- 20 Nov, 2017 1 commit
-
-
Dimitris Papastamos authored
Factor out SPE operations in a separate file. Use the publish subscribe framework to drain the SPE buffers before entering secure world. Additionally, enable SPE before entering normal world. A side effect of this change is that the profiling buffers are now only drained when a transition from normal world to secure world happens. Previously they were drained also on return from secure world, which is unnecessary as SPE is not supported in S-EL1. Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a Signed-off-by:Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 15 Nov, 2017 1 commit
-
-
David Cunado authored
The FPEXC32_EL2 register controls SIMD and FP functionality when the lower ELs are executing in AArch32 mode. It is architecturally mapped to AArch32 system register FPEXC. This patch removes FPEXC32_EL2 register from the System Register context and adds it to the floating-point context. EL3 only saves / restores the floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1. The rationale for this change is that if the Secure world is using FP functionality and EL3 is not managing the FP context, then the Secure world will save / restore the appropriate FP registers. NOTE - this is a break in behaviour in the unlikely case that CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32 Secure Payload that modifies FPEXC, but does not save and restore this register Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184 Signed-off-by:David Cunado <david.cunado@arm.com>
-
- 13 Nov, 2017 9 commits
-
-
Jeenu Viswambharan authored
This allows for other EL3 components to schedule an SDEI event dispatch to Normal world upon the next ERET. The API usage constrains are set out in the SDEI dispatcher documentation. Documentation to follow. Change-Id: Id534bae0fd85afc94523490098c81f85c4e8f019 Signed-off-by:Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Support SDEI on ARM platforms using frameworks implemented in earlier patches by defining and exporting SDEI events: this patch defines the standard event 0, and a handful of shared and private dynamic events. Change-Id: I9d3d92a92cff646b8cc55eabda78e140deaa24e1 Signed-off-by: -
Jeenu Viswambharan authored
Define number of priority bits, and allocate priority levels for SDEI. Change-Id: Ib6bb6c5c09397f7caef950c4caed5a737b3d4112 Signed-off-by: -
Jeenu Viswambharan authored
Provide a strong definition for plat_sdei_validate_sdei_entrypoint() which translates client address to Physical Address, and then validating the address to be present in DRAM. Change-Id: Ib93eb66b413d638aa5524d1b3de36aa16d38ea11 Signed-off-by: -
Jeenu Viswambharan authored
The function arm_validate_ns_entrypoint() validates a given non-secure physical address. This function however specifically returns PSCI error codes. Non-secure physical address validation is potentially useful across ARM platforms, even for non-PSCI use cases. Therefore make this function common by returning 0 for success or -1 otherwise. Having made the function common, make arm_validate_psci_entrypoint() a wrapper around arm_validate_ns_entrypoint() which only translates return value into PSCI error codes. This wrapper is now used where arm_validate_ns_entrypoint() was currently used for PSCI entry point validation. Change-Id: Ic781fc3105d6d199fd8f53f01aba5baea0ebc310 Signed-off-by: -
Jeenu Viswambharan authored
The implementation currently supports only interrupt-based SDEI events, and supports all interfaces as defined by SDEI specification version 1.0 [1]. Introduce the build option SDEI_SUPPORT to include SDEI dispatcher in BL31. Update user guide and porting guide. SDEI documentation to follow. [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf Change-Id: I758b733084e4ea3b27ac77d0259705565842241a Co-authored-by:
Yousuf A <yousuf.sait@arm.com> Signed-off-by:
-
Jeenu Viswambharan authored
On GICv3 systems, as a side effect of adding provision to handle EL3 interrupts (unconditionally routing FIQs to EL3), pending Non-secure interrupts (signalled as FIQs) may preempt execution in lower Secure ELs [1]. This will inadvertently disrupt the semantics of Fast SMC (previously called Atomic SMC) calls. To retain semantics of Fast SMCs, the GIC PMR must be programmed to prevent Non-secure interrupts from preempting Secure execution. To that effect, two new functions in the Exception Handling Framework subscribe to events introduced in an earlier commit: - Upon 'cm_exited_normal_world', the Non-secure PMR is stashed, and the PMR is programmed to the highest Non-secure interrupt priority. - Upon 'cm_entering_normal_world', the previously stashed Non-secure PMR is restored. The above sequence however prevents Yielding SMCs from being preempted by Non-secure interrupts as intended. To facilitate this, the public API exc_allow_ns_preemption() is introduced that programs the PMR to the original Non-secure PMR value. Another API exc_is_ns_preemption_allowed() is also introduced to check if exc_allow_ns_preemption() had been called previously. API documentation to follow. [1] On GICv2 systems, this isn't a problem as, unlike GICv3, pending NS IRQs during Secure execution are signalled as IRQs, which aren't routed to EL3. Change-Id: Ief96b162b0067179b1012332cd991ee1b3051dd0 Signed-off-by: -
