Skip to content

GitLab

Switch branch/tag
  1. 25 Jun, 2020 2 commits
  3. 22 Jun, 2020 2 commits
  5. 12 Jun, 2020 2 commits
  7. 09 Jun, 2020 1 commit
    • Varun Wadekar's avatar
      cpus: denver: disable cycle counter when event counting is prohibited · c5c1af0d
      Varun Wadekar authored 
      

The Denver CPUs implement support for PMUv3 for ARMv8.1 and expect the
PMCR_EL0 to be saved in non-secure context.

This patch disables cycle counter when event counting is prohibited
immediately on entering the secure world to avoid leaking useful
information about the PMU counters. The context saving code later
saves the value of PMCR_EL0 to the non-secure world context.

Verified with 'PMU Leakage' test suite.

 ******************************* Summary *******************************
 > Test suite 'PMU Leakage'
                                                                 Passed
 =================================
 Tests Skipped : 2
 Tests Passed  : 2
 Tests Failed  : 0
 Tests Crashed : 0
 Total tests   : 4
 =================================
Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
Change-Id: I3675e2b99b44ed23d86e29a5af1b496e80324875
      c5c1af0d
  9. 08 Jun, 2020 1 commit
    • Manish Pandey's avatar
      cert_create: add SiP owned secure partitions support · 0792dd7d
      Manish Pandey authored 
      

Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.

A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.

Following new options added to cert_tool:
 --sip-sp-cert --> SiP owned Secure Partition Content Certificate
 --sp-pkg1 --> Secure Partition Package1 file
 --sp-pkg2
 .....
 --sp-pkg8

Trusted world key pair is used for signing.

Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
      0792dd7d
  11. 02 Jun, 2020 2 commits
    • Jimmy Brisson's avatar
      Enable ARMv8.6-ECV Self-Synch when booting to EL2 · 29d0ee54
      Jimmy Brisson authored 
      

Enhanced Counter Virtualization, ECV, is an architecture extension introduced
in ARMv8.6. This extension allows the hypervisor, at EL2, to setup
self-synchronizing views of the timers for it's EL1 Guests. This patch pokes the
control register to enable this extension when booting a hypervisor at EL2.

Change-Id: I4e929ecdf400cea17eff1de5cf8704aa7e40973d
Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      29d0ee54
    • Jimmy Brisson's avatar
      Enable ARMv8.6-FGT when booting to EL2 · 110ee433
      Jimmy Brisson authored 
      

The Fine Grained Traps (FGT) architecture extension was added to aarch64 in
ARMv8.6. This extension primarily allows hypervisors, at EL2, to trap specific
instructions in a more fine grained manner, with an enable bit for each
instruction. This patch adds support for this extension by enabling the
extension when booting an hypervisor at EL2.

Change-Id: Idb9013ed118b6a1b7b76287237096de992ca4da3
Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      110ee433
  13. 01 Jun, 2020 2 commits
  15. 26 May, 2020 1 commit
  17. 19 May, 2020 2 commits
    • johpow01's avatar
      Enable v8.6 WFE trap delays · 6cac724d
      johpow01 authored 
      

This patch enables the v8.6 extension to add a delay before WFE traps
are taken. A weak hook plat_arm_set_twedel_scr_el3 has been added in
plat/common/aarch64/plat_common.c that disables this feature by default
but platform-specific code can override it when needed.

The only hook provided sets the TWED fields in SCR_EL3, there are similar
fields in HCR_EL2, SCTLR_EL2, and SCTLR_EL1 to control WFE trap delays in
lower ELs but these should be configured by code running at EL2 and/or EL1
depending on the platform configuration and is outside the scope of TF-A.
Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
Change-Id: I0a9bb814205efeab693a3d0a0623e62144abba2d
      6cac724d
    • Max Shvetsov's avatar
      Fix exception in save/restore of EL2 registers. · 30ee3755
      Max Shvetsov authored 
      

Removing FPEXC32_EL2 from the register save/restore routine for EL2
registers since it is already a part of save/restore routine for
fpregs.
Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
Change-Id: I5ed45fdbf7c8efa8dcfcd96586328d4f6b256bc4
      30ee3755
  19. 14 May, 2020 1 commit
    • Manish V Badarkhe's avatar
      Implement workaround for AT speculative behaviour · 45aecff0
      Manish V Badarkhe authored 
      During context switching from higher EL (EL2 or higher)
to lower EL can cause incorrect translation in TLB due to
speculative execution of AT instruction using out-of-context
translation regime.

