GitLab

Trusted OS may have extra images to be loaded. Load them one by one
and do the parsing. In this patch, ARM TF need to load up to 3 images
for optee os: header, pager and paged images. Header image is the info
about optee os and images. Pager image include pager code and data.
Paged image include the paging parts using virtual memory.

Change-Id: Ia3bcfa6d8a3ed7850deb5729654daca7b00be394
Signed-off-by: Summer Qin <summer.qin@arm.com>

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.

Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>

Revision C of the Base FVP has the same memory map as earlier revisions,
but has the following differences:

  - Implements CCI550 instead of CCI400,
  - Has a single instantiation of SMMUv3,
  - CPU MPIDs are shifted left by one level, and has MT bit set in them.

The correct interconnect to program is chosen at run time based on the
FVP revision. Therefore, this patch implements FVP functions for
interconnect programming, rather than depending on ARM generic ones. The
macros used have been renamed to reflect this change.

Additionally, this patch initializes SMMUv3 as part of FVP early
platform setup.

New ARM config flags are introduced for feature queries at run time.

Change-Id: Ic7b7f080953a51fceaf62ce7daa6de0573801f09
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The CCI crash dump macros assumes CCI base at build time. Since this
can't be the case for CCI on FVP, choose not to register dump CCI
registers for FVP.

Change-Id: I7374a037e7fd0a85b138e84b3cf0aa044262da97
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

ARM CPUs with multi-threading implementation has more than one
Processing Element in a single physical CPU. Such an implementation will
reflect the following changes in the MPIDR register:

  - The MT bit set;

  - Affinity levels pertaining to cluster and CPUs occupy one level
    higher than in a single-threaded implementation, and the lowest
    affinity level pertains to hardware threads. MPIDR affinity level
    fields essentially appear shifted to left than otherwise.

The FVP port henceforth assumes that both properties above to be
concomitant on a given FVP platform.

To accommodate for varied MPIDR formats at run time, this patch
re-implements the FVP platform-specific functions that translates MPIDR
values to a linear indices, along with required validation. The same
treatment is applied for GICv3 MPIDR hashing function as well.

An FVP-specific build option FVP_MAX_PE_PER_CPU is introduced which
specifies the maximum number of threads implemented per CPU. For
backwards compatibility, its value defaults to 1.

Change-Id: I729b00d3e121d16ce9a03de4f9db36dfac580e3f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

plat_get_my_stack is called from C, so it can't expect argument
registers to be preserved. Stash registers temporarily onto the stack
instead.

plat_set_my_stack is called during early init, when there exists no
stack. Use any register other than argument registers to stash temporary
values.

Change-Id: I98052e20671d0933201d45ec7a5affccd71ce08c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch implements the early suspend handler for Tegra SoCs. This
handler is empty for now and the actual support for a particular platform
would be added later.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Almost all the arm platform has switch to translation tables library v2 as
default. Because qemu platform doesn't use arm_common.mk like other arm
platforms, QEMU haven't switched to v2 yet.

This patch adds all the necessary code for adding translation tables
library v2 support on QEMU and use it as default.

Fixes ARM-software/tf-issues#508
Signed-off-by: Fu Wei <fu.wei@linaro.org>

In a previous patch, the xlat_ctx_t type has been made public.
This patch now makes the *_ctx() APIs public.

Each API now has a *_ctx() variant. Most of them were already implemented
and this patch just makes them public. However, some of them were missing
so this patch introduces them.

Now that all these APIs are public, there's no good reason for splitting
them accross 2 files (xlat_tables_internal.c and xlat_tables_common.c).
Therefore, this patch moves all code into xlat_tables_internal.c and
removes xlat_tables_common.c. It removes it from the library's makefile
as well.

This last change introduces a compatibility break for platform ports
that specifically include the xlat_tables_common.c file instead of
including the library's Makefile. The UniPhier platform makefile has
been updated to now omit this file from the list of source files.

