FVP: Allow BL3-2 to sit in the secure region of DRAM

This patch allows the secure payload (BL3-2) to be loaded in the DRAM region secured by the TrustZone controller (top 16 MB of DRAM1). The location of BL3-2 can be selected at build time by setting the build flag FVP_TSP_RAM_LOCATION to one of the following options: - 'tsram' : Trusted SRAM (this is the default option) - 'tdram' : Trusted DRAM - 'dram' : Secure region in DRAM1 (top 16MB configured by the TrustZone controller) The number of MMU tables in BL3-2 depends on its location in memory: 3 in case it is loaded in DRAM, 2 otherwise. Documentation updated accordingly. Fixes ARM-software/tf-issues#212 Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a

FVP: Allow BL3-2 to sit in the secure region of DRAM
This patch allows the secure payload (BL3-2) to be loaded in the DRAM region secured by the TrustZone controller (top 16 MB of DRAM1). The location of BL3-2 can be selected at build time by setting the build flag FVP_TSP_RAM_LOCATION to one of the following options: - 'tsram' : Trusted SRAM (this is the default option) - 'tdram' : Trusted DRAM - 'dram' : Secure region in DRAM1 (top 16MB configured by the TrustZone controller) The number of MMU tables in BL3-2 depends on its location in memory: 3 in case it is loaded in DRAM, 2 otherwise. Documentation updated accordingly. Fixes ARM-software/tf-issues#212 Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a
513dd3a0 · Juan Castillo · 6fd9eaf3 · 513dd3a0 · 513dd3a0 · 513dd3a0
Commit 513dd3a0 authored Dec 19, 2014 by Juan Castillo
--- a/Makefile
+++ b/Makefile
@@ -357,7 +357,7 @@ $(eval PREREQUISITES := $(1).d)
 $(1) : $(2)
 	@echo "  PP      $$<"
-	$$(Q)$$(AS) $$(ASFLAGS) -P -E -o $$@ $$<
+	$$(Q)$$(AS) $$(ASFLAGS) -P -E -D__LINKER__ -o $$@ $$<
 $(PREREQUISITES) : $(2)
 	@echo "  DEPS    $$@"

--- a/docs/firmware-design.md
+++ b/docs/firmware-design.md
@@ -1212,14 +1212,19 @@ The following list describes the memory layout on the FVP:
 *   BL2 is loaded below BL3-1.
-*   The TSP is loaded as the BL3-2 image at the base of either the Trusted
+*   BL3-2 can be loaded in one of the following locations:
-    SRAM or Trusted DRAM. When loaded into Trusted SRAM, its NOBITS sections
-    are allowed to overlay BL2.
-This memory layout is designed to give the BL3-2 image as much memory as
+    *   Trusted SRAM
-possible when it is loaded into Trusted SRAM. Depending on the location of the
+    *   Trusted DRAM
-TSP, it will result in different memory maps, illustrated by the following
+    *   Secure region of DRAM (top 16MB of DRAM configured by the TrustZone
-diagrams.
+        controller)
+When BL3-2 is loaded into Trusted SRAM, its NOBITS sections are allowed to
+overlay BL2. This memory layout is designed to give the BL3-2 image as much
+memory as possible when it is loaded into Trusted SRAM.
+The location of the BL3-2 image will result in different memory maps. This is
+illustrated in the following diagrams using the TSP as an example.
 **TSP in Trusted SRAM (default option):**
@@ -1267,8 +1272,37 @@ diagrams.
               | BL1 (ro) |
    0x00000000 +----------+
-Loading the TSP image in Trusted DRAM doesn't change the memory layout of the
+**TSP in the TZC-Secured DRAM:**
-other boot loader images in Trusted SRAM.
+                   DRAM
+    0xffffffff +----------+
+               |  BL3-2   |  (secure)
+    0xff000000 +----------+
+               |          |
+               :          :  (non-secure)
+               |          |
+    0x80000000 +----------+
+               Trusted SRAM
+    0x04040000 +----------+  loaded by BL2  ------------------
+               | BL1 (rw) |  <<<<<<<<<<<<<  |  BL3-1 NOBITS  |
+               |----------|  <<<<<<<<<<<<<  |----------------|
+               |          |  <<<<<<<<<<<<<  | BL3-1 PROGBITS |
+               |----------|                 ------------------
+               |   BL2    |
+               |----------|
+               |          |
+    0x04001000 +----------+
+               |  Shared  |
+    0x04000000 +----------+
+               Trusted ROM
+    0x04000000 +----------+
+               | BL1 (ro) |
+    0x00000000 +----------+
+Moving the TSP image out of the Trusted SRAM doesn't change the memory layout
+of the other boot loader images in Trusted SRAM.
 ####  Memory layout on Juno ARM development platform

