- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Introduce zeromem_dczva function on AArch64 that can handle unaligned addresses and make use of DC ZVA instruction to zero a whole block at a time. This zeroing takes place directly in the cache to speed it up without doing external memory access. Remove the zeromem16 function on AArch64 and replace it with an alias to zeromem. This zeromem16 function is now deprecated. Remove the 16-bytes alignment constraint on __BSS_START__ in firmware-design.md as it is now not mandatory anymore (it used to comply with zeromem16 requirements). Change the 16-bytes alignment constraints in SP min's linker script to a 8-bytes alignment constraint as the AArch32 zeromem implementation is now more efficient on 8-bytes aligned addresses. Introduce zero_normalmem and zeromem helpers in platform agnostic header that are implemented this way: * AArch32: * zero_normalmem: zero using usual data access * zeromem: alias for zero_normalmem * AArch64: * zero_normalmem: zero normal memory using DC ZVA instruction (needs MMU enabled) * zeromem: zero using usual data access Usage guidelines: in most cases, zero_normalmem should be preferred. There are 2 scenarios where zeromem (or memset) must be used instead: * Code that must run with MMU disabled (which means all memory is considered device memory for data accesses). * Code that fills device memory with null bytes. Optionally, the following rule can be applied if performance is important: * Code zeroing small areas (few bytes) that are not secrets should use memset to take advantage of compiler optimizations. Note: Code zeroing security-related critical information should use zero_normalmem/zeromem instead of memset to avoid removal by compilers' optimizations in some cases or misbehaving versions of GCC. Fixes ARM-software/tf-issues#408 Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 30 Jan, 2017 1 commit
-
-
Jeenu Viswambharan authored
The errata reporting policy is as follows: - If an errata workaround is enabled: - If it applies (i.e. the CPU is affected by the errata), an INFO message is printed, confirming that the errata workaround has been applied. - If it does not apply, a VERBOSE message is printed, confirming that the errata workaround has been skipped. - If an errata workaround is not enabled, but would have applied had it been, a WARN message is printed, alerting that errata workaround is missing. The CPU errata messages are printed by both BL1 (primary CPU only) and runtime firmware on debug builds, once for each CPU/errata combination. Relevant output from Juno r1 console when ARM Trusted Firmware is built with PLAT=juno LOG_LEVEL=50 DEBUG=1: VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied INFO: BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied WARNING: BL1: cortex_a57: errata workaround for 826974 was missing! WARNING: BL1: cortex_a57: errata workaround for 826977 was missing! WARNING: BL1: cortex_a57: errata workaround for 828024 was missing! WARNING: BL1: cortex_a57: errata workaround for 829520 was missing! WARNING: BL1: cortex_a57: errata workaround for 833471 was missing! ... VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied INFO: BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied WARNING: BL31: cortex_a57: errata workaround for 826974 was missing! WARNING: BL31: cortex_a57: errata workaround for 826977 was missing! WARNING: BL31: cortex_a57: errata workaround for 828024 was missing! WARNING: BL31: cortex_a57: errata workaround for 829520 was missing! WARNING: BL31: cortex_a57: errata workaround for 833471 was missing! ... VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied INFO: BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied Also update documentation. Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 24 Jan, 2017 2 commits
-
-
Antonio Nino Diaz authored
Some side-channel attacks involve an attacker inferring something from the time taken for a memory compare operation to complete, for example when comparing hashes during image authentication. To mitigate this, timingsafe_bcmp() must be used for such operations instead of the standard memcmp(). This function executes in constant time and so doesn't leak any timing information to the caller. Change-Id: I470a723dc3626a0ee6d5e3f7fd48d0a57b8aa5fd Signed-off-by: dp-arm <dimitris.papastamos@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Sandrine Bailleux authored
This code has been imported and slightly adapted from FreeBSD: https://github.com/freebsd/freebsd/blob/6253393ad8df55730481bf2aafd76bdd6182e2f5/lib/libc/string/strnlen.c Change-Id: Ie5ef5f92e6e904adb88f8628077fdf1d27470eb3 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 23 Jan, 2017 1 commit
-
-
Masahiro Yamada authored