Jeenu Viswambharan authored
EHF is a framework that allows dispatching of EL3 interrupts to their respective handlers in EL3. This framework facilitates the firmware-first error handling policy in which asynchronous exceptions may be routed to EL3. Such exceptions may be handed over to respective exception handlers. Individual handlers might further delegate exception handling to lower ELs. The framework associates the delegated execution to lower ELs with a priority value. For interrupts, this corresponds to the priorities programmed in GIC; for other types of exceptions, viz. SErrors or Synchronous External Aborts, individual dispatchers shall explicitly associate delegation to a secure priority. In order to prevent lower priority interrupts from preempting higher priority execution, the framework provides helpers to control preemption by virtue of programming Priority Mask register in the interrupt controller. This commit allows for handling interrupts targeted at EL3. Exception handlers own interrupts by assigning them a range of secure priorities, and registering handlers for each priority range it owns. Support for exception handling in BL31 image is enabled by setting the build option EL3_EXCEPTION_HANDLING=1. Documentation to follow. NOTE: The framework assumes the priority scheme supported by platform interrupt controller is compliant with that of ARM GIC architecture (v2 or later). Change-Id: I7224337e4cea47c6ca7d7a4ca22a3716939f7e42 Signed-off-by: -
Jeenu Viswambharan authored
Acknowledging interrupt shall return a raw value from the interrupt controller in which the actual interrupt ID may be encoded. Add a platform API to extract the actual interrupt ID from the raw value obtained from interrupt controller. Document the new function. Also clarify the semantics of interrupt acknowledge. Change-Id: I818dad7be47661658b16f9807877d259eb127405 Signed-off-by:
-
- 09 Nov, 2017 1 commit
-
-
Antonio Nino Diaz authored
This initial port of the Secure Partitions Manager to FVP supports BL31 in both SRAM and Trusted DRAM. A document with instructions to build the SPM has been added. Change-Id: I4ea83ff0a659be77f2cd72eaf2302cdf8ba98b32 Co-authored-by:
Douglas Raillard <douglas.raillard@arm.com> Co-authored-by:
Sandrine Bailleux <sandrine.bailleux@arm.com> Co-authored-by:
Achin Gupta <achin.gupta@arm.com> Co-authored-by:
Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by:
-
- 08 Nov, 2017 2 commits
-
-
Antonio Nino Diaz authored
A Secure Partition is a software execution environment instantiated in S-EL0 that can be used to implement simple management and security services. Since S-EL0 is an unprivileged exception level, a Secure Partition relies on privileged firmware e.g. ARM Trusted Firmware to be granted access to system and processor resources. Essentially, it is a software sandbox that runs under the control of privileged software in the Secure World and accesses the following system resources: - Memory and device regions in the system address map. - PE system registers. - A range of asynchronous exceptions e.g. interrupts. - A range of synchronous exceptions e.g. SMC function identifiers. A Secure Partition enables privileged firmware to implement only the absolutely essential secure services in EL3 and instantiate the rest in a partition. Since the partition executes in S-EL0, its implementation cannot be overly complex. The component in ARM Trusted Firmware responsible for managing a Secure Partition is called the Secure Partition Manager (SPM). The SPM is responsible for the following: - Validating and allocating resources requested by a Secure Partition. - Implementing a well defined interface that is used for initialising a Secure Partition. - Implementing a well defined interface that is used by the normal world and other secure services for accessing the services exported by a Secure Partition. - Implementing a well defined interface that is used by a Secure Partition to fulfil service requests. - Instantiating the software execution environment required by a Secure Partition to fulfil a service request. Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f Co-authored-by:
-
Antonio Nino Diaz authored
This function can be useful to setup TCR_ELx by callers that don't use the translation tables library to setup the system registers related to them. By making it common, it can be reused whenever it is needed without duplicating code. Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375 Signed-off-by:
-
- 01 Nov, 2017 1 commit
-
-
