1. 27 Feb, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Invalidate TLB entries during warm boot · 26441030
      Antonio Nino Diaz authored
      
      
      During the warm boot sequence:
      
      1. The MMU is enabled with the data cache disabled. The MMU table walker
         is set up to access the translation tables as in cacheable memory,
         but its accesses are non-cacheable because SCTLR_EL3.C controls them
         as well.
      2. The interconnect is set up and the CPU enters coherency with the
         rest of the system.
      3. The data cache is enabled.
      
      If the support for dynamic translation tables is enabled and another CPU
      makes changes to a region, the changes may only be present in the data
      cache, not in RAM. The CPU that is booting isn't in coherency with the
      rest of the system, so the table walker of that CPU isn't either. This
      means that it may read old entries from RAM and it may have invalid TLB
      entries corresponding to the dynamic mappings.
      
      This is not a problem for the boot code because the mapping is 1:1 and
      the regions are static. However, the code that runs after the boot
      sequence may need to access the dynamically mapped regions.
      
      This patch invalidates all TLBs during warm boot when the dynamic
      translation tables support is enabled to prevent this problem.
      
      Change-Id: I80264802dc0aa1cb3edd77d0b66b91db6961af3d
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      26441030
  2. 22 Feb, 2018 1 commit
  3. 08 Feb, 2018 1 commit
  4. 07 Feb, 2018 1 commit
  5. 05 Feb, 2018 1 commit
    • Etienne Carriere's avatar
      aarch32: optee: define the OP-TEE secure payload · 10c66958
      Etienne Carriere authored
      
      
      AArch32 only platforms can boot the OP-TEE secure firmware as
      a BL32 secure payload. Such configuration can be defined through
      AARCH32_SP=optee.
      
      The source files can rely on AARCH32_SP_OPTEE to condition
      OP-TEE boot specific instruction sequences.
      
      OP-TEE does not expect ARM Trusted Firmware formatted structure
      as boot argument. Load sequence is expected to have already loaded
      to OP-TEE boot arguments into the bl32 entrypoint info structure.
      
      Last, AArch32 platform can only boot AArch32 OP-TEE images.
      
      Change-Id: Ic28eec5004315fc9111051add6bb1a1d607fc815
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      10c66958
  6. 01 Feb, 2018 3 commits
    • Masahiro Yamada's avatar
      zlib: add gunzip() support · c43d6851
      Masahiro Yamada authored
      
      
      This commit adds some more files to use zlib from TF.
      
      To use zlib, ->zalloc and ->zfree hooks are needed.  The implementation
      depends on the system.  For user-space, the libc provides malloc() and
      friends.  Unfortunately, ARM Trusted Firmware does not provide malloc()
      or any concept of dynamic memory allocation.
      
      I implemented very simple calloc() and free() for this.  Stupidly,
      zfree() never frees memory, but it works enough for this.
      
      The purpose of using zlib is to implement gunzip() - this function
      takes compressed data from in_buf, then dumps the decompressed data
      to oub_buf.  The work_buf is used for memory allocation during the
      decompress.  Upon exit, it updates in_buf and out_buf.  If successful,
      in_buf points to the end of input data, out_buf to the end of the
      decompressed data.
      
      To use this feature, you need to do:
      
       - include lib/zlib/zlib.mk from your platform.mk
      
       - add $(ZLIB_SOURCES) to your BL*_SOURCES
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      c43d6851
    • Masahiro Yamada's avatar
      zlib: import zlib files from zlib 1.2.11 · 221b1638
      Masahiro Yamada authored
      Import the following files from zlib 1.2.11:
      
         adler32.c
         crc32.c
         crc32.h
         inffast.c
         inffast.h
         inffixed.h
         inflate.c
         inflate.h
         inftrees.c
         inftrees.h
         zconf.h
         zlib.h
         zutil.c
         zutil.h
      
      The original tarball is available from http://zlib.net/
      
      The zlib is free software, distributed under the zlib license.  The
      license text is included in the "zlib.h" file.  It should be compatible
      with BSD-3-Clause.
      
