1. 04 Dec, 2015 3 commits
    • Enable use of FIQs and IRQs as TSP interrupts · 02446137
      Soby Mathew authored
      On a GICv2 system, interrupts that should be handled in the secure world are
      typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
      as IRQs instead. The mechanism for handling both types of interrupts is the same
      in both cases. This patch enables the TSP to run on a GICv3 system by:
      
      1. adding support for handling IRQs in the exception handling code.
      2. removing use of "fiq" in the names of data structures, macros and functions.
      
      The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
      new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
      former build flag is defined, it will be used to define the value for the
      new build flag. The documentation is also updated accordingly.
      
      Change-Id: I1807d371f41c3656322dd259340a57649833065e
    • Unify interrupt return paths from TSP into the TSPD · 404dba53
      Soby Mathew authored
      The TSP is expected to pass control back to EL3 if it gets preempted due to
      an interrupt while handling a Standard SMC in the following scenarios:
      
      1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
         timer interrupt or is preempted by a higher priority interrupt by the time
         the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
         as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
         the TSP Secure Timer is expected to generate FIQ.
      
      2. An IRQ preempts Standard SMC execution and in this case the TSP issues
         an SMC with the ID as `TSP_PREEMPTED`.
      
      In both the cases, the TSPD hands control back to the normal world and returns
      an error code to the normal world to indicate that the standard SMC it
      had issued has been preempted but not completed.
      
      This patch unifies the handling of these two cases in the TSPD and ensures that
      the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
      separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
      returned as error code back to the normal world.
      
      Background information: On a GICv3 system, when the secure world has affinity
      routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
      FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both cases, the
      TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
      SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
      will be handled. This allows for unified interrupt handling in TSP for both
      GICv3 and GICv2 systems.
      
      Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4
    • Rename GICv3 interrupt group macros · 03ffb6bd
      Soby Mathew authored
      This patch renames the GICv3 interrupt group macros from
      INT_TYPE_G0, INT_TYPE_G1S and INT_TYPE_G1NS to INTR_GROUP0,
      INTR_GROUP1S and INTR_GROUP1NS respectively.
      
      Change-Id: I40c66f589ce6234fa42205adcd91f7d6ad8f33d4
  2. 02 Dec, 2015 5 commits
    • Merge pull request #446 from vikramkanigiri/vk/tzc-400 · f3974ea5
      danh-arm authored
      Fix TZC-400 peripheral detection
    • Merge pull request #449 from jcastillo-arm/jc/tbb_oid · 3138dac6
      danh-arm authored
      TBB: add ARM OIDs
    • Merge pull request #444 from jcastillo-arm/jc/tbb_wdog · 38d8fddf
      danh-arm authored
      Jc/tbb wdog
    • TBB: add Trusted Watchdog support on ARM platforms · 7b4c1405
      Juan Castillo authored
      This patch adds watchdog support on ARM platforms (FVP and Juno).
      A secure instance of SP805 is used as Trusted Watchdog. It is
      entirely managed in BL1, being enabled in the early platform setup
      hook and disabled in the exit hook. By default, the watchdog is
      enabled in every build (even when TBB is disabled).
      
      A new ARM platform specific build option `ARM_DISABLE_TRUSTED_WDOG`
      has been introduced to allow the user to disable the watchdog at
      build time. This feature may be used for testing or debugging
      purposes.
      
      Specific error handlers for Juno and FVP are also provided in this
      patch. These handlers will be called after an image load or
      authentication error. On FVP, the Table of Contents (ToC) in the FIP
      is erased. On Juno, the corresponding error code is stored in the
      V2M Non-Volatile flags register. In both cases, the CPU spins until
      a watchdog reset is generated after 256 seconds (as specified in
      the TBBR document).
      
      Change-Id: I9ca11dcb0fe15af5dbc5407ab3cf05add962f4b4
    • TBB: add ARM OIDs · bf6863c6
      Juan Castillo authored
      This patch adds ARM specific OIDs which will be used to extract
      the extension data from the certificates. These OIDs are arranged
      as a subtree whose root node has been specifically allocated for
      ARM Ltd.
      
