- 18 Jul, 2018 3 commits
-
-
Sandrine Bailleux authored
Change-Id: I98f23f6cebcf984b57efc5449b75ff702e1984a0 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Antonio Nino Diaz authored
Define the values as unsigned int or unsigned long long based on the actual size of the register. This prevents subtle issues caused by having a type that is too small. For example: #define OPTION_ENABLE 0x3 #define OPTION_SHIFT 32 uint64_t mask = OPTION_ENABLE << OPTION_SHIFT; Because OPTION_ENABLE fits in an int, the value is considered an int. This means that, after shifting it 32 places to the left, the final result is 0. The correct way to define the values is: #define OPTION_ENABLE ULL(0x3) #define OPTION_SHIFT U(32) In this case, the compiler is forced to use a 64 bit value from the start, so shifting it 32 places to the left results in the expected value. Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Change-Id: Ifea46da46d1bfd01b341acfad75df5bcab48a204 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Jul, 2018 2 commits
-
-
Antonio Nino Diaz authored
This library can be used in other projects. All comments that talk about the Trusted Firmware should be talking about the library itself. Change-Id: I3b98d42f7132be72c1f8a4900acfaa78dbd2daa2 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
This allows other parts of the code to reuse it. No functional changes. Change-Id: Ib052ae235c422d9179958bd3016c3e678779ae9b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 13 Jul, 2018 3 commits
-
-
Antonio Nino Diaz authored
Most registers are 64-bit wide, even in AArch32 mode: - MAIR_ELx is equivalent to MAIR0 and MAIR1. - TTBR is 64 bit in both AArch64 and AArch32. The only difference is the TCR register, which is 32 bit in AArch32 and in EL3 in AArch64. For consistency with the rest of ELs in AArch64, it makes sense to also have it as a 64-bit value. Change-Id: I2274d66a28876702e7085df5f8aad0e7ec139da9 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The Exception Level is now detected at runtime. This means that it is not needed to hardcode the EL used by each image. This doesn't result in a substantial increase of the image size because the initialization functions that aren't used are garbage-collected by the linker. In AArch32 the current EL has been changed from EL3 to EL1 because the the AArch32 PL1&0 translation regime behaves more like the AArch64 EL1&0 translation regime than the EL3 one. Change-Id: I941404299ebe7666ca17619207c923b49a55cb73 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Sandrine Bailleux authored
Even if the log output is too low for a message to be printed out on the console by the debug macros, it should still be evaluated by the compiler to get some type checking and validation of the format specifiers. To do so, introduce the no_tf_log() macro that encloses the call to tf_log() in an always-false condition. This avoids the problem of discovering build issues only when we build the firmware with the right LOG_LEVEL value. Change-Id: Ic0fd252ab691d0187fd925756a4837aca1cbfd7b Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 12 Jul, 2018 1 commit
-
-
Dimitris Papastamos authored
Change-Id: Iaebbeac1a1d6fbd531e5694b95ed068b7a193e62 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 11 Jul, 2018 9 commits
-
-
Sandrine Bailleux authored
The ARM_INSTANTIATE_LOCK macro defines a lock meant to be further manipulated using the arm_lock_init/get/release() macros. It has 2 variants, depending on the BL image it is compiled for. One version defines the lock variable with internal linkage whereas the other one, with external linkage. Code that uses these macros is not compliant with MISRA rule 8.4 because when using the external linkage version, there is no visible declaration for the lock variable. This patch defines the arm_lock variable with internal linkage in both cases. This fits well the way these macros are used in the code today, where the lock is not used outside of the translation unit it is defined in. Change-Id: I213a74a2a6088a4f1e9a61a319ca7579c2001320 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Joel Hutton authored
Change-Id: Ic0486131c493632eadf329f80b0b5904aed5e4ef Signed-off-by: Joel Hutton <joel.hutton@arm.com> Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Joel Hutton authored
Change-Id: I2c4b06423fcd96af9351b88a5e2818059f981f1b Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com> Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Roberto Vargas authored
This check was added to ensure the correct behaviour of fill_constants macro. This macro has been verified and it is known his correct behaviour. The check generates an error when the clang assembler is used, so it is better to remove the check. Change-Id: I3447ff9e9e5ee5cf0502f65e53c3d105d9396b8b Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
