GitLab

This function was removed long ago.  Remove remaining
pragma reference.

Change-Id: I66c556863d47dc17d2ffdc6c23aa524df6aade80
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

The default case is impossible to hit as the `power_level`
is already checked earlier.  Avoids a clang warning.

Change-Id: I707463c843adc748ee9aa1d2313f9ab7dab3a8ab
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

The header tbbr_oid.h contains OIDs obtained by ARM Ltd.
so there is no good reason to use platform_oid.h
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide any
value (at least technically).

For easier use of TBBR, this commit allows platforms to reuse the OIDs
obtained by ARM Ltd.  This will be useful for non-ARM vendors that
do not need their own extension fields in their certificate files.

The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h

Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
backward compatibility.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

The commit abd2aba9

 introduced a
regression to the AArch32 sp_min Juno build. This patch fixes that.

Change-Id: I4b141717684d6aee60c761ea17f23170aa6708c3
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode.

To build this patch the "mbedtls/include/mbedtls/bignum.h"
needs to be modified to remove `#define MBEDTLS_HAVE_UDBL`
when `MBEDTLS_HAVE_INT32` is defined. This is a workaround
for "https://github.com/ARMmbed/mbedtls/issues/708

"

NOTE: TBBR support on Juno AArch32 is not currently supported.

Change-Id: I86d80e30b9139adc4d9663f112801ece42deafcf
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>

We used to have the following circular dependency in the FVP platform
header files:

 +-> arm_def.h ---> platform_def.h ---> fvp_def.h --+
 |__________________________________________________|

This patch breaks it by not including 'arm_def.h' from 'fvp_def.h'.

Change-Id: I280d906559e3343dd38764029e77c0ea768b4fec
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/



Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

utils.h is included in various header files for the defines in it.
Some of the other header files only contain defines.  This allows the
header files to be shared between host and target builds for shared defines.

Recently types.h has been included in utils.h as well as some function
prototypes.

Because of the inclusion of types.h conflicts exist building host tools
abd these header files now.  To solve this problem,
move the defines to utils_def.h and have this included by utils.h and
change header files to only include utils_def.h and not pick up the new
types.h being introduced.

Fixes ARM-software/tf-issues#461
Signed-off-by: Scott Branden <scott.branden@broadcom.com>

Remove utils_def.h from utils.h

This patch removes utils_def.h from utils.h as it is not required.
And also makes a minor change to ensure Juno platform compiles.

Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29

The CSS power management layer previously allowed to suspend system
power domain level via both PSCI CPU_SUSPEND and PSCI SYSTEM_SUSPEND
APIs. System suspend via PSCI CPU_SUSPEND was always problematic to
support because of issues with targeting wakeup interrupts to
suspended cores before the per-cpu GIC initialization is done. This
is not the case for PSCI SYSTEM_SUSPEND API because all the other
cores are expected to be offlined prior to issuing system suspend and
PSCI CPU_ON explicit calls will be made to power them on. Hence the Juno
platform used to downgrade the PSCI CPU_SUSPEND request for system
power domain level to cluster level by overriding the default
`plat_psci_pm_ops` exported by CSS layer.

Given the direction the new CSS platforms are evolving, it is best to
limit the system suspend only via PSCI SYSTEM_SUSPEND API for all
CSS platforms. This patch makes changes to allow system suspend
only via PSCI SYSTEM_SUSPEND API. The override of `plat_psci_ops`
for Juno is removed.

Change-Id: Idb30eaad04890dd46074e9e888caeedc50a4b533
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch adds support for SP_MIN on JUNO platform.
The changes include addition of AArch32 assembly files,
JUNO specific SP_MIN make file and miscellaneous changes
in ARM platform files to enable support for SP_MIN.

Change-Id: Id1303f422fc9b98b9362c757b1a4225a16fffc0b
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Following steps are required to boot JUNO in AArch32 state:
1> BL1, in AArch64 state, loads BL2.
2> BL2, in AArch64 state, initializes DDR.
  Loads SP_MIN & BL33 (AArch32 executable)images.
  Calls RUN_IMAGE SMC to go back to BL1.
3> BL1 writes AArch32 executable opcodes, to load and branch
  at the entrypoint address of SP_MIN, at HI-VECTOR address and
  then request for warm reset in AArch32 state using RMR_EL3.

