- 26 Nov, 2018 1 commit
-
-
Jeenu Viswambharan authored
Secure world execution nearly always expect a controlled exit to Non-secure world. SDEI interrupts, although targets EL3, occur on behalf of Non-secure world, and may have higher priority than Secure world interrupts. Therefore they might preempt Secure execution, and yield execution to Non-secure SDEI handler. Upon completion of SDEI event handling (regardless of whether it's COPLETE or COMPLETE_AND_RESUME), we must resume Secure execution if it was preempted. Change-Id: I6edd991032588588427ba2fe6c3d7668f7080e3d Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 14 Nov, 2018 1 commit
-
-
Sughosh Ganu authored
The current secure partition design mandates that a) at a point, only a single core can be executing in the secure partition, and b) a core cannot be preempted by an interrupt while executing in secure partition. Ensure this by activating the SPM priority prior to entering the parition. Deactivate the priority on return from the partition. Change-Id: Icb3473496d16b733564592eef06304a1028e4f5c Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>
-
- 08 Nov, 2018 1 commit
-
-
Antonio Nino Diaz authored
All identifiers, regardless of use, that start with two underscores are reserved. This means they can't be used in header guards. The style that this project is now to use the full name of the file in capital letters followed by 'H'. For example, for a file called "uart_example.h", the header guard is UART_EXAMPLE_H. The exceptions are files that are imported from other projects: - CryptoCell driver - dt-bindings folders - zlib headers Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 31 Oct, 2018 1 commit
-
-
Varun Wadekar authored
This patch includes context.h from sdei_private.h to fix the following compilation errors: <snip> In file included from services/std_svc/sdei/sdei_event.c:9:0: services/std_svc/sdei/sdei_private.h: In function 'sdei_client_el': services/std_svc/sdei/sdei_private.h:164:2: error: unknown type name 'cpu_context_t' cpu_context_t *ns_ctx = cm_get_context(NON_SECURE); ^ services/std_svc/sdei/sdei_private.h:165:2: error: unknown type name 'el3_state_t' el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx); ^ services/std_svc/sdei/sdei_private.h:165:2: error: implicit declaration of function 'get_el3state_ctx' [-Werror=implicit-function-declaration] services/std_svc/sdei/sdei_private.h:165:25: error: initialization makes pointer from integer without a cast [-Werror] el3_state_t *el3_ctx = get_el3state_ctx(ns_ctx); ^ services/std_svc/sdei/sdei_private.h:167:2: error: implicit declaration of function 'read_ctx_reg' [-Werror=implicit-function-declaration] return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ? ^ services/std_svc/sdei/sdei_private.h:167:33: error: 'CTX_SCR_EL3' undeclared (first use in this function) return ((read_ctx_reg(el3_ctx, CTX_SCR_EL3) & SCR_HCE_BIT) != 0U) ? ^ services/std_svc/sdei/sdei_private.h:167:33: note: each undeclared identifier is reported only once for each function it appears in cc1: all warnings being treated as errors <snip> Change-Id: Id0cad56accf81b19cb0d301784f3f086dd052722 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 28 Sep, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: Icd1cdd42afdc78895a9be6c46b414b0a155cfa63 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 21 Sep, 2018 1 commit
-
-
Daniel Boulby authored
Ensure case clauses: * Terminate with an unconditional break, return or goto statement. * Use conditional break, return or goto statements as long as the end of the case clause is unreachable; such case clauses must terminate with assert(0) /* Unreachable */ or an unconditional __dead2 function call * Only fallthough when doing otherwise would result in less readable/maintainable code; such case clauses must terminate with a /* Fallthrough */ comment to make it clear this is the case and indicate that a fallthrough is intended. This reduces the chance of bugs appearing due to unintended flow through a switch statement Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 18 Sep, 2018 1 commit
-
-
Antonio Nino Diaz authored
The value used to signal failure is 0. It is needed to return a different value on success. Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 07 Sep, 2018 1 commit
-
-
Jeenu Viswambharan authored
The specification requires that, after wakeup from a CPU suspend, the dispatcher must mask all events on the CPU. This patch adds the feature to the SDEI dispatcher by subscribing to the PSCI suspend to power down event, and masking all events on the PE. Change-Id: I9fe1d1bc2a58379ba7bba953a8d8b275fc18902c Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 31 Aug, 2018 1 commit
-
-
Jorge Ramirez-Ortiz authored
Some platforms might chose to take different actions depending on this value; this is precisely the case for rcar-gen3. Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>
-
- 22 Aug, 2018 2 commits
-
-
Antonio Nino Diaz authored
tf_printf and tf_snprintf are now called printf and snprintf, so the code needs to be updated. Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The codebase was using non-standard headers. It is needed to replace them by the correct ones so that we can use the new libc headers. Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d Acked-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 20 Aug, 2018 2 commits
-
-
Jeenu Viswambharan authored
The event lock for a shared event was being unlocked twice, and the locking sequence for event complete was misplaced. This patch fixes both issues. Change-Id: Ie2fb15c6ec240af132d7d438946ca160bd5c63dc Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