The prototype of mmap_add_region_ctx() has been slightly changed. The
mmap_region_t passed in argument needs to be constant because it gets
called from map_add(), which receives a constant region. The former
implementation of mmap_add() used to cast the const qualifier away,
which is not a good practice.

Also remove init_xlation_table(), which was a sub-function of
init_xlat_tables(). Now there's just init_xlat_tables() (and
init_xlat_tables_ctx()). Both names were too similar, which was
confusing. Besides, now that all the code is in a single file,
it's no longer needed to have 2 functions for that.

Change-Id: I4ed88c68e44561c3902fbebb89cb197279c5293b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

After disconnect Jumper pin 1-2 in J15 header, the signal VBUS_DET is to
be pulled down to low level. This will assert the interrupt signal in
PMIC and trigger IRQ in GIC; the asserted signal from VBUS_DET is level
triggered and kernel reports the warning for unhooked interrupt handling;
and VBUS_DET stays with low level, this triggers IRQ storm in kernel.

This patch is to disable interrupt for VBUS_DET in PMIC, this can
dismiss the verbose log and IRQ storm after kernel booting.

[   40.835279] irq 57: nobody cared (try booting with the "irqpoll" option)
[   40.842075] CPU: 0 PID: 980 Comm: irq/57-hi655x-p Not tainted 4.4.77-568944-g576a0114dec8-dirty #667
[   40.851303] Hardware name: HiKey Development Board (DT)
[   40.856580] Call trace:
[   40.859060] [<ffffff800808c4cc>] dump_backtrace+0x0/0x1e0
[   40.864516] [<ffffff800808c8ac>] show_stack+0x20/0x28
[   40.869622] [<ffffff80084b9688>] dump_stack+0xa8/0xe0
[   40.874729] [<ffffff800812dd5c>] __report_bad_irq+0x40/0xec
[   40.880360] [<ffffff800812e0bc>] note_interrupt+0x1e4/0x2d8
[   40.885992] [<ffffff800812b11c>] handle_irq_event_percpu+0xd8/0x268
[   40.892324] [<ffffff800812b2f8>] handle_irq_event+0x4c/0x7c
[   40.897955] [<ffffff800812ecbc>] handle_level_irq+0xcc/0x178
[   40.903672] [<ffffff800812a778>] generic_handle_irq+0x34/0x4c
[   40.909481] [<ffffff80085074c8>] pl061_irq_handler+0xa8/0x124
[   40.915286] [<ffffff800812a778>] generic_handle_irq+0x34/0x4c
[   40.921092] [<ffffff800812a820>] __handle_domain_irq+0x90/0xf8
[   40.926985] [<ffffff8008082620>] gic_handle_irq+0x58/0xa8
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Leo Yan <leo.yan@linaro.org>

The DEVICE2 memory range is needed to access the Root of Trust Public
Key registers. This is not needed when Trusted Board Boot is disabled
so it's safer to not map it in this case. This also saves one level-2
page table in each of BL1 and BL2 images.

Also add some comments.

Change-Id: I67456b44f3fd5e145f6510a8499b7fdf720a7273
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

On ARM CSS platforms, the SCP_BL2/2U image is loaded below
BL1 read-write data. This same memory is used to load BL31
later on. But sufficient checks were not done to ensure that the
SCP_BL2 would not overwrite BL1 rw data. This patch adds the
required CASSERT checks to prevent overwrite into BL1 or BL2
memory by load of SCP_BL2/2U. Also the size of BL31 is increased
and SCP_BL2/2U size is decreased to accomodate it within the
allocated region.