This patch makes following changes to facilitate above steps:
* Added assembly function to carry out step 3 above.
* Added region in TZC that enables Secure access to the
  HI-VECTOR(0xFFFF0000) address space.
* AArch32 image descriptor is used, in BL2, to load
  SP_MIN and BL33 AArch32 executable images.

A new flag `JUNO_AARCH32_EL3_RUNTIME` is introduced that
controls above changes. By default this flag is disabled.

NOTE: BL1 and BL2 are not supported in AArch32 state for JUNO.

Change-Id: I091d56a0e6d36663e6d9d2bb53c92c672195d1ec
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Some header files using the ULL() macro were not directly including
utils.h where the macro definition resides. As a consequence, a linker
script with values using this macro did not see the macro definition
and kept the "ULL(<value>)" call in the preprocessed file, which lead to
link error.

Files using ULL() macro now include utils.h directly.

Change-Id: I433a7f36bd21a156c20e69bc2a2bb406140ebdf9
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Change-Id: I7f3e4bfd46613c6311ba4015d56705414fd6feab
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

This function fills the buffer (first argument) with the specified
number of bytes (second argument) from the trusted entropy source.

This function will be used to initialize the stack protector canary.

Change-Id: Iff15aaf4778c13fa883ecb5528fcf9b8479d4489
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Juno platform Makefile is responsible for enabling all the relevant
errata. As the Juno platform port does not know which revision of Juno
the TF
is compiled for, the revision of the cores are unknown and so all errata
up to this date are needed on at least one revision of Juno.

Change-Id: I38e1d6efc17e703f2bd55e0714f8d8fa4778f696
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

ARM erratum 855873 applies to all Cortex-A53 CPUs.
The recommended workaround is to promote "data cache clean"
instructions to "data cache clean and invalidate" instructions.
For core revisions of r0p3 and later this can be done by setting a bit
in the CPUACTLR_EL1 register, so that hardware takes care of the promotion.
As CPUACTLR_EL1 is both IMPLEMENTATION DEFINED and can be trapped to EL3,
we set the bit in firmware.
Also we dump this register upon crashing to provide more debug
information.

Enable the workaround for the Juno boards.

Change-Id: I3840114291958a406574ab6c49b01a9d9847fec8
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

TLBI instructions for EL3 won't have the desired effect under specific
circumstances in Cortex-A57 r0p0. The workaround is to execute DSB and
TLBI twice each time.

Even though this errata is only needed in r0p0, the current errata
framework is not prepared to apply run-time workarounds. The current one
is always applied if compiled in, regardless of the CPU or its revision.

This errata has been enabled for Juno.

The `DSB` instruction used when initializing the translation tables has
been changed to `DSB ISH` as an optimization and to be consistent with
the barriers used for the workaround.

Change-Id: Ifc1d70b79cb5e0d87e90d88d376a59385667d338
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

On Juno, the secure privileged invasive debug authentication signal
(SPIDEN) is controlled by board SCC registers, which by default enable
SPIDEN.  Disable secure privileged external debug in release builds by
programming the appropriate Juno SoC registers.

Change-Id: I61045f09a47dc647bbe95e1b7a60e768f5499f49
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

With GCC 6.2 compiler, more C undefined behaviour is being flagged as
warnings, which result in build errors in ARM TF build.

The specific issue that this patch resolves is the use of (1 << 31),
which is predominantly used in case statements, where 1 is represented
as a signed int. When shifted to msb the behaviour is undefined.

The resolution is to specify 1 as an unsigned int using a convenience
macro ULL(). A duplicate macro MAKE_ULL() is replaced.

Fixes ARM-software/tf-issues#438

Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
Signed-off-by: David Cunado <david.cunado@arm.com>

One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.

For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true.  (Options passed by $(call add_define,)
are the cases.)

For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.

Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
follows:

  $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))

  $(OBJ): $(2)
          @echo "  CC      $$<"
          $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@

This means, IMAGE_BL* is defined when building the corresponding
image, but *undefined* for the other images.

