1. 28 Jul, 2016 1 commit
  2. 26 Jul, 2016 2 commits
  3. 25 Jul, 2016 6 commits
    • Achin Gupta's avatar
      Fix use of stale power states in PSCI standby finisher · 61eae524
      Achin Gupta authored
      A PSCI CPU_SUSPEND request to place a CPU in retention states at power levels
      higher than the CPU power level is subject to the same state coordination as a
      power down state. A CPU could implement multiple retention states at a
      particular power level. When exiting WFI, the non-CPU power levels may be in a
      different retention state to what was initially requested, therefore each CPU
      should refresh its view of the states of all power levels.
      
      Previously, a CPU re-used the state of the power levels when it entered the
      retention state. This patch fixes this issue by ensuring that a CPU upon exit
      from retention reads the state of each power level afresh.
      
      Change-Id: I93b5f5065c63400c6fd2598dbaafac385748f989
      61eae524
    • Sandrine Bailleux's avatar
      Ensure addresses in is_mem_free() don't overflow · 7b6d330c
      Sandrine Bailleux authored
      This patch adds some runtime checks to prevent some potential
      pointer overflow issues in the is_mem_free() function. The overflow
      could happen in the case where the end addresses, computed as the
      sum of a base address and a size, results in a value large enough
      to wrap around. This, in turn, could lead to unpredictable behaviour.
      
      If such an overflow is detected, the is_mem_free() function will now
      declare the memory region as not free. The overflow is detected using
      a new macro, called check_uptr_overflow().
      
      This patch also modifies all other places in the 'bl_common.c' file
      where an end address was computed as the sum of a base address and a
      size and instead keeps the two values separate. This avoids the need
      to handle pointer overflows everywhere. The code doesn't actually need
      to compute any end address before the is_mem_free() function is called
      other than to print information message to the serial output.
      
      This patch also introduces 2 slight changes to the reserve_mem()
      function:
      
       - It fixes the end addresses passed to choose_mem_pos(). It was
         incorrectly passing (base + size) instead of (base + size - 1).
      
       - When the requested allocation size is 0, the function now exits
         straight away and says so using a warning message.
         Previously, it used to actually reserve some memory. A zero-byte
         allocation was not considered as a special case so the function
         was using the same top/bottom allocation mechanism as for any
         other allocation. As a result, the smallest area of memory starting
         from the requested base address within the free region was
         reserved.
      
      Change-Id: I0e695f961e24e56ffe000718014e0496dc6e1ec6
      7b6d330c
    • Sandrine Bailleux's avatar
      Make runtime_svc_init() function more robust · 3a26a28c
      Sandrine Bailleux authored
       - Added some debug assertions checking that the runtime services
         indexes computed by get_unique_oen() are sane.
      
       - Do not print the name of the service when its descriptor is
         invalid. If the descriptor is corrupted then its name field
         could be corrupted as well and we would end up reading an
         arbitrary amount of invalid memory.
      
      Change-Id: I16f61065277d01fe1555d5a9cf743f7b52ccaa60
      3a26a28c
    • Sandrine Bailleux's avatar
      Improvements to runtime service init code · 9d24d353
      Sandrine Bailleux authored
      Light refactoring of the code in runtime_svc.c file.
      
       - Declare validate_rt_svc_desc()'s argument as const.
      
       - Remove 'goto' path in runtime_svc_init(). It was used in one
         place only.
      
       - Improve code readability by declaring a local variable holding the
         service pointer.
      
      Change-Id: I3b15c5adb9f37b786b5b993a9be70ea9dd017a83
      9d24d353
    • Sandrine Bailleux's avatar
      Validate psci_find_target_suspend_lvl() result · a1c3faa6
      Sandrine Bailleux authored
      This patch adds a runtime check that psci_find_target_suspend_lvl()
      returns a valid value back to psci_cpu_suspend() and psci_get_stat().
      If it is invalid, BL31 will now panic.
      
      Note that on the PSCI CPU suspend path there is already a debug
      assertion checking the validity of the target composite power state,
      which effectively also checks the validity of the target suspend level.
      Therefore, the error condition would already be caught in debug builds,
      but in a release build this assertion would be compiled out.
      
      On the PSCI stat path, there is currently no debug assertion checking
      the validity of the power state before using it as an index into
      the power domain state array.
      
