1. 22 Jan, 2018 1 commit
  2. 19 Jan, 2018 5 commits
    • Julius Werner's avatar
      coreboot: Add support for CBMEM console · 1c5f5031
      Julius Werner authored
      
      
      coreboot supports an in-memory console to store firmware logs even when
      no serial console is available. It is widely supported by
      coreboot-compatible bootloaders (including SeaBIOS and GRUB) and can be
      read by the Linux kernel.
      
      This patch allows BL31 to add its own log messages to this console. The
      driver will be registered automatically if coreboot support is compiled
      in and detects the presence of a console buffer in the coreboot tables.
      
      Change-Id: I31254dfa0c2fdeb7454634134b5707b4b4154907
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      1c5f5031
    • Julius Werner's avatar
      Add platform-independent coreboot support library · 3429c77a
      Julius Werner authored
      
      
      This patch adds the foundation for a platform-independent coreboot
      support library that can be shared by all platforms that boot BL31 from
      coreboot (acting as BL2). It adds code to parse the "coreboot table", a
      data structure that coreboot uses to communicate different kinds of
      information to later-stage firmware and certain OS drivers.
      
      As a first small use case for this information, allow platforms to
      access the serial console configuration used by coreboot, removing the
      need to hardcode base address and divisors and allowing Trusted Firmware
      to benefit from coreboot's user configuration (e.g. which UART to pick
      and which baud rate to use).
      
      Change-Id: I2bfb39cd2609ce6640b844ab68df6c9ae3f28e9e
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      3429c77a
    • Julius Werner's avatar
      drivers: cadence: cdns: Update CDNS driver to support MULTI_CONSOLE_API · 38ba8e93
      Julius Werner authored
      
      
      This patch updates the Cadence CDNS console driver to support the new
      console API. The driver will continue to support the old API as well by
      checking the MULTI_CONSOLE_API compile-time flag.
      
      Change-Id: I2ef8fb0d6ab72696997db1e0243a533499569d6b
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      38ba8e93
    • Julius Werner's avatar
      drivers: arm: pl011: Update PL011 driver to support MULTI_CONSOLE_API · 4a0c4571
      Julius Werner authored
      
      
      This patch updates the ARM PL011 console driver to support the new
      console API. The driver will continue to support the old API as well by
      checking the MULTI_CONSOLE_API compile-time flag.
      
      Change-Id: Ic34e4158addbb0c5fae500c9cff899c05a4f4206
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      4a0c4571
    • Julius Werner's avatar
      drivers: ti: uart: Update 16550 UART driver to support MULTI_CONSOLE_API · 36c42ca1
      Julius Werner authored
      
      
      This patch updates the TI 16550 console driver to support the new
      console API. The driver will continue to support the old API as well by
      checking the MULTI_CONSOLE_API compile-time flag.
      
      Change-Id: I60a44b7ba3c35c74561824c04b8dbe3e3039324c
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      36c42ca1
  3. 18 Jan, 2018 5 commits
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 for Cortex A9, A15 and A17 · e4b34efa
      Dimitris Papastamos authored
      
      
      A per-cpu vbar is installed that implements the workaround by
      invalidating the branch target buffer (BTB) directly in the case of A9
      and A17 and indirectly by invalidating the icache in the case of A15.
      
      For Cortex A57 and A72 there is currently no workaround implemented
      when EL3 is in AArch32 mode so report it as missing.
      
      For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
      no changes since there is currently no upstream AArch32 EL3 support
      for these CPUs.
      
      Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      e4b34efa
    • Dimitris Papastamos's avatar
      sp_min: Implement workaround for CVE-2017-5715 · 7343505d
      Dimitris Papastamos authored
      
      
      This patch introduces two workarounds for ARMv7 systems.  The
      workarounds need to be applied prior to any `branch` instruction in
      secure world.  This is achieved using a custom vector table where each
      entry is an `add sp, sp, #1` instruction.
      
      On entry to monitor mode, once the sequence of `ADD` instructions is
      executed, the branch target buffer (BTB) is invalidated.  The bottom
      bits of `SP` are then used to decode the exception entry type.
      