Change-Id: I23b28b5e1589e91150852a06452bd52b273216ee
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The SCP_BL2 is transferred to SCP during BL2 image load and authenticate
sequence. The Boot-Over-MHU (BOM) protocol is used as transport for this. After
the SCP boots using the transferred image, the AP CPU waits till the `READY`
message is received from SCP. This patch separates the API for transport of
image from the wait for `READY` message and also moves the related files to
the `css/drivers` folder. The previous API `scp_bootloader_transfer` is
renamed to `css_scp_boot_image_xfer` to reflect the css naming convention.
This reorganisation also allows easier switch to a different transport
(eg: Shared Data Structure based transfer) in future

Change-Id: I8a96f9c4616ffde6dbfdf7c18f6f6f8bfa40bbf0
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Recent patches to reduce the memory footprint of BL images have
resulted in saving several pages of memory. This patch reduces
the BL2 size limit by 20KB for Juno when ARM_BOARD_OPTIMISE_MEM=1
so that more free space can be freed up for Trusted OS (BL32). Also
SCP_BL2/SCP_BL2U size is now restricted to 80K.

Change-Id: I1573d7a34e24d15e4abce8a14da40dbb5dc81e37
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The board features the Hi3798C V200 with an integrated quad-core
64-bit ARM Cortex A53 processor and high performance Mali T720 GPU,
making it capable of running any commercial set-top solution based on
Linux or Android. Its high performance specification also supports a
premium user experience with up to H.265 HEVC decoding of 4K video at
60 frames per second.

SOC  Hisilicon Hi3798CV200
CPU  Quad-core ARM Cortex-A53 64 bit
DRAM DDR3/3L/4 SDRAM interface, maximum 32-bit data width 2 GB
USB  Two USB 2.0 ports One USB 3.0 ports
CONSOLE  USB-micro port for console support
ETHERNET  1 GBe Ethernet
PCIE  One PCIe 2.0 interfaces
JTAG  8-Pin JTAG
EXPANSION INTERFACE  Linaro 96Boards Low Speed Expansion slot
DIMENSION Standard 160×120 mm 96Boards Enterprice Edition form factor
WIFI  802.11AC 2*2 with Bluetooth
CONNECTORS  One connector for Smart Card One connector for TSI

The platform boot sequence is as follows:
    l-loader --> arm_trusted_firmware --> u-boot

Repositories:
 - https://github.com/Linaro/poplar-l-loader.git
 - https://github.com/Linaro/poplar-u-boot.git



U-Boot is also upstream in the project's master branch.

Make sure you are using the correct branch on each one of these
repositories. The definition of "correct" might change over time (at
this moment in time this would be the "latest" branch).

Build Line:
make CROSS_COMPILE=aarch64-linux-gnu-  all fip SPD=none DEBUG=1
PLAT=poplar BL33=/path/to/u-boot.bin
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Signed-off-by: Alex Elder <elder@linaro.org>
Tested-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
Tested-by: Leo Yan <leo.yan@linaro.org>
Tested-by: Alex Elder <elder@linaro.org>

This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions to this change in order to retain
header groupings and where there are headers within #if statements.

Change-Id: Ib5b668c992d817cc860e97b29e16ef106d17e404
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

This fix modifies the order of #includes in ARM standard platforms
to meet the ARM TF coding standard.

Change-Id: Ide19aad6233babda4eea2d17d49e523645fed1b2
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>

Signed-off-by: Victor Chong <victor.chong@linaro.org>

PLATFORM_LINKER_FORMAT
and
PLATFORM_LINKER_ARCH
defines are removed from
plat/hisilicon/hikey/include/platform_def.h
since there are already defined in
include/plat/common/common_def.h
which is included by
plat/hisilicon/hikey/hikey_def.h
which is included by
plat/hisilicon/hikey/include/platform_def.h

The line
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
is removed from
plat/hisilicon/hikey/platform.mk
to clear the warning below:

Makefile:544: warning: overriding commands for target `check_SCP_BL2'
plat/hisilicon/hikey/platform.mk:19: warning: ignoring old commands for target `check_SCP_BL2'

$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
already exists in
Makefile
and applies to plat hikey so is redundant in
plat/hisilicon/hikey/platform.mk
Signed-off-by: Victor Chong <victor.chong@linaro.org>