One nasty part of ATF is some of boolean macros are always defined as 1 or 0, and the rest of them are only defined under certain conditions. For the former group, "#if FOO" or "#if !FOO" must be used because "#ifdef FOO" is always true. (Options passed by $(call add_define,) are the cases.) For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because checking the value of an undefined macro is strange. Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like follows: $(eval IMAGE := IMAGE_BL$(call uppercase,$(3))) $(OBJ): $(2) @echo " CC $$<" $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@ This means, IMAGE_BL* is defined when building the corresponding image, but *undefined* for the other images. So, IMAGE_BL* belongs to the latter group where we should use #ifdef or #ifndef. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 17 Jan, 2017 1 commit
-
-
David Cunado authored
NOTE - this is patch does not address all occurrences of system includes not being in alphabetical order, just this one case. Change-Id: I3cd23702d69b1f60a4a9dd7fd4ae27418f15b7a3
-
- 16 Jan, 2017 3 commits
-
-
Antonio Nino Diaz authored
Delete old version of libfdt at lib/libfdt. Move new libfdt API headers to include/lib/libfdt and all other files to lib/libfdt. Change-Id: I32b7888f1f20d62205310e363accbef169ad7b1b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
* Add libfdt.mk helper makefile * Remove unused libfdt files * Minor changes to fdt.h and libfdt.h to make them C99 compliant Adapted from 754d78b1 . Change-Id: I0847f1c2e6e11f0c899b0b7ecc522c0ad7de210c Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Import libfdt code from https://git.kernel.org/cgit/utils/dtc/dtc.git tag "v1.4.2" commit ec02b34c05be04f249ffaaca4b666f5246877dea. This version includes commit d0b3ab0a0f46ac929b4713da46f7fdcd893dd3bd, which fixes a buffer overflow in fdt_offset_ptr(). Change-Id: I05a30511ea68417ee7ff26477da3f99e0bd4e06b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
Various CPU drivers in ARM Trusted Firmware register functions to handle power-down operations. At present, separate functions are registered to power down individual cores and clusters. This scheme operates on the basis of core and cluster, and doesn't cater for extending the hierarchy for power-down operations. For example, future CPUs might support multiple threads which might need powering down individually. This patch therefore reworks the CPU operations framework to allow for registering power down handlers on specific level basis. Henceforth: - Generic code invokes CPU power down operations by the level required. - CPU drivers explicitly mention CPU_NO_RESET_FUNC when the CPU has no reset function. - CPU drivers register power down handlers as a list: a mandatory handler for level 0, and optional handlers for higher levels. All existing CPU drivers are adapted to the new CPU operations framework without needing any functional changes within. Also update firmware design guide. Change-Id: I1826842d37a9e60a9e85fdcee7b4b8f6bc1ad043 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 14 Dec, 2016 2 commits
-
-
Douglas Raillard authored
Unsigned conditions should be used instead of signed ones when comparing addresses or sizes in assembly. Signed-off-by: Douglas Raillard <douglas.raillard@arm.com> Change-Id: Id3bd9ccaf58c37037761af35ac600907c4bb0580
-
dp-arm authored
Testing showed that the time spent in a cluster power down operation is dominated by cache flushes. Add two more timestamps in runtime instrumentation to keep track of the time spent flushing the L1/L2 caches. Change-Id: I4c5a04e7663543225a85d3c6b271d7b706deffc4 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 13 Dec, 2016 4 commits
-
-
Antonio Nino Diaz authored
In AArch64, depending on the granularity of the translation tables, level 0 and/or level 1 of the translation tables may not support block descriptors, only table descriptors. This patch introduces a check to make sure that, even if theoretically it could be possible to create a block descriptor to map a big memory region, a new subtable will be created to describe its mapping. Change-Id: Ieb9c302206bfa33fbaf0cdc6a5a82516d32ae2a7 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Added the definitions `PLAT_PHY_ADDR_SPACE_SIZE` and `PLAT_VIRT_ADDR_SPACE_SIZE` which specify respectively the physical and virtual address space size a platform can use. `ADDR_SPACE_SIZE` is now deprecated. To maintain compatibility, if any of the previous defines aren't present, the value of `ADDR_SPACE_SIZE` will be used instead. For AArch64, register ID_AA64MMFR0_EL1 is checked to calculate the max PA supported by the hardware and to verify that the previously mentioned definition is valid. For AArch32, a 40 bit physical address space is considered. Added asserts to check for overflows. Porting guide updated. Change-Id: Ie8ce1da5967993f0c94dbd4eb9841fc03d5ef8d6 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Each translation table level entry can only map a given virtual address onto physical addresses of the same granularity. For example, with the current configuration, a level 2 entry maps blocks of 2 MB, so the physical address must be aligned to 2 MB. If the address is not aligned, the MMU will just ignore the lower bits. This patch adds an assertion to make sure that physical addresses are always aligned to the correct boundary. Change-Id: I0ab43df71829d45cdbe323301b3053e08ca99c2c Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