Roberto Vargas authored
These macros are only defined for corresponding image, and they are undefined for other images. It means that we have to use ifdef or defined() instead of relying on being 0 by default. Change-Id: Iad11efab9830ddf471599b46286e1c56581ef5a7 Signed-off-by:Roberto Vargas <roberto.vargas@arm.com>
-
- 31 Oct, 2017 2 commits
-
-
Joel Hutton authored
Change sizeof call so it references a static type instead of return of a function in order to be MISRA compliant. Change-Id: I6f1adb206073d6cd200156e281b8d76249e3af0e Signed-off-by:Joel Hutton <joel.hutton@arm.com>
-
Dimitris Papastamos authored
Add events that trigger before entry to normal/secure world. The events trigger after the normal/secure context has been restored. Similarly add events that trigger after leaving normal/secure world. The events trigger after the normal/secure context has been saved. Change-Id: I1b48a7ea005d56b1f25e2b5313d77e67d2f02bc5 Signed-off-by:
-
- 25 Oct, 2017 1 commit
-
-
Qixiang Xu authored
For Trusted Board Boot, BL2 needs more space to support the ECDSA and ECDSA+RSA algorithms. Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d Signed-off-by:Qixiang Xu <qixiang.xu@arm.com>
-
- 24 Oct, 2017 1 commit
-
-
Roberto Vargas authored
These hooks are intended to allow one platform to try load images from alternative places. There is a hook to initialize the sequence of boot locations and a hook to pass to the next sequence. Change-Id: Ia0f84c415208dc4fa4f9d060d58476db23efa5b2 Signed-off-by:
-
- 23 Oct, 2017 2 commits
-
-
Jeenu Viswambharan authored
This allows other EL3 components to subscribe to CPU on events. Update Firmware Design guide to list psci_cpu_on_finish as an available event. Change-Id: Ida774afe0f9cdce4021933fcc33a9527ba7aaae2 Signed-off-by: -
Jeenu Viswambharan authored
This light-weight framework enables some EL3 components to publish events which other EL3 components can subscribe to. Publisher can optionally pass opaque data for subscribers. The order in which subscribers are called is not defined. Firmware design updated. Change-Id: I24a3a70b2b1dedcb1f73cf48313818aebf75ebb6 Signed-off-by:
-
- 17 Oct, 2017 4 commits
-
-
Antonio Nino Diaz authored
The implementation is the same as those used to disable it in EL3. Change-Id: Ibfe7e69034a691fbf57477c5a76a8cdca28f6b26 Signed-off-by: -
Sandrine Bailleux authored
This patch introduces a new API in the translation tables library (v2), that allows to change the memory attributes of a memory region. It may be used to change its execution permissions and data access permissions. As a prerequisite, the memory must be already mapped. Moreover, it must be mapped at the finest granularity (currently 4 KB). Change-Id: I242a8c6f0f3ef2b0a81a61e28706540462faca3c Co-authored-by:
-
Sandrine Bailleux authored
This patch introduces a new API in the translation tables library (v2), that allows to query the memory attributes of a memory block or a memory page. Change-Id: I45a8b39a53da39e7617cbac4bff5658dc1b20a11 Co-authored-by:
-
Antonio Nino Diaz authored
Previously, in AArch32, `IMAGE_XLAT_DEFAULT_REGIME` wasn't defined. The translation regime is only used in the AArch64 port of the translation tables library v2, so this is not a problem for now, but future patches will use it. `IMAGE_EL` isn't used in AArch32, so it isn't needed to define it. Change-Id: I4acdb01a58658956ab94bd82ed5b7fee1aa6ba90 Signed-off-by:
-
- 16 Oct, 2017 15 commits
-
-
Jeenu Viswambharan authored
The GIC driver initialization currently allows an array of interrupts to be configured as secure. Future use cases would require more interrupt configuration other than just security, such as priority. This patch introduces a new interrupt property array as part of both GICv2 and GICv3 driver data. The platform can populate the array with interrupt numbers and respective properties. The corresponding driver initialization iterates through the array, and applies interrupt configuration as required. This capability, and the current way of supplying array (or arrays, in case of GICv3) of secure interrupts, are however mutually exclusive. Henceforth, the platform should supply either: - A list of interrupts to be mapped as secure (the current way). Platforms that do this will continue working as they were. With this patch, this scheme is deprecated. - A list of interrupt properties (properties include interrupt group). Individual interrupt properties are specified via. descriptors of type 'interrupt_prop_desc_t', which can be populated with the macro INTR_PROP_DESC(). A run time assert checks that the platform doesn't specify both. Henceforth the old scheme of providing list of secure interrupts is deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require that the interrupt properties are supplied instead of an array of secure interrupts. Add a section to firmware design about configuring secure interrupts. Fixes ARM-software/tf-issues#262 Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942 Signed-off-by: -
