GitLab

Firmware update feature needs a new FIP called `fwu_fip.bin` that
includes Secure(SCP_BL2U, BL2U) and Normal world(NS_BL2U) images
along with the FWU_CERT certificate in order for NS_BL1U to load
the images and help the Firmware update process to complete.

This patch adds the capability to support the new target `fwu_fip`
which includes above mentioned FWU images in the make files.

The new target of `fwu_fip` and its dependencies are included for
compilation only when `TRUSTED_BOARD_BOOT` is defined.

Change-Id: Ie780e3aac6cbd0edfaff3f9af96a2332bd69edbc

Firmware Update (FWU) introduces a new set of images called
SCP_BL2U, BL2U and NS_BL2U, which can be packed in a FWU FIP file.

This patch introduces new UUIDs for the Firmware Update images
and extends the 'fip'create' tool so that these new images can be
packed in a FIP file.

Change-Id: I7c60211b4f3cc265411efb131e6d3c624768f522

Firmware Update requires an X509v3 certificate which contains
hashes for SCP_BL2U, BL2U and NS_BL2U images as extensions.

This patch extends the Chain of Trust definition in the
'cert_create' tool to include the Firmware Update certificate
and the required extensions (including command line options).
A new field in the extension structure will be used to indicate
that the extension is optional. In the case of an image hash
extension, this field will tell the tool that the hash should
be included in the certificate, but filled with zeros.

Change-Id: I1f77a66b018826b71745910771f38d9cf6050388

This patch adds support for Firmware update in BL2U for ARM
platforms such that TZC initialization is performed on all
ARM platforms and (optionally) transfer of SCP_BL2U image on
ARM CSS platforms.

BL2U specific functions are added to handle early_platform and
plat_arch setup. The MMU is configured to map in the BL2U
code/data area and other required memory.

Change-Id: I57863295a608cc06e6cbf078b7ce34cbd9733e4f

The Firmware Update (FWU) feature needs support for an optional
secure world image, BL2U, to allow additional secure world
initialization required by FWU, for example DDR initialization.

This patch adds generic framework support to create BL2U.

NOTE: A platform makefile must supply additional `BL2U_SOURCES`
      to build the bl2u target. A subsequent patch adds bl2u
      support for ARM platforms.

Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413

This patch adds Firmware Update support for ARM platforms.

New files arm_bl1_fwu.c and juno_bl1_setup.c were added to provide
platform specific Firmware update code.

BL1 now includes mmap entry for `ARM_MAP_NS_DRAM1` to map DRAM for
authenticating NS_BL2U image(For both FVP and JUNO platform).

Change-Id: Ie116cd83f5dc00aa53d904c2f1beb23d58926555

Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific code detects that it is needed.

This patch adds support for FWU feature support in BL1 which is
included by enabling `TRUSTED_BOARD_BOOT` compile time flag.

This patch adds bl1_fwu.c which contains all the core operations
of FWU, which are; SMC handler, image copy, authentication, execution
and resumption. It also adds bl1.h introducing #defines for all
BL1 SMCs.

Following platform porting functions are introduced:

int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
unsigned int flags);
	This function can be used to add platform specific memory checks
	for the provided base/size for the given security state.
	The weak definition will invoke `assert()` and return -ENOMEM.

__dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
	This function can be used to initiate platform specific procedure
	to mark completion of the FWU process.
	The weak definition waits forever calling `wfi()`.

plat_bl1_common.c contains weak definitions for above functions.

FWU process starts when platform detects it and return the image_id
other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
`bl1_main()`.

NOTE: User MUST provide platform specific real definition for
bl1_plat_mem_check() in order to use it for Firmware update.

Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed

As of now BL1 loads and execute BL2 based on hard coded information
provided in BL1. But due to addition of support for upcoming Firmware
Update feature, BL1 now require more flexible approach to load and
run different images using information provided by the platform.

This patch adds new mechanism to load and execute images based on
platform provided image id's. BL1 now queries the platform to fetch
the image id of the next image to be loaded and executed. In order
to achieve this, a new struct image_desc_t was added which holds the
information about images, such as: ep_info and image_info.

This patch introduces following platform porting functions:

unsigned int bl1_plat_get_next_image_id(void);
	This is used to identify the next image to be loaded
	and executed by BL1.

struct image_desc *bl1_plat_get_image_desc(unsigned int image_id);
	This is used to retrieve the image_desc for given image_id.

void bl1_plat_set_ep_info(unsigned int image_id,
struct entry_point_info *ep_info);
	This function allows platforms to update ep_info for given
	image_id.

