GitLab

T210 is the latest chip in the Tegra family of SoCs from NVIDIA. It is an
ARM v8 dual-cluster (A57/A53) SoC, with any one of the clusters being active
at a given point in time.

This patch adds support to boot the Trusted Firmware on T210 SoCs. The patch
also adds support to boot secondary CPUs, enter/exit core power states for
all CPUs in the slow/fast clusters. The support to switch between clusters
is still not available in this patch and would be available later.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

There has been a breaking change in the communication protocols used
between the AP cores and the SCP on CSS based platforms like Juno.
This means both the AP Trusted Firmware and SCP firmware must be
updated at the same time.

In case the user forgets to update the SCP ROM firmware, this patch
detects when it still uses the previous version of the communication
protocol. It will then output a comprehensive error message that helps
trouble-shoot the issue.

Change-Id: I7baf8f05ec0b7d8df25e0ee53df61fe7be0207c2

The communication protocol used between the AP cores and the SCP
in CSS-based platforms like Juno has undergone a number of changes.
This patch makes the required modifications to the SCP Boot Protocol,
SCPI Protocol and MHU driver code in shared CSS platform code so that
the AP cores are still able to communicate with the SCP.

This patch focuses on the mandatory changes to make it work. The
design of this code needs to be improved but this will come in
a subsequent patch.

The main changes are:

 - MHU communication protocol

   - The command ID and payload size are no longer written into the
     MHU registers directly. Instead, they are stored in the payload
     area. The MHU registers are now used only as a doorbell to kick
     off messages. Same goes for any command result, the AP has to
     pick it up from the payload area.

 - SCP Boot Protocol

   - The BL3-0 image is now expected to embed a checksum. This
     checksum must be passed to the SCP, which uses it to check the
     integrity of the image it received.

   - The BL3-0 image used to be transferred a block (4KB)
     at a time. The SCP now supports receiving up to 128KB at a
     time, which is more than the size of the BL3-0 image.
     Therefore, the image is now sent in one go.

   - The command IDs have changed.

 - SCPI Protocol

   - The size of the SCPI payload has been reduced down from 512
     bytes to 256 bytes. This changes the base address of the
     AP-to-SCP payload area.

   - For commands that have a response, the response is the same SCPI
     header that was sent, except for the size and the status, which
     both must be updated appropriately. Success/Failure of a command
     is determined by looking at the updated status code.

   - Some command IDs have changed.

NOTE: THIS PATCH BREAKS COMPATIBILITY WITH FORMER VERSIONS OF THE SCP
FIRMWARE AND THUS REQUIRES AN UPDATE OF THIS BINARY. THE LATEST SCP
BINARY CAN BE OBTAINED FROM THE ARM CONNECTED COMMUNITY WEBSITE.

Change-Id: Ia5f6b95fe32401ee04a3805035748e8ef6718da7

Move the Juno port from plat/juno to plat/arm/board/juno. Also rename
some of the files so they are consistently prefixed with juno_.
Update the platform makefiles accordingly.

Change-Id: I0af6cb52a5fee7ef209107a1188b76a3c33a2a9f

Major update to the Juno platform port to use the common platform code
in (include/)plat/arm/* and (include/)plat/common/*. This mainly
consists of removing duplicated code but also introduces some small
behavioural changes where there was unnecessary variation between the
FVP and Juno ports. See earlier commit titled `Add common ARM and CSS
platform code` for details.

Also move the ARM SoC specific security setup (i.e. NIC-400 and PCIe
initialization) from BL1 to `plat_arm_security_setup()` in BL2,
where the other security setup is done.

Change-Id: Ic9fe01bae8ed382bfb04fc5839a4cfff332eb124

Move the FVP port from plat/fvp to plat/arm/board/fvp. Also rename
some of the files so they are consistently prefixed with fvp_.
Update the platform makefiles accordingly.

Change-Id: I7569affc3127d66405f1548fc81b878a858e61b7

Major update to the FVP platform port to use the common platform code
in (include/)plat/arm/* and (include/)plat/common/*. This mainly
consists of removing duplicated code but also introduces some small
behavioural changes where there was unnecessary variation between the
FVP and Juno ports. See earlier commit titled `Add common ARM and CSS
platform code` for details.

Also add support for Foundation FVP version 9.1 during FVP config
setup to prevent a warning being emitted in the console.

Change-Id: I254ca854987642ce09d1b924c9fd410a6e13e3bc

This major change pulls out the common functionality from the
FVP and Juno platform ports into the following categories:

*   (include/)plat/common. Common platform porting functionality that
typically may be used by all platforms.

*   (include/)plat/arm/common. Common platform porting functionality
that may be used by all ARM standard platforms. This includes all
ARM development platforms like FVP and Juno but may also include
non-ARM-owned platforms.

