The
code used #ifdef to read compile-time option declared with add_define in
the Makefile... however, those options are always defined, they're just
defined to either 0 or 1, so #if is the correct syntax to check for
them. Also update the documentation to match.
This bug has existed since the Nov 2017 commit 76454abf4 (AArch64:
Introduce External Abort handling), which changed the
HANDLE_EA_EL3_FIRST option to use add_define.
Change-Id: I7189f41d0daee78fa2fcf4066323e663e1e04d3d
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Taken from http://git.simple-cc.org/scc/ from the following commit:
67508ad14af314cea2229783d3c084f28c41daf0
Permission has been granted from the author to use them under the
license BSD-3-Clause instead of ISC.
Change-Id: I65c0ce3ab60c49d34a57533af12a74bd7bde88e5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.
This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.
Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html
Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
Change-Id: I341440701b7e5e3555e604dd9d0a356795e6c4fb
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Add address decoding unit drivers for Marvell SoCs.
Address decoding flow and address translation units chart
are located at docs/marvell/misc/mvebu-a8k-addr-map.txt
Change-Id: Id6ce311fa1f4f112df3adfac5d20449f495f71ed
Signed-off-by: Hanna Hawa <hannah@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
The Non-secure DRAM region shouldn't be protected in the range specified
in the Linux command line with memmap.
This change also increases the size of the Secure DRAM region.
Change-Id: I306e9e443a84b834c99739f54a534a3ca3be2424
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
In the memory map of the documentation the kernel only had 16MiB of
allocated space. This leaves very little room for growth, so the
addresses of the DTB and the kernel have been interchanged.
The documentation has been updated to reflect this change.
Change-Id: Ib6eab69f047fa88561fb755397ce3a0b356c8860
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add information about direct Linux kernel boot for kernels that support
PSCI.
Change-Id: I05f76aa36398edabf411cb25a646437af1862e6e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
It uses the hardware RNG in a similar way as Juno (it gets 128 bits of
entropy and does xor on them).
It is disabled by default.
Change-Id: I8b3adb61f5a5623716e0e8b6799404c68dd94c60
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
There is no way to boot BL31 at the addresses specified in the platform
memory map unless an extra loader is used at address 0x00000000. It is
better to remove it to prevent confusion. Having it enabled was a bug.
Change-Id: I3229fbc080f5996cff47efce8e799bae94e0d5cb
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add a new default makefile target to concatenate BL1 and the FIP and
generate armstub8.bin. This way it isn't needed to do it manually.
Documentation updated to reflect the changes.
Change-Id: Id5b5b1b7b9f87767db63fd01180ddfea855a7207
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Running optee_test failed because SEC_DRAM0_SIZE is too small. Previous
is 2 MB. We enlarge it to 11 MB for passing the test. Also we reduce
the NS_DRAM0_SIZE from 13MB to 4MB so that the whole section is still
fit in 16MB.
This commit also modified the document to reflect the changes we've
made in code.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Implement minimal interrupt routing functions. All interrupts are
treated as non-secure interrupts to be handled by the non-secure world.
Add note to the documentation about disabling FIQs qhen using OP-TEE
with Linux.
Change-Id: I937096542d973925e43ae946c5d0b306d0d95a94
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The user guide didn't contain any information about the
requirements of the clang version needed by TF, which is
at least 4.0.
Change-Id: I1ea120aca0fb2c0950fbeaf6978c654ec277afde
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Add paragraph for how to enable Trusted Board Boot for rpi3
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
For Trusted Board Boot we enlarge the BL1 size from 64k to 128k.
Tested-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
The H6 is Allwinner's most recent SoC. It shares most peripherals with the
other ARMv8 Allwinner SoCs (A64/H5), but has a completely different memory
map.
Introduce a separate platform target, which includes a different header
file to cater for the address differences. Also add the new build target
to the documentation.
The new ATF platform name is "sun50i_h6".
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Update documentation to reflect the current state of the library.
Change-Id: Ic72f90ee322d2ebd6ea7f4296315700d6bc434e6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Add two empty lines to denote the paragraphs properly and improve
readability.
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch is an attempt to run Trusted OS (OP-TEE OS being one of them) along
side BL31 image.
ATF supports multiple SPD's that can take dispatcher name (opteed for OP-TEE OS)
as an input using the 'SPD=<dispatcher name>' option during bl31 build.
Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
Having an active stack while enabling MMU has shown coherency problems.
This patch builds on top of translation library changes that introduces
MMU-enabling without using stacks.
Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while
enabling MMU only because of active stack. Now that we can enable MMU
without using stack, we can enable both MMU and data caches at the same
time.
NOTE: Since this feature depends on using translation table library v2,
disallow using translation table library v1 with HW_ASSISTED_COHERENCY.
FixesARM-software/tf-issues#566
Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Currenly the CNTFRQ register and system timer is initialized in BL31 for
use by the normal world. During firmware update, the NS-BL1 or NS-BL2U
may need to access the system timer. Hence this patch duplicates the
CNTFRQ and system timer initialization in BL1 as well.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I1ede78b4ae64080fb418cb93f3e48b26d7b724dc
In the porting guide, there are blue boxes that describe the argument
types and the return type of each function. A small typo caused some of
these boxes not being properly rendered.
In the user guide, small typos were fixed that caused random text being
unintentionally rendered as bold. Also, a slight rewording was done in
the section describing the DYN_DISABLE_AUTH flag.
Change-Id: I57303ca609436a82162fa9b42c06b0d5a63da6df
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The values defined in this type are used in logical operations, which
goes against MISRA Rule 10.1: "Operands shall not be of an inappropriate
essential type".
