- 26 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensure (where possible) that switch statements in services comply with MISRA rules 16.1 - 16.7. Change-Id: I47bf6ed4a026201e6fe125ce51842482e99e8bb0 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 21 Mar, 2018 1 commit
-
-
Sandrine Bailleux authored
This patch fixes the sanity check on the non-secure entrypoint value returned by bl31_plat_get_next_image_ep_info(). This issue has been reported by Coverity Scan Online: CID 264893 (#1 of 1): Dereference null return value (NULL_RETURNS) Dereferencing a null pointer ns_ep_info. Change-Id: Ia0f64d8c8b005f042608f1422ecbd42bc90b2fb4 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 02 Mar, 2018 1 commit
-
-
Arve Hjønnevåg authored
Change-Id: I822ccf5852dce4c01f98382cc393331f29e1e256
-
- 01 Mar, 2018 3 commits
-
-
Arve Hjønnevåg authored
memset does not return a useful result here, so explitcitly ignore it Change-Id: I33cd2228cadc280ee8e5ce3a4f8682dde9a7c16c
-
Arve Hjønnevåg authored
Change-Id: I9f9a8a159b41be1c865a20801d03a1b2934c3cac
-
Arve Hjønnevåg authored
Change-Id: Ie4f937808d24c9b45066c6582c4eee61699ef6df
-
- 27 Feb, 2018 1 commit
-
-
Jeenu Viswambharan authored
An earlier patch extended ehf_allow_ns_preemption() API to also register an error code to offer to Non-secure when a Yielding SMC is preempted by SDEI interrupt. In TSPD's case, register the error code TSP_PREEMPTED. Change-Id: I31992b6651f80694e83bc5092b044ef7a3eda690 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 22 Feb, 2018 1 commit
-
-
Arve Hjønnevåg authored
Fixes tegra build with SPD=trusty. Not tested. Change-Id: I851a2b00b8b1cc65112b6088980a811d8eda1a99
-
- 06 Feb, 2018 2 commits
-
-
Jeenu Viswambharan authored
At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how Non-secure interrupt affects TSPs execution. When TSP is executing: 1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received at the TSP's exception vector, and TSP voluntarily preempts itself. 2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a trap to EL3, which preempts TSP execution. When EL3 exception handling is in place (i.e., EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system with GICv3, pending NS interrupts while TSP is executing will be signalled as FIQ (which traps to EL3). This situation necessitates the same treatment applied to case (2) above. Therefore, when EL3 exception handling is in place, additionally require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1. Strictly speaking, this is not required on a system with GICv2, but the same model is uniformly followed regardless, for simplicity. Relevant documentation updated. Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
When EL3 exception handling is in effect (i.e., EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure execution. However, for yielding SMCs, preemption by Non-secure interupts is intended. This patch therefore adds a call to ehf_allow_ns_preemption() before dispatching a Yielding SMC to TSP. Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 01 Feb, 2018 1 commit
-
-
Arve Hjønnevåg authored
Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
- 25 Jan, 2018 5 commits
-
-
Arve Hjønnevåg authored
Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass 1 when called from the cpu on/off hooks. Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093 Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
Arve Hjønnevåg authored
The secure physical timer is inacessible from 32-bit S-EL1 (when EL3 is 64-bit) so trusty will use the non-secure physical timer in this case. Linux will use the virtual timer instead of the physical timer when started in EL1. Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
Arve Hjønnevåg authored
The original patch has been partly merged. This adds the missing pieces. Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701 Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
Arve Hjønnevåg authored
Add smc calls to return gic base address and print to the debug console. Allows running a generic trusty binary. Change-Id: I4b6540f140f11432cdff43c3f5a2097df09dc9d1 Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
Arve Hjønnevåg authored
Change-Id: I081901e7df22f78dd9c4fc4c6bfad2aceb870a2d Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
- 09 Jan, 2018 1 commit
-
-
Varun Wadekar authored
This patch adds support to receive function ID with NS world's memory ranges to provide the memory snapshot to TLK. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 08 Nov, 2017 1 commit
-
-
Antonio Nino Diaz authored
A line in the upstream SPDs is only compiled in in `DEBUG` builds. This line is used to help with assertions and so assertion failures can happen in release builds with assertions enabled. Use `ENABLE_ASSERTIONS` instead of `DEBUG`. This bug was introduced in commit aa61368e , which introduced the build option `ENABLE_ASSERTIONS`. Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 19 Sep, 2017 1 commit
