1. 03 Oct, 2019 1 commit
  2. 02 Oct, 2019 2 commits
  3. 30 Sep, 2019 1 commit
  4. 26 Sep, 2019 4 commits
    • AArch32: Disable Secure Cycle Counter · c3e8b0be
      Alexei Fedorov authored
      
      
      This patch changes implementation for disabling Secure Cycle
      Counter. For ARMv8.5 the counter gets disabled by setting
      SDCR.SCCD bit on CPU cold/warm boot. For the earlier
      architectures PMCR register is saved/restored on secure
      world entry/exit from/to Non-secure state, and cycle counting
      gets disabled by setting PMCR.DP bit.
      In 'include\aarch32\arch.h' header file new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: Ia8845db2ebe8de940d66dff479225a5b879316f8
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
    • Migrate ARM platforms to use the new GICv3 API · 6806cd23
      Madhukar Pappireddy authored
      
      
      This patch invokes the new function gicv3_rdistif_probe() in the
      ARM platform specific gicv3 driver. Since this API modifies the
      shared GIC related data structure, it must be invoked coherently
      by using the platform specific pwr_domain_on_finish_late hook.
      
      Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8
      Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
    • Adding new optional PSCI hook pwr_domain_on_finish_late · 10107707
      Madhukar Pappireddy authored
      
      
      This PSCI hook is similar to pwr_domain_on_finish but is
      guaranteed to be invoked when the respective core and cluster are
      participating in coherency. This will be necessary to safely invoke
      the new GICv3 API which modifies shared GIC data structures concurrently.
      
      Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a
      Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
    • GICv3: Enable multi socket GIC redistributor frame discovery · ec834925
      Madhukar Pappireddy authored
      
      
      This patch provides declaration and definition of new GICv3 driver
      API: gicv3_rdistif_probe(). This function delegates the responsibility
      of discovering the corresponding Redistributor base frame to each CPU
      itself. It is a modified version of gicv3_rdistif_base_addrs_probe()
      and is executed by each CPU in the platform unlike the previous
      approach in which only the Primary CPU did the discovery of all the
      Redistributor frames for every CPU.
      
      The flush operations as part of gicv3_driver_init() function are
      made necessary even for platforms with WARMBOOT_ENABLE_DCACHE_EARLY
      because the GICv3 driver data structure contents are accessed by CPU
      with D-Cache turned off during power down operations.
      
      Change-Id: I1833e81d3974b32a3e4a3df4766a33d070982268
      Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
  5. 20 Sep, 2019 2 commits
  6. 18 Sep, 2019 1 commit
  7. 13 Sep, 2019 5 commits
    • Add fdt_add_reserved_memory() helper function · 3ef45dda
      Andre Przywara authored
      
      
      If a firmware component like TF-A reserves special memory regions for
      its own or secure payload services, it should announce the location and
      size of those regions to the non-secure world. This will avoid
      disappointment when some rich OS tries to access this memory, which
      will likely end in a crash.
      
      The traditional way of advertising reserved memory using device tree is
      using the special memreserve feature of the device tree blob (DTB).
      However, by definition those regions mentioned there do not prevent the
      rich OS from mapping this memory, which may lead to speculative accesses
      to this memory and hence spurious bus errors.
      
      A safer way of carving out memory is to use the /reserved-memory node as
      part of the normal DT structure. Besides being easier to set up, this
      also defines an explicit "no-map" property to signify the secure-only
      nature of certain memory regions, which avoids the rich OS
      accidentally stepping on it.
      
      Add a helper function to allow platform ports to easily add a region.
      
      Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • rpi3: Move rng driver to drivers · 990ab78e
      Andre Przywara authored
      
      
      To allow sharing the driver between the RPi3 and RPi4, move the random
      number generator driver into the generic driver directory.
      
      Change-Id: Iae94d7cb22c6bce3af9bff709d76d4caf87b14d1
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • qemu: Move and generalise FDT PSCI fixup · f240728b
      Andre Przywara authored
      
      
      The QEMU platform port scans its device tree to advertise PSCI as the
      CPU enable method. It does this by scanning *every* node in the DT and
      checking whether its compatible string starts with "arm,cortex-a". Then it
      sets the enable-method to PSCI, if it doesn't already have one.
      
