1. 21 Mar, 2018 1 commit
  2. 14 Mar, 2018 1 commit
    • Dimitris Papastamos's avatar
      Fixup `SMCCC_ARCH_FEATURES` semantics · a205a56e
      Dimitris Papastamos authored
      
      
      When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`,
      return either:
        * -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called
          requires firmware mitigation for CVE-2017-5715 but the mitigation
          is not compiled in.
        * 0 to indicate that firmware mitigation is required, or
        * 1 to indicate that no firmware mitigation is required.
      
      This patch complies with v1.2 of the firmware interfaces
      specification (ARM DEN 0070A).
      
      Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a205a56e
  3. 02 Mar, 2018 1 commit
  4. 01 Mar, 2018 3 commits
  5. 28 Feb, 2018 1 commit
  6. 27 Feb, 2018 2 commits
    • Jeenu Viswambharan's avatar
      TSPD: Register preempted SMC error code with EHF · 472be0f7
      Jeenu Viswambharan authored
      
      
      An earlier patch extended ehf_allow_ns_preemption() API to also register
      an error code to offer to Non-secure when a Yielding SMC is preempted by
      SDEI interrupt. In TSPD's case, register the error code TSP_PREEMPTED.
      
      Change-Id: I31992b6651f80694e83bc5092b044ef7a3eda690
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      472be0f7
    • Jeenu Viswambharan's avatar
      SDEI: Pop dispatch context only after error checking · 8e3032f9
      Jeenu Viswambharan authored
      
      
      Currently, when the client attempts to do SDEI_EVENT_COMPLETE or
      SDEI_EVENT_COMPLETE_AND_RESUME, the dispatcher pops off the outstanding
      dispatch context for sanity check. There are however other checks
      following this, which could potentially return failure. If that happens,
      by popping the context, the dispatcher has inadvertently discarded a
      valid context.
      
      This patch fixes this bug by inspecting (not actually popping) the
      outstanding context. The context is popped only after all error checks
      are completed.
      
      Change-Id: Ie199f6442f871a8177a8247a0c646543bad76d21
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      8e3032f9
  7. 22 Feb, 2018 1 commit
  8. 21 Feb, 2018 1 commit
  9. 14 Feb, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Remove URLs from comments · fb1198b1
      Antonio Nino Diaz authored
      
      
      This fixes all defects according to MISRA Rule 3.1: "The character
      sequences /* and // shall not be used within a comment". This affects
      all URLs in comments, so they have been removed:
      
      - The link in `sdei_state.c` can also be found in the documentation file
        `docs/sdei.rst`.
      
      - The bug that the file `io_fip.c` talks about doesn't affect the
        currently supported version of GCC, so it doesn't make sense to keep
        the comment. Note that the version of GCC officially supported is the
        one that comes with Linaro Release 17.10, which is GCC 6.2.
      
      - The link in `tzc400.c` was broken, and it didn't correctly direct to
        the Technical Reference Manual it should. The link has been replaced
        by the title of the document, which is more convenient when looking
        for the document.
      
      Change-Id: I89f60c25f635fd4c008a5d3a14028f814c147bbe
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      fb1198b1
  10. 06 Feb, 2018 2 commits
    • Jeenu Viswambharan's avatar
      TSPD: Require NS preemption along with EL3 exception handling · 6027796f
      Jeenu Viswambharan authored
      
      
      At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
      Non-secure interrupt affects TSPs execution. When TSP is executing:
      
        1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
           at the TSP's exception vector, and TSP voluntarily preempts itself.
      
        2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
           trap to EL3, which preempts TSP execution.
      
      When EL3 exception handling is in place (i.e.,
      EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
      with GICv3, pending NS interrupts while TSP is executing will be
      signalled as FIQ (which traps to EL3). This situation necessitates the
      same treatment applied to case (2) above.
      
      Therefore, when EL3 exception handling is in place, additionally
      require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.
      
      Strictly speaking, this is not required on a system with GICv2, but the
      same model is uniformly followed regardless, for simplicity.
      
