- 07 Jun, 2018 1 commit
-
-
Dimitris Papastamos authored
When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in AArch32 state, ensure that the SMC call will take a shortcut in EL3. This minimizes the time it takes to apply the mitigation in EL3. When lower ELs run in AArch32, it is preferred that they execute the `BPIALL` instruction to invalidate the BTB. However, on some cores the `BPIALL` instruction may be a no-op and thus would benefit from making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path. Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 23 May, 2018 5 commits
-
-
Antonio Nino Diaz authored
This function can be currently accessed through the wrappers cm_init_context_by_index() and cm_init_my_context(). However, they only work on contexts that are associated to a CPU. By making this function public, it is possible to set up a context that isn't associated to any CPU. For consistency, it has been renamed to cm_setup_context(). Change-Id: Ib2146105abc8137bab08745a8adb30ca2c4cedf4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Dimitris Papastamos authored
Some CPUS may benefit from using a dynamic mitigation approach for CVE-2018-3639. A new SMC interface is defined to allow software executing in lower ELs to enable or disable the mitigation for their execution context. It should be noted that regardless of the state of the mitigation for lower ELs, code executing in EL3 is always mitigated against CVE-2018-3639. NOTE: This change is a compatibility break for any platform using the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to the declare_cpu_ops_wa macro instead. Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Implement static mitigation for CVE-2018-3639 on Cortex A57 and A72. Change-Id: I83409a16238729b84142b19e258c23737cc1ddc3 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
For affected CPUs, this approach enables the mitigation during EL3 initialization, following every PE reset. No mechanism is provided to disable the mitigation at runtime. This approach permanently mitigates the entire software stack and no additional mitigation code is required in other software components. TF-A implements this approach for the following affected CPUs: * Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of `CPUACTLR_EL1` (`S3_1_C15_C2_0`). * Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the Technical Reference Manual (TRM)). * Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1` (`S3_0_C15_C1_0`). Additionally, a new SMC interface is implemented to allow software executing in lower ELs to discover whether the system is mitigated against CVE-2018-3639. Refer to "Firmware interfaces for mitigating cache speculation vulnerabilities System Software on Arm Systems"[0] for more information. [0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
This patch renames symbols and files relating to CVE-2017-5715 to make it easier to introduce new symbols and files for new CVE mitigations. Change-Id: I24c23822862ca73648c772885f1690bed043dbc7 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 15 May, 2018 1 commit
-
-
Varun Wadekar authored
Flush the indirect branch predictor and RSB on entry to EL3 by issuing a newly added instruction for Denver CPUs. Support for this operation can be determined by comparing bits 19:16 of ID_AFR0_EL1 with 0b0001. To achieve this without performing any branch instruction, a per-cpu vbar is installed which executes the workaround and then branches off to the corresponding vector entry in the main vector table. A side effect of this change is that the main vbar is configured before any reset handling. This is to allow the per-cpu reset function to override the vbar setting. Change-Id: Ief493cd85935bab3cfee0397e856db5101bc8011 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 09 May, 2018 2 commits
-
-
Varun Wadekar authored
The context management library initialises the CPU context for the secure/non-secure worlds to zero. This leads to zeros being stored to the actual registers when we restore the CPU context, during a world switch. Denver CPUs dont expect zero to be written to the implementation defined, actlr_el1 register, at any point of time. Writing a zero to some fields of this register, results in an UNDEFINED exception. This patch bases the context actlr_el1 value on the actual hardware register, to maintain parity with the expected settings Change-Id: I1c806d7ff12daa7fd1e5c72825494b81454948f2 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Roberto Vargas authored
Using variables as format strings can generate security problems when the user can control those strings. Some compilers generate warnings in that cases, even when the variables are constants and are not controlled by the user. Change-Id: I65dee1d1b66feab38cbf298290a86fa56e6cca40 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 04 May, 2018 6 commits
-
-
Jeenu Viswambharan authored
The ARMv8.4 RAS extensions introduce architectural support for software to inject faults into the system in order to test fault-handling software. This patch introduces the build option FAULT_HANDLING_SUPPORT to allow for lower ELs to use registers in the Standard Error Record to inject fault. The build option RAS_EXTENSIONS must also be enabled along with fault injection. This feature is intended for testing purposes only, and is advisable to keep disabled for production images. Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
