1. 14 May, 2021 1 commit
    • Alexei Fedorov's avatar
      fix(security): Set MDCR_EL3.MCCD bit · 12f6c064
      Alexei Fedorov authored
      
      
      This patch adds setting MDCR_EL3.MCCD in 'el3_arch_init_common'
      macro to disable cycle counting by PMCCNTR_EL0 in EL3 when
      FEAT_PMUv3p7 is implemented. This fixes failing test
      'Leak PMU CYCLE counter values from EL3 on PSCI suspend SMC'
      on FVP models with 'has_v8_7_pmu_extension' parameter set to
      1 or 2.
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      Change-Id: I2ad3ef501b31ee11306f76cb5a61032ecfd0fbda
      12f6c064
  2. 25 Feb, 2021 1 commit
  3. 15 Jan, 2021 1 commit
  4. 11 Dec, 2020 1 commit
    • Javier Almansa Sobrino's avatar
      Add support for FEAT_MTPMU for Armv8.6 · 0063dd17
      Javier Almansa Sobrino authored
      
      
      If FEAT_PMUv3 is implemented and PMEVTYPER<n>(_EL0).MT bit is implemented
      as well, it is possible to control whether PMU counters take into account
      events happening on other threads.
      
      If FEAT_MTPMU is implemented, EL3 (or EL2) can override the MT bit
      leaving it to effective state of 0 regardless of any write to it.
      
      This patch introduces the DISABLE_MTPMU flag, which allows to diable
      multithread event count from EL3 (or EL2). The flag is disabled
      by default so the behavior is consistent with those architectures
      that do not implement FEAT_MTPMU.
      Signed-off-by: default avatarJavier Almansa Sobrino <javier.almansasobrino@arm.com>
      Change-Id: Iee3a8470ae8ba13316af1bd40c8d4aa86e0cb85e
      0063dd17
  5. 02 Dec, 2020 1 commit
  6. 30 Nov, 2020 1 commit
    • Alexei Fedorov's avatar
      Aarch64: Add support for FEAT_PANx extensions · a83103c8
      Alexei Fedorov authored
      
      
      This patch provides the changes listed below:
      - Adds new bit fields definitions for SCTLR_EL1/2 registers
      - Corrects the name of SCTLR_EL1/2.[20] bit field from
      SCTLR_UWXN_BIT to SCTLR_TSCXT_BIT
      - Adds FEAT_PANx bit field definitions and their possible
      values for ID_AA64MMFR1_EL1 register.
      - Adds setting of SCTLR_EL1.SPAN bit to preserve PSTATE.PAN
      on taking an exception to EL1 in spm_sp_setup() function
      (services\std_svc\spm_mm\spm_mm_setup.c)
      
      Change-Id: If51f20e7995c649126a7728a4d0867041fdade19
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      a83103c8
  7. 12 Oct, 2020 1 commit
    • Jimmy Brisson's avatar
      Increase type widths to satisfy width requirements · d7b5f408
      Jimmy Brisson authored
      
      
      Usually, C has no problem up-converting types to larger bit sizes. MISRA
      rule 10.7 requires that you not do this, or be very explicit about this.
      This resolves the following required rule:
      
          bl1/aarch64/bl1_context_mgmt.c:81:[MISRA C-2012 Rule 10.7 (required)]<None>
          The width of the composite expression "0U | ((mode & 3U) << 2U) | 1U |
          0x3c0U" (32 bits) is less that the right hand operand
          "18446744073709547519ULL" (64 bits).
      
      This also resolves MISRA defects such as:
      
          bl2/aarch64/bl2arch_setup.c:18:[MISRA C-2012 Rule 12.2 (required)]
          In the expression "3U << 20", shifting more than 7 bits, the number
          of bits in the essential type of the left expression, "3U", is
          not allowed.
      
      Further, MISRA requires that all shifts don't overflow. The definition of
      PAGE_SIZE was (1U << 12), and 1U is 8 bits. This caused about 50 issues.
      This fixes the violation by changing the definition to 1UL << 12. Since
      this uses 32bits, it should not create any issues for aarch32.
      