*   (include/)plat/arm/board/common. Common platform porting
functionality for ARM development platforms at the board
(off SoC) level.

*   (include/)plat/arm/css/common. Common platform porting
functionality at the ARM Compute SubSystem (CSS) level. Juno
is an example of a CSS-based platform.

*   (include/)plat/arm/soc/common. Common platform porting
functionality at the ARM SoC level, which is not already defined
at the ARM CSS level.

No guarantees are made about the backward compatibility of
functionality provided in (include/)plat/arm.

Also remove any unnecessary variation between the ARM development
platform ports, including:

*   Unify the way BL2 passes `bl31_params_t` to BL3-1. Use the
Juno implementation, which copies the information from BL2 memory
instead of expecting it to persist in shared memory.

*   Unify the TZC configuration. There is no need to add a region
for SCP in Juno; it's enough to simply not allow any access to
this reserved region. Also set region 0 to provide no access by
default instead of assuming this is the case.

*   Unify the number of memory map regions required for ARM
development platforms, although the actual ranges mapped for each
platform may be different. For the FVP port, this reduces the
mapped peripheral address space.

These latter changes will only be observed when the platform ports
are migrated to use the new common platform code in subsequent
patches.

Change-Id: Id9c269dd3dc6e74533d0e5116fdd826d53946dc8

Some assembly files containing macros are included like header files
into other assembly files. This will cause assembler errors if they
are included multiple times.

Add header guards to assembly macro files to avoid assembler errors.

Change-Id: Ia632e767ed7df7bf507b294982b8d730a6f8fe69

The required platform constant PLATFORM_CACHE_LINE_SIZE is
unnecessary since CACHE_WRITEBACK_GRANULE effectively provides the
same information. CACHE_WRITEBACK_GRANULE is preferred since this
is an architecturally defined term and allows comparison with the
corresponding hardware register value.

Replace all usage of PLATFORM_CACHE_LINE_SIZE with
CACHE_WRITEBACK_GRANULE.

Also, add a runtime assert in BL1 to check that the provided
CACHE_WRITEBACK_GRANULE matches the value provided in CTR_EL0.

Change-Id: If87286be78068424217b9f3689be358356500dcd

In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.

To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.

The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.

Fixes ARM-Software/tf-issues#295

Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
Signed-off-by: Kévin Petit <kevin.petit@arm.com>

For Juno r0, the platform reset handler needs to:
 - Implement the workaround for defect #831273
 - Increase the L2 Data and Tag RAM latencies for Cortex-A57.

Defect #831273 does not affect Juno r1. Also, the default value
for the L2 Tag RAM latency for Cortex-A57 is suitable on Juno r1.
The L2 Data RAM latency for Cortex-A57 still needs to be
increased, though.

This patch modifies the Juno platform reset handler to detect
the board revision and skip the unnecessary steps on Juno r1.
The behaviour on Juno r0 is unchanged.

Change-Id: I27542917223e680ef923ee860900806ffcd0357b

This patch updates the FVP and Juno platform ports to use the common
driver for ARM Cache Coherent Interconnects.

Change-Id: Ib142f456b9b673600592616a2ec99e9b230d6542

This patch defines the ARRAY_SIZE macro for calculating number of elements
in an array and uses it where appropriate.

Change-Id: I72746a9229f0b259323972b498b9a3999731bc9b

Cortex-A57 erratum #806969 applies to revision r0p0 of the CPU
but does not manifest itself on Juno r0. It is not applicable
to Juno r1 in any case.

This patch modifies the Juno platform Makefile to no longer
compile this erratum workaround in.

Change-Id: I32b16835b2ac897e639e869ab2b78b62a51a0139

This patch modifies the declarations of the functions printf() et al.
and adds the right GCC attribute to request the compiler to check
the type of the arguments passed to these functions against the given
format string. This will ensure that the compiler outputs warning
messages like the following whenever it detects an inconsistency:

 file.c:42: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’

It also fixes the type mismatch inconsistencies that it revealed
across the code base.

NOTE: THIS PATCH MAY FORCE PLATFORM PORTS OR SP/SPDS THAT USE THE
PRINTF FAMILY OF FUNCTIONS TO FIX ANY TYPE MISMATCH INCONSISTENCIES.

Change-Id: If36bb54ec7d6dd2cb4791d89b02a24ac13fd2df6

All coding style violations have been fixed in a previous patch and
since then, each individual patch has been checked in this regard.
However, the latest version of the checkpatch.pl script from the Linux
kernel is more advanced and it is able to flag new errors in the
Trusted Firmware codebase. This patch fixes them.