EHF currently allows for registering interrupt handlers for a defined priority ranges. This is primarily targeted at various EL3 dispatchers to own ranges of secure interrupt priorities in order to delegate execution to lower ELs. The RAS support added by earlier patches necessitates registering handlers based on interrupt number so that error handling agents shall receive and handle specific Error Recovery or Fault Handling interrupts at EL3. This patch introduces a macro, RAS_INTERRUPTS() to declare an array of interrupt numbers and handlers. Error handling agents can use this macro to register handlers for individual RAS interrupts. The array is expected to be sorted in the increasing order of interrupt numbers. As part of RAS initialisation, the list of all RAS interrupts are sorted based on their ID so that, given an interrupt, its handler can be looked up with a simple binary search. For an error handling agent that wants to handle a RAS interrupt, platform must: - Define PLAT_RAS_PRI to be the priority of all RAS exceptions. - Enumerate interrupts to have the GIC driver program individual EL3 interrupts to the required priority range. This is required by EHF even before this patch. Documentation to follow. Change-Id: I9471e4887ff541f8a7a63309e9cd8f771f76aeda Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Previous patches added frameworks for handling RAS errors. This patch introduces features that the platform can use to enumerate and iterate RAS nodes: - The REGISTER_RAS_NODES() can be used to expose an array of ras_node_info_t structures. Each ras_node_info_t describes a RAS node, along with handlers for probing the node for error, and if did record an error, another handler to handle it. - The macro for_each_ras_node() can be used to iterate over the registered RAS nodes, probe for, and handle any errors. The common platform EA handler has been amended using error handling primitives introduced by both this and previous patches. Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The ARMv8 RAS Extensions introduced Standard Error Records which are a set of standard registers through which: - Platform can configure RAS node policy; e.g., notification mechanism; - RAS nodes can record and expose error information for error handling agents. Standard Error Records can either be accessed via. memory-mapped or System registers. This patch adds helper functions to access registers and fields within an error record. Change-Id: I6594ba799f4a1789d7b1e45b3e17fd40e7e0ba5c Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
At present, the function that restores general purpose registers also does ERET. Refactor the restore code to restore general purpose registers without ERET to complement the save function. The macro save_x18_to_x29_sp_el0 was used only once, and is therefore removed, and its contents expanded inline for readability. No functional changes, but with this patch: - The SMC return path will incur an branch-return and an additional register load. - The unknown SMC path restores registers x0 to x3. Change-Id: I7a1a63e17f34f9cde810685d70a0ad13ca3b7c50 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 02 May, 2018 1 commit
-
-
Antonio Nino Diaz authored
In AArch64, the field ID_AA64MMFR0_EL1.PARange has a different set of allowed values depending on the architecture version. Previously, we only compiled the Trusted Firmware with the values that were allowed by the architecture. However, given that this field is read-only, it is easier to compile the code with all values regardless of the target architecture. Change-Id: I57597ed103dd0189b1fb738a9ec5497391c10dd1 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 01 May, 2018 1 commit
-
-
Roberto Vargas authored
Previously mem_protect used to be only supported from BL2. This is not helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates mem_protect from el3_runtime firmware on ARM Platforms specifically when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap tables temporarily and then the protected regions are then cleared. This avoids the need to map the non secure DRAM permanently to BL31/sp_min. The stack size is also increased, because DYNAMIC_XLAT_TABLES require a bigger stack. Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 26 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
According to the ARMv8 ARM issue C.a: AP[1] is valid only for stage 1 of a translation regime that can support two VA ranges. It is RES 1 when stage 1 translations can support only one VA range. This means that, even though this bit is ignored, it should be set to 1 in the EL3 and EL2 translation regimes. For translation regimes consisting on EL0 and a higher regime this bit selects between control at EL0 or at the higher Exception level. The regimes that support two VA ranges are EL1&0 and EL2&0 (the later one is only available since ARMv8.1). This fix has to be applied to both versions of the translation tables library. Change-Id: If19aaf588551bac7aeb6e9a686cf0c2068e7c181 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 17 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: I989c1f4aef8e3cb20d5d19e6347575e6449bb60b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Apr, 2018 2 commits
-
-
Jonathan Wright authored
A fix for errata 835769 may be available in revisions r0p2, r0p3 or r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 7 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ib75b008e755e9ac648554ca9398024fdbea4a91a Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
Jonathan Wright authored
A fix for errata 843419 may be available in revision r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 8 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 09 Apr, 2018 1 commit
-
-
Varun Wadekar authored
The last entry in the mapping table is not necessarily the same as the end of the table. This patch loops through the table to find the last entry marker, on every new mmap addition. The memove operation then has to only move the memory between current entry and the last entry. For platforms that arrange their MMIO map properly, this opearation turns out to be a NOP. The previous implementation added significant overhead per mmap addition as the memmove operation always moved the difference between the current mmap entry and the end of the table. Tested on Tegra platforms and this new approach improves the memory mapping time by ~75%, thus significantly reducing boot time on some platforms. Change-Id: Ie3478fa5942379282ef58bee2085da799137e2ca Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 27 Mar, 2018 2 commits