Signed-off-by: Victor Chong <victor.chong@linaro.org>

The line
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
is removed from
plat/hisilicon/hikey960/platform.mk
to clear the warning below:

Makefile:544: warning: overriding commands for target `check_SCP_BL2'
plat/hisilicon/hikey960/platform.mk:13: warning: ignoring old commands for
target `check_SCP_BL2'

$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
already exists in
Makefile
and applies to plat hikey960 so is redundant in
plat/hisilicon/hikey960/platform.mk
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>

Fix cortex a53 errata issues: #836870, #843419, #855873.
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>

Fix cortex a53 errata issues: #836870, #843419, #855873.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>

Decrypt device private keys which transfer from kernel, then stuff it to
DP controller. So that DP driver could start HDCP authentication in
kernel.

Change-Id: If3c2cd99bca811fe5fc30acc88bf5dc1afd7416d
Signed-off-by: Ziyuan Xu <xzy.xu@rock-chips.com>
Signed-off-by: Caesar Wang <wxt@rock-chips.com>

Fixing compilation errors due to duplicate 'const' keyword:
  plat/xilinx/zynqmp/pm_service/pm_client.c:39:29: error: duplicate 'const' declaration specifier [-Werror=duplicate-decl-specifier]
   static const struct pm_proc const pm_procs_all[] = {
                               ^~~~~
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

This patch fixes the two things as follows:

1) rk3399_flash_l2_b" seems to be a typo. That's "flush", not "flash".

2) fixes the warnings log.
We always hit the warnings thing during the suspend, as below log:
..
[   51.022334] CPU5: shutdown
[   51.025069] psci: CPU5 killed.
INFO:    sdram_params->ddr_freq = 928000000
WARNING: rk3399_flash_l2_b:reg 28830380,wait

When the L2 completes the clean and invalidate sequence, it asserts the
L2FLUSHDONE signal. The SoC can now deassert L2FLUSHREQ signal and then
the L2 deasserts L2FLUSHDONE.

Then, a loop without a delay isn't really great to measure time. We should
probably add a udelay(10) or so in there and then maybe replace the WARN()
after the loop. In the actual tests, the L2 cache will take ~4ms by
default for big cluster.

In the real world that give 10ms for the enough margin, like the
ddr/cpu/cci frequency and other factors that will affect it.

Change-Id: I55788c897be232bf72e8c7b0e10cf9b06f7aa50d
Signed-off-by: Caesar Wang <wxt@rock-chips.com>

This patch implements the platform APIs plat_get_rotpk_info,
plat_get_nv_ctr, plat_set_nv_ctr to invoke CryptoCell SBROM
APIs when ARM_CRYPTOCELL_INT is set.

Change-Id: I693556b3c7f42eceddd527abbe6111e499f55c45
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:

* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
  the CryptoCell crypto driver for Trusted Board boot.

* The TrustZone filter settings for Non Secure DRAM is modified
  to allow CryptoCell to read this memory. This is required to
  authenticate BL33 which is loaded into the Non Secure DDR.

* The CSS platforms are modified to use coherent stacks in BL1 and BL2
  when CryptoCell crypto is selected. This is because CryptoCell makes
  use of DMA to transfer data and the CryptoCell SBROM library allocates
  buffers on the stack during signature/hash verification.

Change-Id: I1e6f6dcd1899784f1edeabfa2a9f279bbfb90e31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

For rk3399, the L2ACTLR[14] is 0 by default, as ACE CCI-500 doesn't
support WriteEvict. and you will hit the condition L2ACTLR[3] with 0,
as the Evict transactions should propagate to CCI-500 since it has
snoop filters.

