- 31 Mar, 2020 1 commit
-
-
Masahiro Yamada authored
There are some cases where we want to run EL-dependent code in the shared code. We could use #ifdef, but it leaves slight possibility where we do not know the exception level at the build-time (e.g. library code). The counter approach is to use get_current_el(), but it is run-time detection, so all EL code is linked, some of which might be unneeded. This commit adds get_current_el_maybe_constant(). This is a static inline function that returns a constant value if we know the exception level at build-time. This is mostly the case. if (get_current_el_maybe_constant() == 1) { /* do something for EL1 */ } else if (get_current_el_maybe_constant() == 3) { /* do something for EL3 */ } If get_current_el_maybe_constant() is build-time constant, the compiler will optimize out the unreachable code. If such code is included from the library code, it is not built-time constant. In this case, it falls back to get_current_el(), so it still works. Change-Id: Idb03c20342a5b5173fe2d6b40e1fac7998675ad3 Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 11 Mar, 2020 1 commit
-
-
Madhukar Pappireddy authored
Change-Id: Ie1018bfbae2fe95c699e58648665baa75e862000 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 06 Mar, 2020 1 commit
-
-
Alexei Fedorov authored
This patch provides a fix for incorrect crash dump data for lower EL when TF-A is built with HANDLE_EA_EL3_FIRST=1 option which enables routing of External Aborts and SErrors to EL3. Change-Id: I9d5e6775e6aad21db5b78362da6c3a3d897df977 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 03 Mar, 2020 1 commit
-
-
Max Shvetsov authored
This patch adds EL2 registers that are supported up to ARMv8.6. ARM_ARCH_MINOR has to specified to enable save/restore routine. Note: Following registers are still not covered in save/restore. * AMEVCNTVOFF0<n>_EL2 * AMEVCNTVOFF1<n>_EL2 * ICH_AP0R<n>_EL2 * ICH_AP1R<n>_EL2 * ICH_LR<n>_EL2 Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1 Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
- 02 Mar, 2020 1 commit
-
-
Max Shvetsov authored
NOTE: Not all EL-2 system registers are saved/restored. This subset includes registers recognized by ARMv8.0 Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0 Signed-off-by: Jose Marinho <jose.marinho@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
- 20 Feb, 2020 1 commit
-
-
Varun Wadekar authored
This patch modifies the delay timer driver to switch to the ARM secure physical timer instead of using Tegra's on-chip uS timer. The secure timer is not accessible to the NS world and so eliminates an important attack vector, where the Tegra timer source gets switched off from the NS world leading to a DoS attack for the trusted world. This timer is shared with the S-EL1 layer for now, but later patches will mark it as exclusive to the EL3 exception mode. Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 07 Feb, 2020 1 commit
-
-
Alexei Fedorov authored
At the moment, address demangling is only used by the backtrace functionality. However, at some point, other parts of the TF-A codebase may want to use it. The 'demangle_address' function is replaced with a single XPACI instruction which is also added in 'do_crash_reporting()'. Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com> Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec
-
- 22 Jan, 2020 1 commit
-
-
Anthony Steinhauser authored
Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8 https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61 https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2 https://github.com/OP-TEE/optee_os/commit/abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a It is demonstrated in a SafeSide example: https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c Signed-off-by: Anthony Steinhauser <asteinhauser@google.com> Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
-
- 29 Dec, 2019 1 commit
-
-
Samuel Holland authored
Some platforms are extremely memory constrained and must split BL31 between multiple non-contiguous areas in SRAM. Allow the NOBITS sections (.bss, stacks, page tables, and coherent memory) to be placed in a separate region of RAM from the loaded firmware image. Because the NOBITS region may be at a lower address than the rest of BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this region, or el3_entrypoint_common would attempt to invalidate the dcache for the entire address space. New symbols __NOBITS_{START,END}__ are added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the NOBITS region is invalidated separately. Signed-off-by: Samuel Holland <samuel@sholland.org> Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
-
- 12 Dec, 2019 1 commit
-
-
Manish Pandey authored
When a Firmware is complied as Position Independent Executable it needs to request GDT fixup by passing size of the memory region to el3_entrypoint_common macro. The Global descriptor table fixup will be done early on during cold boot process of primary core. Currently only BL31 supports PIE, but in future when BL2_AT_EL3 will be compiled as PIE, it can simply pass fixup size to the common el3 entrypoint macro to fixup GDT. The reason for this patch was to overcome the bug introduced by SHA 330ead80 which called fixup routine for each core causing re-initializing of global pointers thus overwriting any changes done by the previous core. Change-Id: I55c792cc3ea9e7eef34c2e4653afd04572c4f055 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 06 Dec, 2019 2 commits
-
-
Artsem Artsemenka authored