-
-
Jonathan Wright authored
Initializes each element of the last_cpu_in_non_cpu_pd array in PSCI stat implementation to -1, the reset value. This satisfies MISRA rule 9.3. Previously, only the first element of the array was initialized to -1. Change-Id: I666c71e6c073710c67c6d24c07a219b1feb5b773 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
Joel Hutton authored
Void pointers have been used to access linker symbols, by declaring an extern pointer, then taking the address of it. This limits symbols values to aligned pointer values. To remove this restriction an IMPORT_SYM macro has been introduced, which declares it as a char pointer and casts it to the required type. Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0 Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
-
- 26 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensure (where possible) that switch statements in lib comply with MISRA rules 16.1 - 16.7. Change-Id: I52bc896fb7094d2b7569285686ee89f39f1ddd84 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 21 Mar, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the source code says 'SMCC' it is talking about the SMC Calling Convention. The correct acronym is SMCCC. This affects a few definitions and file names. Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S) but the old files have been kept for compatibility, they include the new ones with an ERROR_DEPRECATED guard. Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensures compliance with MISRA C-2012 Rule 22.7 Change-Id: Ifbe0926a24ba0dca18174e1aa87313a63bba50fb Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 14 Mar, 2018 2 commits
-
-
Dimitris Papastamos authored
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`, return either: * -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called requires firmware mitigation for CVE-2017-5715 but the mitigation is not compiled in. * 0 to indicate that firmware mitigation is required, or * 1 to indicate that no firmware mitigation is required. This patch complies with v1.2 of the firmware interfaces specification (ARM DEN 0070A). Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A72 and A73. Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 28 Feb, 2018 3 commits
-
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined Fixed for: make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined. Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers. Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 27 Feb, 2018 8 commits
-
-
David Cunado authored
MISRA C-2012 Rule 7.3 violation: lowercase l shall not be used as literal suffixes. This patch resolves this for the ULL() macro by using ULL suffix instead of the ull suffix. Change-Id: Ia8183c399e74677e676956e8653e82375d0e0a01 Signed-off-by: David Cunado <david.cunado@arm.com>
-
Antonio Nino Diaz authored
During the warm boot sequence: 1. The MMU is enabled with the data cache disabled. The MMU table walker is set up to access the translation tables as in cacheable memory, but its accesses are non-cacheable because SCTLR_EL3.C controls them as well. 2. The interconnect is set up and the CPU enters coherency with the rest of the system. 3. The data cache is enabled. If the support for dynamic translation tables is enabled and another CPU makes changes to a region, the changes may only be present in the data cache, not in RAM. The CPU that is booting isn't in coherency with the rest of the system, so the table walker of that CPU isn't either. This means that it may read old entries from RAM and it may have invalid TLB entries corresponding to the dynamic mappings. This is not a problem for the boot code because the mapping is 1:1 and the regions are static. However, the code that runs after the boot sequence may need to access the dynamically mapped regions. This patch invalidates all TLBs during warm boot when the dynamic translation tables support is enabled to prevent this problem. Change-Id: I80264802dc0aa1cb3edd77d0b66b91db6961af3d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Dimitris Papastamos authored
Change-Id: I61c9fdfda0c0b3c3ec6249519db23602cf4c2100 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
This patch also fixes the assumption that the counters are disabled on the resume path. This is incorrect as the AMU counters are enabled early in the CPU reset function before `cpuamu_context_restore()` runs. Change-Id: I38a94eb166a523f00de18e86860434ffccff2131 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
This patch also fixes `cpuamu_write_cpuamcntenclr_el0()` to use an MSR instruction instead of an MRS instruction. Change-Id: Ia6531f64b5ebc60ba432124eaa8d8eaccba40ed0 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Change-Id: I38470528111410cf12b187eb1397d87b812c9416 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
AArch32 uses odd-even pairs when passing 64-bit arguments to functions. For example in `amu_group0_cnt_write_internal()` the second argument is a uint64_t which is passed in r2 and r3. In `amu_group1_set_evtype_internal()` the value that needs to be written to the system register is in r1 not in r0. Change-Id: I20196268fdb1dc9ef6c4ebe61e761fba9623b3f2 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Before suspend the AMU counters should be enabled and after resume they should be disabled. Assert that to be consistent with the AArch64 implementation of `amu_context_{save,restore}()`. Change-Id: Ia46f77e4062b93afb93721a2890a9b9d2a7f300e Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-