These changes address most of the required MISRA rules. In the process, some from generic code is also fixed. No functional changes. Change-Id: I6235a355e006f0b1c7c1c4d811b3964a64d0434f Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 10 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
Functions provided by stdio.h such as printf and sprintf are available in the codebase, but they add a lot of code to the final image if they are used: - AArch64: ~4KB - AArch32: ~2KB in T32, ~3KB in A32 tf_printf and tf_snprintf are a lot more simple, but it is preferable to use them when possible because they are also used in common code. Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
Changed the names for consistency with the rest of the library. Introduced new helpers that manipulate the active translation tables context. Change-Id: Icaca56b67fcf6a96e88aa3c7e47411162e8e6856 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 01 Aug, 2018 1 commit
-
-
Sandrine Bailleux authored
Fix the types of the arguments of trusty_generic_platform_smc() to match the expected prototype of a runtime service handler (see rt_svc_handle_t type). Change-Id: Ie839d116ca924b4b018ea2abbef72a1073da2a32 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 15 Jul, 2018 1 commit
-
-
Antonio Nino Diaz authored
Instead of having a different initialization routine than the rest of the codebase, use the common implementation. Change-Id: I27c03b9905f3cf0af8810aad9e43092005387a1a Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 13 Jul, 2018 1 commit
-
-
Sandrine Bailleux authored
Fix mismatches between the format specifier and the corresponding variable type. Change-Id: Ib9004bd9baa9ba24a50000bea4f2418e1bf7e743 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 11 Jul, 2018 2 commits
-
-
Sandrine Bailleux authored
Wherever we use 'struct foo' and 'foo_t' interchangeably in a function's declaration and definition, use 'struct foo' consistently for both, as per the TF-A coding guidelines [1]. [1] https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Coding-Guidelines#avoid-anonymous-typedefs-of-structsenums-in-header-files Change-Id: I7998eb24a26746e87e9b6425529926406745b721 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 22 Jun, 2018 3 commits
-
-
Jeenu Viswambharan authored
The function end_sdei_explicit_dispatch() was intended to be end_sdei_synchronous_dispatch() which does the opposite of begin_sdei_synchronous_dispatch(). This patch fixes that. No functional changes. Change-Id: I141bd91eb342ecf4ddfd05b49513eee4549e7a56 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
commit 2ccfcb2e ("SDEI: Determine client EL from NS context's SCR_EL3") intended to read from SCR_EL3, but wrongly read from SPSR_EL3 instead. This patch fixes that. Change-Id: I8ffea39cc98ef59cb8e7a4c6ef4cb12011c58536 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The Commit cdb6ac94 introduced a bug because of which the SDEI dispatcher wrongly panic when an SDEI event dispatched earlier as a result of interrupt. This patch fixes the check for a bound interrupt. Change-Id: If55c8f0422ff781731248bbbc9c1b59fa0d3c4b0 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 21 Jun, 2018 3 commits
-
-
Jeenu Viswambharan authored
SDEI event dispatches currently only sets up the Non-secure context before returning to the caller. The actual dispatch only happens upon exiting EL3 next time. However, for various error handling scenarios, it's beneficial to have the dispatch happen synchronously. I.e. when receiving SDEI interrupt, or for a successful sdei_dispatch_event() call, the event handler is executed; and upon the event completion, dispatcher execution resumes after the point of dispatch. The jump primitives introduced in the earlier patch facilitates this feature. With this patch: - SDEI interrupts and calls to sdei_dispatch_event prepares the NS context for event dispatch, then sets a jump point, and immediately exits EL3. This results in the client handler executing in Non-secure. - When the SDEI client completes the dispatched event, the SDEI dispatcher does a longjmp to the jump pointer created earlier. For the caller of the sdei_dispatch_event() in particular, this would appear as if call returned successfully. The dynamic workaround for CVE_2018_3639 is slightly shifted around as part of related minor refactoring. It doesn't affect the workaround functionality. Documentation updated. NOTE: This breaks the semantics of the explicit dispatch API, and any exiting usages should be carefully reviewed. Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Currently, the dispatcher reads from SCR_EL3 register directly to determine the EL of SDEI client. This is with the assumption that SCR_EL3 is not modified throughout. However, with RAS work flows, it's possible that SCR_EL3 register contains values corresponding to Secure world, and therefore EL determination can go wrong. To mitigate this, always read the register from the saved Non-secure context. Change-Id: Ic85e4021deb18eb58757f676f9a001174998543a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The current macros only allow to define dynamic and statically-bound SDEI events. However, there ought be a mechanism to define SDEI events that are explicitly dispatched; i.e., events that are dispatched as a result of a previous secure interrupt or other exception This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit event. They must be placed under private mappings. Only the priority flags are allowed to be additionally specified. Documentation updated. Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 20 Jun, 2018 1 commit