      A side effect of this change is that the exception vectors are
      installed before the CPU specific reset function.  This is now
      consistent with how it is done on AArch64.
      
      Note, on AArch32 systems, the exception vectors are typically tightly
      integrated with the secure payload (e.g. the Trusted OS).  This
      workaround will need porting to each secure payload that requires it.
      
      The patch to modify the AArch32 per-cpu vbar to the corresponding
      workaround vector table according to the CPU type will be done in a
      later patch.
      
      Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7343505d
    • Roberto Vargas's avatar
      Mark functions defined in assembly files · d1f7292e
      Roberto Vargas authored
      
      
      This patch change the name of the section containing the functions
      defined in assembly files from text.* to text.asm.*. This change
      makes possible to select in the linker script the functions
      defined in those files.
      
      Change-Id: If35e44ef1b43ffd951dfac5e052db75d7198e2e0
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      d1f7292e
    • Roberto Vargas's avatar
      bl2-el3: Add BL2 at EL3 support in FVP · 81528dbc
      Roberto Vargas authored
      
      
      This patch add supports for the new API added for BL2 at EL3 for
      FVP. We don't have a non-TF Boot ROM for FVP, but this option can be
      tested setting specific parameters in the model.
      
      The bl2 image is loaded directly in memory instead of being loaded
      by a non-TF Boot ROM and the reset address is changed:
      
      	--data cluster0.cpu0=bl2.bin@0x4001000
      	-C cluster0.cpu0.RVBAR=0x4001000
      
      These parameters mean that in the cold boot path the processor will
      jump to BL2 again. For this reason, BL2 is loaded in dram in this
      case, to avoid other images reclaiming BL2 memory.
      
      Change-Id: Ieb2ff8535a9e67ccebcd8c2212cad366e7776422
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      81528dbc
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored
      
      
      This patch enables BL2 to execute at the highest exception level
      without any dependancy on TF BL1. This enables platforms which already
      have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
      stages without need for BL1.  This is not currently possible because
      BL2 executes at S-EL1 and cannot jump straight to EL3.
      
      Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  4. 17 Jan, 2018 1 commit
  5. 16 Jan, 2018 1 commit
  6. 11 Jan, 2018 9 commits
    • Dimitris Papastamos's avatar
      Increase BL31 memory space by 2 pages · f336d4af
      Dimitris Papastamos authored
      
      
      On some build configurations BL31 is running out of space.  Now that
      TSP is moved to secure dram, we have a bit of additional space to use
      in BL31.
      
      Change-Id: Ib89fcd8bae99c85c9c5e5d9228bb42fb7048dcb6
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      f336d4af
    • Dimitris Papastamos's avatar
      Add hooks to save/restore AMU context for Cortex A75 · 53bfb94e
      Dimitris Papastamos authored
      
      
      Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      53bfb94e
    • Dimitris Papastamos's avatar
      AMU: Add hooks to save/restore AMU context · b6eb3932
      Dimitris Papastamos authored
      
      
      On some systems, the AMU counters might reset to 0 when a CPU
      powerdown happens.  This behaviour conflicts with the intended
      use-case of AMU as lower ELs are only expected to see non-decreasing
      counter values.
      
      Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      b6eb3932
    • Dimitris Papastamos's avatar
      AMU: Add configuration helpers for aarch64 · 0767d50e
      Dimitris Papastamos authored
      
      
      Add some AMU helper functions to allow configuring, reading and
      writing of the Group 0 and Group 1 counters.  Documentation for these
      helpers will come in a separate patch.
      
      Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      0767d50e
    • Dimitris Papastamos's avatar
      AMU: Add plat interface to select which group 1 counters to enable · 59902b7c
      Dimitris Papastamos authored
      
      
      A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
      group 1 counters should be enabled. The maximum number of group 1
      counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
      If the platform does not define this mask, no group 1 counters are
      enabled.
      
      A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
      generic code to allocate an array to save and restore the counters on
      CPU suspend.
      
      Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      59902b7c
    • Dimitris Papastamos's avatar
      Add PubSub events for CPU powerdown/powerup · 7593252c
      Dimitris Papastamos authored
      
      
      The suspend hook is published at the start of a CPU powerdown
      operation.  The resume hook is published at the end of a CPU powerup
      operation.
      
      Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7593252c
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored
      
      
      If the CSV2 field reads as 1 then branch targets trained in one
      context cannot affect speculative execution in a different context.
      In that case skip the workaround on Cortex A75.
      
      Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
      temporarily dropping into AArch32 Secure-EL1 and executing the
      `BPIALL` instruction.
      
      This is achieved by using 3 vector tables.  There is the runtime
      vector table which is used to handle exceptions and 2 additional
      tables which are required to implement this workaround.  The
      additional tables are `vbar0` and `vbar1`.
      
      The sequence of events for handling a single exception is
      as follows:
      
      1) Install vector table `vbar0` which saves the CPU context on entry
         to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
         with the MMU disabled and I$ enabled.  This is the default vector table.
      
      2) Before doing an ERET into Secure-EL1, switch vbar to point to
         another vector table `vbar1`.  This is required to restore EL3 state
         when returning from the workaround, before proceeding with normal EL3
         exception handling.
      
      3) While in Secure-EL1, the `BPIALL` instruction is executed and an
         SMC call back to EL3 is performed.
      
      4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
         restored.  The vbar is switched to point to `vbar0` in preparation to
         handle further exceptions.  Finally a branch to the runtime vector
         table entry is taken to complete the handling of the original
         exception.
      
      This workaround is enabled by default on the affected CPUs.
      
      NOTE
      ====
      
      There are 4 different stubs in Secure-EL1.  Each stub corresponds to
      an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
      different value in `R0` before doing an SMC call back into EL3.
      Without this piece of information it would not be possible to know
      what the original exception type was as we cannot use `ESR_EL3` to
      distinguish between IRQs and FIQs.
      
      Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  7. 10 Jan, 2018 1 commit
  8. 09 Jan, 2018 1 commit
  9. 03 Jan, 2018 1 commit
  10. 19 Dec, 2017 1 commit
  11. 12 Dec, 2017 2 commits
    • Julius Werner's avatar
      Add new function-pointer-based console API · 9536bae6
      Julius Werner authored
      
      
      This patch overhauls the console API to allow for multiple console
      instances of different drivers that are active at the same time. Instead
      of binding to well-known function names (like console_core_init),
      consoles now provide a register function (e.g. console_16550_register())
      that will hook them into the list of active consoles. All console
      operations will be dispatched to all consoles currently in the list.
      
      The new API will be selected by the build-time option MULTI_CONSOLE_API,
      which defaults to ${ERROR_DEPRECATED} for now. The old console API code
      will be retained to stay backwards-compatible to older platforms, but
      should no longer be used for any newly added platforms and can hopefully
      be removed at some point in the future.
      
      The new console API is intended to be used for both normal (bootup) and
      crash use cases, freeing platforms of the need to set up the crash
      console separately. Consoles can be individually configured to be active
      active at boot (until first handoff to EL2), at runtime (after first
      handoff to EL2), and/or after a crash. Console drivers should set a sane
      default upon registration that can be overridden with the
      console_set_scope() call. Code to hook up the crash reporting mechanism
      to this framework will be added with a later patch.
      
      This patch only affects AArch64, but the new API could easily be ported
      to AArch32 as well if desired.
      
      Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9536bae6
    • Julius Werner's avatar
      utils_def: Add REGSZ and make BIT() assembly-compatible · 155a1006
      Julius Werner authored
      
      
      In assembly code it can be useful to have a constant for the width of a
      register in the current architecture, so this patch adds one to
      <utils_def.h> and replaces the existing custom one in crash_reporting.S
      with that. It also fixes up the BIT() macro in the same file so that it
      can be safely used in assembly code.
      
      Change-Id: I10513a311f3379e767396e6ddfbae8d2d8201464
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      155a1006
  12. 06 Dec, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Move S-EL1/S-EL0 xlat tables to TZC DRAM · 45d640f0
      Antonio Nino Diaz authored
      
      
      A new platform define, `PLAT_SP_IMAGE_XLAT_SECTION_NAME`, has been
      introduced to select the section where the translation tables used by
      the S-EL1/S-EL0 are placed.
      