-
-
Aijun Sun authored
Currently, Trusty OS/LK implemented FPU context switch in internal thread switch but does not implement the proper mechanism for world switch. This commit just simply saves/restores FPU registes in world switch to prevent FPU context from being currupted when Trusty OS uses VFP in its applications. It should be noted that the macro *CTX_INCLUDE_FPREGS* must be defined in trusty.mk if Trusty OS uses VFP Signed-off-by: Aijun Sun <aijun.sun@spreadtrum.com>
-
- 24 Aug, 2017 1 commit
-
-
Jens Wiklander authored
Pass device tree pointer to OP-TEE in x2. bl2 is expected to fill in the device tree pointer in args.arg3. Passing 0 means that device tree is unavailable. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
-
- 09 Aug, 2017 1 commit
-
-
Edison Ai authored
ARM TF need transfer information about pageable image load address and memory limit to OPTEE. OPTEE will relocate the pageable image to where it's needed. The legacy OP-TEE images that do not include header information are not affected. Change-Id: Id057efbbc894de7c36b2209b391febea4729c455 Signed-off-by: Edison Ai <edison.ai@arm.com>
-
- 12 Jul, 2017 1 commit
-
-
Isla Mitchell authored
This fix modifies the order of system includes to meet the ARM TF coding standard. There are some exceptions in order to retain header groupings, minimise changes to imported headers, and where there are headers within the #if and #ifndef statements. Change-Id: I65085a142ba6a83792b26efb47df1329153f1624 Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
-
- 14 Jun, 2017 1 commit
-
-
Varun Wadekar authored
This patch enables the 'sign-compare' flag, to enable warning/errors for comparisons between signed/unsigned variables. The warning has been enabled for all the Tegra platforms, to start with. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 04 May, 2017 1 commit
-
-
David Cunado authored
Since Issue B (November 2016) of the SMC Calling Convention document standard SMC calls are renamed to yielding SMC calls to help avoid confusion with the standard service SMC range, which remains unchanged. http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd A previous patch introduced a new define for yielding SMC call type. This patch updates the secure payload dispatchers (except the TSPD) to use this new define and also migrates the code to use the new terminology. Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 26 Apr, 2017 1 commit
-
-
David Cunado authored
Since Issue B (November 2016) of the SMC Calling Convention document standard SMC calls are renamed to yielding SMC calls to help avoid confusion with the standard service SMC range, which remains unchanged. http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf This patch adds a new define for yielding SMC call type and deprecates the current standard SMC call type. The tsp is migrated to use this new terminology and, additionally, the documentation and code comments are updated to use this new terminology. Change-Id: I0d7cc0224667ee6c050af976745f18c55906a793 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 20 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
SMC_RET0 should only be used when the SMC code works as a function that returns void. If the code of the SMC uses SMC_RET1 to return a value to signify success and doesn't return anything in case of an error (or the other way around) SMC_RET1 should always be used to return clearly identifiable values. This patch fixes two cases in which the code used SMC_RET0 instead of SMC_RET1. It also introduces the define SMC_OK to use when an SMC must return a value to tell that it succeeded, the same way as SMC_UNK is used in case of failure. Change-Id: Ie4278b51559e4262aced13bbde4e844023270582 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Mar, 2017 7 commits
-
-
Varun Wadekar authored
This patch removes support for running Trusty in the AARCH32 mode as all platforms use it in only AARCH64 mode. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
This patch uses the stack end to start saving the CPU context during world switch. The previous logic, used the stack start to save the context, thus overwriting the other members of the context. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
If Trusty is not running on the device, then Verified Boot is not supported and the NS layer will fail gracefully later during boot. This patch just returns success for the case when Trusty is not running on the device and the bootloader issues SET_ROT_PARAMS call during boot, so that we can at least boot non-Android images. Change-Id: I40fc249983df80fb8cc5be5e4ce94c99d5b5f17d Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