          { iso(1) identified-organization(3) dod(6) internet(1)
            private(4) enterprise(1) 4128 }
      
      Change-Id: Ice20b3c8a31ddefe9102f3bd42f7429986f3ac34
  3. 01 Dec, 2015 3 commits
  4. 27 Nov, 2015 3 commits
    • Fix TZC-400 peripheral detection · 609ebce4
      Vikram Kanigiri authored
      The TZC-400 driver implementation incorrectly uses the component
      ID registers to detect the TZC-400 peripheral. As all ARM
      peripherals share the same component ID, it doesn't allow to
      uniquely identify the TZC-400 peripheral. This patch fixes the
      TZC-400 driver by relying on the `part_number_0` and
      `part_number_1` fields in the `PID` registers instead.
      The `tzc_read_component_id` function has been replaced by
      `tzc_read_peripheral_id`, which reads the 'part_number' values
      and compares them with the TZC-400 peripheral ID.
      
      Also, it adds a debug assertion to detect when the TZC driver
      initialisation function is called multiple times.
      
      Change-Id: I35949f6501a51c0a794144cd1c3a6db62440dce6
    • Add a simple ARM SP805 watchdog driver · 38041973
      Juan Castillo authored
      Based on SP805 Programmer's model (ARM DDI 0270B). This driver
      provides three public APIs:
      
          void sp805_start(uintptr_t base, unsigned long ticks);
          void sp805_stop(uintptr_t base);
          void sp805_refresh(uintptr_t base, unsigned long ticks);
      
      Upon start, the watchdog starts counting down from the number of
      ticks specified. When the count reaches 0 an interrupt is triggered.
      The watchdog restarts counting down from the number of ticks
      specified. If the count reaches 0 again, the system is reset. A
      mechanism to handle the interrupt has not been implemented. Instead,
      the API to refresh the watchdog should be used to prevent a
      system reset.
      
      Change-Id: I799d53f8d1213b10b341a4a67fde6486e89a3dab
    • Add basic NOR flash driver for ARM platforms · 9784dbda
      Juan Castillo authored
      FVP and Juno platforms include a NOR flash memory to store and
      load the FIP, the kernel or a ramdisk. This NOR flash is arranged
      as 2 x 16 bit flash devices and can be programmed using CFI
      standard commands.
      
      This patch provides a basic API to write single 32 bit words of
      data into the NOR flash. Functions to lock/unlock blocks against
      erase or write operations are also provided.
      
      Change-Id: I1da7ad3105b1ea409c976adc863954787cbd90d2
  5. 26 Nov, 2015 14 commits
    • User Guide: Remove reference to porting guide · dc2d4038
      Sandrine Bailleux authored
      The implications of the 'PROGRAMMABLE_RESET_ADDRESS' build option on
      the platform porting layer are simple enough to be described in the
      User Guide directly. This patch removes the reference to the Porting
      Guide.
      
      Change-Id: I7f753b18abd20effc4fd30836609e1fd51d9221d
    • Introduce COLD_BOOT_SINGLE_CPU build option · a9bec67d
      Sandrine Bailleux authored
      This patch introduces a new build option named COLD_BOOT_SINGLE_CPU,
      which allows platforms that only release a single CPU out of reset to
      slightly optimise their cold boot code, both in terms of code size
      and performance.
      
      COLD_BOOT_SINGLE_CPU defaults to 0, which assumes that the platform
      may release several CPUs out of reset. In this case, the cold reset
      code needs to coordinate all CPUs via the usual primary/secondary
      CPU distinction.
      
      If a platform guarantees that only a single CPU will ever be released
      out of reset, there is no need to arbitrate execution; the notion of
      primary and secondary CPUs itself no longer exists. Such platforms
      may set COLD_BOOT_SINGLE_CPU to 1 in order to compile out the
      primary/secondary CPU identification in the cold reset code.
      
      All ARM standard platforms can release several CPUs out of reset
      so they use COLD_BOOT_SINGLE_CPU=0. However, on CSS platforms like
      Juno, bringing up more than one CPU at reset should only be attempted
      when booting an EL3 payload, as it is not fully supported in the
      normal boot flow.
      
      For platforms using COLD_BOOT_SINGLE_CPU=1, the following 2 platform
      APIs become optional:
        - plat_secondary_cold_boot_setup();
        - plat_is_my_cpu_primary().
      The Porting Guide has been updated to reflect that.
      
      User Guide updated as well.
      