Workaround is implemented as below during EL's (EL1 or EL2)
"context_restore" operation:
1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1
   bits for EL1 or EL2 (stage1 and stage2 disabled)
2. Save all system registers except TCR and SCTLR (for EL1 and EL2)
3. Do memory barrier operation (isb) to ensure all
   system register writes are done.
4. Restore TCR and SCTLR registers (for EL1 and EL2)

Errata details are available for various CPUs as below:
Cortex-A76: 1165522
Cortex-A72: 1319367
Cortex-A57: 1319537
Cortex-A55: 1530923
Cortex-A53: 1530924

More details can be found in mail-chain:
https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html



Currently, Workaround is implemented as build option which is default
disabled.
Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0
      45aecff0
  21. 30 Apr, 2020 1 commit
  23. 29 Apr, 2020 1 commit
    • Andre Przywara's avatar
      fdt/wrappers: Replace fdtw_read_cells() implementation · ff4e6c35
      Andre Przywara authored 
      Our fdtw_read_cells() implementation goes to great lengths to
sanity-check every parameter and result, but leaves a big hole open:
The size of the storage the value pointer points at needs to match the
number of cells given. This can't be easily checked at compile time,
since we lose the size information by using a void pointer.
Regardless the current usage of this function is somewhat wrong anyways,
since we use it on single-element, fixed-length properties only, for
which the DT binding specifies the size.
Typically we use those functions dealing with a number of cells in DT
context to deal with *dynamically* sized properties, which depend on
other properties (#size-cells, #clock-cells, ...), to specify the number
of cells needed.

Another problem with the current implementation is the use of
ambiguously sized types (uintptr_t, size_t) together with a certain
expectation about their size. In general there is no relation between
the length of a DT property and the bitness of the code that parses the
DTB: AArch64 code could encounter 32-bit addresses (where the physical
address space is limited to 4GB [1]), while AArch32 code could read
64-bit sized properties (/memory nodes on LPAE systems, [2]).

To make this more clear, fix the potential issues and also align more
with other DT users (Linux and U-Boot), introduce functions to explicitly
read uint32 and uint64 properties. As the other DT consumers, we do this
based on the generic "read array" function.
Convert all users to use either of those two new functions, and make
sure we never use a pointer to anything other than uint32_t or uint64_t
variables directly.

This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
4 bytes into a uint16_t variable (passed via a void pointer).

Also we change the implementation of the function to better align with
other libfdt users, by using the right types (fdt32_t) and common
variable names (*prop, prop_names).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts



Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      ff4e6c35
  25. 07 Apr, 2020 2 commits
    • Julius Werner's avatar
      coreboot: Add memory range parsing · 579d1e90
      Julius Werner authored 
      

This patch adds code to parse memory range information passed by
coreboot, and a simple helper to test whether a specific address belongs
to a range. This may be useful for coreboot-using platforms that need to
know information about the system's memory layout (e.g. to check whether
an address passed in via SMC targets valid DRAM).
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
Change-Id: I3bea326c426db27d1a8b7d6e17418e4850e884b4
      579d1e90
    • Masahiro Yamada's avatar
      locks: bakery: use is_dcache_enabled() helper · 11504163
      Masahiro Yamada authored 
      

bakery_lock_normal.c uses the raw register accessor, read_sctlr(_el3)
to check whether the dcache is enabled.

Using is_dcache_enabled() is cleaner, and a good abstraction for
the library code like this.

A problem is is_dcache_enabled() is declared in the local header,
lib/xlat_tables_v2/xlat_tables_private.h

I searched for a good place to declare this helper. Moving it to
arch_helpers.h, closed to cache operation helpers, looks good enough
to me.

I also changed the type of 'is_cached' to bool for consistency,
and to avoid MISRA warnings.

Change-Id: I9b016f67bc8eade25c316aa9c0db0fa4cd375b79
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      11504163
  27. 03 Apr, 2020 2 commits
    • Pramod Kumar's avatar
      xlat lib v2: Add support to pass shareability attribute for normal memory region · 06aca857
      Pramod Kumar authored 
      

Present framework restricts platform to pass desired shareability attribute
for normal memory region mapped in MMU. it defaults to inner shareability.

There are platforms where memories (like SRAM) are not placed at snoopable
region in advaned interconnect like CCN/CMN hence snoopable transaction is
not possible to these memory. Though These memories could be mapped in MMU
as MT_NON_CACHEABLE, data caches benefits won't be available.