Change-Id: I1f332f2440984be85d36b231bb83260368987077

By default the SMMU for the DMA-330 is configured to mark some stream IDs
as always belonging to the Secure world. As a result, if EL1 software turns
the SMMU on, certain Non-Secure accesses get rewritten as Secure, making
them bypass translation and access Secure physical addresses directly.

Since the current Juno board firmware configures the DMA-330 hardware as
Non-Secure, rewrite the SMMU's default SSD table as well to prevent any
unexpected behaviour in EL1.

Change-Id: Iaa81d883eecf28d80eb182b9ce475684bf9c718c

This patch removes the plat_get_max_afflvl() platform API
and instead replaces it with a platform macro PLATFORM_MAX_AFFLVL.
This is done because the maximum affinity level for a platform
is a static value and it is more efficient for it to be defined
as a platform macro.

NOTE: PLATFORM PORTS NEED TO BE UPDATED ON MERGE OF THIS COMMIT

Fixes ARM-Software/tf-issues#265

Change-Id: I31d89b30c2ccda30d28271154d869060d50df7bf

This patch defines MAX_MMAP_REGIONS separately for each BL stage
as per its requirements. This minimizes the size of the mmap[]
array.

Fixes ARM-Software/tf-issues#201

Change-Id: I19b15e1a91a8365b2ecf24e2cd71937cb73916b2

This patch adds support to authenticate the Trusted Key certificate
and the BL3-x certificates and images at BL2.

Change-Id: I69a8c13a14c8da8b75f93097d3a4576aed71c5dd

This patch moves fvp_io_setup() to bl2_early_platform_setup() in order
to allow BL2 to use the IO framework before bl2_platform_setup().

Change-Id: I75e1a772ab5f9b4727f6727822a2527c30f3c63d

This patch adds support to authenticate the BL2 content certificate
and image using the authentication module in BL1.

The FIP driver has been extended to include the BL2 certificate
UUID.

FVP and Juno ports include the BL2 certificate FIP file
definition.

Change-Id: I32680e9bd123c8db4a4193c14448c9b32b0e9325

This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.

PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).

To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.

Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:

Changes on FVP:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - BL2 memory region has been increased to 112 KB

Changes on Juno:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - Trusted ROM region in Flash has been increased to 128 KB.
  - BL2 memory region has been increased to 116 KB

Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80

This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.

The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).

TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.

For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.

Documentation updated accordingly.

Change-Id: I74ff12bc2b041556c48533375527d9e8c035b8c3

This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.

The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.

Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.

Change-Id: I2734d6808b964a2107ab3a4805110698066a04be

This patch adds support to call the reset_handler() function in BL3-1 in the
cold and warm boot paths when another Boot ROM reset_handler() has already run.

This means the BL1 and BL3-1 versions of the CPU and platform specific reset
handlers may execute different code to each other. This enables a developer to
perform additional actions or undo actions already performed during the first
call of the reset handlers e.g. apply additional errata workarounds.

Typically, the reset handler will be first called from the BL1 Boot ROM. Any
additional functionality can be added to the reset handler when it is called
from BL3-1 resident in RW memory. The constant FIRST_RESET_HANDLER_CALL is used
to identify whether this is the first version of the reset handler code to be
executed or an overridden version of the code.

The Cortex-A57 errata workarounds are applied only if they have not already been
applied.

Fixes ARM-software/tf-issue#275

Change-Id: Id295f106e4fda23d6736debdade2ac7f2a9a9053

This patch allows the secure payload (BL3-2) to be loaded in the
DRAM region secured by the TrustZone controller (top 16 MB of DRAM1).

The location of BL3-2 can be selected at build time by setting the
build flag FVP_TSP_RAM_LOCATION to one of the following options:

  - 'tsram' : Trusted SRAM (this is the default option)
  - 'tdram' : Trusted DRAM
  - 'dram'  : Secure region in DRAM1 (top 16MB configured by the
              TrustZone controller)

The number of MMU tables in BL3-2 depends on its location in
memory: 3 in case it is loaded in DRAM, 2 otherwise.

Documentation updated accordingly.

Fixes ARM-software/tf-issues#212

Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a

This patch allows the platform to validate the power_state and
entrypoint information from the normal world early on in PSCI
calls so that we can return the error safely. New optional
pm_ops hooks `validate_power_state` and `validate_ns_entrypoint`
are introduced to do this.

As a result of these changes, all the other pm_ops handlers except
the PSCI_ON handler are expected to be successful. Also, the PSCI
implementation will now assert if a PSCI API is invoked without the
corresponding pm_ops handler being registered by the platform.

NOTE : PLATFORM PORTS WILL BREAK ON MERGE OF THIS COMMIT. The
pm hooks have 2 additional optional callbacks and the return type
of the other hooks have changed.