      Change-Id: Ic5b474e61b7aec1377d1e0b6925d17dfc376c46b
    • Document the EL3 payload support · aba2f1e0
      Sandrine Bailleux authored
       - Document the new build option EL3_PAYLOAD_BASE
      
       - Document the EL3 payload boot flow
      
       - Document the FVP model parameters to boot an EL3 payload
      
      Change-Id: Ie6535914a9a68626e4401659bee4fcfd53d4bd37
    • FVP: Do not power off secondary CPUs when booting an EL3 payload · cdf14088
      Sandrine Bailleux authored
      Normally, in the FVP port, secondary CPUs are immediately powered
      down if they are powered on at reset. However, when booting an EL3
      payload, we need to keep them powered on as the requirement is for
      all CPUs to enter the EL3 payload image. This patch puts them in a
      holding pen instead of powering them off.
      
      Change-Id: I6526a88b907a0ddb820bead72f1d350a99b1692c
    • CSS: Put secondary CPUs in a pen when booting an EL3 payload · 2bc42067
      Sandrine Bailleux authored
      By default, only the primary CPU is powered on by SCP on CSS
      platforms. Secondary CPUs are then powered on later using PSCI
      calls.
      
      However, it is possible to power on more than one CPU at boot time
      using platform specific settings. In this case, several CPUs will
      enter the Trusted Firmware and execute the cold boot path code.
      This is currently not supported and secondary CPUs will panic.
      
      This patch preserves this behaviour in the normal boot flow.
      However, when booting an EL3 payload, secondary CPUs are now held in
      a pen until their mailbox is populated, at which point they jump to
      this address. Note that, since all CPUs share the same mailbox, they
      will all be released from their holding pen at the same time and the
      EL3 payload is responsible to arbitrate execution between CPUs if
      required.
      
      Change-Id: I83737e0c9f15ca5e73afbed2e9c761bc580735b9
    • CSS: Enable booting of EL3 payloads · 4c117f6c
      Sandrine Bailleux authored
      This patch adds support for booting EL3 payloads on CSS platforms,
      for example Juno. In this scenario, the Trusted Firmware follows
      its normal boot flow up to the point where it would normally pass
      control to the BL31 image. At this point, it jumps to the EL3
      payload entry point address instead.
      
      Before handing over to the EL3 payload, the data SCP writes for AP
      at the beginning of the Trusted SRAM is restored, i.e. we zero the
      first 128 bytes and restore the SCP Boot configuration. The latter
      is saved before transferring the BL30 image to SCP and is restored
      just after the transfer (in BL2). The goal is to make it appear that
      the EL3 payload is the first piece of software to run on the target.
      
      The BL31 entrypoint info structure is updated to make the primary
      CPU jump to the EL3 payload instead of the BL31 image.
      
      The mailbox is populated with the EL3 payload entrypoint address,
      which releases the secondary CPUs out of their holding pen (if the
      SCP has powered them on). The arm_program_trusted_mailbox() function
      has been exported for this purpose.
      
      The TZC-400 configuration in BL2 is simplified: it grants secure
      access only to the whole DRAM. Other security initialization is
      unchanged.
      
      This alternative boot flow is disabled by default. A new build option
      EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
      payload's entry point address. The build system has been modified
      such that BL31 and BL33 are not compiled and/or not put in the FIP in
      this case, as those images are not used in this boot flow.
      
      Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077
    • Pass the entry point info to bl1_plat_prepare_exit() · 862b5dc2
      Sandrine Bailleux authored
      This patch modifies the prototype of the bl1_plat_prepare_exit()
      platform API to pass the address of the entry point info structure
      received from BL2. The structure contains information that can be
      useful, depending on the kind of clean up or bookkeeping operations
      to perform.
      
      The weak implementation of this function ignores this argument to
      preserve platform backwards compatibility.
      
      NOTE: THIS PATCH MAY BREAK PLATFORM PORTS THAT ARE RELYING ON THE
      FORMER PROTOTYPE OF THE BL1_PLAT_PREPARE_EXIT() API.
      
      Change-Id: I3fc18f637de06c85719c4ee84c85d6a4572a0fdb
    • Introduce SPIN_ON_BL1_EXIT build flag · 35e8c766
      Sandrine Bailleux authored
      This patch introduces a new build flag, SPIN_ON_BL1_EXIT, which
      puts an infinite loop in BL1. It is intended to help debugging
      the post-BL2 phase of the Trusted Firmware by stopping execution
      in BL1 just before handing over to BL31. At this point, the
      developer may take control of the target using a debugger.
      
