GitLab

This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.

If SVE is implemented, EL3 will do the following:

- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.

- Exit from Non-secure world: SIMD, FP and SVE functionality is
  disabled. As SIMD and FP registers are part of the SVE Z-registers
  then any use of SIMD / FP functionality would corrupt the SVE
  registers.

The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.

This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.

Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.

Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.

Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: David Cunado <david.cunado@arm.com>

The Cortex A75 has 5 AMU counters.  The first three counters are fixed
and the remaining two are programmable.

A new build option is introduced, `ENABLE_AMU`.  When set, the fixed
counters will be enabled for use by lower ELs.  The programmable
counters are currently disabled.

Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Commit 26e63c44

 broke the Makefile for ARMv8-A AArch32 platforms.
This patch fixes it.

Change-Id: I49b8eb5b88f3a131aa4c8642ef970e92d90b6dd2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Factor out SPE operations in a separate file.  Use the publish
subscribe framework to drain the SPE buffers before entering secure
world.  Additionally, enable SPE before entering normal world.

A side effect of this change is that the profiling buffers are now
only drained when a transition from normal world to secure world
happens.  Previously they were drained also on return from secure
world, which is unnecessary as SPE is not supported in S-EL1.

Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:

- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.

A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.

The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:

- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
  Secure Partition.
- Implementing a well defined interface that is used by the normal world
  and other secure services for accessing the services exported by a
  Secure Partition.
- Implementing a well defined interface that is used by a Secure
  Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
  Partition to fulfil a service request.

Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

External build environment shall sets directive ARM_ARCH_MAJOR to 7
to specify a target ARMv7-A core.

As ARM-TF expects AARCH to be set, ARM_ARCH_MAJOR==7 mandates
AARCH=aarch32.

The toolchain target architecture/cpu is delegated after the platform
configuration is parsed. Platform shall define target core through
ARM_CORTEX_A<x>=yes, <x> being 5, 7, 9, 12, 15 and/or 17.

Platform can bypass ARM_CORTEX_A<x>=yes directive and provide straight
the toolchain target directive through MARCH32_DIRECTIVE.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

Some platforms (for ex. UniPhier) want to create files in the very
top of the build directory.  Add ${BUILD_PLAT} so such files can
depend on it.

Make existing directory targets depend on ${BUILD_PLAT} because
they are sub-directories of ${BUILD_PLAT}.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

The back end GIC driver converts and assigns the interrupt type to
suitable group.

For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which
determines to which type Group 0 interrupts maps to.

 - When the build option is set 0 (the default), Group 0 interrupts are
   meant for Secure EL1. This is presently the case.

 - Otherwise, Group 0 interrupts are meant for EL3. This means the SPD
   will have to synchronously hand over the interrupt to Secure EL1.

The query API allows the platform to query whether the platform supports
interrupts of a given type.

API documentation updated.

Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch gives users control over logging messages printed from the C
code using the LOG macros defined in debug.h Users now have the ability
to reduce the log_level at run time using the tf_log_set_max_level()
function. The default prefix string can be defined by platform by
overriding the `plat_log_get_prefix()` platform API which is also
introduced in this patch.

The new log framework results in saving of some RO data. For example,
when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
framework also adds about 108 bytes of code to the release build of FVP.

Fixes ARM-software/tf-issues#462

Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
Co-authored-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

TRUSTED_BOARD_BOOT and GENERATE_COT is not
compatible with EL3_PAYLOAD_BASE

Change-Id: I538c77e1f6c7da400d30ae4d633b8fcc55742202
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

Change-Id: I08c9789d3fd2b034b08de663d151023ca005f77f
Reported-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

The current build system and driver requires the CCI product to be
specified at build time. The device constraints can be determined at run
time from its ID registers, obviating the need for specifying them
ahead.

This patch adds changes to identify and validate CCI at run time. Some
global variables are renamed to be in line with the rest of the code
base.

The build option ARM_CCI_PRODUCT_ID is now removed, and user guide is
updated.

Change-Id: Ibb765e349d3bc95ff3eb9a64bde1207ab710a93d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Commit d832aee9

, which added SPE support, got the alphabetical ordering
wrong for documentation and Makefile addition. This patch fixes that.