The plat_bl1_common.c file provides default weak implementations of
all above functions, the `bl1_plat_get_image_desc()` always return
BL2 image descriptor, the `bl1_plat_get_next_image_id()` always return
BL2 image ID and `bl1_plat_set_ep_info()` is empty and just returns.
These functions gets compiled into all BL1 platforms by default.

Platform setup in BL1, using `bl1_platform_setup()`, is now done
_after_ the initialization of authentication module. This change
provides the opportunity to use authentication while doing the
platform setup in BL1.

In order to store secure/non-secure context, BL31 uses percpu_data[]
to store context pointer for each core. In case of BL1 only the
primary CPU will be active hence percpu_data[] is not required to
store the context pointer.

This patch introduce bl1_cpu_context[] and bl1_cpu_context_ptr[] to
store the context and context pointers respectively. It also also
re-defines cm_get_context() and cm_set_context() for BL1 in
bl1/bl1_context_mgmt.c.

BL1 now follows the BL31 pattern of using SP_EL0 for the C runtime
environment, to support resuming execution from a previously saved
context.

NOTE: THE `bl1_plat_set_bl2_ep_info()` PLATFORM PORTING FUNCTION IS
      NO LONGER CALLED BY BL1 COMMON CODE. PLATFORMS THAT OVERRIDE
      THIS FUNCTION MAY NEED TO IMPLEMENT `bl1_plat_set_ep_info()`
      INSTEAD TO MAINTAIN EXISTING BEHAVIOUR.

Change-Id: Ieee4c124b951c2e9bc1c1013fa2073221195d881

The upcoming Firmware Update feature needs transitioning across
Secure/Normal worlds to complete the FWU process and hence requires
context management code to perform this task.

Currently context management code is part of BL31 stage only.
This patch moves the code from (include)/bl31 to (include)/common.
Some function declarations/definitions and macros have also moved
to different files to help code sharing.

Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c

This patch adds support for secure setup of the SoC on CSS
platforms in BL1.

This change is required to provide memory access to normal
world images that take part in upcoming Firmware Update feature.

Change-Id: Ib202fb6cb82622c1874b700637d82ea72575e6fe

The primary usage of `RUN_IMAGE` SMC function id, used by BL2 is to
make a request to BL1 to execute BL31. But BL2 also uses it as
opcode to check if it is allowed to execute which is not the
intended usage of `RUN_IMAGE` SMC.

This patch removes the usage of `RUN_IMAGE` as opcode passed to
next EL to check if it is allowed to execute.

Change-Id: I6aebe0415ade3f43401a4c8a323457f032673657

This patch adds `uppercase` macro to prepare IMAGE_BLxx defines
used for conditional compilation and to prepare variables used
for defining BL source and linker file names.

This change is needed for upcoming BL images that can have names
which uses both letters and numbers.

Change-Id: I05ce9bcd0d221a54db92c0fe3ad28e9e0080ed2e

Include psci.h from tegra platform header

The `plat/nvidia/tegra/include/tegra_private.h` file uses resources
from psci.h (for example, psci_power_state_t) but does not explicitly
include psci.h. This does not currently cause a problem since psci.h
is indirectly included via other headers. However, this may not be
the case in future.

This patch explicitly includes psci.h from tegra_private.h

Change-Id: Ia991147898dbd117c1d3496a95850995a5554c05

Initialize VTTBR_EL2 when bypassing EL2

In the situation that EL1 is selected as the exception level for the
next image upon BL31 exit for a processor that supports EL2, the
context management code must configure all essential EL2 register
state to ensure correct execution of EL1.

VTTBR_EL2 should be part of this set of EL2 registers because:
 - The ARMv8-A architecture does not define a reset value for this
   register.
 - Cache maintenance operations depend on VTTBR_EL2.VMID even when
   non-secure EL1&0 stage 2 address translation are disabled.

This patch initializes the VTTBR_EL2 register to 0 when bypassing EL2
to address this issue. Note that this bug has not yet manifested
itself on FVP or Juno because VTTBR_EL2.VMID resets to 0 on the
Cortex-A53 and Cortex-A57.

Change-Id: I58ce2d16a71687126f437577a506d93cb5eecf33

Remove the assert for TZC base during initialization

Fix issue in Floating point register restore

Modify TSP and ARM standard platforms for new GIC drivers v2

Fix SP804 delay timer on FVP

The `fpregs_context_restore()` function used to restore the floating point
regsiter context had a typo error wherein it was doing `str` instead of
`ldr` for a register. This issue remained undetected becuase none of the ARM
Standard development platforms save and restore the floating point register
context when a context switch is done. This patch corrects the issue.

