GitLab

The size increase after enabling options related to ARMv8.3-PAuth is:

+----------------------------+-------+-------+-------+--------+
|                            |  text |  bss  |  data | rodata |
+----------------------------+-------+-------+-------+--------+
| CTX_INCLUDE_PAUTH_REGS = 1 |  +192 | +1536 |   +0  |   +0   |
|                            |  0.3% |  3.1% |       |        |
+----------------------------+-------+-------+-------+--------+
| ENABLE_PAUTH = 1           | +1848 | +1536 |  +16  |   +0   |
|                            |  3.3% |  3.1% |  3.1% |        |
+----------------------------+-------+-------+-------+--------+

Results calculated with the following build configuration:

    make PLAT=fvp SPD=tspd DEBUG=1 \
    SDEI_SUPPORT=1                 \
    EL3_EXCEPTION_HANDLING=1       \
    TSP_NS_INTR_ASYNC_PREEMPT=1    \
    CTX_INCLUDE_PAUTH_REGS=1       \
    ENABLE_PAUTH=1

Change-Id: I43db7e509a4f39da6599ec2faa690d197573ec1b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.

This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.

Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.

This feature is supported only in AArch64 state.

This feature is mandatory in ARMv8.3 implementations.

This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.

To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.

Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Now that setjmp() and longjmp() are compliant with the standard they can
be moved with the other libc files.

Change-Id: Iea3b91c34eb353ace5e171e72f331602d57774d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces explicit linker variables to mark the start and
end of the per-cpu bakery lock section to help bakery_lock_normal.c
calculate the size of the section. This patch removes the previously
used '__PERCPU_BAKERY_LOCK_SIZE__' linker variable to make the code
uniform across GNU linker and ARM linker.

Change-Id: Ie0c51702cbc0fe8a2076005344a1fcebb48e7cca
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This reverts commit 2f370465

 ("Add support for the SMC Calling
Convention 2.0").

SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.

The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.

Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This implementation is no longer deprecated.

Change-Id: I68552d0fd5ba9f08fad4345e4657e8e3c5362a36
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The SPM implementation based on MM is going to be kept for the
foreseeable future.

Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

On some systems, it may be preferred to place the secure EL1/0 vector
table outside of the static placement of the BL31 image itself, for
instance when the latter is located in non-shareable SRAM which does
not tolerate inner shareable WBWA mappings (as is the case on SynQuacer)

So permit the platform to #define SPM_SHIM_EXCEPTIONS_VMA in its
supplementary linker script, in which case it will be used as the
VMA region for the vector table. Note that the LMA does not change,
and it is up to the platform to copy the contents to the right place
at init time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

When the patch SHA 931f7c61

 introduced PIE support for BL31,
adding the GOT section when the SEPARATE_CODE_AND_RODATA=0
to the linker script was erroneously omitted. This patch corrects
the same.

Also the patch reduces the alignment requirement for GOT and RELA
sections from 16 bytes to 8. Comments are added explain the
intent for alignment.

Change-Id: I8035cbf75f346f99bd56b13f32e0b3b70dd2fe6c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Change-Id: I2ae9b3bb686c41b2e138132a7bed107925ac861e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The current SPM is a prototype that only supports one secure partition
in EL0. The objective of SPM is to have multiple partitions. The current
MM interface isn't adequate for this, so it is needed to modify heavily
the code to add proper support for it.

However, there are platforms which are already using this (like SGI) and
removing the code would break it.  For this reason, the current SPM code
has been duplicated in order to temporarily preserve compatibility. All
new improvements/changes to SPM will be done in the non-deprecated copy,
that may change without notice.

The new build option SPM_DEPRECATED has been introduced to select the SPM
implementation. It defaults to 1, that selects the deprecated SPM.

Change-Id: Ic9f80b53b450e97b4d3f47e4ef4a138ee8d87443
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Use the helper function `save_gp_registers` to save the register
state to cpu_context on entry to EL3 in SMC handler. This has the
effect of saving x0 - x3 as well into the cpu_context which was
not done previously but it unifies the register save sequence
in BL31.

Change-Id: I5753c942263a5f9178deda3dba896e3220f3dd83
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Add a dependency for building EL3 exception handling framework(EHF)
module with the secure partition manager(SPM).

The EHF module is needed for raising the core's running priority
before the core enters the secure partition, and lowering it
subsequently on exit from the secure partition.

Change-Id: Icbe2d0a63f00b46dc593ff3d86b676c9333506c3
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>

The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().

Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.

The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.

Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

When HW_ASSISTED_COHERENCY is enabled we can use spinlocks
instead of using the more complex and slower bakery algorithm.

Change-Id: I9d791a70050d599241169b9160a67e57d5506564
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

No functional changes.

Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Mark the initialization functions in BL31, such as context management,
EHF, RAS and PSCI as __init so that they can be reclaimed by the
platform when no longer needed

Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

Change-Id: I2d4a21a80a768bc422e9707e6d7e98d20a716275
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The expected value for failure is 0, so the warning only has to be shown
in that case. This is the way the TSPD has done it since it was
introduced, and the way SPM and OP-TEE do it.

Trusty wrongly returns 0 on success.

In the case of TLK, the return value of tlkd_init() is passed from the
secure world in register X1 when calling the SMC TLK_ENTRY_DONE.