      This define has been used to move the translation tables to DRAM secured
      by TrustZone.
      
      Most of the extra needed space in BL31 when SPM is enabled is due to the
      large size of the translation tables. By moving them to this memory
      region we can save 44 KiB.
      
      A new argument has been added to REGISTER_XLAT_CONTEXT2() to specify the
      region where the translation tables have to be placed by the linker.
      
      Change-Id: Ia81709b4227cb8c92601f0caf258f624c0467719
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      45d640f0
  13. 05 Dec, 2017 3 commits
  14. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  15. 29 Nov, 2017 5 commits
    • Soby Mathew's avatar
      ARM platforms: Fixup AArch32 builds · 5744e874
      Soby Mathew authored
      
      
      This patch fixes a couple of issues for AArch32 builds on ARM reference
      platforms :
      
      1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
         AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
         the BL31 memory is empty when built for AArch32. Hence this patch allocates
         BL32 to the memory region occupied by BL31 for AArch32 builds.
      
         As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
         be used to control the load address of BL32 in AArch32 mode which was
         never the intention of the macro anyway.
      
      2. A static assert is added to sp_min linker script to check that the progbits
         are within the bounds expected when overlaid with other images.
      
      3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
         involved when building Juno for AArch32 mode, the build option SPD needed to
         specifed. This patch corrects this and also updates the documentation in the
         user-guide.
      
      4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
         a result the previous assumption that BL31 must be always present is removed
         and the certificates for BL31 is only generated if `NEED_BL31` is defined.
      
      Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      5744e874
    • Antonio Nino Diaz's avatar
      Replace magic numbers in linkerscripts by PAGE_SIZE · a2aedac2
      Antonio Nino Diaz authored
      
      
      When defining different sections in linker scripts it is needed to align
      them to multiples of the page size. In most linker scripts this is done
      by aligning to the hardcoded value 4096 instead of PAGE_SIZE.
      
      This may be confusing when taking a look at all the codebase, as 4096
      is used in some parts that aren't meant to be a multiple of the page
      size.
      
      Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a2aedac2
    • Dimitris Papastamos's avatar
      AMU: Implement support for aarch32 · ef69e1ea
      Dimitris Papastamos authored
      
      
      The `ENABLE_AMU` build option can be used to enable the
      architecturally defined AMU counters.  At present, there is no support
      for the auxiliary counter group.
      
      Change-Id: Ifc7532ef836f83e629f2a146739ab61e75c4abc8
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      ef69e1ea
    • Dimitris Papastamos's avatar
      AMU: Implement support for aarch64 · 380559c1
      Dimitris Papastamos authored
      
      
      The `ENABLE_AMU` build option can be used to enable the
      architecturally defined AMU counters.  At present, there is no support
      for the auxiliary counter group.
      
      Change-Id: I7ea0c0a00327f463199d1b0a481f01dadb09d312
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      380559c1
    • Dimitris Papastamos's avatar
      Implement support for the Activity Monitor Unit on Cortex A75 · 0319a977
      Dimitris Papastamos authored
      
      
      The Cortex A75 has 5 AMU counters.  The first three counters are fixed
      and the remaining two are programmable.
      
      A new build option is introduced, `ENABLE_AMU`.  When set, the fixed
      counters will be enabled for use by lower ELs.  The programmable
      counters are currently disabled.
      
      Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      0319a977
  16. 21 Nov, 2017 1 commit
  17. 20 Nov, 2017 1 commit
    • Dimitris Papastamos's avatar
      Refactor Statistical Profiling Extensions implementation · 281a08cc
      Dimitris Papastamos authored
      
      
      Factor out SPE operations in a separate file.  Use the publish
      subscribe framework to drain the SPE buffers before entering secure
      world.  Additionally, enable SPE before entering normal world.
      
      A side effect of this change is that the profiling buffers are now
      only drained when a transition from normal world to secure world
      happens.  Previously they were drained also on return from secure
      world, which is unnecessary as SPE is not supported in S-EL1.
      
      Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      281a08cc