Fixes ARM-Software/tf-issues#229

Change-Id: I036bc0cff2349187c7b8b687b9ee0620aa7e24dc

This patch removes the non-secure entry point information being passed
to the platform pm_ops which is not needed. Also, it removes the `mpidr`
parameter for  platform pm hooks which are meant to do power management
operations only on the current cpu.

NOTE: PLATFORM PORTS MUST BE UPDATED AFTER MERGING THIS COMMIT.

Change-Id: If632376a990b7f3b355f910e78771884bf6b12e7

This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.

Fixes ARM-Software/tf-issues#106

Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773

This patch moves the bakery locks out of coherent memory to normal memory.
This implies that the lock information needs to be placed on a separate cache
line for each cpu. Hence the bakery_lock_info_t structure is allocated in the
per-cpu data so as to minimize memory wastage. A similar platform per-cpu
data is introduced for the platform locks.

As a result of the above changes, the bakery lock api is completely changed.
Earlier, a reference to the lock structure was passed to the lock implementation.
Now a unique-id (essentially an index into the per-cpu data array) and an offset
into the per-cpu data for bakery_info_t needs to be passed to the lock
implementation.

Change-Id: I1e76216277448713c6c98b4c2de4fb54198b39e0

This patch maps the non-secure region of DRAM1 in the MMU. The
non-secure region comprises the whole DRAM1 (0x80000000 -
0xffffffff) excluding the top 16 MB (0xff000000 - 0xffffffff).
The TrustZone controller configures this 16 MB region as secure
memory, so it can not be accessed in non-secure mode.

The number of MMU tables in BL2 has been increased to 3 because
the new size of the non-secure region in DRAM requires an extra L2
table.

Change-Id: I5ad080c6e181f6b6060e15cebb1d18b7fa128cf5

This patch allows the BL3-1 NOBITS section to overlap the BL1 R/W
section since the former will always be used after the latter.
Similarly, the BL3-2 NOBITS section can overlay the BL2 image
when BL3-2 is loaded in Trusted SRAM.

Due to the current size of the images, there is no actual overlap.
Nevertheless, this reorganization may help to optimise the Trusted
SRAM usage when the images size grows.

Note that because BL3-1 NOBITS section is allowed to overlap the
BL1 R/W section, BL1 global variables will remain valid only until
execution reaches the BL3-1 entry point during a cold boot.

Documentation updated accordingly.

Fixes ARM-software/tf-issues#254

Change-Id: Id538f4d1c7f1f7858108280fd7b97e138572b879

In both FVP and Juno ports, IRQ #16, which is a PPI, is incorrectly
identified as secure SGI #8 through the constant IRQ_SEC_SGI_8.
This patch removes it.

Fixes ARM-software/tf-issues#282

Change-Id: I9e52d849611ffcd2b1f28e56dd156c5b217ed63e

This patch reassigns the crash console on Juno and FVP to use the runtime
BL3-1 console. The crash console is changed to SoC UART0 (UART2) from the
previous FPGA UART0 (UART0) on Juno. In FVP, it is changed from UART0 to
UART1.

Fixes ARM-software/tf-issues#256

Change-Id: I7df54f86ca00ec2652c27261dd66a94c12610816

This patch replaces the usage of the GIC private driver in Juno with
the generic ARM GIC driver. The private driver is no longer necessary
and has been removed from the Juno port.

Fixes ARM-software/tf-issues#253

Change-Id: I6aaabc252e5e6fb5fcf44ab6d0febd9b38791056

This patch optimizes the Cortex-A57 cluster power down sequence by not
flushing the Level1 data cache. The L1 data cache and the L2 unified
cache are inclusive. A flush of the L2 by set/way flushes any dirty
lines from the L1 as well. This is a known safe deviation from the
Cortex-A57 TRM defined power down sequence. This optimization can be
enabled by the platform through the 'SKIP_A57_L1_FLUSH_PWR_DWN' build
flag. Each Cortex-A57 based platform must make its own decision on
whether to use the optimization.

This patch also renames the cpu-errata-workarounds.md to
cpu-specific-build-macros.md as this facilitates documentation
of both CPU Specific errata and CPU Specific Optimization
build macros.

Change-Id: I299b9fe79e9a7e08e8a0dffb7d345f9a00a71480

This patch deprecates the build option to relocate the shared data
into Trusted DRAM in FVP. After this change, shared data is always
located at the base of Trusted SRAM. This reduces the complexity
of the memory map and the number of combinations in the build
options.

Fixes ARM-software/tf-issues#257

Change-Id: I68426472567b9d8c6d22d8884cb816f6b61bcbd3

This patch adds support on the Juno platform for entering a wfi in
response to a PSCI CPU_SUSPEND call where the state type is a
standby state.

Change-Id: I0a102dee1f8d2ad936c63ad1d1d3ad001a4a4768