      Although BL31 platforms ports are responsible for validating the
      power state parameter, the security impact (i.e. an out-of-bounds
      array access) of a potential platform port bug in this code would
      be quite high, given that this parameter comes from an untrusted
      source. The cost of checking this in runtime generic code is low.
      
      Change-Id: Icea85b8020e39928ac03ec0cd49805b5857b3906
      a1c3faa6
    • danh-arm's avatar
      Merge pull request #667 from soby-mathew/sm/PSCI_lib · 3dd9835f
      danh-arm authored
      Introduce PSCI library
      3dd9835f
  4. 19 Jul, 2016 6 commits
    • Soby Mathew's avatar
      Rearrange assembly helper macros · 738b1fd7
      Soby Mathew authored
      This patch moves assembler macros which are not architecture specific
      to a new file `asm_macros_common.S` and moves the `el3_common_macros.S`
      into `aarch64` specific folder.
      
      Change-Id: I444a1ee3346597bf26a8b827480cd9640b38c826
      738b1fd7
    • Soby Mathew's avatar
      Define `plat_get_syscnt_freq2()` unconditionally for ARM platforms · a4beaaff
      Soby Mathew authored
      Previously the definition of `plat_get_syscnt_freq2()` in `arm_common.c` was
      conditionally defined based on the ERROR_DEPRECATED flag. This patch makes
      this function available irrespective of the flag and removes the deprecated
      `plat_get_syscnt_freq()` definition.
      
      Change-Id: I250ca787ca1b5e867096c6ba8f2bb444db44c97b
      a4beaaff
    • Soby Mathew's avatar
      Cater for preloaded BL33 within plat_get_ns_image_entrypoint() · 48ac1df9
      Soby Mathew authored
      The PRELOADED_BL33_BASE build option allows to preload a BL33 and bypass its
      loading by BL2. In ARM standard platforms, the conditional behaviour of
      PRELOADED_BL33_BASE is moved within the implementation of
      `plat_get_ns_image_entrypoint()` so that all callers may benefit from this
      feature.
      
      Change-Id: Iea060e204ec72f8081087837854535c4e320da4e
      48ac1df9
    • Soby Mathew's avatar
      Move `arm_common.c` out of aarch64 folder · bc149bfc
      Soby Mathew authored
      This patch moves the `arm_common.c` file from `plat/arm/common/aarch64/`
      to the parent directory since the functions implemented in the file are
      not AArch64 specific. The platform makefiles are also modified for this
      change.
      
      Change-Id: I776d2e4958f59041476cf2f53a9adb5b2d304ee0
      bc149bfc
    • Soby Mathew's avatar
      Include `plat_psci_common.c` from the new location · bb2162f1
      Soby Mathew authored
      The `plat_psci_common.c` was moved to the new location `plat/common`
      and a stub file was retained at previous location for compatibility. This
      patch modifies the platform makefiles to include the file from the new
      location.
      
      Change-Id: Iabddeeb824e9a5d72d176d7c644735966c8c0699
      bb2162f1
    • Soby Mathew's avatar
      Introduce PSCI Library Interface · cf0b1492
      Soby Mathew authored
      This patch introduces the PSCI Library interface. The major changes
      introduced are as follows:
      
      * Earlier BL31 was responsible for Architectural initialization during cold
      boot via bl31_arch_setup() whereas PSCI was responsible for the same during
      warm boot. This functionality is now consolidated by the PSCI library
      and it does Architectural initialization via psci_arch_setup() during both
      cold and warm boots.
      
      * Earlier the warm boot entry point was always `psci_entrypoint()`. This was
      not flexible enough as a library interface. Now PSCI expects the runtime
      firmware to provide the entry point via `psci_setup()`. A new function
      `bl31_warm_entrypoint` is introduced in BL31 and the previous
      `psci_entrypoint()` is deprecated.
      
      * The `smc_helpers.h` is reorganized to separate the SMC Calling Convention
      defines from the Trusted Firmware SMC helpers. The former is now in a new
      header file `smcc.h` and the SMC helpers are moved to Architecture specific
      header.
      
      * The CPU context is used by PSCI for context initialization and
      restoration after power down (PSCI Context). It is also used by BL31 for SMC
      handling and context management during Normal-Secure world switch (SMC
      Context). The `psci_smc_handler()` interface is redefined to not use SMC
      helper macros thus enabling to decouple the PSCI context from EL3 runtime
      firmware SMC context. This enables PSCI to be integrated with other runtime
      firmware using a different SMC context.
      