      This patch also contains a fix for a build failure in the sun50i_a64
      platform. Specifically, these misra fixes removed a single and
      instruction,
      
          92407e73        and     x19, x19, #0xffffffff
      
      from the cm_setup_context function caused a relocation in
      psci_cpus_on_start to require a linker-generated stub. This increased the
      size of the .text section and caused an alignment later on to go over a
      page boundary and round up to the end of RAM before placing the .data
      section. This sectionn is of non-zero size and therefore causes a link
      error.
      
      The fix included in this reorders the functions during link time
      without changing their ording with respect to alignment.
      
      Change-Id: I76b4b662c3d262296728a8b9aab7a33b02087f16
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      d7b5f408
  8. 10 Aug, 2020 1 commit
    • Alexei Fedorov's avatar
      TF-A AMU extension: fix detection of group 1 counters. · f3ccf036
      Alexei Fedorov authored
      
      
      This patch fixes the bug when AMUv1 group1 counters was
      always assumed being implemented without checking for its
      presence which was causing exception otherwise.
      The AMU extension code was also modified as listed below:
      - Added detection of AMUv1 for ARMv8.6
      - 'PLAT_AMU_GROUP1_NR_COUNTERS' build option is removed and
      number of group1 counters 'AMU_GROUP1_NR_COUNTERS' is now
      calculated based on 'AMU_GROUP1_COUNTERS_MASK' value
      - Added bit fields definitions and access functions for
      AMCFGR_EL0/AMCFGR and AMCGCR_EL0/AMCGCR registers
      - Unification of amu.c Aarch64 and Aarch32 source files
      - Bug fixes and TF-A coding style compliant changes.
      
      Change-Id: I14e407be62c3026ebc674ec7045e240ccb71e1fb
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      f3ccf036
  9. 12 Jun, 2020 1 commit
  10. 02 Jun, 2020 2 commits
    • Jimmy Brisson's avatar
      Enable ARMv8.6-ECV Self-Synch when booting to EL2 · 29d0ee54
      Jimmy Brisson authored
      
      
      Enhanced Counter Virtualization, ECV, is an architecture extension introduced
      in ARMv8.6. This extension allows the hypervisor, at EL2, to setup
      self-synchronizing views of the timers for it's EL1 Guests. This patch pokes the
      control register to enable this extension when booting a hypervisor at EL2.
      
      Change-Id: I4e929ecdf400cea17eff1de5cf8704aa7e40973d
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      29d0ee54
    • Jimmy Brisson's avatar
      Enable ARMv8.6-FGT when booting to EL2 · 110ee433
      Jimmy Brisson authored
      
      
      The Fine Grained Traps (FGT) architecture extension was added to aarch64 in
      ARMv8.6. This extension primarily allows hypervisors, at EL2, to trap specific
      instructions in a more fine grained manner, with an enable bit for each
      instruction. This patch adds support for this extension by enabling the
      extension when booting an hypervisor at EL2.
      
      Change-Id: Idb9013ed118b6a1b7b76287237096de992ca4da3
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      110ee433
  11. 26 May, 2020 1 commit
  12. 19 May, 2020 1 commit
    • johpow01's avatar
      Enable v8.6 WFE trap delays · 6cac724d
      johpow01 authored
      
      
      This patch enables the v8.6 extension to add a delay before WFE traps
      are taken. A weak hook plat_arm_set_twedel_scr_el3 has been added in
      plat/common/aarch64/plat_common.c that disables this feature by default
      but platform-specific code can override it when needed.
      
      The only hook provided sets the TWED fields in SCR_EL3, there are similar
      fields in HCR_EL2, SCTLR_EL2, and SCTLR_EL1 to control WFE trap delays in
      lower ELs but these should be configured by code running at EL2 and/or EL1
      depending on the platform configuration and is outside the scope of TF-A.
      Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
      Change-Id: I0a9bb814205efeab693a3d0a0623e62144abba2d
      6cac724d
  13. 14 May, 2020 1 commit
    • Manish V Badarkhe's avatar
      Implement workaround for AT speculative behaviour · 45aecff0
      Manish V Badarkhe authored
      During context switching from higher EL (EL2 or higher)
      to lower EL can cause incorrect translation in TLB due to
      speculative execution of AT instruction using out-of-context
      translation regime.
      