This patch checks if standard SMC calls, meant for TLK, are issued only on the boot CPU. TLK is UP Trusted OS stack and so we need this check to avoid the NS world calling into TLK from any other CPU. The previous check tied TLK to CPU0, but the boot CPU can be other than CPU0 in some scenarios. Change-Id: I75eaafa32471ce19e9920433c2f97b6b5fc02d86 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Wayne Lin authored
This patch passes the boot parameters, provided by the previous bootloader, to the Trusted OS via X0, X1 and X2. Original change by: Wayne Lin <wlin@nvidia.com> Change-Id: I2039612a8a8226158babfd505ce8c31c4212319c Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Anthony Zhou authored
In multi-guest trusty environment, all guest's SMCs will be forwarded to Trusty. This change only allows 1 guest's SMC to be forwarded at a time and returns 'busy' status to all other requests. Change-Id: I2144467d11e3680e28ec816adeec2766bca114d4 Signed-off-by: Anthony Zhou <anzhou@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Anthony Zhou authored
According to the ARM DEN0028A spec, hypervisor ID(VMID) should be stored in x7 (or w7). This patch gets this value from the context and passes it to Trusty. In order to do so, introduce new macros to pass five to eight parameters to the Trusted OS. Change-Id: I101cf45d0712e1e880466b2274f9a48af755c9fa Signed-off-by: Anthony Zhou <anzhou@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 23 Feb, 2017 2 commits
-
-
Amith authored
This patch uses the OEN_TAP_START aperture for all the standard calls being passed to Trusty. Change-Id: Id78d01c7f48e4f54855600d7c789ffbfb898c541 Signed-off-by: Amith <aramachan@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Douglas Raillard authored
ABORT SMC used to return to the previously executing world, which happened to be S-EL1 as it calls a TSP handler using synchronous entry into the TSP. Now properly save and restore the non-secure context (including system registers) and return to non-secure world as it should. fixes ARM-Software/tf-issues#453 Change-Id: Ie40c79ca2636ab8b6b2ab3106e8f49e0f9117f5f Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Replace all use of memset by zeromem when zeroing moderately-sized structure by applying the following transformation: memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x)) As the Trusted Firmware is compiled with -ffreestanding, it forbids the compiler from using __builtin_memset and forces it to generate calls to the slow memset implementation. Zeromem is a near drop in replacement for this use case, with a more efficient implementation on both AArch32 and AArch64. Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 26 Jan, 2017 1 commit
-
-
David Cunado authored
With GCC 6.2 compiler, more C undefined behaviour is being flagged as warnings, which result in build errors in ARM TF build. The specific issue that this patch resolves is the use of (1 << 31), which is predominantly used in case statements, where 1 is represented as a signed int. When shifted to msb the behaviour is undefined. The resolution is to specify 1 as an unsigned int using a convenience macro ULL(). A duplicate macro MAKE_ULL() is replaced. Fixes ARM-software/tf-issues#438 Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 23 Dec, 2016 1 commit
-
-
Douglas Raillard authored
Standard SMC requests that are handled in the secure-world by the Secure Payload can be preempted by interrupts that must be handled in the normal world. When the TSP is preempted the secure context is stored and control is passed to the normal world to handle the non-secure interrupt. Once completed the preempted secure context is restored. When restoring the preempted context, the dispatcher assumes that the TSP preempted context is still stored as the SECURE context by the context management library. However, PSCI power management operations causes synchronous entry into TSP. This overwrites the preempted SECURE context in the context management library. When restoring back the SECURE context, the Secure Payload crashes because this context is not the preempted context anymore. This patch avoids corruption of the preempted SECURE context by aborting any preempted SMC during PSCI power management calls. The abort_std_smc_entry hook of the TSP is called when aborting the SMC request. It also exposes this feature as a FAST SMC callable from normal world to abort preempted SMC with FID TSP_FID_ABORT. Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 30 Nov, 2016 1 commit
-
-
Sandrine Bailleux authored
Add a debug assertion in the initialization function of Trusty's SPD to check for the presence of Trusty. If Trusty is absent then the SPD's setup function already detects it and returns an error code so the init function will never been called. Therefore, a debug assertion is enough to catch this improbable error case. Change-Id: Id20013e9291cdeef7827b919de2a22455f6cd9f9 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-