      This feature is disabled by default and can be enabled by
      rebuilding BL1 with SPIN_ON_BL1_EXIT=1.
      
      User Guide updated accordingly.
      
      Change-Id: I6b6779d5949c9e5571dd371255520ef1ac39685c
    • Remove the IMF_READ_INTERRUPT_ID build option · 54718418
      Soby Mathew authored
      The IMF_READ_INTERRUPT_ID build option enables a feature where the interrupt
      ID of the highest priority pending interrupt is passed as a parameter to the
      interrupt handler registered for that type of interrupt. This additional read
      of highest pending interrupt id from GIC is problematic as it is possible that
      the original interrupt may get deasserted and another interrupt of different
      type may become the highest pending interrupt. Hence it is safer to prevent
      such behaviour by removing the IMF_READ_INTERRUPT_ID build option.
      
      The `id` parameter of the interrupt handler `interrupt_type_handler_t` is
      now made a reserved parameter with this patch. It will always contain
      INTR_ID_UNAVAILABLE.
      
      Fixes ARM-software/tf-issues#307
      
      Change-Id: I2173aae1dd37edad7ba6bdfb1a99868635fa34de
    • Merge pull request #439 from soby-mathew/sm/new-gic-driver · b39908af
      Achin Gupta authored
      Introduce new GICv3 and GICv2 drivers
    • Deprecate the GIC Legacy driver. · 23a45010
      Soby Mathew authored
      This patch deprecates the legacy ARM GIC driver and related header files
      (arm_gic.h, gic_v2.h, gic_v3.h). For GICv2 systems, platform ports should
      use the GICv2 driver in include/drivers/arm/gicv2.h and for GICv3 systems,
      platform ports should use the GICv3 driver in include/drivers/arm/gicv3.h
      
      NOTE: The ARM Legacy GIC drivers have been deprecated with this patch.
      Platform ports are encouraged to migrate to the new GIC drivers.
      
      Change-Id: Ic0460ef0427b54a6aac476279a7f29b81943e942
    • Add ARM GICv2 driver · 464ce2bb
      Soby Mathew authored
      This patch adds a driver for ARM GICv2 systems, for example GIC-400. Unlike
      the existing GIC driver in `include/drivers/arm/arm_gic.h`, this driver
      is optimised for GICv2 and does not support GICv3 systems in GICv2
      compatibility mode. The driver interface has been implemented in
      `drivers/arm/gic/v2/gicv2_main.c`. The corresponding header is in
      `include/drivers/arm/gicv2.h`. Helper functions are implemented in
      `drivers/arm/gic/v2/gicv2_helpers.c` and are accessible through the
      `drivers/arm/gic/v2/gicv2_private.h` header.
      
      Change-Id: I09fffa4e621fb99ba3c01204839894816cd89a2a
    • Add ARM GICv3 driver without support for legacy operation · df373737
      Achin Gupta authored
      This patch adds a driver for ARM GICv3 systems that need to run software
      stacks where affinity routing is enabled across all privileged exception
      levels for both security states. This driver is a partial implementation
      of the ARM Generic Interrupt Controller Architecture Specification, GIC
      architecture version 3.0 and version 4.0 (ARM IHI 0069A). The driver does
      not cater for legacy support of interrupts and asymmetric configurations.
      
      The existing GIC driver has been preserved unchanged. The common code for
      GICv2 and GICv3 systems has been refactored into a new file,
      `drivers/arm/gic/common/gic_common.c`. The corresponding header is in
      `include/drivers/arm/gic_common.h`.
      
      The driver interface is implemented in `drivers/arm/gic/v3/gicv3_main.c`.
      The corresponding header is in `include/drivers/arm/gicv3.h`. Helper
      functions are implemented in `drivers/arm/gic/v3/arm_gicv3_helpers.c`
      and are accessible through the `drivers/arm/gic/v3/gicv3_private.h`
      header.
      
