- 13 Sep, 2019 1 commit
-
-
Alexei Fedorov authored
This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 01 Aug, 2019 1 commit
-
-
Julius Werner authored
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 14 Jun, 2019 1 commit
-
-
Masahiro Yamada authored
This linker script is so unreadable due to sprinkled #ifdef. Direct read-only data to 'ROM' and read-write data to 'RAM'. Both go to the same memory device when BL2_IN_XIP_MEM is disabled. Change-Id: Ieeac3f1a4e05e9e8599de2ec84260819c70f361e Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 24 May, 2019 1 commit
-
-
Alexei Fedorov authored
This patch adds the functionality needed for platforms to provide Branch Target Identification (BTI) extension, introduced to AArch64 in Armv8.5-A by adding BTI instruction used to mark valid targets for indirect branches. The patch sets new GP bit [50] to the stage 1 Translation Table Block and Page entries to denote guarded EL3 code pages which will cause processor to trap instructions in protected pages trying to perform an indirect branch to any instruction other than BTI. BTI feature is selected by BRANCH_PROTECTION option which supersedes the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication and is disabled by default. Enabling BTI requires compiler support and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0. The assembly macros and helpers are modified to accommodate the BTI instruction. This is an experimental feature. Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3 is now made as an internal flag and BRANCH_PROTECTION flag should be used instead to enable Pointer Authentication. Note. USE_LIBROM=1 option is currently not supported. Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 13 Mar, 2019 1 commit
-
-
Bryan O'Donoghue authored
Prior to entry into BL32 we set the SPSR by way of msr spsr, r1. This unfortunately only writes the bits f->[31:24] and c->[7:0]. This patch updates the bl2 exit path to write the x->[15:8] and c->[7:0] fields of the SPSR. For the purposes of initial setup of the SPSR the x and c fields should be sufficient and importantly will capture the necessary lower-order control bits that f:c alone do not. This is important to do to ensure the SPSR is set to the mode the platform intends prior to performing an eret. Fixes: b1d27b48 ("bl2-el3: Add BL2_EL3 image") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
-
- 12 Mar, 2019 1 commit
-
-
John Tsichritzis authored
The SCTLR.DSSBS bit is zero by default thus disabling speculative loads. However, we also explicitly set it to zero for BL2 and TSP images when each image initialises its context. This is done to ensure that the image environment is initialised in a safe state, regardless of the reset value of the bit. Change-Id: If25a8396641edb640f7f298b8d3309d5cba3cd79 Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 27 Feb, 2019 2 commits
-
-
Antonio Nino Diaz authored
The size increase after enabling options related to ARMv8.3-PAuth is: +----------------------------+-------+-------+-------+--------+ | | text | bss | data | rodata | +----------------------------+-------+-------+-------+--------+ | CTX_INCLUDE_PAUTH_REGS = 1 | +44 | +0 | +0 | +0 | | | 0.2% | | | | +----------------------------+-------+-------+-------+--------+ | ENABLE_PAUTH = 1 | +712 | +0 | +16 | +0 | | | 3.1% | | 0.9% | | +----------------------------+-------+-------+-------+--------+ The results are valid for the following build configuration: make PLAT=fvp SPD=tspd DEBUG=1 \ BL2_AT_EL3=1 \ CTX_INCLUDE_PAUTH_REGS=1 \ ENABLE_PAUTH=1 Change-Id: I1c0616e7dea30962a92b4fd113428bc30a018320 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The size increase after enabling options related to ARMv8.3-PAuth is: +----------------------------+-------+-------+-------+--------+ | | text | bss | data | rodata | +----------------------------+-------+-------+-------+--------+ | CTX_INCLUDE_PAUTH_REGS = 1 | +40 | +0 | +0 | +0 | | | 0.2% | | | | +----------------------------+-------+-------+-------+--------+ | ENABLE_PAUTH = 1 | +664 | +0 | +16 | +0 | | | 3.1% | | 0.9% | | +----------------------------+-------+-------+-------+--------+ Results calculated with the following build configuration: make PLAT=fvp SPD=tspd DEBUG=1 \ SDEI_SUPPORT=1 \ EL3_EXCEPTION_HANDLING=1 \ TSP_NS_INTR_ASYNC_PREEMPT=1 \ CTX_INCLUDE_PAUTH_REGS=1 \ ENABLE_PAUTH=1 The changes for BL2_AT_EL3 aren't done in this commit. Change-Id: I8c803b40c7160525a06173bc6cdca21c4505837d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
The definitions in bl1/bl1_private.h and bl2/bl2_private.h are useful for platforms that may need to access them. Change-Id: Ifd1880f855ddafcb3bfcaf1ed4a4e0f121eda174 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 04 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca339 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 10 Dec, 2018 1 commit
-
-
Yann Gautier authored
This avoids the following warnings: no previous prototype for 'bl2_arch_setup' [-Wmissing-prototypes] no previous prototype for 'plat_log_get_prefix' [-Wmissing-prototypes] Also correct a compilation issue if BL2_IN_XIP_MEM is enabled: uintptr_t is not defined. Signed-off-by: Lionel Debieve <lionel.debieve@st.com> Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
- 08 Nov, 2018 1 commit
-
-
Antonio Nino Diaz authored
All identifiers, regardless of use, that start with two underscores are reserved. This means they can't be used in header guards. The style that this project is now to use the full name of the file in capital letters followed by 'H'. For example, for a file called "uart_example.h", the header guard is UART_EXAMPLE_H. The exceptions are files that are imported from other projects: - CryptoCell driver - dt-bindings folders - zlib headers Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 29 Oct, 2018 1 commit