This directive is not implemented by clang assembler. The traditional way to implement structs in assembly is using two macros for every field, one for the offset, and another one for the size. For every field, the offset can be calculated using the size and offset of the previous field. Change-Id: Iacc6781e8f302fb925898737b8e85ab4e88a51cc Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Clang assembler doesn't support concatenation of adjacent strings. Change-Id: I092a1e30c137d431c6adcc13519fc2d595f92f14 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
These directives are only used when stabs debugging information is used, but we use ELF which uses DWARF debugging information. Clang assembler doesn't support these directives, and removing them makes the code more compatible with clang. Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Clang linker doesn't support NEXT. As we are not using the MEMORY command to define discontinuous memory for the output file in any of the linker scripts, ALIGN and NEXT are equivalent. Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 10 Jul, 2018 1 commit
-
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers. Fixed for: make DEBUG=1 PLAT=juno ARCH=aarch32 AARCH32_SP=sp_min RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32 Change-Id: Ia34f5155e1cdb67161191f69e8d1248cbaa39e1a Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 03 Jul, 2018 3 commits
-
-
Yann Gautier authored
This change is largely based on existing eMMC framework by Haojian Zhuang (@hzhuang1). The MMC framework supports both eMMC and SD card devices. It was written as a new framework since breaking few eMMC framework APIs. At card probe and after the reset to idle command (CMD0), a Send Interface Condition Command is sent (CMD8) to distinguish between eMMC and SD card devices. eMMC devices go through the same sequence as in the former eMMC framework. Else the framework uses commands dedicated to SD-cards for init or frequency switch. A structure is created to share info with the driver. It stores: - the MMC type (eMMC, SD or SD HC) - the device size - the max frequency supported by the device - the block size: 512 for eMMC and SD-HC and read from CSD structure for older SD-cards Restriction to align buffers on block size has been removed. Cache maintenance was removed and is expected to be done in the platform or device driver. The MMC framework includes some MISRA compliance coding style maybe not yet ported in the existing eMMC framework. Fixes ARM-software/tf-issues#597 Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
Sandrine Bailleux authored
Casting a pointer to a struct uuid into a pointer to uint32_t may result in a pointer that is not correctly aligned, which constitutes an undefined behaviour. In the case of TF, this also generates a data abort because alignment fault checking is enabled (through the SCTLR.A bit). This patch modifies the SMC_UUID_RET() macro to read the uuid structure without any pointer aliasing. A helper function then combines every set of 4 bytes into a 32-bit value suitable to be returned through the x0-x3 registers. This fixes a violation of MISRA rule 11.3. Change-Id: I53ee73bb4cb332f4d8286055ceceb6f347caa080 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Antonio Nino Diaz authored
Instead of having one big file with all the code, it's better to have a few smaller files that are more manageable: - xlat_tables_core.c: Code related to the core functionality of the library (map and unmap regions, initialize xlat context). - xlat_tables_context.c: Instantiation of the active image context as well as APIs to manipulate it. - xlat_tables_utils.c: Helper code that isn't part of the core functionality (change attributes, debug print messages). Change-Id: I3ea956fc1afd7473c0bb5e7c6aab3b2e5d88c711 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 27 Jun, 2018 1 commit
-
-
Jeenu Viswambharan authored
At present, the function provided by the translation library to enable MMU constructs appropriate values for translation library, and programs them to the right registers. The construction of initial values, however, is only required once as both the primary and secondaries program the same values. Additionally, the MMU-enabling function is written in C, which means there's an active stack at the time of enabling MMU. On some systems, like Arm DynamIQ, having active stack while enabling MMU during warm boot might lead to coherency problems. This patch addresses both the above problems by: - Splitting the MMU-enabling function into two: one that sets up values to be programmed into the registers, and another one that takes the pre-computed values and writes to the appropriate registers. With this, the primary effectively calls both functions to have the MMU enabled, but secondaries only need to call the latter. - Rewriting the function that enables MMU in assembly so that it doesn't use stack. This patch fixes a bunch of MISRA issues on the way. Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 26 Jun, 2018 1 commit
-
-
Antonio Nino Diaz authored