      Other platforms might want to use this functionality as well, so let's
      move it out of the QEMU platform directory and make it more robust by
      fixing some shortcomings:
      - A compatible string starting with a certain prefix is not a good way
      to find the CPU nodes. For instance an "arm,cortex-a72-pmu" node will
      match as well and is in turn favoured with an enable-method.
      - If the DT already has an enable-method, we won't change this to PSCI.
      
      Those two issues will for instance fail on the Raspberry Pi 4 DT.
      To fix those problems, we adjust the scanning method:
      The DT spec says that all CPU nodes are subnodes of the mandatory
      /cpus node, which is a subnode of the root node. Also each CPU node has
      to have a device_type = "cpu" property. So we find the /cpus node, then
      scan for a subnode with the proper device_type, forcing the
      enable-method to "psci".
      We have to restart this search after a property has been patched, as the
      node offsets might have changed meanwhile.
      
      This allows this routine to be reused for the Raspberry Pi 4 later.
      
      Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • rpi3: Move VC mailbox driver into generic drivers directory · c0031189
      Andre Przywara authored
      
      
      To allow sharing the driver between the RPi3 and RPi4, move the mailbox
      driver into the generic driver directory.
      
      Change-Id: I463e49acf82b02bf004f3d56482b7791f3020bc0
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys.
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        `pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr spsel` instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  8. 12 Sep, 2019 2 commits
  9. 11 Sep, 2019 2 commits
    • Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
    • libc: fix sparse warning for __assert() · f906a44e
      Masahiro Yamada authored
      
      
      Sparse warns this:
      
      lib/libc/assert.c:29:6: error: symbol '__assert' redeclared with different type (originally declared at include/lib/libc/assert.h:36) - different modifiers
      
      Add __dead2 to match the header declaration and C definition.
      
      I also changed '__dead2 void' to 'void __dead2' for consistency
      with other parts.
      
      Change-Id: Iefa4f0e787c24fa7e7e499d2e7baf54d4deb49ef
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
  10. 10 Sep, 2019 2 commits
  11. 09 Sep, 2019 1 commit
    • Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      it at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
  12. 05 Sep, 2019 2 commits
  13. 04 Sep, 2019 1 commit
    • mbedtls: use #include <...> instead of "..." · 948a0c0d
      Masahiro Yamada authored
      
      
      The #include "mbedtls/check_config.h" directive first searches for
      the header in the relative path to mbedtls_config.h, i.e.
      include/drivers/auth/mbedtls/mbedtls/check_config.h
      
      Obviously, it does not exist since check_config.h is located in
      the mbedtls project.
      
      It is more sensible to use #include <...> form.
      
      Change-Id: If72a71381f84e7748a2c9f07dd1176559d9bb1d2
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
  14. 02 Sep, 2019 2 commits
  15. 21 Aug, 2019 1 commit
    • AArch64: Disable Secure Cycle Counter · e290a8fc
      Alexei Fedorov authored
      
      
      This patch fixes an issue when secure world timing information
      can be leaked because Secure Cycle Counter is not disabled.
      For ARMv8.5 the counter gets disabled by setting MDCR_EL3.SCCD
      bit on CPU cold/warm boot.
      For the earlier architectures PMCR_EL0 register is saved/restored
      on secure world entry/exit from/to Non-secure state, and cycle
      counting gets disabled by setting PMCR_EL0.DP bit.
      'include\aarch64\arch.h' header file was tidied up and new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  16. 19 Aug, 2019 1 commit
  17. 16 Aug, 2019 1 commit
    • FVP_Base_AEMv8A platform: Fix cache maintenance operations · ef430ff4
      Alexei Fedorov authored
      
      
      This patch fixes FVP_Base_AEMv8A model hang issue with
      ARMv8.4+ with cache modelling enabled configuration.
      Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
      LoUIS field, which is required by the architecture to be
      zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
      with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
      FVP_Base_AEMv8A model can be configured with L3 enabled by
      setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
      to non-zero values, and presence of L3 is checked in
      `aem_generic_core_pwr_dwn` function by reading
      CLIDR_EL1.Ctype3 field value.
      
      Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  18. 15 Aug, 2019 1 commit
  19. 01 Aug, 2019 2 commits
    • Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: Julius Werner <jwerner@chromium.org>
    • Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define its own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: Julius Werner <jwerner@chromium.org>
  20. 31 Jul, 2019 1 commit
  21. 25 Jul, 2019 2 commits
    • cryptocell: add product version awareness support · 76f3c7dc
      Gilad Ben-Yossef authored
      
      
      Add support for multiple Cryptocell revisions which
      use different APIs.
      
      This commit only refactors the existing code in preparation for the addition
      of other Cryptocell revisions later on.
      Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com>
      Change-Id: I16d80b31afb6edd56dc645fee5ea619cc74f09b6
    • cryptocell: move Cryptocell specific API into driver · 36ec2bb0
      Gilad Ben-Yossef authored
      
      
      Code using Cryptocell specific APIs was used as part of the
      arm common board ROT support, instead of being abstracted
      in Cryptocell specific driver code, creating two problems:
      - Any non-arm board that uses Cryptocell would need to
        copy and paste the same code.
      - Inability to cleanly support multiple versions of Cryptocell
        API and products.
      
      Move over Cryptocell specific API calls into the Cryptocell
      driver, creating abstraction API where needed.
      Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com>
      Change-Id: I9e03ddce90fcc47cfdc747098bece86dbd11c58e
  22. 24 Jul, 2019 3 commits
    • SSBS: init SPSR register with default SSBS value · c250cc3b
      John Tsichritzis authored
      
      
      This patch introduces an additional precautionary step to further
      enhance protection against variant 4. During the context initialisation
      before we enter the various BL stages, the SPSR.SSBS bit is explicitly
      set to zero. As such, speculative loads/stores are by default disabled
      for all BL stages when they start executing. Subsequently, each BL
      stage can choose to enable speculative loads/stores or keep them
      disabled.
      
      This change doesn't affect the initial execution context of BL33 which
      is totally platform dependent and, thus, it is intentionally left up to
      each platform to initialise.
      
      For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
      that, for Arm platforms, all BL stages start with speculative
      loads/stores disabled.
      
      Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
      Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
    • Add helper to parse BL31 parameters (both versions) · d9af1f7b
      Julius Werner authored
      BL31 used to take a single bl31_params_t parameter structure with entry
      point information in arg0. In commit 72600226 (Add new version of image
      loading.) this API was changed to a more flexible linked list approach,
      and the old parameter structure was copied into all platforms that still
      used the old format. This duplicated code unnecessarily among all these
      platforms.
      
      This patch adds a helper function that platforms can optionally link to
      outsource the task of interpreting arg0. Many platforms are just
      interested in the BL32 and BL33 entry point information anyway. Since
      some platforms still need to support the old version 1 parameters, the
      helper will support both formats when ERROR_DEPRECATED == 0. This allows
      those platforms to drop a bunch of boilerplate code and asynchronously
      update their BL2 implementation to the newer format.
      
      Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
      Signed-off-by: Julius Werner <jwerner@chromium.org>
    • Factor out cross-BL API into export headers suitable for 3rd party code · 57bf6057
      Julius Werner authored
      
      
      This patch adds a new include/export/ directory meant for inclusion in
      third-party code. This is useful for cases where third-party code needs
      to interact with TF-A interfaces and data structures (such as a custom
      BL2-implementation like coreboot handing off to BL31). Directly
      including headers from the TF-A repository avoids having to duplicate
      all these definitions (and risk them going stale), but with the current
      header structure this is not possible because handoff API definitions
      are too deeply intertwined with other TF code/headers and chain-include
      other headers that will not be available in the other environment.
      
      The new approach aims to solve this by separating only the parts that
      are really needed into these special headers that are self-contained and
      will not chain-include other (non-export) headers. TF-A code should
      never include them directly but should instead always include the
      respective wrapper header, which will include the required prerequisites
      (like <stdint.h>) before including the export header. Third-party code
      can include the export headers via its own wrappers that make sure the
      necessary definitions are available in whatever way that environment can
      provide them.
      
      Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab
      Signed-off-by: Julius Werner <jwerner@chromium.org>