Maybe this erratum applies to all Cortex-A53 cores so far, especially
if RK3399's A53 is a r0p4. we should enable it to avoid data corruption,

Change-Id: Ib86933f1fc84f8919c8e43dac41af60fd0c3ce2f
Signed-off-by: Caesar Wang <wxt@rock-chips.com>

A recent commit 030567e6

 added U()/ULL()
macro to TF constants. This has caused some signed-unsigned comparison
warnings / errors in the TF static analysis.

This patch addresses these issues by migrating impacted variables from
signed ints to unsigned ints and vice verse where applicable.

Change-Id: I4b4c739a3fa64aaf13b69ad1702c66ec79247e53
Signed-off-by: David Cunado <david.cunado@arm.com>

On Juno AArch32, the L2 cache may contain garbage after the warm reset
from AArch64 to AArch32.  This is all fine until the MMU is configured
and the data caches enabled.  To avoid fetching stale data from the L2
unified cache, invalidate it before the warm reset to AArch32 state.

Change-Id: I7d27e810692c02c3e83c9f31de67f6bae59a960a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Before BL2 loads the SCP ram firmware, `SCP_BOOT_CFG_ADDR` specifies
the primary core.  After the SCP ram firmware has started executing,
`SCP_BOOT_CFG_ADDR` is modified.  This is not normally an issue but
the Juno AArch32 boot flow is a special case.  BL1 does a warm reset
into AArch32 and the core jumps to the `sp_min` entrypoint.  This is
effectively a `RESET_TO_SP_MIN` configuration.  `sp_min` has to be
able to determine the primary core and hence we need to restore
`SCP_BOOT_CFG_ADDR` to the cold boot value before `sp_min` runs.

This magically worked when booting on A53 because the core index was
zero and it just so happened to match with the new value in
`SCP_BOOT_CFG_ADDR`.

Change-Id: I105425c680cf6238948625c1d1017b01d3517c01
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

For some reason, HDCP key decrytion can't open source in ATF, so we
build it as hdcp.bin. Besides declare the handler for decrypting.

Change-Id: Ia67ff2442ab43cb3ee4875b3d59cc1608e854b4b
Signed-off-by: Ziyuan Xu <xzy.xu@rock-chips.com>
Signed-off-by: Caesar Wang <wxt@rock-chips.com>

Use TF_CFLAGS instead of CFLAGS, to allow CFLAGS to be overriden from
the make command line.

Change-Id: I3e5726c04bcd0176f232581b8be2c94413374ac7
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html



Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.

Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769

Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419

The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.

Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.

Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

SPE is only supported in non-secure state.  Accesses to SPE specific
registers from SEL1 will trap to EL3.  During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained.  This is to
avoid a potential invalid memory access in SEL1.

SPE is architecturally specified only for AArch64.

Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Currently, ROTPK_NOT_DEPLOYED flag is set in plat_get_rotpk_info().
It is up to users how to retrieve ROTPK if the ROT verification is
desired.  This is not nice.

This commit improves plat_get_rotpk_info() implementation and automates
the ROTPK deployment.  UniPhier platform has no ROTPK storage, so it
should be embedded in BL1/BL2, like ARM_ROTPK_LOCATION=devel_rsa case.
This makes sense because UniPhier platform implements its internal ROM
i.e. BL1 is used as updatable pseudo ROM.

Things work like this:

- ROT_KEY (default: $(BUILD_PLAT)/rot_key.pem) is created if missing.
  Users can override ROT_KEY from the command line if they want to
  use a specific ROT key.

- ROTPK_HASH is generated based on ROT_KEY.

- ROTPK_HASH is included by uniphier_rotpk.S and compiled into BL1/BL2.

- ROT_KEY is input to cert_create tool.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Commit 6de8b24f

 broke Juno AArch32
build.

Change-Id: Ied70d9becb86e53ccb46a2e3245e2a551d1bf701
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

On ARM platforms before exiting from SP_MIN ensure that
the default console is switched to the runtime serial port.

Change-Id: I0ca0d42cc47e345d56179eac16aa3d6712767c9b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>