Check that entry point information requesting S-EL2 has AArch64 as an execution state during context setup. Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: I447263692fed6e55c1b076913e6eb73b1ea735b7
-
Achin Gupta authored
This patch adds support for enabling S-EL2 if this EL is specified in the entry point information being used to initialise a secure context. It is the caller's responsibility to check if S-EL2 is available on the system before requesting this EL through the entry point information. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Change-Id: I2752964f078ab528b2e80de71c7d2f35e60569e1
-
- 07 Oct, 2019 1 commit
-
-
Petre-Ionut Tudor authored
Currently the MDCR_EL3 initialisation implicitly disables MDCR_EL3.SPME by using mov_imm. This patch makes the SPME bit more visible by explicitly disabling it and documenting its use in different versions of the architecture. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: I221fdf314f01622f46ac5aa43388f59fa17a29b3
-
- 02 Oct, 2019 1 commit
-
-
Lionel Debieve authored
Add the missing flag for aarch32 XIP memory mode. It was previously added in aarch64 only. Minor: Correct the aarch64 missing flag. Signed-off-by: Lionel Debieve <lionel.debieve@st.com> Change-Id: Iac0a7581a1fd580aececa75f97deb894858f776f
-
- 13 Sep, 2019 1 commit
-
-
Alexei Fedorov authored
This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 12 Sep, 2019 1 commit
-
-
Hadi Asyrafi authored
Some of the platform (ie. Agilex) make use of CCU IPs which will only be initialized during bl2_el3_early_platform_setup. Any operation to the cache beforehand will crash the platform. Hence, this will provide an option to skip the data cache invalidation upon bl2 entry at EL3 Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06
-
- 11 Sep, 2019 1 commit
-
-
Justin Chadwell authored
This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 09 Sep, 2019 1 commit
-
-
Justin Chadwell authored
This patch adds support for the new Memory Tagging Extension arriving in ARMv8.5. MTE support is now enabled by default on systems that support at EL0. To enable it at ELx for both the non-secure and the secure world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving and restoring when necessary in order to prevent register leakage between the worlds. Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 21 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 16 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes FVP_Base_AEMv8A model hang issue with ARMv8.4+ with cache modelling enabled configuration. Incorrect L1 cache flush operation to PoU, using CLIDR_EL1 LoUIS field, which is required by the architecture to be zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced with L1 to L2 and L2 to L3 (if L3 is present) cache flushes. FVP_Base_AEMv8A model can be configured with L3 enabled by setting `cluster0.l3cache-size` and `cluster1.l3cache-size` to non-zero values, and presence of L3 is checked in `aem_generic_core_pwr_dwn` function by reading CLIDR_EL1.Ctype3 field value. Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 01 Aug, 2019 1 commit
-
-
Julius Werner authored
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__. All common C compilers predefine a macro called __ASSEMBLER__ when preprocessing a .S file. There is no reason for TF-A to define it's own __ASSEMBLY__ macro for this purpose instead. To unify code with the export headers (which use __ASSEMBLER__ to avoid one extra dependency), let's deprecate __ASSEMBLY__ and switch the code base over to the predefined standard. Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 24 Jul, 2019 1 commit
-
-
John Tsichritzis authored
This patch introduces an additional precautionary step to further enhance protection against variant 4. During the context initialisation before we enter the various BL stages, the SPSR.SSBS bit is explicitly set to zero. As such, speculative loads/stores are by default disabled for all BL stages when they start executing. Subsequently, each BL stage, can choose to enable speculative loads/stores or keep them disabled. This change doesn't affect the initial execution context of BL33 which is totally platform dependent and, thus, it is intentionally left up to each platform to initialise. For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means that, for Arm platforms, all BL stages start with speculative loads/stores disabled. Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 12 Jul, 2019 1 commit
-
-
Soby Mathew authored
This patch enables MTE for Normal world if the CPU suppors it. Enabling MTE for secure world will be done later. Change-Id: I9ef64460beaba15e9a9c20ab02da4fb2208b6f7d Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 10 Jul, 2019 1 commit
-
-
Alexei Fedorov authored
This patch removes incorrect SCTLR_V_BIT definition and adds definitions for ARMv8.3-Pauth EnIB, EnDA and EnDB bits. Change-Id: I1384c0a01f56f3d945833464a827036252c75c2e Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 17 Jun, 2019 1 commit
-
-
Yann Gautier authored
Those defines are used in STM32MP1 clock driver. It is better to put them altogether with already defined registers. Change-Id: I6f8ad8c2477b947af6f76283a4ef5c40212d0027 Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
- 24 May, 2019 1 commit
-
-
Alexei Fedorov authored