Jeenu Viswambharan authored
The helpers perform read-modify-write on GIC*_ICFGR registers, but don't serialise callers. Any serialisation must be taken care of by the callers. Change-Id: I71995f82ff2c7f70d37af0ede30d6ee18682fd3f Signed-off-by: -
Jeenu Viswambharan authored
An earlier patch added provision for the platform to provide secure interrupt properties. ARM platforms already has a list of interrupts that fall into different secure groups. This patch defines macros that enumerate interrupt properties in the same fashion, and points the driver driver data to a list of interrupt properties rather than list of secure interrupts on ARM platforms. The deprecated interrupt list definitions are however retained to support legacy builds. Configuration applied to individual interrupts remain unchanged, so no runtime behaviour change expected. NOTE: Platforms that use the arm/common function plat_arm_gic_driver_init() must replace their PLAT_ARM_G1S_IRQS and PLAT_ARM_G0_IRQS macro definitions with PLAT_ARM_G1S_IRQ_PROPS and PLAT_ARM_G0_IRQ_PROPS macros respectively, using the provided INTR_PROP_DESC macro. Change-Id: I24d643b83e3333753a3ba97d4b6fb71e16bb0952 Signed-off-by: -
Jeenu Viswambharan authored
API documentation updated. Change-Id: I40feec1fe67a960d035061b54dd55610bc34ce1d Signed-off-by: -
Jeenu Viswambharan authored
API documentation updated. Change-Id: I14e33cfc7dfa93257c82d76fae186b17a1b6d266 Co-authored-by:
-
Jeenu Viswambharan authored
SPIs can be routed to either a specific PE, or to any one of all available PEs. API documentation updated. Change-Id: I28675f634568aaf4ea1aa8aa7ebf25b419a963ed Co-authored-by:
-
Jeenu Viswambharan authored
API documentation updated. Change-Id: I129725059299af6cc612bafa8d74817f779d7c4f Signed-off-by: -
Jeenu Viswambharan authored
The back end GIC driver converts and assigns the interrupt type to suitable group. For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which determines to which type Group 0 interrupts maps to. - When the build option is set 0 (the default), Group 0 interrupts are meant for Secure EL1. This is presently the case. - Otherwise, Group 0 interrupts are meant for EL3. This means the SPD will have to synchronously hand over the interrupt to Secure EL1. The query API allows the platform to query whether the platform supports interrupts of a given type. API documentation updated. Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858 Co-authored-by:
-
Jeenu Viswambharan authored
API documentation updated. Change-Id: Ib700eb1b8ca65503aeed0ac4ce0e7b934df67ff9 Co-authored-by:
-
Jeenu Viswambharan authored
API documentation updated. Change-Id: Ice7511f8df5356851001d2f7dc2a46cfe318f9ba Co-authored-by:
-
Jeenu Viswambharan authored
API documentation updated. Change-Id: I6d61785af0d5330930c709de971a904dc7c3516c Co-authored-by:
-
Jeenu Viswambharan authored
These APIs allow the GIC implementation to categorize interrupt numbers into SPIs, PPIs, and SGIs. The default implementations for GICv2 and GICv3 follows interrupt numbering as specified by the ARM GIC architecture. API documentation updated. Change-Id: Ia6aa379dc955994333232e6138f259535d4fa087 Signed-off-by: -
Jeenu Viswambharan authored
The PE target mask is used to translate linear PE index (returned by platform core position) to a bit mask used when targeting interrupts to a PE, viz. when raising SGIs and routing SPIs. The platform shall: - Populate the driver data with a pointer to array that's to contain per-PE target masks. - Invoke the new driver API 'gicv2_set_pe_target_mask()' during per-CPU initialization so that the driver populates the target mask for that CPU. Platforms that don't intend to target interrupts or raise SGIs need not populate this. Change-Id: Ic0db54da86915e9dccd82fff51479bc3c1fdc968 Signed-off-by: -
Jeenu Viswambharan authored
Document the API in separate platform interrupt controller API document. Change-Id: If18f208e10a8a243f5c59d226fcf48e985941949 Co-authored-by:
-
Roberto Vargas authored
The macro DEFINE_SYSREG_WRITE_CONST_FUNC defines an inline function to an assembly statement that uses the MSR (immediate) instruction to access the PSTATE. The "i" (immediate) assembly constraint on the operand was only satisfied when compiling with optimizations enabled which resulted in the function being optimized out - the "const uint64_t v" parameter was optimized out and replaced by a literal value. When compiling without optimizations, the function call remained and therefore the parameter is not optimized out - compilation fails as the constraint is impossible to satisfy by the compiler. This patch replaces the function encapsulating the use of the MSR (immediate) with a macro that allows the literal value to be directly fed to the inline assembly statement Change-Id: Ib379a7acc48ef3cb83090a680cd8a6ce1a94a9d9 Signed-off-by:
-