-
-
Soby Mathew authored
This patch fixes up the AArch64 assembly code to use adrp/adr instructions instead of ldr instruction for reference to symbols. This allows these assembly sequences to be Position Independant. Note that the the reference to sizes have been replaced with calculation of size at runtime. This is because size is a constant value and does not depend on execution address and using PC relative instructions for loading them makes them relative to execution address. Also we cannot use `ldr` instruction to load size as it generates a dynamic relocation entry which must *not* be fixed up and it is difficult for a dynamic loader to differentiate which entries need to be skipped. Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 28 Sep, 2018 1 commit
-
-
Roberto Vargas authored
The code of LOAD_IMAGE_V2=0 has been removed. Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 17 Aug, 2018 1 commit
-
-
John Tsichritzis authored
If the system is in near idle conditions, this erratum could cause a deadlock or data corruption. This patch applies the workaround that prevents this. This DSU erratum affects only the DSUs that contain the ACP interface and it was fixed in r2p0. The workaround is applied only to the DSUs that are actually affected. Link to respective Arm documentation: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9 Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 03 Aug, 2018 1 commit
-
-
Roberto Vargas authored
TF Makefile was linking all the objects files generated for the Mbed TLS library instead of creating a static library that could be used in the linking stage. Change-Id: I8e4cd843ef56033c9d3faeee71601d110b7e4c12 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 11 Jul, 2018 3 commits
-
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
These sections are required by clang when the code is compiled for aarch32. These sections are related to the unwind of the stack in exceptions, but in the way that clang defines and uses them, the garbage collector cannot get rid of them. Change-Id: I085efc0cf77eae961d522472f72c4b5bad2237ab Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Clang linker doesn't support NEXT. As we are not using the MEMORY command to define discontinuous memory for the output file in any of the linker scripts, ALIGN and NEXT are equivalent. Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 26 Apr, 2018 1 commit
-
-
Yann Gautier authored
If BL2_AT_EL3 is enabled, bl2_run_next_image is called at the end of BL2. This function calls disable_mmu_icache_secure. It is then useless to call it in bl2_main in that case. fixes arm-software/tf-issues#582 Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
- 13 Apr, 2018 1 commit
-
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers. Fixed for: make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all Change-Id: I32d6fbce03bb4830ed5bf521afe7063505c6ed79 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 07 Apr, 2018 1 commit
-
-
Jiafei Pan authored
In some use-cases BL2 will be stored in eXecute In Place (XIP) memory, like BL1. In these use-cases, it is necessary to initialize the RW sections in RAM, while leaving the RO sections in place. This patch enable this use-case with a new build option, BL2_IN_XIP_MEM. For now, this option is only supported when BL2_AT_EL3 is 1. Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
-
- 05 Mar, 2018 1 commit
-
-
Lionel Debieve authored
When using BL2_EL3, we need to ensure that lr_svc is properly given to bl32 as it was previously made by bl1. Fixes ARM-Software/tf-issues#562 Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
-
- 28 Feb, 2018 2 commits
-
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined Fixed for: make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined. Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 27 Feb, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the MMU is enabled and the translation tables are mapped, data read/writes to the translation tables are made using the attributes specified in the translation tables themselves. However, the MMU performs table walks with the attributes specified in TCR_ELx. They are completely independent, so special care has to be taken to make sure that they are the same. This has to be done manually because it is not practical to have a test in the code. Such a test would need to know the virtual memory region that contains the translation tables and check that for all of the tables the attributes match the ones in TCR_ELx. As the tables may not even be mapped at all, this isn't a test that can be made generic. The flags used by enable_mmu_xxx() have been moved to the same header where the functions are. Also, some comments in the linker scripts related to the translation tables have been fixed. Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 26 Feb, 2018 2 commits
-
-
Soby Mathew authored
This patch introduces a new BL handover interface. It essentially allows passing 4 arguments between the different BL stages. Effort has been made so as to be compatible with the previous handover interface. The previous blx_early_platform_setup() platform API is now deprecated and the new blx_early_platform_setup2() variant is introduced. The weak compatiblity implementation for the new API is done in the `plat_bl_common.c` file. Some of the new arguments in the new API will be reserved for generic code use when dynamic configuration support is implemented. Otherwise the other registers are available for platform use. Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