      Change-Id: I8c3c834a1d049d05b776b4dcb76b18ccb927444a
    • Merge pull request #438 from soby-mathew/sm/error_deprecate · 5b33041c
      Achin Gupta authored
      Replace build macro WARN_DEPRECATED with ERROR_DEPRECATED
  6. 24 Nov, 2015 1 commit
    • Replace build macro WARN_DEPRECATED with ERROR_DEPRECATED · 7a24cba5
      Soby Mathew authored
      This patch changes the build time behaviour when using deprecated API within
      Trusted Firmware. Previously the use of deprecated APIs would only trigger a
      build warning (which was always treated as a build error), when
      WARN_DEPRECATED = 1. Now, the use of deprecated C declarations will always
      trigger a build time warning. Whether this warning is treated as error or not
      is determined by the build flag ERROR_DEPRECATED which is disabled by default.
      When the build flag ERROR_DEPRECATED=1, the invocation of deprecated API or
      inclusion of deprecated headers will result in a build error.
      
      Also the deprecated context management helpers in context_mgmt.c are now
      conditionally compiled depending on the value of ERROR_DEPRECATED flag
      so that the APIs themselves do not result in a build error when the
      ERROR_DEPRECATED flag is set.
      
      NOTE: Build systems that use the macro WARN_DEPRECATED must migrate to
      using ERROR_DEPRECATED, otherwise deprecated API usage will no longer
      trigger a build error.
      
      Change-Id: I843bceef6bde979af7e9b51dddf861035ec7965a
  7. 19 Nov, 2015 5 commits
  8. 17 Nov, 2015 1 commit
    • Fix build error when `BL32` is not defined · 70d1fc53
      Juan Castillo authored
      If an SPD wants to use a prebuilt binary as BL32 image (for example,
      the OPTEE Dispatcher), it must point the `BL32` variable to the
      image file. This dependency should apply only to the `fip` target.
      However, it also applies to the `all` target at the moment. If the
      user tries to build all individual TF images using `make all`
      without setting BL32, the build fails. The following command will
      throw the error:
      
          make CROSS_COMPILE=aarch64-linux-gnu- SPD=opteed all
          ...
          ...
          aarch64-linux-gnu-gcc: fatal error: no input files
          compilation terminated.
          make: *** [build/fvp/release/bl32/bl32.ld] Error 1
      
      The reason is that the build system checks if BL32 is defined, and
      if it is not, it will try to build BL32 from source. If the SPD
      makefile does not provide support for that (as is the case of the
      OPTEE Dispatcher, since OPTEE is provided as an external binary),
      the build will fail.
      
      This patch fixes the issue by checking if `BL32_SOURCES` has been
      defined by the SPD before attempting to build BL32 from source.
      If neither `BL32` nor `BL32_SOURCES` is defined when building the
      FIP, a warning message will be printed and the process aborted.
      
      Fixes ARM-software/tf-issues#333
      
      Change-Id: I5e801ad333103ed9b042e5c4757424c8df2ff6e4
  9. 13 Nov, 2015 2 commits
    • Add missing RES1 bit in SCTLR_EL1 · 6cd12daa
      Vikram Kanigiri authored
      As per Section D7.2.81 in the ARMv8-A Reference Manual (DDI0487A Issue A.h),
      bits[29:28], bits[23:22], bit[20] and bit[11] in the SCTLR_EL1 are RES1. This
      patch adds the missing bit[20] to the SCTLR_EL1_RES1 macro.
      
      Change-Id: I827982fa2856d04def6b22d8200a79fe6922a28e
    • Add NULL pointer check before reading BL32 entry point information · 5ea8aa72
      Juan Castillo authored
      BL2 is responsible for loading BL32 and passing a pointer to the
      BL32 entrypoint info to BL31 in the BL31 parameters. If no BL32
      image is loaded, a NULL pointer is passed. The platform is
      responsible for accessing BL31 parameters and extracting the
      corresponding BL32 EP info.
      
      In ARM platforms, arm_bl31_early_platform_setup() dereferences the
      pointer to the BL32 EP info without checking first if the pointer
      is NULL. This will cause an exception if a BL32 entrypoint has not
      been populated by BL2. FVP and Juno are not affected because they
      always define BL32_BASE, irrespective of whether a BL32 image is
      included in the FIP or not.
      
      This patch fixes the issue by checking the BL32 ep_info pointer
      before trying to access the data.
      
      If `RESET_TO_BL31` is enabled, the BL32 entrypoint is not
      populated if BL32_BASE is not defined.
      
      NOTE: Maintainers of partner platforms should check for this issue
      in their ports.
      
      Fixes ARM-software/tf-issues#320
      
      Change-Id: I31456155503f2765766e8b7cd30ab4a40958fb96
  10. 11 Nov, 2015 2 commits
  11. 10 Nov, 2015 1 commit