--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@@ -248,8 +248,9 @@ performed.
 #### FVP specific build options
 *   `FVP_TSP_RAM_LOCATION`: location of the TSP binary. Options:
-    -   `tsram` (default) : Trusted SRAM
+    -   `tsram` : Trusted SRAM (default option)
    -   `tdram` : Trusted DRAM
+    -   `dram`  : Secure region in DRAM (configured by the TrustZone controller)
 For a better understanding of FVP options, the FVP memory map is explained in
 the [Firmware Design].

--- a/plat/fvp/fvp_def.h
+++ b/plat/fvp/fvp_def.h
@@ -36,8 +36,29 @@
 #define FVP_PRIMARY_CPU			0x0
 /* Memory location options for TSP */
-#define FVP_IN_TRUSTED_SRAM		0
+#define FVP_TRUSTED_SRAM_ID		0
-#define FVP_IN_TRUSTED_DRAM		1
+#define FVP_TRUSTED_DRAM_ID		1
+#define FVP_DRAM_ID			2
+/*
+ * Some of the definitions in this file use the 'ull' suffix in order to avoid
+ * subtle integer overflow errors due to implicit integer type promotion when
+ * working with 32-bit values.
+ *
+ * The TSP linker script includes some of these definitions to define the BL3-2
+ * memory map, but the GNU LD does not support the 'ull' suffix, causing the
+ * build process to fail. To solve this problem, the auxiliary macro MAKE_ULL(x)
+ * will add the 'ull' suffix only when the macro __LINKER__  is not defined
+ * (__LINKER__ is defined in the command line to preprocess the linker script).
+ * Constants in the linker script will not have the 'ull' suffix, but this is
+ * not a problem since the linker evaluates all constant expressions to 64 bit
+ * (assuming the target architecture is 64 bit).
+ */
+#ifndef __LINKER__
+  #define MAKE_ULL(x)			x##ull
+#else
+  #define MAKE_ULL(x)			x
+#endif
 /*******************************************************************************
 * FVP memory map related constants
@@ -79,12 +100,12 @@
 #define NSRAM_BASE		0x2e000000
 #define NSRAM_SIZE		0x10000
-#define DRAM1_BASE		0x80000000ull
+#define DRAM1_BASE		MAKE_ULL(0x80000000)
-#define DRAM1_SIZE		0x80000000ull
+#define DRAM1_SIZE		MAKE_ULL(0x80000000)
 #define DRAM1_END		(DRAM1_BASE + DRAM1_SIZE - 1)
 /* Define the top 16 MB of DRAM1 as secure */
-#define DRAM1_SEC_SIZE		0x01000000ull
+#define DRAM1_SEC_SIZE		MAKE_ULL(0x01000000)
 #define DRAM1_SEC_BASE		(DRAM1_BASE + DRAM1_SIZE - DRAM1_SEC_SIZE)
 #define DRAM1_SEC_END		(DRAM1_SEC_BASE + DRAM1_SEC_SIZE - 1)
@@ -95,8 +116,8 @@
 #define DRAM_BASE		DRAM1_BASE
 #define DRAM_SIZE		DRAM1_SIZE
-#define DRAM2_BASE		0x880000000ull
+#define DRAM2_BASE		MAKE_ULL(0x880000000)
-#define DRAM2_SIZE		0x780000000ull
+#define DRAM2_SIZE		MAKE_ULL(0x780000000)
 #define DRAM2_END		(DRAM2_BASE + DRAM2_SIZE - 1)
 #define PCIE_EXP_BASE		0x40000000