dp-arm authored
There is no guarantee on the signedness of char. It can be either signed or unsigned. On ARM it is unsigned and hence this memcmp() implementation works as intended. On other machines, char can be signed (x86 for example). In that case (and assuming a 2's complement implementation), interpreting a bit-pattern of 0xFF as signed char can yield -1. If *s1 is 0 and *s2 is 255 then the difference *s1 - *s2 should be negative. The C integer promotion rules guarantee that the unsigned chars will be converted to int before the operation takes place. The current implementation will return a positive value (0 - (-1)) instead, which is wrong. Fix it by changing the signedness to unsigned to avoid surprises for anyone using this code on non-ARM systems. Change-Id: Ie222fcaa7c0c4272d7a521a6f2f51995fd5130cc Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 12 Dec, 2016 1 commit
-
-
Soby Mathew authored
The AArch32 Procedure call Standard mandates that the stack must be aligned to 8 byte boundary at external interfaces. This patch does the required changes. This problem was detected when a crash was encountered in `psci_print_power_domain_map()` while printing 64 bit values. Aligning the stack to 8 byte boundary resolved the problem. Fixes ARM-Software/tf-issues#437 Change-Id: I517bd8203601bb88e9311bd36d477fb7b3efb292 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 05 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
There are many instances in ARM Trusted Firmware where control is transferred to functions from which return isn't expected. Such jumps are made using 'bl' instruction to provide the callee with the location from which it was jumped to. Additionally, debuggers infer the caller by examining where 'lr' register points to. If a 'bl' of the nature described above falls at the end of an assembly function, 'lr' will be left pointing to a location outside of the function range. This misleads the debugger back trace. This patch defines a 'no_ret' macro to be used when jumping to functions from which return isn't expected. The macro ensures to use 'bl' instruction for the jump, and also, for debug builds, places a 'nop' instruction immediately thereafter (unless instructed otherwise) so as to leave 'lr' pointing within the function range. Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0 Co-authored-by: Douglas Raillard <douglas.raillard@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 01 Dec, 2016 1 commit
-
-
David Cunado authored
This patch resets EL2 and EL3 registers that have architecturally UNKNOWN values on reset and that also provide EL2/EL3 configuration and trap controls. Specifically, the EL2 physical timer is disabled to prevent timer interrups into EL2 - CNTHP_CTL_EL2 and CNTHP_CTL for AArch64 and AArch32, respectively. Additionally, for AArch64, HSTR_EL2 is reset to avoid unexpected traps of non-secure access to certain system registers at EL1 or lower. For AArch32, the patch also reverts the reset to SDCR which was incorrectly added in a previous change. Change-Id: If00eaa23afa7dd36a922265194ccd6223187414f Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 21 Nov, 2016 1 commit
-
-
Soby Mathew authored
This patch fixes an issue in the normal memory bakery lock implementation. During assertion of lock status, there is a possibility that the assertion could fail. This is because the previous update done to the lock status by the owning CPU when not participating in cache coherency could result in stale data in the cache due to cache maintenance operations not propagating to all the caches. This patch fixes this issue by doing an extra read cache maintenance operation prior to the assertion. Fixes ARM-software/tf-issues#402 Change-Id: I0f38a7c52476a4f58e17ebe0141d256d198be88d Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 09 Nov, 2016 1 commit
-
-
David Cunado authored
In order to avoid unexpected traps into EL3/MON mode, this patch resets the debug registers, MDCR_EL3 and MDCR_EL2 for AArch64, and SDCR and HDCR for AArch32. MDCR_EL3/SDCR is zero'ed when EL3/MON mode is entered, at the start of BL1 and BL31/SMP_MIN. For MDCR_EL2/HDCR, this patch zero's the bits that are architecturally UNKNOWN values on reset. This is done when exiting from EL3/MON mode but only on platforms that support EL2/HYP mode but choose to exit to EL1/SVC mode. Fixes ARM-software/tf-issues#430 Change-Id: Idb992232163c072faa08892251b5626ae4c3a5b6 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 14 Oct, 2016 1 commit
-
-
Soby Mathew authored