      NOTE: With this patch the architectural setup done in `bl31_arch_setup()`
      is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be
      invoked prior to architectural setup. It is highly unlikely that the platform
      setup will depend on architectural setup and cause any failure. Please be
      be aware of this change in sequence.
      
      Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
      cf0b1492
  5. 18 Jul, 2016 8 commits
    • Soby Mathew's avatar
      Introduce `el3_runtime` and `PSCI` libraries · 532ed618
      Soby Mathew authored
      This patch moves the PSCI services and BL31 frameworks like context
      management and per-cpu data into new library components `PSCI` and
      `el3_runtime` respectively. This enables PSCI to be built independently from
      BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
      PSCI library sources and gets included by `bl31.mk`. Other changes which
      are done as part of this patch are:
      
      * The runtime services framework is now moved to the `common/` folder to
        enable reuse.
      * The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
        specific folder.
      * The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
        to `plat/common` folder. The original file location now has a stub which
        just includes the file from new location to maintain platform compatibility.
      
      Most of the changes wouldn't affect platform builds as they just involve
      changes to the generic bl1.mk and bl31.mk makefiles.
      
      NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
      THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
      MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
      
      Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
      532ed618
    • Soby Mathew's avatar
      Fix coding guideline warnings · da554d74
      Soby Mathew authored
      This patch fixes some coding guideline warnings reported by the checkpatch
      script. Only files related to upcoming feature development have been fixed.
      
      Change-Id: I26fbce75c02ed62f00493ed6c106fe7c863ddbc5
      da554d74
    • Soby Mathew's avatar
      Rework type usage in Trusted Firmware · 4c0d0390
      Soby Mathew authored
      This patch reworks type usage in generic code, drivers and ARM platform files
      to make it more portable. The major changes done with respect to
      type usage are as listed below:
      
      * Use uintptr_t for storing address instead of uint64_t or unsigned long.
      * Review usage of unsigned long as it can no longer be assumed to be 64 bit.
      * Use u_register_t for register values whose width varies depending on
        whether AArch64 or AArch32.
      * Use generic C types where-ever possible.
      
      In addition to the above changes, this patch also modifies format specifiers
      in print invocations so that they are AArch64/AArch32 agnostic. Only files
      related to upcoming feature development have been reworked.
      
      Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
      4c0d0390
    • danh-arm's avatar
      Merge pull request #666 from Xilinx/zynqmp/rodata-xn · bc469a84
      danh-arm authored
      zynqmp: Map read-only data as execute-never
      bc469a84
    • danh-arm's avatar
      Merge pull request #654 from rockchip-linux/rk3399-suspend-resume · 84ded36c
      danh-arm authored
      rockchip: support the suspend/resume for rk3399
      84ded36c
    • danh-arm's avatar
      Merge pull request #653 from rockchip-linux/support-rockchip-sip-runtime-service · 473cae6c
      danh-arm authored
      rockchip: support plat SIP runtime service for rk3399
      473cae6c
    • Tony Xie's avatar
      rockchip: support the suspend/resume for rk3399 · 9ec78bdf
      Tony Xie authored
      1.Fixes the suspend/resume some bugs.
      2.Add the power domain for saving power consumption.
      3.Add cpu clusters suspend for rk3399 SoCs
      
      Change-Id: Id602779016b41d6281f4ba40a20229d909b28e46
      9ec78bdf
    • Caesar Wang's avatar
      rockchip: support plat SIP runtime service · 1760db68
      Caesar Wang authored
      Software executing in the normal world and in the trusted world at
      exception levels lower than EL3 will request runtime services using the
      SMC instruction.
      
      See the documentation here:
      https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/
      rt-svc-writers-guide.md
      
      This to be implemented as an EL3 Runtime Service in rockchip BL31
      platform port, using the "SiP Service Call" range as specified in the
      SMC Calling Convention.
      This doesn't support any SMC yet, we will support it in later.
      