      The zlib license is included in the SPDX license list available at
      https://spdx.org/licenses/
      
      , but I did not add the SPDX license tag to
      the imported files above, to keep them as they are in the upstream
      project.  This seems the general policy for ARM Trusted Firmware, as
      SPDX License Identifier was not added to files imported from FreeBSD.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      221b1638
    • Masahiro Yamada's avatar
      misc_helpers: fix zero_normalmem() for BL2_AT_EL3 · 79c7e728
      Masahiro Yamada authored
      
      
      The assertion in zero_normalmem() fails for BL2_AT_EL3.  This mode is
      executed in EL3, so it should check sctlr_el3 instead of sctlr_el1.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      79c7e728
  7. 31 Jan, 2018 2 commits
  8. 29 Jan, 2018 3 commits
  9. 19 Jan, 2018 3 commits
    • Julius Werner's avatar
      coreboot: Add support for CBMEM console · 1c5f5031
      Julius Werner authored
      
      
      coreboot supports an in-memory console to store firmware logs even when
      no serial console is available. It is widely supported by
      coreboot-compatible bootloaders (including SeaBIOS and GRUB) and can be
      read by the Linux kernel.
      
      This patch allows BL31 to add its own log messages to this console. The
      driver will be registered automatically if coreboot support is compiled
      in and detects the presence of a console buffer in the coreboot tables.
      
      Change-Id: I31254dfa0c2fdeb7454634134b5707b4b4154907
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      1c5f5031
    • Julius Werner's avatar
      Add platform-independent coreboot support library · 3429c77a
      Julius Werner authored
      
      
      This patch adds the foundation for a platform-independent coreboot
      support library that can be shared by all platforms that boot BL31 from
      coreboot (acting as BL2). It adds code to parse the "coreboot table", a
      data structure that coreboot uses to communicate different kinds of
      information to later-stage firmware and certain OS drivers.
      
      As a first small use case for this information, allow platforms to
      access the serial console configuration used by coreboot, removing the
      need to hardcode base address and divisors and allowing Trusted Firmware
      to benefit from coreboot's user configuration (e.g. which UART to pick
      and which baud rate to use).
      
      Change-Id: I2bfb39cd2609ce6640b844ab68df6c9ae3f28e9e
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      3429c77a
    • Manoj Kumar's avatar
      lib/cpus: fix branching in reset function for cortex-a72 AARCH32 mode · 2dc80e49
      Manoj Kumar authored
      
      
      In AARCH32 mode, cortex_a72_reset_func branches to address in lr
      register instead of r5 register. This leads to linux boot failure
      of Cortex-A72 cores in AARCH32 mode on Juno-R2 board.
      
      This patch fixes the branching of cortex_a72_reset_func to r5
      register as in cortex_a57_reset_func implementation.
      Signed-off-by: default avatarManoj Kumar <manoj.kumar3@arm.com>
      2dc80e49
  10. 18 Jan, 2018 4 commits
  11. 15 Jan, 2018 1 commit
    • Dimitris Papastamos's avatar
      AMU: Remove unnecessary WARN() · c6cc9ac3
      Dimitris Papastamos authored
      
      
      If AMU is not supported by the hardware but it is enabled in Trusted
      Firmware, the console will be spammed with warnings every time a CPU
      is brought up with a CPU ON call.
      
      Remove the warning message as this is more in line with how other
      extensions like SPE and SVE are handled.
      
      Change-Id: Iba6d367e4d1375ab554d23d2eaceab3ae1362c5a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      c6cc9ac3
  12. 11 Jan, 2018 8 commits
    • Dimitris Papastamos's avatar
      Add hooks to save/restore AMU context for Cortex A75 · 53bfb94e
      Dimitris Papastamos authored
      
      
      Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      53bfb94e
    • Dimitris Papastamos's avatar
      AMU: Add hooks to save/restore AMU context · b6eb3932
      Dimitris Papastamos authored
      
      
      On some systems, the AMU counters might reset to 0 when a CPU
      powerdown happens.  This behaviour conflicts with the intended
      use-case of AMU as lower ELs are only expected to see non-decreasing
      counter values.
      
      Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      b6eb3932
    • Dimitris Papastamos's avatar
      AMU: Add configuration helpers for aarch64 · 0767d50e
      Dimitris Papastamos authored
      
      
      Add some AMU helper functions to allow configuring, reading and
      writing of the Group 0 and Group 1 counters.  Documentation for these
      helpers will come in a separate patch.
      
      Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      0767d50e
    • Dimitris Papastamos's avatar
      AMU: Add plat interface to select which group 1 counters to enable · 59902b7c
      Dimitris Papastamos authored
      
      
      A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
      group 1 counters should be enabled. The maximum number of group 1
      counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
      If the platform does not define this mask, no group 1 counters are
      enabled.
      
      A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
      generic code to allocate an array to save and restore the counters on
      CPU suspend.
      
      Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      59902b7c
    • Dimitris Papastamos's avatar
      Add PubSub events for CPU powerdown/powerup · 7593252c
      Dimitris Papastamos authored
      
      
      The suspend hook is published at the start of a CPU powerdown
      operation.  The resume hook is published at the end of a CPU powerup
      operation.
      
      Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7593252c
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored
      
      
      If the CSV2 field reads as 1 then branch targets trained in one
      context cannot affect speculative execution in a different context.
      In that case skip the workaround on Cortex A75.
      
      Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
      temporarily dropping into AArch32 Secure-EL1 and executing the
      `BPIALL` instruction.
      
      This is achieved by using 3 vector tables.  There is the runtime
      vector table which is used to handle exceptions and 2 additional
      tables which are required to implement this workaround.  The
      additional tables are `vbar0` and `vbar1`.
      
      The sequence of events for handling a single exception is
      as follows:
      
      1) Install vector table `vbar0` which saves the CPU context on entry
         to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
         with the MMU disabled and I$ enabled.  This is the default vector table.
      
      2) Before doing an ERET into Secure-EL1, switch vbar to point to
         another vector table `vbar1`.  This is required to restore EL3 state
         when returning from the workaround, before proceeding with normal EL3
         exception handling.
      
      3) While in Secure-EL1, the `BPIALL` instruction is executed and an
         SMC call back to EL3 is performed.
      
      4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
         restored.  The vbar is switched to point to `vbar0` in preparation to
         handle further exceptions.  Finally a branch to the runtime vector
         table entry is taken to complete the handling of the original
         exception.
      
      This workaround is enabled by default on the affected CPUs.
      
      NOTE
      ====
      
      There are 4 different stubs in Secure-EL1.  Each stub corresponds to
      an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
      different value in `R0` before doing an SMC call back into EL3.
      Without this piece of information it would not be possible to know
      what the original exception type was as we cannot use `ESR_EL3` to
      distinguish between IRQs and FIQs.
      
      Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  13. 10 Jan, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Correctly unmap regions on map error · 96abc22b
      Antonio Nino Diaz authored
      
      
      `mm_cursor` doesn't have the needed data because the `memmove()` that
      is called right before it overwrites that information. In order to get
      the information of the region that was being mapped, `mm` has to be used
      instead (like it is done to fill the fields of `unmap_mm`).
      
      If the incorrect information is read, this check isn't reliable and
      `xlat_tables_unmap_region` may be requested to unmap memory that isn't
      mapped at all, triggering assertions.
      
      Change-Id: I602d4ac83095d4e5dac9deb34aa5d00d00e6c289
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      96abc22b
  14. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  15. 29 Nov, 2017 3 commits
  16. 23 Nov, 2017 1 commit
    • Matt Ma's avatar
      Replace macro ASM_ASSERTION with macro ENABLE_ASSERTIONS · 5f70d8de
      Matt Ma authored
      
      
      This patch replaces the macro ASM_ASSERTION with the macro
      ENABLE_ASSERTIONS in ARM Cortex-A53/57/72 MPCore Processor
      related files. There is build error when ASM_ASSERTION is set
      to 1 and ENABLE_ASSERTIONS is set to 0 because function
      asm_assert in common/aarch32/debug.S is defined in the macro
      ENABLE_ASSERTIONS but is called with the macro ASM_ASSERTION.
      
      There is also the indication to use ENABLE_ASSERTIONS but not
      ASM_ASSERTION in the Makefile.
      Signed-off-by: default avatarMatt Ma <matt.ma@spreadtrum.com>
      5f70d8de
  17. 20 Nov, 2017 3 commits
  18. 17 Nov, 2017 1 commit
  19. 15 Nov, 2017 1 commit
    • David Cunado's avatar
      Move FPEXC32_EL2 to FP Context · 91089f36
      David Cunado authored
      
      
      The FPEXC32_EL2 register controls SIMD and FP functionality when the
      lower ELs are executing in AArch32 mode. It is architecturally mapped
      to AArch32 system register FPEXC.
      
      This patch removes FPEXC32_EL2 register from the System Register context
      and adds it to the floating-point context. EL3 only saves / restores the
      floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1.
      
      The rationale for this change is that if the Secure world is using FP
      functionality and EL3 is not managing the FP context, then the Secure
      world will save / restore the appropriate FP registers.
      
      NOTE - this is a break in behaviour in the unlikely case that
      CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32
      Secure Payload that modifies FPEXC, but does not save and restore
      this register
      
      Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      91089f36