1. 02 Jun, 2020 2 commits
    • Jimmy Brisson's avatar
      Enable ARMv8.6-ECV Self-Synch when booting to EL2 · 29d0ee54
      Jimmy Brisson authored
      
      
      Enhanced Counter Virtualization, ECV, is an architecture extension introduced
      in ARMv8.6. This extension allows the hypervisor, at EL2, to setup
      self-synchronizing views of the timers for it's EL1 Guests. This patch pokes the
      control register to enable this extension when booting a hypervisor at EL2.
      
      Change-Id: I4e929ecdf400cea17eff1de5cf8704aa7e40973d
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      29d0ee54
    • Jimmy Brisson's avatar
      Enable ARMv8.6-FGT when booting to EL2 · 110ee433
      Jimmy Brisson authored
      
      
      The Fine Grained Traps (FGT) architecture extension was added to aarch64 in
      ARMv8.6. This extension primarily allows hypervisors, at EL2, to trap specific
      instructions in a more fine grained manner, with an enable bit for each
      instruction. This patch adds support for this extension by enabling the
      extension when booting an hypervisor at EL2.
      
      Change-Id: Idb9013ed118b6a1b7b76287237096de992ca4da3
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      110ee433
  2. 26 May, 2020 1 commit
  3. 19 May, 2020 1 commit
    • johpow01's avatar
      Enable v8.6 WFE trap delays · 6cac724d
      johpow01 authored
      
      
      This patch enables the v8.6 extension to add a delay before WFE traps
      are taken. A weak hook plat_arm_set_twedel_scr_el3 has been added in
      plat/common/aarch64/plat_common.c that disables this feature by default
      but platform-specific code can override it when needed.
      
      The only hook provided sets the TWED fields in SCR_EL3, there are similar
      fields in HCR_EL2, SCTLR_EL2, and SCTLR_EL1 to control WFE trap delays in
      lower ELs but these should be configured by code running at EL2 and/or EL1
      depending on the platform configuration and is outside the scope of TF-A.
      Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
      Change-Id: I0a9bb814205efeab693a3d0a0623e62144abba2d
      6cac724d
  4. 14 May, 2020 1 commit
    • Manish V Badarkhe's avatar
      Implement workaround for AT speculative behaviour · 45aecff0
      Manish V Badarkhe authored
      During context switching from higher EL (EL2 or higher)
      to lower EL can cause incorrect translation in TLB due to
      speculative execution of AT instruction using out-of-context
      translation regime.
      
      Workaround is implemented as below during EL's (EL1 or EL2)
      "context_restore" operation:
      1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1
         bits for EL1 or EL2 (stage1 and stage2 disabled)
      2. Save all system registers except TCR and SCTLR (for EL1 and EL2)
      3. Do memory barrier operation (isb) to ensure all
         system register writes are done.
      4. Restore TCR and SCTLR registers (for EL1 and EL2)
      
      Errata details are available for various CPUs as below:
      Cortex-A76: 1165522
      Cortex-A72: 1319367
      Cortex-A57: 1319537
      Cortex-A55: 1530923
      Cortex-A53: 1530924
      
      More details can be found in mail-chain:
      https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html
      
      
      
      Currently, Workaround is implemented as build option which is default
      disabled.
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0
      45aecff0
  5. 15 Apr, 2020 1 commit
  6. 03 Apr, 2020 1 commit
    • John Powell's avatar
      Fix MISRA C issues in BL1/BL2/BL31 · 3443a702
      John Powell authored
      
      
      Attempts to address MISRA compliance issues in BL1, BL2, and BL31 code.
      Mainly issues like not using boolean expressions in conditionals,
      conflicting variable names, ignoring return values without (void), adding
      explicit casts, etc.
      
      Change-Id: If1fa18ab621b9c374db73fa6eaa6f6e5e55c146a
      Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
      3443a702
  7. 06 Mar, 2020 1 commit
  8. 03 Mar, 2020 1 commit
    • Max Shvetsov's avatar
      SPMD: Adds partially supported EL2 registers. · 2825946e
      Max Shvetsov authored
      
      
      This patch adds EL2 registers that are supported up to ARMv8.6.
      ARM_ARCH_MINOR has to specified to enable save/restore routine.
      