Change-Id: Id178e0ba254a5e0a4a844f54b39d71dc34e0f6ea

Earlier the TSP only ever expected to be preempted during Standard SMC
processing. If a S-EL1 interrupt triggered while in the normal world, it
will routed to S-EL1 `synchronously` for handling. The `synchronous` S-EL1
interrupt handler `tsp_sel1_intr_entry` used to panic if this S-EL1 interrupt
was preempted by another higher priority pending interrupt which should be
handled in EL3 e.g. Group0 interrupt in GICv3.

With this patch, the `tsp_sel1_intr_entry` now expects `TSP_PREEMPTED` as the
return code from the `tsp_common_int_handler` in addition to 0 (interrupt
successfully handled) and in both cases it issues an SMC with id
`TSP_HANDLED_S_EL1_INTR`. The TSPD switches the context and returns back
to normal world. In case a higher priority EL3 interrupt was pending, the
execution will be routed to EL3 where interrupt will be handled. On return
back to normal world, the pending S-EL1 interrupt which was preempted will
get routed to S-EL1 to be handled `synchronously` via `tsp_sel1_intr_entry`.

Change-Id: I2087c7fedb37746fbd9200cdda9b6dba93e16201

This patch enables support for EL3 interrupts in the Interrupt Management
Framework (IMF) of ARM Trusted Firmware. Please note that although the
registration of the EL3 interrupt type is now supported, it has not been
tested on any of the ARM Standard platforms.

Change-Id: If4dcdc7584621522a2f3ea13ea9b1ad0a76bb8a1

Suport for ARM GIC v2.0 and v3.0 drivers has been reworked to create three
separate drivers instead of providing a single driver that can work on both
versions of the GIC architecture. These drivers correspond to the following
software use cases:

1. A GICv2 only driver that can run only on ARM GIC v2.0 implementations
   e.g. GIC-400

2. A GICv3 only driver that can run only on ARM GIC v3.0 implementations
   e.g. GIC-500 in a mode where all interrupt regimes use GICv3 features

3. A deprecated GICv3 driver that operates in legacy mode. This driver can
   operate only in the GICv2 mode in the secure world. On a GICv3 system, this
   driver allows normal world to run in either GICv3 mode (asymmetric mode)
   or in the GICv2 mode. Both modes of operation are deprecated on GICv3
   systems.

ARM platforms implement both versions of the GIC architecture. This patch adds a
layer of abstraction to help ARM platform ports chose the right GIC driver and
corresponding platform support. This is as described below:

1. A set of ARM common functions have been introduced to initialise the GIC and
   the driver during cold and warm boot. These functions are prefixed as
   "plat_arm_gic_". Weak definitions of these functions have been provided for
   each type of driver.

2. Each platform includes the sources that implement the right functions
   directly into the its makefile. The FVP can be instantiated with different
   versions of the GIC architecture. It uses the FVP_USE_GIC_DRIVER build option
   to specify which of the three drivers should be included in the build.

3. A list of secure interrupts has to be provided to initialise each of the
  three GIC drivers. For GIC v3.0 the interrupt ids have to be further
  categorised as Group 0 and Group 1 Secure interrupts. For GIC v2.0, the two
  types are merged and treated as Group 0 interrupts.

  The two lists of interrupts are exported from the platform_def.h. The lists
  are constructed by adding a list of board specific interrupt ids to a list of
  ids common to all ARM platforms and Compute sub-systems.

This patch also makes some fields of `arm_config` data structure in FVP redundant
and these unused fields are removed.

Change-Id: Ibc8c087be7a8a6b041b78c2c3bd0c648cd2035d8

This patch adds platform helpers for the new GICv2 and GICv3 drivers in
plat_gicv2.c and plat_gicv3.c. The platforms can include the appropriate
file in their build according to the GIC driver to be used. The existing
plat_gic.c is only meant for the legacy GIC driver.

In the case of ARM platforms, the major changes are as follows:

1. The crash reporting helper macro `arm_print_gic_regs` that prints the GIC CPU
   interface register values has been modified to detect the type of CPU
   interface being used (System register or memory mappped interface) before
   using the right interface to print the registers.

2. The power management helper function that is called after a core is powered
   up has been further refactored. This is to highlight that the per-cpu
   distributor interface should be initialised only when the core was originally
   powered down using the CPU_OFF PSCI API and not when the CPU_SUSPEND PSCI API
   was used.

3. In the case of CSS platforms, the system power domain restore helper
   `arm_system_pwr_domain_resume()` is now only invoked in the `suspend_finish`
   handler as the system power domain is always expected to be initialized when
   the `on_finish` handler is invoked.

Change-Id: I7fc27d61fc6c2a60cea2436b676c5737d0257df6

Add CCI-400 specific driver to deprecated driver list

Add compile time `__warn_deprecated` flag to public api's in CCI-400
specific driver so that user is aware of the driver being deprecated.
Similarly, it also adds an error message when `ERROR_DEPRECATED` is set
to prevent succesful compilation if CCI-400 specific driver is used.