-
-
Antonio Nino Diaz authored
It may be needed to enter the Secure Partition through other means than an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting the necessary code from mm_communicate() and allowing other parts of the code to use it. Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Jun, 2018 1 commit
-
-
Antonio Nino Diaz authored
Only use synchronous calls to enter the Secure Partition in order to simplify the SMC handling code. Change-Id: Ia501a045585ee0836b9151141ad3bd11d0971be2 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 14 Jun, 2018 1 commit
-
-
Roberto Vargas authored
RFC4122 defines that fields are stored in network order (big endian), but TF-A stores them in machine order (little endian by default in TF-A). We cannot change the future UUIDs that are already generated, but we can store all the bytes using arrays and modify fiptool to generate the UUIDs with the correct byte order. Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 13 Jun, 2018 2 commits
-
-
Antonio Nino Diaz authored
The function xlat_arch_is_granule_size_supported() can be used to check if a specific granule size is supported. In Armv8, AArch32 only supports 4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the implementation, which is detected at runtime. The function xlat_arch_get_max_supported_granule_size() returns the max granule size supported by the implementation. Even though right now they are only used by SPM, they may be useful in other places in the future. This patch moves the code currently in SPM to the xlat tables lib so that it can be reused. Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
In the context management library, cm_setup_context() takes the information in ep_info to fill the registers x0-x7. This patch replaces the current code that sets them manually by the correct initialization code. Change-Id: Id1fdf4681b154026c2e3af1f9b05b19582b7d16d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Jun, 2018 2 commits
-
-
Daniel Boulby authored
Rule 5.7: A tag name shall be a unique identifier Follow convention of shorter names for smaller scope to fix violations of MISRA rule 5.7 Fixed For: make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
Daniel Boulby authored
Use a _ prefix for macro arguments to prevent that argument from hiding variables of the same name in the outer scope Rule 5.3: An identifier declared in an inner scope shall not hide an identifier declared in an outer scope Fixed For: make PLAT=fvp SPD=tspd Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 08 Jun, 2018 1 commit
-
-
Dimitris Papastamos authored
When dynamic mitigation is used, the SDEI handler is required to execute with the mitigation enabled by default, regardless of the mitigation state for lower ELs. This means that if the kernel or hypervisor explicitly disables the mitigation and then later when the event is dispatched, the dispatcher will remember the mitigation state for the lower ELs but force the mitigation to be on during the SDEI handler execution. When the SDEI handler returns, it will restore the mitigation state. This behaviour is described in "Firmware interfaces for mitigating cache speculation vulnerabilities System Software on Arm Systems"[0]. [0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 23 May, 2018 6 commits
-
-
Antonio Nino Diaz authored
Simplify the code of the SMC handler by extracting the code of SP_EVENT_COMPLETE and MM_COMMUNICATE. Change-Id: I9250a3f5e4b807b35c9d044592c1074a45ab9a07 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Instead of just knowing if the Secure Partition is being initialized or not, this generic state enum can be used to tell if the Secure Partition is busy and to add more states in the future if needed. Also, the spinlock of the secure_partition_context_t structure now only protects against concurrent accesses to the state of the secure partition. Previously, it used to lock down the whole structure, thus preventing one CPU to access any of its fields while another CPU was executing the partition. Change-Id: I51215328e2ca8ea2452f92e4a1cb237415958b22 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The current internal names are too long, which makes it hard to write code as many lines overflow the limit and need to be split, which may not help the reader. Change-Id: I072bdc8f3dd125255063ffa7f02500e5228fc9a1 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
This is done in order to make it easier to read the file spm_main.c. Change-Id: I21e765154c1682a319a3bc47a19a42fd736e910e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Move all information related to a Secure Partition to the struct secure_partition_context_t. This requires an in-depth refactor because most of the previous code of SPM relied on global information. Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Dimitris Papastamos authored
Some CPUS may benefit from using a dynamic mitigation approach for CVE-2018-3639. A new SMC interface is defined to allow software executing in lower ELs to enable or disable the mitigation for their execution context. It should be noted that regardless of the state of the mitigation for lower ELs, code executing in EL3 is always mitigated against CVE-2018-3639. NOTE: This change is a compatibility break for any platform using the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to the declare_cpu_ops_wa macro instead. Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-