So, IMAGE_BL* belongs to the latter group where we should use #ifdef
or #ifndef.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Earlier patches introduced GIC Redistributor power management for ARM
platforms. This patch modifies FVP power management to power down
Redistributor during CPU power on/off.

Change-Id: I2adb9c50a7dd750019fe3b4e576b5d5fc364bffb
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch enables TRUSTED_BOARD_BOOT (Authentication and FWU)
support, for AArch64, when LOAD_IMAGE_V2 is enabled.

This patch also enables LOAD_IMAGE_V2 for ARM platforms.

Change-Id: I294a2eebce7a30b6784c80c9d4ac7752808ee3ad
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>

The capabilities exposed by the PSCI generic layer depends on the hooks
populated by the platform in `plat_arm_psci_pm_ops`. Currently ARM
Standard platforms statically define this structure. However, some
platforms may want to modify the hooks at runtime before registering
them with the generic layer.

This patch introduces a new ARM platform layer API
`plat_arm_psci_override_pm_ops` which allows the platform to probe
the power controller and modify `plat_arm_psci_pm_ops` if required.
Consequently, 'plat_arm_psci_pm_ops' is no longer qualified as
`const` on ARM Standard platforms.

Change-Id: I7dbb44b7bd36c20ec14ded5ee45a96816ca2ab9d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

There are many instances in ARM Trusted Firmware where control is
transferred to functions from which return isn't expected. Such jumps
are made using 'bl' instruction to provide the callee with the location
from which it was jumped to. Additionally, debuggers infer the caller by
examining where 'lr' register points to. If a 'bl' of the nature
described above falls at the end of an assembly function, 'lr' will be
left pointing to a location outside of the function range. This misleads
the debugger back trace.

This patch defines a 'no_ret' macro to be used when jumping to functions
from which return isn't expected. The macro ensures to use 'bl'
instruction for the jump, and also, for debug builds, places a 'nop'
instruction immediately thereafter (unless instructed otherwise) so as
to leave 'lr' pointing within the function range.

Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This prevents a warning being emitted in the console during FVP
configuration setup when using the Foundation FVP 9.6 onwards.

Change-Id: I685b8bd0dbd0119af4b0cb3f7d708fcc08e99561

This patch adds ARM Cortex-A32 MPCore Processor support
in the CPU specific operations framework. It also includes
this support for the Base FVP port.

Change-Id: If3697b88678df737c29f79cf3fa1ea2cb6fa565d

This patch adds support in SP_MIN to receive generic and
platform specific arguments from BL2.

The new signature is as following:
    void sp_min_early_platform_setup(void *from_bl2,
         void *plat_params_from_bl2);

ARM platforms have been modified to use this support.

Note: Platforms may break if using old signature.
      Default value for RESET_TO_SP_MIN is changed to 0.

Change-Id: I008d4b09fd3803c7b6231587ebf02a047bdba8d0

This patch adds ARM platform changes in BL2 for AArch32 state.
It instantiates a descriptor array for ARM platforms describing
image and entrypoint information for `SCP_BL2`, `BL32` and `BL33`.
It also enables building of BL2 for ARCH=aarch32.

Change-Id: I60dc7a284311eceba401fc789311c50ac746c51e

This patch adds ARM platform changes in BL1 for AArch32 state.
It also enables building of BL1 for ARCH=aarch32.

Change-Id: I079be81a93d027f37b0f7d8bb474b1252bb4cf48

This patch adds common changes to support AArch32 state in
BL1 and BL2. Following are the changes:

* Added functions for disabling MMU from Secure state.
* Added AArch32 specific SMC function.
* Added semihosting support.
* Added reporting of unhandled exceptions.
* Added uniprocessor stack support.
* Added `el3_entrypoint_common` macro that can be
  shared by BL1 and BL32 (SP_MIN) BL stages. The
  `el3_entrypoint_common` is similar to the AArch64
  counterpart with the main difference in the assembly
  instructions and the registers that are relevant to
  AArch32 execution state.
* Enabled `LOAD_IMAGE_V2` flag in Makefile for
  `ARCH=aarch32` and added check to make sure that
  platform has not overridden to disable it.

Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3

This patch adds changes in ARM platform code to use new
version of image loading.