Change-Id: I061ecfba4db363902c9d7d577d2ce6c612cb9e1d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Change-Id: I8676a22649dce92d0ddd98013fc6dafcfbe94c90
Signed-off-by: David Cunado <david.cunado@arm.com>

Use TF_LDFLAGS from the Makefiles, and still append LDFLAGS as well to
the compiler's invocation. This allows passing extra options from the
make command line using LDFLAGS.

Document new LDFLAGS Makefile option.

Change-Id: I88c5ac26ca12ac2b2d60a6f150ae027639991f27
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html



Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.

Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769

Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419

The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.

Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.

Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

SPE is only supported in non-secure state.  Accesses to SPE specific
registers from SEL1 will trap to EL3.  During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained.  This is to
avoid a potential invalid memory access in SEL1.

SPE is architecturally specified only for AArch64.

Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

It doesn't make sense to use the `-pedantic` flag when building the
Trusted Firmware as we use GNU extensions and so our code is not
fully ISO C compliant. This flag only makes sense if the code intends to
be ISO C compliant.

Change-Id: I6273564112759ff57f03b273f5349733a5f38aef
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Only the compiler is switched to ARM Compiler 6.  The assembler and linker
are provided by the GCC toolchain.

ARM Compiler 6 is used to build TF when the base name of the path assigned
to `CC` matches the string 'armclang'.

`CROSS_COMPILE` is still needed and should point to the appropriate
GCC toolchain.

Tested with ARM CC 6.7.

Change-Id: Ib359bf9c1e8aeed3f662668e44830864f3fe7b4a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Only the compiler is switched to clang.  The assembler and linker are
provided by the GCC toolchain.

clang is used to build TF when the base name of the path assigned to
`CC` contains the string 'clang'.

`CROSS_COMPILE` is still needed and should point to the appropriate
GCC toolchain.

Tested with clang 3.9.x and 4.0.x.

Change-Id: I53236d64e3c83ad27fc843bae5fcdae30f2e325e
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Tools are built using the compiler specified in `HOSTCC` instead of
reusing the `CC` variable.  By default, gcc is used.

Change-Id: I83636a375c61f4804b4e80784db9d061fe20af87
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Since TF uses GCC extensions, switch the C environment
from c99 to gnu99.

This change allows armclang to build TF.

Change-Id: Iaacb2726ba1458af59faf607ae9405d6eedb9962
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

This is a reduced version of `snprintf` that only supports formats '%d',
'%i' and '%u'. It can be used when the full `snprintf` is not needed in
order to save memory. If it finds an unknown format specifier, it
prints an error message and panics.

Change-Id: I2cb06fcdf74cda2c43caf73ae0762a91499fc04e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide any
value (at least technically).

For easier use of TBBR, this commit allows platforms to reuse the OIDs
obtained by ARM Ltd.  This will be useful for non-ARM vendors that
do not need their own extension fields in their certificate files.

The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h

Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
backward compatibility.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Some header files need to be shared between TF and host programs.
For fiptool, two headers are copied to the tools/fiptool directory,
but it looks clumsy.

This commit introduces a new directory, include/tools_share, which
collects headers that should be shared between TF and host programs.

This will clarify the interface exposed to host tools.  We should
add new headers to this directory only when we really need to do so.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Add support for firmware upgrade on AArch32.
This patch has been tested on the FVP models.

NOTE: Firmware upgrade on Juno AArch32 is not currently supported.

Change-Id: I1ca8078214eaf86b46463edd14740120af930aec
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>

This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode.

To build this patch the "mbedtls/include/mbedtls/bignum.h"
needs to be modified to remove `#define MBEDTLS_HAVE_UDBL`
when `MBEDTLS_HAVE_INT32` is defined. This is a workaround
for "https://github.com/ARMmbed/mbedtls/issues/708

"

NOTE: TBBR support on Juno AArch32 is not currently supported.

Change-Id: I86d80e30b9139adc4d9663f112801ece42deafcf
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>

This patch enables compiler-rt for the AArch32 target.  The code is
not used for AArch64 as the architecture supports the 64-bit division
and modulo operations natively.

Change-Id: I1703a92872b0bb56ac0b98c67193830683963b13
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/



Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Some recent changes have added direct use of the echo command without
parameters.  This fails on a Windows shell, because echo without
parameters reports the mode ("ECHO is on").
This is corrected using the ECHO_BLANK_LINE macro already provided
for that purpose.

Change-Id: I5fd7192861b4496f6f46b4f096e80a752cd135d6
Signed-off-by: Evan Lloyd <evan.lloyd@arm.com>

The build option `ENABLE_ASSERTIONS` should be used instead. That way
both C and ASM assertions can be enabled or disabled together.