      Relevant documentation updated.
      
      Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      6027796f
    • Jeenu Viswambharan's avatar
      TSPD: Explicitly allow NS preemption for Yielding SMCs · 1dd022ca
      Jeenu Viswambharan authored
      
      
      When EL3 exception handling is in effect (i.e.,
      EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure
      execution. However, for yielding SMCs, preemption by Non-secure
      interupts is intended.
      
      This patch therefore adds a call to ehf_allow_ns_preemption() before
      dispatching a Yielding SMC to TSP.
      
      Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      1dd022ca
  11. 01 Feb, 2018 1 commit
  12. 29 Jan, 2018 1 commit
  13. 25 Jan, 2018 5 commits
  14. 10 Jan, 2018 1 commit
  15. 09 Jan, 2018 1 commit
  16. 08 Jan, 2018 2 commits
  17. 12 Dec, 2017 1 commit
    • Sandrine Bailleux's avatar
      SPM: Fix MM_COMMUNICATE_AARCH32/64 parameters · 4d2787ce
      Sandrine Bailleux authored
      This partially reverts commit d6b532b5
      
      , keeping only the fixes to
      the assertions. The changes related to the order of arguments passed
      to the secure partition were not correct and violated the
      specification of the SP_EVENT_COMPLETE SMC.
      
      This patch also improves the MM_COMMUNICATE argument validation.  The
      cookie argument, as it comes from normal world, can't be trusted and thus
      needs to always be validated at run time rather than using an assertion.
      
      Also validate the communication buffer address and return
      INVALID_PARAMETER if it is zero, as per the MM specification.
      
      Fix a few typos in comments and use the "secure partition" terminology
      rather than "secure payload".
      
      Change-Id: Ice6b7b5494b729dd44611f9a93d362c55ab244f7
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      4d2787ce
  18. 06 Dec, 2017 3 commits
  19. 05 Dec, 2017 2 commits
  20. 20 Nov, 2017 2 commits
  21. 15 Nov, 2017 2 commits
  22. 13 Nov, 2017 3 commits
  23. 10 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Fix pointer to MP info in boot info struct · ff7d0805
      Antonio Nino Diaz authored
      
      
      The MP info struct is placed right after the boot info struct. However,
      when calculating the address of the MP info, the size of the boot info
      struct was being multiplied by the size of the MP boot info. This left
      a big gap of empty space between the structs.
      
      This didn't break any code because the boot info struct has a pointer to
      the MP info struct. It was just wasting space.
      
      Change-Id: I1668e3540d9173261968f6740623549000bd48db
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ff7d0805
  24. 08 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored
      
      
      A Secure Partition is a software execution environment instantiated in
      S-EL0 that can be used to implement simple management and security
      services. Since S-EL0 is an unprivileged exception level, a Secure
      Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
      granted access to system and processor resources. Essentially, it is a
      software sandbox that runs under the control of privileged software in
      the Secure World and accesses the following system resources:
      
      - Memory and device regions in the system address map.
      - PE system registers.
      - A range of asynchronous exceptions e.g. interrupts.
      - A range of synchronous exceptions e.g. SMC function identifiers.
      
      A Secure Partition enables privileged firmware to implement only the
      absolutely essential secure services in EL3 and instantiate the rest in
      a partition. Since the partition executes in S-EL0, its implementation
      cannot be overly complex.
      
      The component in ARM Trusted Firmware responsible for managing a Secure
      Partition is called the Secure Partition Manager (SPM). The SPM is
      responsible for the following:
      
      - Validating and allocating resources requested by a Secure Partition.
      - Implementing a well defined interface that is used for initialising a
        Secure Partition.
      - Implementing a well defined interface that is used by the normal world
        and other secure services for accessing the services exported by a
        Secure Partition.
      - Implementing a well defined interface that is used by a Secure
        Partition to fulfil service requests.
      - Instantiating the software execution environment required by a Secure
        Partition to fulfil a service request.
      
      Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228