      Change-Id: I0a638dd0b653c28b08f79d89f77ed7c69864017d
      1760db68
  6. 15 Jul, 2016 4 commits
  7. 12 Jul, 2016 1 commit
  8. 11 Jul, 2016 1 commit
  9. 08 Jul, 2016 11 commits
    • Sandrine Bailleux's avatar
      ARM CSS platforms: Map flash as execute-never by default · 91fad655
      Sandrine Bailleux authored
      On ARM CSS platforms, the whole flash used to be mapped as executable.
      This is not required, given that the flash is used to store the BL1
      and FIP images and:
      
       - The FIP is not executed in place, its images are copied to RAM
         and executed from there.
      
       - BL1 is executed in place from flash but only its code needs to be
         mapped as executable and platform code takes care of re-mapping
         BL1's read-only section as executable.
      
      Therefore, this patch now maps the flash as non-executable by default
      on these platforms. This increases security by restricting the
      executable region to what is strictly needed.
      
      This patch also adds some comments to clarify the memory mapping
      attributes on these platforms.
      
      Change-Id: I4db3c145508bea1f43fbe0f6dcd551e1aec1ecd3
      91fad655
    • Sandrine Bailleux's avatar
      Add some verbose traces in arm_setup_page_tables() · 84aaf559
      Sandrine Bailleux authored
      This patch adds some verbose traces in the arm_setup_page_tables()
      function to print the extents of the different memory regions it maps.
      
      Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4
      84aaf559
    • Sandrine Bailleux's avatar
      ARM platforms: Add support for SEPARATE_CODE_AND_RODATA · 0af559a8
      Sandrine Bailleux authored
      The arm_setup_page_tables() function used to expect a single set of
      addresses defining the extents of the whole read-only section, code
      and read-only data mixed up, which was mapped as executable.
      
      This patch changes this behaviour. arm_setup_page_tables() now
      expects 2 separate sets of addresses:
      
       - the extents of the code section;
       - the extents of the read-only data section.
      
      The code is mapped as executable, whereas the data is mapped as
      execute-never. New #defines have been introduced to identify the
      extents of the code and the read-only data section. Given that
      all BL images except BL1 share the same memory layout and linker
      script structure, these #defines are common across these images.
      The slight memory layout differences in BL1 have been handled by
      providing values specific to BL1.
      
      Note that this patch also affects the Xilinx platform port, which
      uses the arm_setup_page_tables() function. It has been updated
      accordingly, such that the memory mappings on this platform are
      unchanged. This is achieved by passing null values as the extents
      of the read-only data section so that it is ignored. As a result,
      the whole read-only section is still mapped as executable.
      
      Fixes ARM-software/tf-issues#85
      
      Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5
      0af559a8
    • Sandrine Bailleux's avatar
      ARM platforms: Include BL2U's RO section in total memory region · b2c96eed
      Sandrine Bailleux authored
      This patch changes the base address of the "total" Trusted SRAM region
      seen by the BL2U image. It used to start just after BL2U's read-only
      section (i.e. at address BL2U_RO_LIMIT), it now starts from the base
      address of the BL2U image (i.e. at address BL2U_BASE). In other words,
      the "total" memory region now includes BL2U's own read-only section.
      
      This does not change BL2U's resulting memory mappings because the
      read-only section was already mapped in BL2U, it just wasn't part of
      this total memory region.
      
      Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671
      b2c96eed
    • Sandrine Bailleux's avatar
      ARM platforms: Restrict mapping of Trusted ROM in BL1 · af419dd6
      Sandrine Bailleux authored
      At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE
      to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is
      the maximum address in Trusted ROM that BL1's actual content _can_
      occupy. The actual portion of ROM occupied by BL1 can be less than
      that, which means that BL1 might map more Trusted ROM than it actually
      needs to.
      
      This patch changes BL1's memory mappings on ARM platforms to restrict
      the region of Trusted ROM it maps. It uses the symbols exported by
      the linker to figure out the actual extents of BL1's ROM footprint.
      
      This change increases the number of page tables used on FVP by 1.
      On FVP, we used to map the whole Trusted ROM. As it is 64MB large,
      we used to map it as blocks of 2MB using level-2 translation table
      entries. We now need a finer-grained mapping, which requires an
      additional level-3 translation table.
      
      On ARM CSS platforms, the number of translation tables is unchanged.
      The BL1 image resides in flash at address 0x0BEC0000. This address is
      not aligned on a 2MB-boundary so a level-3 translation table was
      already required to map this memory.
      
      Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb
      af419dd6
    • Sandrine Bailleux's avatar
      TSP: Print BL32_BASE rather than __RO_START__ · a604623c
      Sandrine Bailleux authored
      In debug builds, the TSP prints its image base address and size.
      The base address displayed corresponds to the start address of the
      read-only section, as defined in the linker script.
      
      This patch changes this to use the BL32_BASE address instead, which is
      the same address as __RO_START__ at the moment but has the advantage
      to be independent of the linker symbols defined in the linker script
      as well as the layout and order of the sections.
      
      Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc
      a604623c
    • Sandrine Bailleux's avatar
      Introduce SEPARATE_CODE_AND_RODATA build flag · 5d1c104f
      Sandrine Bailleux authored
      At the moment, all BL images share a similar memory layout: they start
      with their code section, followed by their read-only data section.
      The two sections are contiguous in memory. Therefore, the end of the
      code section and the beginning of the read-only data one might share
      a memory page. This forces both to be mapped with the same memory
      attributes. As the code needs to be executable, this means that the
      read-only data stored on the same memory page as the code are
      executable as well. This could potentially be exploited as part of
      a security attack.
      
      This patch introduces a new build flag called
      SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
      on separate memory pages. This in turn allows independent control of
      the access permissions for the code and read-only data.
      
      This has an impact on memory footprint, as padding bytes need to be
      introduced between the code and read-only data to ensure the
      segragation of the two. To limit the memory cost, the memory layout
      of the read-only section has been changed in this case.
      
       - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
         the read-only section still looks like this (padding omitted):
      
         |        ...        |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script provides the limits of the whole
         read-only section.
      
       - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
         read-only data are swapped, such that the code and exception
         vectors are contiguous, followed by the read-only data. This
         gives the following new layout (padding omitted):
      
         |        ...        |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script now exports 2 sets of addresses
         instead: the limits of the code and the limits of the read-only
         data. Refer to the Firmware Design guide for more details. This
         provides platform code with a finer-grained view of the image
         layout and allows it to map these 2 regions with the appropriate
         access permissions.
      
      Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
      
      Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
      5d1c104f
    • Sandrine Bailleux's avatar
      Introduce round_up/down() macros · 0146ae64
      Sandrine Bailleux authored
      This patch introduces the round_up() and round_down() macros,
      which round up (respectively down) a value to a given boundary.
      The boundary must be a power of two.
      
      Change-Id: I589dd1074aeb5ec730dd523b4ebf098d55a7e967
      0146ae64
    • Sandrine Bailleux's avatar
      Introduce utils.h header file · ed81f3eb
      Sandrine Bailleux authored
      This patch introduces a new header file: include/lib/utils.h.
      Its purpose is to provide generic macros and helper functions that
      are independent of any BL image, architecture, platform and even
      not specific to Trusted Firmware.
      
      For now, it contains only 2 macros: ARRAY_SIZE() and
      IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
      xlat_tables.c respectively.
      
      bl_common.h includes utils.h to retain compatibility for platforms
      that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
      platform ports that use this macro have been updated to include
      utils.h.
      
      Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
      ed81f3eb
    • Sandrine Bailleux's avatar
      BL1: Add linker symbol identifying end of ROM content · c02fcc4a
      Sandrine Bailleux authored
      This patch adds a new linker symbol in BL1's linker script named
      '__BL1_ROM_END__', which marks the end of BL1's ROM content. This
      covers BL1's code, read-only data and read-write data to relocate
      in Trusted SRAM. The address of this new linker symbol is exported
      to C code through the 'BL1_ROM_END' macro.
      
      The section related to linker symbols in the Firmware Design guide
      has been updated and improved.
      
      Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
      c02fcc4a
    • Sandrine Bailleux's avatar
      xlat lib: Introduce MT_EXECUTE/MT_EXECUTE_NEVER attributes · b9161469
      Sandrine Bailleux authored
      This patch introduces the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping
      attributes in the translation table library to specify the
      access permissions for instruction execution of a memory region.
      These new attributes should be used only for normal, read-only
      memory regions. For other types of memory, the translation table
      library still enforces the following rules, regardless of the
      MT_EXECUTE/MT_EXECUTE_NEVER attribute:
      
       - Device memory is always marked as execute-never.
       - Read-write normal memory is always marked as execute-never.
      
      Change-Id: I8bd27800a8c1d8ac1559910caf4a4840cf25b8b0
      b9161469