      Note: Following registers are still not covered in save/restore.
       * AMEVCNTVOFF0<n>_EL2
       * AMEVCNTVOFF1<n>_EL2
       * ICH_AP0R<n>_EL2
       * ICH_AP1R<n>_EL2
       * ICH_LR<n>_EL2
      
      Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
      Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
      2825946e
  9. 02 Mar, 2020 1 commit
  10. 20 Feb, 2020 1 commit
    • Varun Wadekar's avatar
      Tegra: delay_timer: support for physical secure timer · dd4f0885
      Varun Wadekar authored
      
      
      This patch modifies the delay timer driver to switch to the ARM
      secure physical timer instead of using Tegra's on-chip uS timer.
      
      The secure timer is not accessible to the NS world and so eliminates
      an important attack vector, where the Tegra timer source gets switched
      off from the NS world leading to a DoS attack for the trusted world.
      
      This timer is shared with the S-EL1 layer for now, but later patches
      will mark it as exclusive to the EL3 exception mode.
      
      Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      dd4f0885
  11. 06 Dec, 2019 2 commits
  12. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
  13. 09 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9dd94382
  14. 21 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      AArch64: Disable Secure Cycle Counter · e290a8fc
      Alexei Fedorov authored
      
      
      This patch fixes an issue when secure world timing information
      can be leaked because Secure Cycle Counter is not disabled.
      For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
      bit on CPU cold/warm boot.
      For the earlier architectures PMCR_EL0 register is saved/restored
      on secure world entry/exit from/to Non-secure state, and cycle
      counting gets disabled by setting PMCR_EL0.DP bit.
      'include\aarch64\arch.h' header file was tided up and new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      e290a8fc
  15. 16 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      FVP_Base_AEMv8A platform: Fix cache maintenance operations · ef430ff4
      Alexei Fedorov authored
      
      
      This patch fixes FVP_Base_AEMv8A model hang issue with
      ARMv8.4+ with cache modelling enabled configuration.
      Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
      LoUIS field, which is required by the architecture to be
      zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
      with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
      FVP_Base_AEMv8A model can be configured with L3 enabled by
      setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
      to non-zero values, and presence of L3 is checked in
      `aem_generic_core_pwr_dwn` function by reading
      CLIDR_EL1.Ctype3 field value.
      
      Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ef430ff4
  16. 24 Jul, 2019 1 commit
    • John Tsichritzis's avatar
      SSBS: init SPSR register with default SSBS value · c250cc3b
      John Tsichritzis authored
      
      
      This patch introduces an additional precautionary step to further
      enhance protection against variant 4. During the context initialisation
      before we enter the various BL stages, the SPSR.SSBS bit is explicitly
      set to zero. As such, speculative loads/stores are by default disabled
      for all BL stages when they start executing. Subsequently, each BL
      stage, can choose to enable speculative loads/stores or keep them
      disabled.
      
      This change doesn't affect the initial execution context of BL33 which
      is totally platform dependent and, thus, it is intentionally left up to
      each platform to initialise.
      
      For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
      that, for Arm platforms, all BL stages start with speculative
      loads/stores disabled.
      
      Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      c250cc3b
  17. 12 Jul, 2019 1 commit
  18. 10 Jul, 2019 1 commit
  19. 17 Jun, 2019 1 commit
  20. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  21. 03 Apr, 2019 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Move shim layer to TTBR1_EL1 · 6de6965b
      Antonio Nino Diaz authored
      
      
      This gives each Secure Partition complete freedom on its address space.
      Previously, the memory used by the exception vectors was reserved and
      couldn't be used. Also, it always had to be mapped, forcing SPM to
      generate translation tables that included the exception vectors as well
      as the Partition memory regions. With this change, partitions can reduce
      their address space size easily.
      
      Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      6de6965b
  22. 14 Mar, 2019 1 commit
  23. 28 Feb, 2019 2 commits
  24. 27 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored
      
      
      ARMv8.3-PAuth adds functionality that supports address authentication of
      the contents of a register before that register is used as the target of
      an indirect branch, or as a load.
      
      This feature is supported only in AArch64 state.
      
      This feature is mandatory in ARMv8.3 implementations.
      
      This feature adds several registers to EL1. A new option called
      CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
      them during Non-secure <-> Secure world switches. This option must be
      enabled if the hardware has the registers or the values will be leaked
      during world switches.
      
      To prevent leaks, this patch also disables pointer authentication in the
      Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
      be trapped in EL3.
      
      Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
  25. 26 Feb, 2019 1 commit
  26. 18 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Disable processor Cycle Counting in Secure state · ed4fc6f0
      Antonio Nino Diaz authored
      
      
      In a system with ARMv8.5-PMU implemented:
      
      - If EL3 is using AArch32, setting MDCR_EL3.SCCD to 1 disables counting
        in Secure state in PMCCNTR.
      
      - If EL3 is using AArch64, setting SDCR.SCCD to 1 disables counting in
        Secure state in PMCCNTR_EL0.
      
      So far this effect has been achieved by setting PMCR_EL0.DP (in AArch64)
      or PMCR.DP (in AArch32) to 1 instead, but this isn't considered secure
      as any EL can change that value.
      
      Change-Id: I82cbb3e48f2e5a55c44d9c4445683c5881ef1f6f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ed4fc6f0
  27. 30 Jan, 2019 1 commit
    • Sathees Balya's avatar
      lib/xlat_tables: Add support for ARMv8.4-TTST · cedfa04b
      Sathees Balya authored
      
      
      ARMv8.4-TTST (Small Translation tables) relaxes the lower limit on the
      size of translation tables by increasing the maximum permitted value
      of the T1SZ and T0SZ fields in TCR_EL1, TCR_EL2, TCR_EL3, VTCR_EL2 and
      VSTCR_EL2.
      
      This feature is supported in AArch64 state only.
      
      This patch adds support for this feature to both versions of the
      translation tables library. It also removes the static build time
      checks for virtual address space size checks to runtime assertions.
      
      Change-Id: I4e8cebc197ec1c2092dc7d307486616786e6c093
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      cedfa04b
  28. 11 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Dynamically detect need for CnP bit · 2559b2c8
      Antonio Nino Diaz authored
      
      
      ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
      in CPUs that don't implement all mandatory 8.2 features (and so have to
      claim to be a lower version).
      
      This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
      ID registers to detect whether it is needed to set the bit or not.
      
      Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2559b2c8
  29. 04 Jan, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
    • Antonio Nino Diaz's avatar
      Reorganize architecture-dependent header files · f5478ded
      Antonio Nino Diaz authored
      
      
      The architecture dependant header files in include/lib/${ARCH} and
      include/common/${ARCH} have been moved to /include/arch/${ARCH}.
      
      Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      f5478ded
  30. 03 Jan, 2019 1 commit
  31. 18 Dec, 2018 1 commit
  32. 10 Dec, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Use SSBS for CVE_2018_3639 mitigation · 48e1d350
      Jeenu Viswambharan authored
      
      
      The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
      Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
      Armv8.5 feature, this can be implemented by CPUs implementing earlier
      version of the architecture.
      
      With this patch, when both PSTATE.SSBS is implemented and
      DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
      SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
      indicate that mitigation on the PE is either permanently enabled or not
      required.
      
      When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
      of every BL stage. This means that EL3 always executes with mitigation
      applied.
      
      For Cortex A76, if the PE implements SSBS, the existing mitigation (by
      using a different vector table, and tweaking CPU ACTLR2) is not used.
      
      Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      48e1d350
  33. 26 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Synchronise arch.h and arch_helpers.h with TF-A-Tests · 932b3ae2
      Antonio Nino Diaz authored
      
      
      The headers forked at some point in the past and have diverged a lot. In
      order to make it easier to share code between TF-A-Tests and TF-A, this
      patch synchronises most of the definitions in the mentioned headers.
      
      This is not a complete sync, it has to be followed by more cleanup.
      
      This patch also removes the read helpers for the AArch32 instructions
      ats1cpr and ats1hr (they are write-only).
      
      Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      932b3ae2
  34. 16 Oct, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Enable lower ELs to use pointer authentication · 3ff4aaac
      Jeenu Viswambharan authored
      
      
      Pointer authentication is an Armv8.3 feature that introduces
      instructions that can be used to authenticate and verify pointers.
      
      Pointer authentication instructions are allowed to be accessed from all
      ELs but only when EL3 explicitly allows for it; otherwise, their usage
      will trap to EL3. Since EL3 doesn't have trap handling in place, this
      patch unconditionally disables all related traps to EL3 to avoid
      potential misconfiguration leading to an unhandled EL3 exception.
      
      Fixes ARM-software/tf-issues#629
      
      Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      3ff4aaac
  35. 28 Sep, 2018 1 commit
  36. 30 Aug, 2018 1 commit