Following are the major changes:
  -Refactor the signatures for bl31_early_platform_setup()
   and arm_bl31_early_platform_setup() function to use
   `void *` instead of `bl31_params_t *`.
  -Introduce `plat_arm_bl2_handle_scp_bl2()` to handle
   loading of SCP_BL2 image from BL2.
  -Remove usage of reserve_mem() function from
   `arm_bl1_early_platform_setup()`
  -Extract BL32 & BL33 entrypoint info, from the link list
   passed by BL2, in `arm_bl31_early_platform_setup()`
  -Provides weak definitions for following platform functions:
     plat_get_bl_image_load_info
     plat_get_next_bl_params
     plat_flush_next_bl_params
     bl2_plat_handle_post_image_load
  -Instantiates a descriptor array for ARM platforms
   describing image and entrypoint information for
   `SCP_BL2`, `BL31`, `BL32` and `BL33` images.

All the above changes are conditionally compiled using the
`LOAD_IMAGE_V2` flag.

Change-Id: I5e88b9785a3df1a2b2bbbb37d85b8e353ca61049

This patch implements CSS platform hook to support NODE_HW_STATE PSCI
API. The platform hook queries SCP to obtain CSS power state. Power
states returned by SCP are then converted to expected PSCI return codes.

Juno's PSCI operation structure is modified to use the CSS
implementation.

Change-Id: I4a5edac0e5895dd77b51398cbd78f934831dafc0

This patch implements FVP platform hook to support NODE_HW_STATE PSCI
API. The platform hook validates the given MPIDR and reads corresponding
status from FVP power controller, and returns expected values for the
PSCI call.

Change-Id: I286c92637da11858db2c8aba8ba079389032de6d

This patch adds a WFI instruction in the default implementations of
plat_error_handler() and plat_panic_handler(). This potentially reduces
power consumption by allowing the hardware to enter a low-power state.
The same change has been made to the FVP and Juno platform ports.

Change-Id: Ia4e6e1e5bf1ed42efbba7d0ebbad7be8d5f9f173

This patch implements the support for SP_MIN in FVP. The SP_MIN platform
APIs are implemented and the required makefile support is added for FVP.

Change-Id: Id50bd6093eccbd5e38894e3fd2b20d5baeac5452

This patch adds AArch32 support for FVP and implements common platform APIs
like `plat_get_my_stack`, `plat_set_my_stack`, `plat_my_core_cos` for AArch32.
Only Multi Processor(MP) implementations of these functions are considered in
this patch. The ARM Standard platform layer helpers are implemented for
AArch32 and the common makefiles are modified to cater for both AArch64 and
AArch32 builds. Compatibility with the deprecated platform API is not
supported for AArch32.

Change-Id: Iad228400613eec91abf731b49e21a15bcf2833ea

This patch migrates the upstream platform makefiles to include the
console drivers from the new location in ARM Trusted Firmware code
base.

Change-Id: I866d6c4951e475de1f836ce8a8c1d5e6da9577e3

Compile option `ARM_BOARD_OPTIMISE_MMAP` has been renamed to
`ARM_BOARD_OPTIMISE_MEM` because it now applies not only to defines
related to the translation tables but to the image size as well.

The defines `PLAT_ARM_MAX_BL1_RW_SIZE`, `PLAT_ARM_MAX_BL2_SIZE` and
`PLAT_ARM_MAX_BL31_SIZE` have been moved to the file board_arm_def.h.
This way, ARM platforms no longer have to set their own values if
`ARM_BOARD_OPTIMISE_MEM=0` and they can specify optimized values
otherwise. The common sizes have been set to the highest values used
for any of the current build configurations.

This is needed because in some build configurations some images are
running out of space. This way there is a common set of values known
to work for all of them and it can be optimized for each particular
platform if needed.

The space reserved for BL2 when `TRUSTED_BOARD_BOOT=0` has been
increased. This is needed because when memory optimisations are
disabled the values for Juno of `PLAT_ARM_MMAP_ENTRIES` and
`MAX_XLAT_TABLES` are higher. If in this situation the code is
compiled in debug mode and with "-O0", the code won't fit.

Change-Id: I70a3d8d3a0b0cad1d6b602c01a7ea334776e718e