Soby Mathew authored
This patch adds an argument to bl1_plat_post/pre_image_load() APIs to make it more future proof. The default implementation of these are moved to `plat_bl1_common.c` file. These APIs are now invoked appropriately in the FWU code path prior to or post image loading by BL1 and are not restricted to LOAD_IMAGE_V2. The patch also reorganizes some common platform files. The previous `plat_bl2_el3_common.c` and `platform_helpers_default.c` files are merged into a new `plat_bl_common.c` file. NOTE: The addition of an argument to the above mentioned platform APIs is not expected to have a great impact because these APIs were only recently added and are unlikely to be used. Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 06 Feb, 2018 1 commit
-
-
Etienne Carriere authored
As per MISRA C-2012 Rule 10.4. arg0 is a u_register_t, can be a 32bit or 64bit upon architecture. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
-
- 05 Feb, 2018 1 commit
-
-
Etienne Carriere authored
AArch32 only platforms can boot the OP-TEE secure firmware as a BL32 secure payload. Such configuration can be defined through AARCH32_SP=optee. The source files can rely on AARCH32_SP_OPTEE to condition OP-TEE boot specific instruction sequences. OP-TEE does not expect ARM Trusted Firmware formatted structure as boot argument. Load sequence is expected to have already loaded to OP-TEE boot arguments into the bl32 entrypoint info structure. Last, AArch32 platform can only boot AArch32 OP-TEE images. Change-Id: Ic28eec5004315fc9111051add6bb1a1d607fc815 Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
-
- 01 Feb, 2018 1 commit
-
-
Masahiro Yamada authored
There are cases where we need to manipulate image information before the load. For example, for decompressing data, we cannot load the compressed images to their final destination. Instead, we need to load them to the temporary buffer for the decompressor. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 18 Jan, 2018 3 commits
-
-
Roberto Vargas authored
This patch modifies the makefiles to avoid the definition of BL1_SOURCES and BL2_SOURCES in the tbbr makefiles, and it lets to the platform makefiles to define them if they actually need these images. In the case of BL2_AT_EL3 BL1 will not be needed usually because the Boot ROM will jump directly to BL2. Change-Id: Ib6845a260633a22a646088629bcd7387fe35dcf9 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
When BL2_AT_EL3 option is enabled some platforms are going to need a resident part in BL2 because the boot rom may jump to it after a reset. This patch introduces __TEXT_RESIDENT_START__ and __TEXT_RESIDENT_END__ linker symbols that mark the resident region. Change-Id: Ib20c1b8ee257831bcc0ca7d3df98d0cb617a04f8 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
This patch enables BL2 to execute at the highest exception level without any dependancy on TF BL1. This enables platforms which already have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL stages without need for BL1. This is not currently possible because BL2 executes at S-EL1 and cannot jump straight to EL3. Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 29 Nov, 2017 1 commit
-
-
Antonio Nino Diaz authored
When defining different sections in linker scripts it is needed to align them to multiples of the page size. In most linker scripts this is done by aligning to the hardcoded value 4096 instead of PAGE_SIZE. This may be confusing when taking a look at all the codebase, as 4096 is used in some parts that aren't meant to be a multiple of the page size. Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 24 Oct, 2017 1 commit
-
-
Roberto Vargas authored
These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 19 Apr, 2017 1 commit
-
-
Dan Handley authored
Previously, get_next_bl_params_from_mem_params_desc() populated arg0 in the EL3 runtime entrypoint with a bl_params_t pointer. This is the responsibility of the generic LOAD_IMAGE_V2 framework instead of the descriptor-based image loading utility functions. Therefore this patch moves that code to bl2_load_images(). Also, this patch moves the code that flushes the bl_params structure to flush_bl_params_desc(), together with the other descriptor-based image loading flushing code. Change-Id: I4541e3f50e3878dde7cf89e9e8f31fe0b173fb9d Signed-off-by: Dan Handley <dan.handley@arm.com>
-
- 31 Mar, 2017 2 commits
-
-
Douglas Raillard authored
Introduce new build option ENABLE_STACK_PROTECTOR. It enables compilation of all BL images with one of the GCC -fstack-protector-* options. A new platform function plat_get_stack_protector_canary() is introduced. It returns a value that is used to initialize the canary for stack corruption detection. Returning a random value will prevent an attacker from predicting the value and greatly increase the effectiveness of the protection. A message is printed at the ERROR level when a stack corruption is detected. To be effective, the global data must be stored at an address lower than the base of the stacks. Failure to do so would allow an attacker to overwrite the canary as part of an attack which would void the protection. FVP implementation of plat_get_stack_protector_canary is weak as there is no real source of entropy on the FVP. It therefore relies on a timer's value, which could be predictable. Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
Antonio Nino Diaz authored
Call console_flush() before execution either terminates or leaves an exception level. Fixes: ARM-software/tf-issues#123 Change-Id: I64eeb92effb039f76937ce89f877b68e355588e3 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-