      Workaround is implemented as below during EL's (EL1 or EL2)
      "context_restore" operation:
      1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1
         bits for EL1 or EL2 (stage1 and stage2 disabled)
      2. Save all system registers except TCR and SCTLR (for EL1 and EL2)
      3. Do memory barrier operation (isb) to ensure all
         system register writes are done.
      4. Restore TCR and SCTLR registers (for EL1 and EL2)
      
      Errata details are available for various CPUs as below:
      Cortex-A76: 1165522
      Cortex-A72: 1319367
      Cortex-A57: 1319537
      Cortex-A55: 1530923
      Cortex-A53: 1530924
      
      More details can be found in mail-chain:
      https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html
      
      
      
      Currently, Workaround is implemented as build option which is default
      disabled.
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0
      45aecff0
  14. 15 Apr, 2020 1 commit
  15. 03 Apr, 2020 1 commit
    • John Powell's avatar
      Fix MISRA C issues in BL1/BL2/BL31 · 3443a702
      John Powell authored
      
      
      Attempts to address MISRA compliance issues in BL1, BL2, and BL31 code.
      Mainly issues like not using boolean expressions in conditionals,
      conflicting variable names, ignoring return values without (void), adding
      explicit casts, etc.
      
      Change-Id: If1fa18ab621b9c374db73fa6eaa6f6e5e55c146a
      Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
      3443a702
  16. 06 Mar, 2020 1 commit
  17. 03 Mar, 2020 1 commit
    • Max Shvetsov's avatar
      SPMD: Adds partially supported EL2 registers. · 2825946e
      Max Shvetsov authored
      
      
      This patch adds EL2 registers that are supported up to ARMv8.6.
      ARM_ARCH_MINOR has to specified to enable save/restore routine.
      
      Note: Following registers are still not covered in save/restore.
       * AMEVCNTVOFF0<n>_EL2
       * AMEVCNTVOFF1<n>_EL2
       * ICH_AP0R<n>_EL2
       * ICH_AP1R<n>_EL2
       * ICH_LR<n>_EL2
      
      Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
      Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
      2825946e
  18. 02 Mar, 2020 1 commit
  19. 20 Feb, 2020 1 commit
    • Varun Wadekar's avatar
      Tegra: delay_timer: support for physical secure timer · dd4f0885
      Varun Wadekar authored
      
      
      This patch modifies the delay timer driver to switch to the ARM
      secure physical timer instead of using Tegra's on-chip uS timer.
      
      The secure timer is not accessible to the NS world and so eliminates
      an important attack vector, where the Tegra timer source gets switched
      off from the NS world leading to a DoS attack for the trusted world.
      
      This timer is shared with the S-EL1 layer for now, but later patches
      will mark it as exclusive to the EL3 exception mode.
      
      Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      dd4f0885
  20. 06 Dec, 2019 2 commits
  21. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
  22. 09 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9dd94382
  23. 21 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      AArch64: Disable Secure Cycle Counter · e290a8fc
      Alexei Fedorov authored
      
      
      This patch fixes an issue when secure world timing information
      can be leaked because Secure Cycle Counter is not disabled.
      For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
      bit on CPU cold/warm boot.
      For the earlier architectures PMCR_EL0 register is saved/restored
      on secure world entry/exit from/to Non-secure state, and cycle
      counting gets disabled by setting PMCR_EL0.DP bit.
      'include\aarch64\arch.h' header file was tided up and new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      e290a8fc
  24. 16 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      FVP_Base_AEMv8A platform: Fix cache maintenance operations · ef430ff4
      Alexei Fedorov authored
      
      
      This patch fixes FVP_Base_AEMv8A model hang issue with
      ARMv8.4+ with cache modelling enabled configuration.
      Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
      LoUIS field, which is required by the architecture to be
      zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
      with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
      FVP_Base_AEMv8A model can be configured with L3 enabled by
      setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
      to non-zero values, and presence of L3 is checked in
      `aem_generic_core_pwr_dwn` function by reading
      CLIDR_EL1.Ctype3 field value.
      
      Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ef430ff4
  25. 24 Jul, 2019 1 commit
    • John Tsichritzis's avatar
      SSBS: init SPSR register with default SSBS value · c250cc3b
      John Tsichritzis authored
      
      
      This patch introduces an additional precautionary step to further
      enhance protection against variant 4. During the context initialisation
      before we enter the various BL stages, the SPSR.SSBS bit is explicitly
      set to zero. As such, speculative loads/stores are by default disabled
      for all BL stages when they start executing. Subsequently, each BL
      stage, can choose to enable speculative loads/stores or keep them
      disabled.
      
      This change doesn't affect the initial execution context of BL33 which
      is totally platform dependent and, thus, it is intentionally left up to
      each platform to initialise.
      
      For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
      that, for Arm platforms, all BL stages start with speculative
      loads/stores disabled.
      
      Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      c250cc3b
  26. 12 Jul, 2019 1 commit
  27. 10 Jul, 2019 1 commit
  28. 17 Jun, 2019 1 commit
  29. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  30. 03 Apr, 2019 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Move shim layer to TTBR1_EL1 · 6de6965b
      Antonio Nino Diaz authored
      
      
      This gives each Secure Partition complete freedom on its address space.
      Previously, the memory used by the exception vectors was reserved and
      couldn't be used. Also, it always had to be mapped, forcing SPM to
      generate translation tables that included the exception vectors as well
      as the Partition memory regions. With this change, partitions can reduce
      their address space size easily.
      
      Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      6de6965b
  31. 14 Mar, 2019 1 commit
  32. 28 Feb, 2019 2 commits
  33. 27 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored
      
      
      ARMv8.3-PAuth adds functionality that supports address authentication of
      the contents of a register before that register is used as the target of
      an indirect branch, or as a load.
      
      This feature is supported only in AArch64 state.
      
      This feature is mandatory in ARMv8.3 implementations.
      
      This feature adds several registers to EL1. A new option called
      CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
      them during Non-secure <-> Secure world switches. This option must be
      enabled if the hardware has the registers or the values will be leaked
      during world switches.
      
      To prevent leaks, this patch also disables pointer authentication in the
      Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
      be trapped in EL3.
      
      Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
  34. 26 Feb, 2019 1 commit
  35. 18 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Disable processor Cycle Counting in Secure state · ed4fc6f0
      Antonio Nino Diaz authored
      
      
      In a system with ARMv8.5-PMU implemented:
      
      - If EL3 is using AArch32, setting MDCR_EL3.SCCD to 1 disables counting
        in Secure state in PMCCNTR.
      
      - If EL3 is using AArch64, setting SDCR.SCCD to 1 disables counting in
        Secure state in PMCCNTR_EL0.
      
      So far this effect has been achieved by setting PMCR_EL0.DP (in AArch64)
      or PMCR.DP (in AArch32) to 1 instead, but this isn't considered secure
      as any EL can change that value.
      
      Change-Id: I82cbb3e48f2e5a55c44d9c4445683c5881ef1f6f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ed4fc6f0
  36. 30 Jan, 2019 1 commit
    • Sathees Balya's avatar
      lib/xlat_tables: Add support for ARMv8.4-TTST · cedfa04b
      Sathees Balya authored
      
      
      ARMv8.4-TTST (Small Translation tables) relaxes the lower limit on the
      size of translation tables by increasing the maximum permitted value
      of the T1SZ and T0SZ fields in TCR_EL1, TCR_EL2, TCR_EL3, VTCR_EL2 and
      VSTCR_EL2.
      
      This feature is supported in AArch64 state only.
      
      This patch adds support for this feature to both versions of the
      translation tables library. It also removes the static build time
      checks for virtual address space size checks to runtime assertions.
      
      Change-Id: I4e8cebc197ec1c2092dc7d307486616786e6c093
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      cedfa04b
  37. 11 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Dynamically detect need for CnP bit · 2559b2c8
      Antonio Nino Diaz authored
      
      
      ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
      in CPUs that don't implement all mandatory 8.2 features (and so have to
      claim to be a lower version).
      
      This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
      ID registers to detect whether it is needed to set the bit or not.
      
      Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2559b2c8