All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
been replaced by `ENABLE_ASSERTIONS`.

ASM_ASSERTION has been removed from the user guide.

Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Add the new build option `ENABLE_ASSERTIONS` that controls whether or
not assert functions are compiled out. It defaults to 1 for debug builds
and to 0 for release builds.

Additionally, a following patch will be done to allow this build option
to hide auxiliary code used for the checks done in an `assert()`. This
code is is currently under the DEBUG build flag.

Assert messages are now only printed if LOG_LEVEL >= LOG_LEVEL_INFO,
which is the default for debug builds.

This patch also updates the User Guide.

Change-Id: I1401530b56bab25561bb0f274529f1d12c5263bc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces a build option to enable D-cache early on the CPU
after warm boot. This is applicable for platforms which do not require
interconnect programming to enable cache coherency (eg: single cluster
platforms). If this option is enabled, then warm boot path enables
D-caches immediately after enabling MMU.

Fixes ARM-Software/tf-issues#456

Change-Id: I44c8787d116d7217837ced3bcf0b1d3441c8d80e
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

If SCP_BL2 is passed in from the command line, it is recognized by
make_helpers/tbbr/tbbr_tools.mk, and the cert_create tool generates
the corresponding key and content certificates.

On the other hand, the top-level Makefile does not care SCP_BL2, so
the --scp-fw option is not passed to the fiptool.  As far as I see
plat/arm/css/common/css_common.mk, it looks like a platform's job to
add $(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw)).

We can make the top-level Makefile kind enough to take care of it.
This is useful when we want to have optional SCP_BL2 firmware.

Adjust css_common.mk so that Juno still requires SCP_BL2 by default.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

At present, the build option checks are done prior to inclusion of
BL makefiles. This meant if the BL makefiles modified any of the options
then these checks were bypassed. This patch corrects this problem.

Change-Id: I0b591392a74d6d456d2b19bbe292f42b5aeae048
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

These source file definitions should be defined in generic
Makefiles so that all platforms can benefit. Ensure that the
symbols are properly marked as weak so they can be overridden
by platforms.

NOTE: This change is a potential compatibility break for
non-upstream platforms.

Change-Id: I7b892efa9f2d6d216931360dc6c436e1d10cffed
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

The folder lib/xlat_tables_v2 has been created to store a new version
of the translation tables library for further modifications in patches
to follow. At the moment it only contains a basic implementation that
supports static regions.

This library allows different translation tables to be modified by
using different 'contexts'. For now, the implementation defaults to
the translation tables used by the current image, but it is possible
to modify other tables than the ones in use.

Added a new API to print debug information for the current state of
the translation tables, rather than printing the information while
the tables are being created. This allows subsequent debug printing
of the xlat tables after they have been changed, which will be useful
when dynamic regions are implemented in a patch to follow.

The common definitions stored in `xlat_tables.h` header have been moved
to a new file common to both versions, `xlat_tables_defs.h`.

All headers related to the translation tables library have been moved to
a the subfolder `xlat_tables`.

Change-Id: Ia55962c33e0b781831d43a548e505206dffc5ea9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ARM Trusted Firmware keeps certain data structures in a memory region
with non-cacheable attributes (termed as "coherent memory") to keep data
coherent with observers that are cache-coherent, and those not. These
data structures pertain to power management and mutual exclusion. Using
coherent memory also costs at least an additional page to map memory
with special memory attributes.

On systems with hardware-assisted coherency, all CPUs that participate
in power management and mutual exclusion are cache-coherent, obviating
the need for special memory attributes for such data structures.
Instead, they can be placed in normal memory, along with rest of data.

On systems with hardware-assisted coherency, where build option
HW_ASSISTED_COHERENCY will be set, also having USE_COHERENT_MEMORY
enabled only wastes a page of memory without any
benefit. Therefore, with HW_ASSISTED_COHERENCY set to 1, require that
USE_COHERENT_MEMORY is explicitly set to 0.

Change-Id: I5101657ae6b1a46278069f23e2d88ee5cbd98efa
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The boolean build option HW_ASSISTED_COHERENCY is introduced to enable
various optimizations in ARM Trusted Software, when built for such
systems. It's set to 0 by default.

Change-Id: I638390da6e1718fe024dcf5b402e07084f1eb014
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>