Change-Id: Id7e61a560262abc01cbbd432ca85b9bf448a194d

When resuming from system suspend the TZC needs to be
re-initialized. Hence the assertion for TZC base address
to detect re-initialization is removed.

Change-Id: I53d64146f6c919e95526441bb997f7b309c68141

Tegra new platform apis v2

This patch modifies the Tegra port to support the new platform
APIs so that we can disable the compat layer. This includes
modifications to the power management and platform topology code.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

On a GICv2 system, interrupts that should be handled in the secure world are
typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
as IRQs instead. The mechanism for handling both types of interrupts is the same
in both cases. This patch enables the TSP to run on a GICv3 system by:

1. adding support for handling IRQs in the exception handling code.
2. removing use of "fiq" in the names of data structures, macros and functions.

The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
former build flag is defined, it will be used to define the value for the
new build flag. The documentation is also updated accordingly.

Change-Id: I1807d371f41c3656322dd259340a57649833065e

The TSP is expected to pass control back to EL3 if it gets preempted due to
an interrupt while handling a Standard SMC in the following scenarios:

1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
   timer interrupt or is preempted by a higher priority interrupt by the time
   the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
   as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
   the TSP Secure Timer is expected to generate FIQ.

2. An IRQ preempts Standard SMC execution and in this case the TSP issues
   an SMC with the ID as `TSP_PREEMPTED`.

In both the cases, the TSPD hands control back to the normal world and returns
returns an error code to the normal world to indicate that the standard SMC it
had issued has been preempted but not completed.

This patch unifies the handling of these two cases in the TSPD and ensures that
the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
returned as error code back to the normal world.

Background information: On a GICv3 system, when the secure world has affinity
routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both case, the
TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
will be handled. This allows for unified interrupt handling in TSP for both
GICv3 and GICv2 systems.

Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4

This patch renames the GICv3 interrupt group macros from
INT_TYPE_G0, INT_TYPE_G1S and INT_TYPE_G1NS to INTR_GROUP0,
INTR_GROUP1S and INTR_GROUP1NS respectively.

Change-Id: I40c66f589ce6234fa42205adcd91f7d6ad8f33d4

This patch fixes several issues with the SP804 delay timer on FVP:

* By default, the SP804 dual timer on FVP runs at 32 KHz. In order
  to run the timer at 35 MHz (as specified in the FVP user manual)
  the Overwrite bit in the SP810 control register must be set.

* The CLKMULT and CLKDIV definitions are mixed up:

      delta(us) = delta(ticks) * T(us) = delta(ticks) / f(MHz)

  From the delay function:

      delta_us = (delta * ops->clk_mult) / ops->clk_div;

  Matching both expressions:

      1 / f(MHz) = ops->clk_mult / ops->clk_div

  And consequently:

      f(MHz) = ops->clk_div / ops->clk_mult

  Which, for a 35 MHz timer, translates to:

      ops->clk_div = 35
      ops->clk_mult = 1

* The comment in the delay timer header file has been corrected:
  The ratio of the multiplier and the divider is the clock period
  in microseconds, not the frequency.

Change-Id: Iffd5ce0a5a28fa47c0720c0336d81b678ff8fdf1

Fix TZC-400 peripheral detection

TBB: add ARM OIDs

Jc/tbb wdog

This patch adds watchdog support on ARM platforms (FVP and Juno).
A secure instance of SP805 is used as Trusted Watchdog. It is
entirely managed in BL1, being enabled in the early platform setup
hook and disabled in the exit hook. By default, the watchdog is
enabled in every build (even when TBB is disabled).

A new ARM platform specific build option `ARM_DISABLE_TRUSTED_WDOG`
has been introduced to allow the user to disable the watchdog at
build time. This feature may be used for testing or debugging
purposes.

Specific error handlers for Juno and FVP are also provided in this
patch. These handlers will be called after an image load or
authentication error. On FVP, the Table of Contents (ToC) in the FIP
is erased. On Juno, the corresponding error code is stored in the
V2M Non-Volatile flags register. In both cases, the CPU spins until
a watchdog reset is generated after 256 seconds (as specified in
the TBBR document).

Change-Id: I9ca11dcb0fe15af5dbc5407ab3cf05add962f4b4

This patch adds ARM specific OIDs which will be used to extract
the extension data from the certificates. These OIDs are arranged
as a subtree whose root node has been specifically allocated for
ARM Ltd.

    { iso(1) identified-organization(3) dod(6) internet(1)
      private(4) enterprise(1) 4128 }

Change-Id: Ice20b3c8a31ddefe9102f3bd42f7429986f3ac34

Add support to boot EL3 payloads and only a single CPU at cold reset