Now, `unsigned int` is used instead. This also allows us to move the
dynamic mapping bit from 30 to 31. It was an undefined behaviour in the
past because an enum is signed by default, and bit 31 corresponds to the
sign bit. It is undefined behaviour to modify the sign bit. Now, bit 31
is free to use as it was originally meant to be.
mmap_attr_t is now defined as an `unsigned int` for backwards
compatibility.
Change-Id: I6b31218c14b9c7fdabebe432de7fae6e90a97f34
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.
However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.
With this patch:
- SDEI interrupts and calls to sdei_dispatch_event prepares the NS
context for event dispatch, then sets a jump point, and immediately
exits EL3. This results in the client handler executing in
Non-secure.
- When the SDEI client completes the dispatched event, the SDEI
dispatcher does a longjmp to the jump pointer created earlier. For
the caller of the sdei_dispatch_event() in particular, this would
appear as if call returned successfully.
The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.
Documentation updated.
NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.
Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The current macros only allow to define dynamic and statically-bound
SDEI events. However, there ought be a mechanism to define SDEI events
that are explicitly dispatched; i.e., events that are dispatched as a
result of a previous secure interrupt or other exception
This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit
event. They must be placed under private mappings. Only the priority
flags are allowed to be additionally specified.
Documentation updated.
Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add Makefile and plaform definations file.
My thanks to Daniel Thompson and Ard Biesheuvel for the bits and pieces
I've taken from their earlier work regarding build and deploy steps for
Developerbox based on Synquacer SoCs. They deserve much of the credit
for this work although, since I assembled and tested things, any blame
is probably mine.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Create the baseline Makefile, platform definitions file and platform
specific assembly macros file. This includes first set of constants
for the platform including cache sizes and linker format and a stub for
BL31 and the basic memory layout
K3 SoC family of processors do not use require a BL1 or BL2 binary,
since such functions are provided by an system controller on the SoC.
This lowers the burden of ATF to purely managing the local ARM cores
themselves.
Signed-off-by: Benjamin Fair <b-fair@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
NXP's i.MX8QM is an ARMv8 SoC with 2 clusters, 2 Cortex-A72
cores in one cluster and 4 Cortex-A53 in the other cluster,
and also has system controller (Cortex-M4) inside, documentation
can be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8QX is an ARMv8 SoC with 4 Cortex-A35 cores and
system controller (Cortex-M4) inside, documentation can
be found in below link:
https://www.nxp.com/products/processors-and-microcontrollers/
applications-processors/i.mx-applications-processors/i.mx-8-processors:IMX8-SERIES
This patch adds support for booting up SMP linux kernel (v4.9).
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
To build with the new release, we pick couple of more files from mbedTLS
library.
Change-Id: I77dfe5723284cb26d4e5c717fb0e6f6dd803cb6b
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The Allwinner A64 SoC is quite popular on single board computers.
It comes with four Cortex-A53 cores in a singe cluster and the usual
peripherals for set-top box/tablet SoC.
The ATF platform target is called "sun50i_a64".
[Andre: adapted to amended directory layout, removed unneeded definitions ]
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Changed the ordering of the log levels in the documentation to
mate the code
Change-Id: Ief1930b73d833fdf675b039c98046591c0c264c1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The order of the arguments of memmap was swapped. The old command was
reserving 256 MiB from the 16 MiB barrier, it should be reserving only
16 MiB at the 256 MiB barrier.
It worked because the memory used by the Trusted Firmware was reserved
anyway.
Change-Id: I3fefcfc0105ecf05ba5606517bc3236f4eb24ceb
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
This patch updates the firmware design guide for the BL memory
layout change on ARM platforms.
Change-Id: Icbfe7249484bb8b4ba3c94421172d42f27605c52
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
From TF-A v1.5, FVP supports loading the kernel FDT through
firmware as part of dynamic configuration feature. This means
that the FDT no longer needs to be loaded via Model parameters.
This patch updates the user guide to reflect the same.
Change-Id: I79833beeaae44a1564f6512c3a473625e5959f65
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
In the porting guide, fix the function name and the argument type to
reflect the code.
Change-Id: Iac8d69af403194de5586bc0d5890da531e3c8da2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The instructions to boot the bootwrapped kernel were outdated.
Also, the bootwrapped kernel boot flow isn't really useful. It was meant
to be a replacement for the Trusted Firmware-A, not to be used as the next
step during boot.
The instructions have been removed in favour of the new build option
ARM_LINUX_KERNEL_AS_BL33. This new system directly boots the Linux
kernel from BL31, and requires RESET_TO_BL31 to be 1. Also, the kernel
has to be preloaded in memory, so PRELOADED_BL33_BASE has to be set to its
address. This way, the runtime services of the Trusted Firmware-A are
available for the kernel in the least possible amount of time.
This new system requires the DTB to be patched so that the kernel knows
where the ramdisk is. A short script to add this information to the DTB
has been added to the User Guide. The information related to it can be
found in the following file in the Linux kernel tree:
``Documentation/devicetree/bindings/chosen.txt``
Change-Id: Ide135580959e09f6aa8e4425f37ea55d97439178
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Soby Mathew
Antonio Niño Díaz
Ding Tao
Julius Werner
Bai Ping
Konstantin Porotchkin
Jeenu Viswambharan
Pete Batard
Sughosh Ganu
Siva Durga Prasad Paladugu
Manish Pandey
Yann Gautier
Grzegorz Jaszczyk
Jorge Ramirez-Ortiz
John Tsichritzis
Daniel Boulby
Joanna Farley
Roberto Vargas
dp-arm
Sandrine Bailleux
David Cunado
Bryan O'Donoghue
Douglas Raillard
Sathees Balya
danh-arm
Ying-Chun Liu (PaulLiu)
Andre Przywara
Amit Singh Tomar
Sumit Garg
Nishanth Menon
Anson Huang
Samuel Holland