The meaning of them wasn't clear in the header file, it was needed to search the code for the places where they are used. Add parentheses to macros in the same header. Change-Id: I700bc0fd75ccfc0a34f439cb3b2692861bb73b9b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 23 Jun, 2018 1 commit
-
-
Nariman Poushin authored
This is to fix a number of Coverity Scan DEADCODE defects, CID numbers listed below, as reported from https://scan.coverity.com/projects/arm-software-arm-trusted-firmware CID 267023 CID 267022 CID 267020 Change-Id: I2963a799b210149e84ccab5c5b9082267ddfe337 Signed-off-by: Nariman Poushin <nariman.poushin@linaro.org>
-
- 22 Jun, 2018 1 commit
-
-
Antonio Nino Diaz authored
The values defined in this type are used in logical operations, which goes against MISRA Rule 10.1: "Operands shall not be of an inappropriate essential type". Now, `unsigned int` is used instead. This also allows us to move the dynamic mapping bit from 30 to 31. It was an undefined behaviour in the past because an enum is signed by default, and bit 31 corresponds to the sign bit. It is undefined behaviour to modify the sign bit. Now, bit 31 is free to use as it was originally meant to be. mmap_attr_t is now defined as an `unsigned int` for backwards compatibility. Change-Id: I6b31218c14b9c7fdabebe432de7fae6e90a97f34 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 21 Jun, 2018 4 commits
-
-
Jeenu Viswambharan authored
SDEI event dispatches currently only sets up the Non-secure context before returning to the caller. The actual dispatch only happens upon exiting EL3 next time. However, for various error handling scenarios, it's beneficial to have the dispatch happen synchronously. I.e. when receiving SDEI interrupt, or for a successful sdei_dispatch_event() call, the event handler is executed; and upon the event completion, dispatcher execution resumes after the point of dispatch. The jump primitives introduced in the earlier patch facilitates this feature. With this patch: - SDEI interrupts and calls to sdei_dispatch_event prepares the NS context for event dispatch, then sets a jump point, and immediately exits EL3. This results in the client handler executing in Non-secure. - When the SDEI client completes the dispatched event, the SDEI dispatcher does a longjmp to the jump pointer created earlier. For the caller of the sdei_dispatch_event() in particular, this would appear as if call returned successfully. The dynamic workaround for CVE_2018_3639 is slightly shifted around as part of related minor refactoring. It doesn't affect the workaround functionality. Documentation updated. NOTE: This breaks the semantics of the explicit dispatch API, and any exiting usages should be carefully reviewed. Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
This patch introduces setjmp() and ongjmp() primitives to enable standard setjmp/longjmp style execution. Both APIs parameters take a pointer to struct jmpbuf type, which hosts CPU registers saved/restored during jump. As per the standard usage: - setjmp() return 0 when a jump is setup; and a non-zero value when returning from jump. - The caller of setjmp() must not return, or otherwise update stack pointer since. Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The current macros only allow to define dynamic and statically-bound SDEI events. However, there ought be a mechanism to define SDEI events that are explicitly dispatched; i.e., events that are dispatched as a result of a previous secure interrupt or other exception This patch introduces SDEI_EXPLICIT_EVENT() macro to define an explicit event. They must be placed under private mappings. Only the priority flags are allowed to be additionally specified. Documentation updated. Change-Id: I2e12f5571381195d6234c9dfbd5904608ad41db3 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Dimitris Papastamos authored
Change-Id: I67e64bb79cc984ea3263f069e22738a42321c46d Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 20 Jun, 2018 2 commits
-
-
Antonio Nino Diaz authored
It may be needed to enter the Secure Partition through other means than an MM_COMMUNICATE SMC. This patch enables this behaviour by extracting the necessary code from mm_communicate() and allowing other parts of the code to use it. Change-Id: I59f6638d22d9c9d0baff0984f39d056298a8dc8e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Soby Mathew authored
Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase frame of the system timer. ARM ARM states that "The instance of the register in the CNTCTLBase frame must be programmed with this value as part of system initialization." The psci_arch_setup() updates the CNTFRQ system register but according to the ARM ARM, this instance of the register is independent of the memory mapped instance. This is only an issue for Normal world software which relies on the memory mapped instance rather than the system register one. This patch resolves the issue for ARM platforms. The patch also solves a related issue on Juno, wherein CNTBaseN.CNTFRQ can be written and does not reflect the value of the register in CNTCTLBase frame. Hence this patch additionally updates CNTFRQ register in the Non Secure frame of the CNTBaseN. Fixes ARM-Software/tf-issues#593 Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 19 Jun, 2018 1 commit