If these memories are mapped as cacheable with non-shareable attribute,
when only one core is running like at boot time, MMU data cached could be
used for faster execution. Hence adding support to pass the shareability
attribute for memory regions.
Signed-off-by: default avatarPramod Kumar <pramod.kumar@broadcom.com>
Change-Id: I678cb50120a28dae4aa9d1896e8faf1dd5cf1754
      06aca857
    • Masahiro Yamada's avatar
      xlat_tables_v2: use get_current_el_maybe_constant() in is_dcache_enabled() · 3cde15fa
      Masahiro Yamada authored 
      

Using get_current_el_maybe_constant() produces more optimized code
because in most cases, we know the exception level at build-time.
For example, BL31 runs at EL3, so unneeded code will be trimmed.

[before]

0000000000000000 <is_dcache_enabled>:
   0:   d5384240        mrs     x0, currentel
   4:   53020c00        ubfx    w0, w0, #2, #2
   8:   7100041f        cmp     w0, #0x1
   c:   54000081        b.ne    1c <is_dcache_enabled+0x1c>  // b.any
  10:   d5381000        mrs     x0, sctlr_el1
  14:   53020800        ubfx    w0, w0, #2, #1
  18:   d65f03c0        ret
  1c:   7100081f        cmp     w0, #0x2
  20:   54000061        b.ne    2c <is_dcache_enabled+0x2c>  // b.any
  24:   d53c1000        mrs     x0, sctlr_el2
  28:   17fffffb        b       14 <is_dcache_enabled+0x14>
  2c:   d53e1000        mrs     x0, sctlr_el3
  30:   17fffff9        b       14 <is_dcache_enabled+0x14>

[after]

0000000000000000 <is_dcache_enabled>:
   0:   d53e1000        mrs     x0, sctlr_el3
   4:   53020800        ubfx    w0, w0, #2, #1
   8:   d65f03c0        ret

Change-Id: I3698fae9b517022ff9fbfd4cad3a320c6e137e10
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3cde15fa
  29. 02 Apr, 2020 1 commit
    • Masahiro Yamada's avatar
      xlat_tables_v2: fix assembler warning of PLAT_RO_XLAT_TABLES · 268131c2
      Masahiro Yamada authored 
      

If PLAT_RO_XLAT_TABLES is defined, the base xlat table goes to the
.rodata section instead of .bss section.

This causes a warning like:

/tmp/ccswitLr.s: Assembler messages:
/tmp/ccswitLr.s:297: Warning: setting incorrect section attributes for .rodata

It is practically no problem, but I want to keep the build log clean.

Put the base table into the "base_xlat_table" section to suppress the
assembler warnings.

The linker script determines its final destination; rodata section if
PLAT_RO_XLAT_TABLES=1, or bss section otherwise. So, the result is the
same.

Change-Id: Ic85d1d2dddd9b5339289fc2378cbcb21dd7db02e
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      268131c2
  31. 31 Mar, 2020 2 commits
    • Masahiro Yamada's avatar
      fconf: exclude fconf_dyn_cfg_getter.c from BL1_SOURCES · c452ba15
      Masahiro Yamada authored 
      

fconf_dyn_cfg_getter.c calls FCONF_REGISTER_POPULATOR(), which populates
the fconf_populator structure.

However, bl1/bl1.ld.S does not have:

        __FCONF_POPULATOR_START__ = .;
        KEEP(*(.fconf_populator))
        __FCONF_POPULATOR_END__ = .;

So, this is not linked to bl1.elf

We could change either bl1/bl1.lds.S or lib/fconf/fconf.mk to make
them consistent.

I chose to fix up fconf.mk to keep the current behavior.

This is a groundwork to factor out the common code from linker scripts.

Change-Id: I07b7ad4db4ec77b57acf1588fffd0b06306d7293
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      c452ba15
    • Masahiro Yamada's avatar
      xlat_tables_v2: add enable_mmu() · f5547735
      Masahiro Yamada authored 
      

enable_mmu_* has a different function name, so it is not handy in the
shared code. enable_mmu() calls an appropriate one depending on the
exception level.

Change-Id: I0657968bfcb91c32733f75f9259f550a5c35b1c3
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      f5547735
  33. 27 Mar, 2020 1 commit
  35. 20 Mar, 2020 1 commit
  37. 16 Mar, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Clean Arm IO · a6de824f
      Louis Mayencourt authored 
      

Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
removes the duplicate io_policies and functions definition.

This patch:
- replace arm_io_storage.c with the content of arm_fconf_io_storage.c
- rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
- use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
- propagate DEFINES when parsing dts.
- use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
- set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
  of fvp stays the same as it was before the introduction of fconf.

Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      a6de824f
  39. 11 Mar, 2020 2 commits
    • Madhukar Pappireddy's avatar
      fconf: enhancements to firmware configuration framework · 25d740c4
      Madhukar Pappireddy authored 
      

A populate() function essentially captures the value of a property,
defined by a platform, into a fconf related c structure. Such a
callback is usually platform specific and is associated to a specific
configuration source.
For example, a populate() function which captures the hardware topology
of the platform can only parse HW_CONFIG DTB. Hence each populator
function must be registered with a specific 'config_type' identifier.
It broadly represents a logical grouping of configuration properties
which is usually a device tree source file.

Example:
> TB_FW: properties related to trusted firmware such as IO policies,
	 base address of other DTBs, mbedtls heap info etc.
> HW_CONFIG: properties related to hardware configuration of the SoC
	 such as topology, GIC controller, PSCI hooks, CPU ID etc.

This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
to register and invoke the appropriate callbacks selectively based on
configuration type.

Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      25d740c4
    • Masahiro Yamada's avatar
      xlat_tables_v2: merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE} · 363830df
      Masahiro Yamada authored 
      

xlat_tables_v2_helpers.h defines two quite similar macros,
REGISTER_XLAT_CONTEXT_FULL_SPEC and REGISTER_XLAT_CONTEXT_RO_BASE_TABLE.

Only the difference is the section of _ctx_name##_base_xlat_table.

Parameterize it and unify these two macros.

The base xlat table goes into the .bss section by default.
If PLAT_RO_XLAT_TABLES is defined, it goes into the .rodata section.

Change-Id: I8b02f4da98f0c272e348a200cebd89f479099c55
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      363830df
  41. 09 Mar, 2020 1 commit
  43. 06 Mar, 2020 1 commit
    • Varun Wadekar's avatar
      locks: bakery: add a DMB to the 'read_cache_op' macro · d439cea9
      Varun Wadekar authored 
      

ARM has a weak memory ordering model. This means that without
explicit barriers, memory accesses can be observed differently
than program order. In this case, the cache invalidate instruction
can be observed after the subsequent read to address.

To solve this, a DMB instruction is required between the cache
invalidate and the read. This ensures that the cache invalidate
completes before all memory accesses in program order after the DMB.

This patch updates the 'read_cache_op' macro to issue a DMB after
the cache invalidate instruction to fix this anomaly.

Change-Id: Iac9a90d228c57ba8bcdca7e409ea6719546ab441
Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      d439cea9
  45. 03 Mar, 2020 1 commit
    • Max Shvetsov's avatar
      SPMD: Adds partially supported EL2 registers. · 2825946e
      Max Shvetsov authored 
      

This patch adds EL2 registers that are supported up to ARMv8.6.
ARM_ARCH_MINOR has to specified to enable save/restore routine.

Note: Following registers are still not covered in save/restore.
 * AMEVCNTVOFF0<n>_EL2
 * AMEVCNTVOFF1<n>_EL2
 * ICH_AP0R<n>_EL2
 * ICH_AP1R<n>_EL2
 * ICH_LR<n>_EL2

Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
      2825946e
  47. 02 Mar, 2020 1 commit
  49. 25 Feb, 2020 1 commit
    • Andre Przywara's avatar
      coreboot: Use generic base address · e21a788e
      Andre Przywara authored 
      

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location for the coreboot memory console.
This removes the base member from the coreboot specific data structure,
but keeps the struct console_cbmc_t and its size member.

Change-Id: I7f1dffd41392ba3fe5c07090aea761a42313fb5b
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      e21a788e
  51. 24 Feb, 2020 1 commit
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored 
      

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.
Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
  53. 20 Feb, 2020 1 commit
    • Varun Wadekar's avatar
      cpus: higher performance non-cacheable load forwarding · cd0ea184
      Varun Wadekar authored 
      

The CPUACTLR_EL1 register on Cortex-A57 CPUs supports a bit to enable
non-cacheable streaming enhancement. Platforms can set this bit only
if their memory system meets the requirement that cache line fill
requests from the Cortex-A57 processor are atomic.

This patch adds support to enable higher performance non-cacheable load
forwarding for such platforms. Platforms must enable this support by
setting the 'A57_ENABLE_NONCACHEABLE_LOAD_FWD' flag from their
makefiles. This flag is disabled by default.

Change-Id: Ib27e55dd68d11a50962c0bbc5b89072208b4bac5
Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      cd0ea184
  55. 18 Feb, 2020 3 commits