This patch adds the functionality needed for platforms to provide Branch Target Identification (BTI) extension, introduced to AArch64 in Armv8.5-A by adding BTI instruction used to mark valid targets for indirect branches. The patch sets new GP bit [50] to the stage 1 Translation Table Block and Page entries to denote guarded EL3 code pages which will cause processor to trap instructions in protected pages trying to perform an indirect branch to any instruction other than BTI. BTI feature is selected by BRANCH_PROTECTION option which supersedes the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication and is disabled by default. Enabling BTI requires compiler support and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0. The assembly macros and helpers are modified to accommodate the BTI instruction. This is an experimental feature. Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3 is now made as an internal flag and BRANCH_PROTECTION flag should be used instead to enable Pointer Authentication. Note. USE_LIBROM=1 option is currently not supported. Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 07 May, 2019 1 commit
-
-
Soby Mathew authored
The workaround for Cortex-A76 errata #1286807 is implemented in this patch. Change-Id: I6c15af962ac99ce223e009f6d299cefb41043bed Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 03 Apr, 2019 3 commits
-
-
Ambroise Vincent authored
Change-Id: I14fcabbdfd53153d1d5f187f6f8b23a045794408 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
Ambroise Vincent authored
The old version of the macro is deprecated. Commit cc5859ca ("Multi-console: Deprecate the `finish_console_register` macro") provides more details. Change-Id: I3d1cdf6496db7d8e6cfbb5804f508ff46ae7e67e Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
Antonio Nino Diaz authored
This gives each Secure Partition complete freedom on its address space. Previously, the memory used by the exception vectors was reserved and couldn't be used. Also, it always had to be mapped, forcing SPM to generate translation tables that included the exception vectors as well as the Partition memory regions. With this change, partitions can reduce their address space size easily. Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 14 Mar, 2019 1 commit
-
-
John Tsichritzis authored
This patch applies the new MSR instruction to directly set the PSTATE.SSBS bit which controls speculative loads. This new instruction is available at Neoverse N1 core so it's utilised. Change-Id: Iee18a8b042c90fdb72d2b98f364dcfbb17510728 Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 04 Mar, 2019 1 commit
-
-
Dimitris Papastamos authored
SSBS support is determined by checking ID_AA64PFR1_EL1 and not ID_AA64PFR0_EL1. Fixes ARM-Software/tf-issues#679 Change-Id: I8ecba13b850995ec6a6ede3c2a1e02e69a3a95db Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 01 Mar, 2019 1 commit
-
-
Antonio Nino Diaz authored
Check for both IMPLEMENTATION_DEFINED and Architected algorithms of Address Authentication. Change-Id: I209dcc6087172cfef7baf8d09e0454628f02cbd0 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 28 Feb, 2019 2 commits
-
-
Louis Mayencourt authored
Complete the MPAM enablement in TF-A for lower ELs by enabling the EL2 traps in MPAMHCR_EL2 and MPAM2_EL2.This prevents an MPAM-unaware-hypervisor to be restricted by an MPAM-aware-guest. Change-Id: I47bf3f833fa22baa590f83d49cc0e3f2974e698d Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Ambroise Vincent authored
The workarounds for these errata are so closely related that it is better to only have one patch to make it easier to understand. Change-Id: I0287fa69aefa8b72f884833f6ed0e7775ca834e9 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 27 Feb, 2019 2 commits
-
-
Antonio Nino Diaz authored
The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
ARMv8.3-PAuth adds functionality that supports address authentication of the contents of a register before that register is used as the target of an indirect branch, or as a load. This feature is supported only in AArch64 state. This feature is mandatory in ARMv8.3 implementations. This feature adds several registers to EL1. A new option called CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save them during Non-secure <-> Secure world switches. This option must be enabled if the hardware has the registers or the values will be leaked during world switches. To prevent leaks, this patch also disables pointer authentication in the Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will be trapped in EL3. Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 26 Feb, 2019 1 commit
-
-
Louis Mayencourt authored
Implicit Error Synchronization Barrier (IESB) might not be correctly generated in Cortex-A75 r0p0. To prevent this, IESB are enabled at all expection levels. Change-Id: I2a1a568668a31e4f3f38d0fba1d632ad9939e5ad Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 18 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
In a system with ARMv8.5-PMU implemented: - If EL3 is using AArch32, setting MDCR_EL3.SCCD to 1 disables counting in Secure state in PMCCNTR. - If EL3 is using AArch64, setting SDCR.SCCD to 1 disables counting in Secure state in PMCCNTR_EL0. So far this effect has been achieved by setting PMCR_EL0.DP (in AArch64) or PMCR.DP (in AArch32) to 1 instead, but this isn't considered secure as any EL can change that value. Change-Id: I82cbb3e48f2e5a55c44d9c4445683c5881ef1f6f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 08 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
Now that setjmp() and longjmp() are compliant with the standard they can be moved with the other libc files. Change-Id: Iea3b91c34eb353ace5e171e72f331602d57774d5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-