-
-
Antonio Nino Diaz authored
The old API is deprecated and will eventually be removed. Arm platforms now use the multi console driver for boot and runtime consoles. However, the crash console uses the direct console API because it doesn't need any memory access to work. This makes it more robust during crashes. The AArch32 port of the Trusted Firmware doesn't support this new API yet, so it is only enabled in AArch64 builds. Because of this, the common code must maintain compatibility with both systems. SP_MIN doesn't have to be updated because it's only used in AArch32 builds. The TSP is only used in AArch64, so it only needs to support the new API without keeping support for the old one. Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this causes the UARTs to reset (except for the one used by the TSP). This means that they must be unregistered when suspending and re-registered when resuming. This wasn't a problem with the old driver because it just restarted the UART, and there were no problems associated with registering and unregistering consoles. The size reserved for BL2 has been increased. Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 18 Jun, 2018 1 commit
-
-
Roberto Vargas authored
Having these definitions in board_arm_def.h forces to all the arm platforms to use the same definition for PLAT_ARM_MEM_PROT_ADDR. This macro also enables the mem-protect mechanism, which means that all the arm platform has enabled mem-protect and they cannot get rid of it. Change-Id: Id29d2c51cbe6edc15f010a9f5a20c42266c48a08 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 14 Jun, 2018 3 commits
-
-
Yann Gautier authored
When applying some MISRA rules, lots of issues are raised with BIT macro on AARCH32, and cast on uint32_t would be required (Rule 10.3). The macros BIT_32 and BIT_64 are then created for 32bit and 64bit. Then the BIT macro defaults on BIT_64 on AARCH64, and on BIT_32 on AARCH32. Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
Yann Gautier authored
Import GENMASK_32 and GENMASK_64 macros from optee-os (permissive license). And default GENMASK is set to GENMASK_32 for AARCH32, and to GENMASK_64 for 64bit arch. fixes arm-software/tf-issues#596 Signed-off-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
-
Roberto Vargas authored
RFC4122 defines that fields are stored in network order (big endian), but TF-A stores them in machine order (little endian by default in TF-A). We cannot change the future UUIDs that are already generated, but we can store all the bytes using arrays and modify fiptool to generate the UUIDs with the correct byte order. Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 13 Jun, 2018 2 commits
-
-
Sandrine Bailleux authored
The translation tables allocated for the Secure Partition do not need to be treated as a special case. They can be put amongst the other tables mapping BL31's general purpose memory. They will be mapped with the same attributes as them, which is fine. The explicit alignment constraint in BL31's linker script to pad the last page of memory allocated to the Secure Partition's translation tables is useless too, as page tables are per se pages, thus their end address is naturally aligned on a page-boundary. In fact, this patch does not change the existing behaviour. Since patch 22282bb6 ("SPM: Move all SP-related info to SP context struct"), the secure_partition.c file has been renamed into sp_xlat.c but the linker script has not been properly updated. As a result, the SP translation tables are not specifically put at the start of the xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__ symbols have the same value, the size of the resulting mmap_region covering these xlat tables is 0 and so it is ignored. Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Antonio Nino Diaz authored
The function xlat_arch_is_granule_size_supported() can be used to check if a specific granule size is supported. In Armv8, AArch32 only supports 4 KiB pages. AArch64 supports 4 KiB, 16 KiB or 64 KiB depending on the implementation, which is detected at runtime. The function xlat_arch_get_max_supported_granule_size() returns the max granule size supported by the implementation. Even though right now they are only used by SPM, they may be useful in other places in the future. This patch moves the code currently in SPM to the xlat tables lib so that it can be reused. Change-Id: If54624a5ecf20b9b9b7f38861b56383a03bbc8a4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Jun, 2018 1 commit
-
-
Daniel Boulby authored
Use a _ prefix for Macro arguments to prevent that argument from hiding variables of the same name in the outer scope Rule 5.3: An identifier declared in an inner scope shall not hide an identifier declared in an outer scope Fixed For: make LOG_LEVEL=50 PLAT=fvp Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-