Change-Id: I39106d67631ee57f109619f8830bf4b9d96155e6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

If BL32 isn't present or it fails to initialize the current code prints
an error message in both debug and release builds. This is too verbose
for release builds, so it has been converted into a warning.

Also, it was missing a newline at the end of the message.

Change-Id: I91e18d5d5864dbb19d47ecd54f174d2d8c06296c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: I5993b425445ee794e6d2a792c244c0af53640655
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

These changes address most of the required MISRA rules. In the process,
some from generic code are also fixed.

No functional changes.

Change-Id: I19786070af7bc5e1f6d15bdba93e22a4451d8fe9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.

With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.

Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

If the system is in near idle conditions, this erratum could cause a
deadlock or data corruption. This patch applies the workaround that
prevents this.

This DSU erratum affects only the DSUs that contain the ACP interface
and it was fixed in r2p0. The workaround is applied only to the DSUs
that are actually affected.

Link to respective Arm documentation:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html



Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

External Aborts while executing in EL3 is fatal in nature. This patch
allows for the platform to define a handler for External Aborts received
while executing in EL3. A default implementation is added which falls
back to platform unhandled exception.

Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Double fault is when the PE receives another error whilst one is being
handled. To detect double fault condition, a per-CPU flag is introduced
to track the status of error handling. The flag is checked/modified
while temporarily masking external aborts on the PE.

This patch routes double faults to a separate platform-defined handler.

Change-Id: I70e9b7ba4c817273c55a0af978d9755ff32cc702
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Uncontainable errors are the most severe form of errors, which typically
mean that the system state can't be trusted any more. This further means
that normal error recovery process can't be followed, and an orderly
shutdown of the system is often desirable.

This patch allows for the platform to define a handler for Uncontainable
errors received. Due to the nature of Uncontainable error, the handler
is expected to initiate an orderly shutdown of the system, and therefore
is not expected to return. A default implementation is added which falls
back to platform unhandled exception.

Also fix ras_arch.h header guards.

Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

RAS handling flows might involve using setjmp/longjump calls introduced
in earlier patches; therefore, it'd be good to make sure the stack has
been unwound completely after the handling.

This patch inserts ASM assertions on the RAS handling path to validate
stack.

Change-Id: I59d40d3122010c977cdeab3cce3160f3909e7e69
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

A new file ea_delegate.S is introduced, and all EA-related functions are
moved into it. This makes runtime_exceptions.S less crowded and reads
better.

No functional changes.

Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.

This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.

Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Clang linker doesn't support NEXT. As we are not using the MEMORY command
to define discontinuous memory for the output file in any of the linker
scripts, ALIGN and NEXT are equivalent.

Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Having an active stack while enabling MMU has shown coherency problems.
This patch builds on top of translation library changes that introduces
MMU-enabling without using stacks.

Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while
enabling MMU only because of active stack. Now that we can enable MMU
without using stack, we can enable both MMU and data caches at the same
time.

NOTE: Since this feature depends on using translation table library v2,
disallow using translation table library v1 with HW_ASSISTED_COHERENCY.

Fixes ARM-software/tf-issues#566

Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

SDEI event dispatches currently only sets up the Non-secure context
before returning to the caller. The actual dispatch only happens upon
exiting EL3 next time.

However, for various error handling scenarios, it's beneficial to have
the dispatch happen synchronously. I.e. when receiving SDEI interrupt,
or for a successful sdei_dispatch_event() call, the event handler is
executed; and upon the event completion, dispatcher execution resumes
after the point of dispatch. The jump primitives introduced in the
earlier patch facilitates this feature.

With this patch:

  - SDEI interrupts and calls to sdei_dispatch_event prepares the NS
    context for event dispatch, then sets a jump point, and immediately
    exits EL3. This results in the client handler executing in
    Non-secure.

  - When the SDEI client completes the dispatched event, the SDEI
    dispatcher does a longjmp to the jump pointer created earlier. For
    the caller of the sdei_dispatch_event() in particular, this would
    appear as if call returned successfully.

The dynamic workaround for CVE_2018_3639 is slightly shifted around as
part of related minor refactoring. It doesn't affect the workaround
functionality.

Documentation updated.

NOTE: This breaks the semantics of the explicit dispatch API, and any
exiting usages should be carefully reviewed.

Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch introduces setjmp() and ongjmp() primitives to enable
standard setjmp/longjmp style execution. Both APIs parameters take a
pointer to struct jmpbuf type, which hosts CPU registers saved/restored
during jump.

As per the standard usage:

  - setjmp() return 0 when a jump is setup; and a non-zero value when
    returning from jump.

  - The caller of setjmp() must not return, or otherwise update stack
    pointer since.

Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The translation tables allocated for the Secure Partition do not need
to be treated as a special case. They can be put amongst the other
tables mapping BL31's general purpose memory. They will be mapped with
the same attributes as them, which is fine.

The explicit alignment constraint in BL31's linker script to pad the
last page of memory allocated to the Secure Partition's translation
tables is useless too, as page tables are per se pages, thus their
end address is naturally aligned on a page-boundary.

In fact, this patch does not change the existing behaviour. Since
patch 22282bb6

 ("SPM: Move all SP-related info to SP context
struct"), the secure_partition.c file has been renamed into sp_xlat.c
but the linker script has not been properly updated. As a result, the
SP translation tables are not specifically put at the start of the
xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__
symbols have the same value, the size of the resulting mmap_region
covering these xlat tables is 0 and so it is ignored.

Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.

Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>