--- a/plat/fvp/include/platform_def.h
+++ b/plat/fvp/include/platform_def.h
@@ -128,19 +128,25 @@
 * BL32 specific defines.
 ******************************************************************************/
 /*
- * On FVP, the TSP can execute either from Trusted SRAM or Trusted DRAM.
+ * On FVP, the TSP can execute from Trusted SRAM, Trusted DRAM or the DRAM
+ * region secured by the TrustZone controller.
 */
-#if FVP_TSP_RAM_LOCATION_ID == FVP_IN_TRUSTED_SRAM
+#if FVP_TSP_RAM_LOCATION_ID == FVP_TRUSTED_SRAM_ID
 # define TSP_SEC_MEM_BASE		FVP_TRUSTED_SRAM_BASE
 # define TSP_SEC_MEM_SIZE		FVP_TRUSTED_SRAM_SIZE
 # define TSP_PROGBITS_LIMIT		BL2_BASE
 # define BL32_BASE			FVP_TRUSTED_SRAM_BASE
 # define BL32_LIMIT			BL31_BASE
-#elif FVP_TSP_RAM_LOCATION_ID == FVP_IN_TRUSTED_DRAM
+#elif FVP_TSP_RAM_LOCATION_ID == FVP_TRUSTED_DRAM_ID
 # define TSP_SEC_MEM_BASE		FVP_TRUSTED_DRAM_BASE
 # define TSP_SEC_MEM_SIZE		FVP_TRUSTED_DRAM_SIZE
 # define BL32_BASE			FVP_TRUSTED_DRAM_BASE
 # define BL32_LIMIT			(FVP_TRUSTED_DRAM_BASE + (1 << 21))
+#elif FVP_TSP_RAM_LOCATION_ID == FVP_DRAM_ID
+# define TSP_SEC_MEM_BASE		DRAM1_SEC_BASE
+# define TSP_SEC_MEM_SIZE		DRAM1_SEC_SIZE
+# define BL32_BASE			DRAM1_SEC_BASE
+# define BL32_LIMIT			(DRAM1_SEC_BASE + DRAM1_SEC_SIZE)
 #else
 # error "Unsupported FVP_TSP_RAM_LOCATION_ID value"
 #endif
@@ -154,11 +160,21 @@
 * Platform specific page table and MMU setup constants
 ******************************************************************************/
 #define ADDR_SPACE_SIZE			(1ull << 32)
-#if IMAGE_BL2
+#if IMAGE_BL1
+# define MAX_XLAT_TABLES		2
+#elif IMAGE_BL2
 # define MAX_XLAT_TABLES		3
-#else
+#elif IMAGE_BL31
 # define MAX_XLAT_TABLES		2
+#elif IMAGE_BL32
+# if FVP_TSP_RAM_LOCATION_ID == FVP_DRAM_ID
+#  define MAX_XLAT_TABLES		3
+# else
+#  define MAX_XLAT_TABLES		2
+# endif
 #endif
 #define MAX_MMAP_REGIONS		16
 /*******************************************************************************

--- a/plat/fvp/platform.mk
+++ b/plat/fvp/platform.mk
@@ -32,9 +32,11 @@
 # Trusted SRAM is the default.
 FVP_TSP_RAM_LOCATION	:=	tsram
 ifeq (${FVP_TSP_RAM_LOCATION}, tsram)
-  FVP_TSP_RAM_LOCATION_ID := FVP_IN_TRUSTED_SRAM
+  FVP_TSP_RAM_LOCATION_ID := FVP_TRUSTED_SRAM_ID
 else ifeq (${FVP_TSP_RAM_LOCATION}, tdram)
-  FVP_TSP_RAM_LOCATION_ID := FVP_IN_TRUSTED_DRAM
+  FVP_TSP_RAM_LOCATION_ID := FVP_TRUSTED_DRAM_ID
+else ifeq (${FVP_TSP_RAM_LOCATION}, dram)
+  FVP_TSP_RAM_LOCATION_ID := FVP_DRAM_ID
 else
  $(error "Unsupported FVP_TSP_RAM_LOCATION value")
 endif