The values of CP15BEN, nTWI & nTWE bits in SCTLR_EL1 are architecturally unknown if EL3 is AARCH64 whereas they reset to 1 if EL3 is AArch32. This might be a compatibility break for legacy AArch32 normal world software if these bits are not set to 1 when EL3 is AArch64. This patch enables the CP15BEN, nTWI and nTWE bits in the SCTLR_EL1 if the lower non-secure EL is AArch32. This unifies the SCTLR settings for lower non-secure EL in AArch32 mode for both AArch64 and AArch32 builds of Trusted Firmware. Fixes ARM-software/tf-issues#428 Change-Id: I3152d1580e4869c0ea745c5bd9da765f9c254947 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 12 Oct, 2016 1 commit
-
-
dp-arm authored
In order to quantify the overall time spent in the PSCI software implementation, an initial collection of PMF instrumentation points has been added. Instrumentation has been added to the following code paths: - Entry to PSCI SMC handler. The timestamp is captured as early as possible during the runtime exception and stored in memory before entering the PSCI SMC handler. - Exit from PSCI SMC handler. The timestamp is captured after normal return from the PSCI SMC handler or if a low power state was requested it is captured in the bl31 warm boot path before return to normal world. - Entry to low power state. The timestamp is captured before entry to a low power state which implies either standby or power down. As these power states are mutually exclusive, only one timestamp is defined to describe both. It is possible to differentiate between the two power states using the PSCI STAT interface. - Exit from low power state. The timestamp is captured after a standby or power up operation has completed. To calculate the number of cycles spent running code in Trusted Firmware one can perform the following calculation: (exit_psci - enter_psci) - (exit_low_pwr - enter_low_pwr). The resulting number of cycles can be converted to time given the frequency of the counter. Change-Id: Ie3b8f3d16409b6703747093b3a2d5c7429ad0166 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 28 Sep, 2016 1 commit
-
-
Yatharth Kochar authored
At present the `el3_entrypoint_common` macro uses `memcpy` function defined in lib/stdlib/mem.c file, to copy data from ROM to RAM for BL1. Depending on the compiler being used the stack could potentially be used, in `memcpy`, for storing the local variables. Since the stack is initialized much later in `el3_entrypoint_common` it may result in unknown behaviour. This patch adds `memcpy4` function definition in assembly so that it can be used before the stack is initialized and it also replaces `memcpy` by `memcpy4` in `el3_entrypoint_common` macro, to copy data from ROM to RAM for BL1. Change-Id: I3357a0e8095f05f71bbbf0b185585d9499bfd5e0
-
- 22 Sep, 2016 1 commit
-
-
Soby Mathew authored
This patch introduces a `psci_lib_args_t` structure which must be passed into `psci_setup()` which is then used to initialize the PSCI library. The `psci_lib_args_t` is a versioned structure so as to enable compatibility checks during library initialization. Both BL31 and SP_MIN are modified to use the new structure. SP_MIN is also modified to add version string and build message as part of its cold boot log just like the other BLs in Trusted Firmware. NOTE: Please be aware that this patch modifies the prototype of `psci_setup()`, which breaks compatibility with EL3 Runtime Firmware (excluding BL31 and SP_MIN) integrated with the PSCI Library. Change-Id: Ic3761db0b790760a7ad664d8a437c72ea5edbcd6
-
- 21 Sep, 2016 2 commits
-
-
Yatharth Kochar authored
This patch adds ARM Cortex-A32 MPCore Processor support in the CPU specific operations framework. It also includes this support for the Base FVP port. Change-Id: If3697b88678df737c29f79cf3fa1ea2cb6fa565d
-
Yatharth Kochar authored
This patch adds common changes to support AArch32 state in BL1 and BL2. Following are the changes: * Added functions for disabling MMU from Secure state. * Added AArch32 specific SMC function. * Added semihosting support. * Added reporting of unhandled exceptions. * Added uniprocessor stack support. * Added `el3_entrypoint_common` macro that can be shared by BL1 and BL32 (SP_MIN) BL stages. The `el3_entrypoint_common` is similar to the AArch64 counterpart with the main difference in the assembly instructions and the registers that are relevant to AArch32 execution state. * Enabled `LOAD_IMAGE_V2` flag in Makefile for `ARCH=aarch32` and added check to make sure that platform has not overridden to disable it. Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
-
- 15 Sep, 2016 1 commit
-
-
Jeenu Viswambharan authored
This patch adds support for NODE_HW_STATE PSCI API by introducing a new PSCI platform hook (get_node_hw_state). The implementation validates supplied arguments, and then invokes this platform-defined hook and returns its result to the caller. PSCI capabilities are updated accordingly. Also updates porting and firmware design guides. Change-Id: I808e55bdf0c157002a7c104b875779fe50a68a30
-
- 09 Sep, 2016 1 commit
-
-
Soby Mathew authored
The `psci_plat_pm_ops` global pointer is initialized during cold boot by the primary CPU and will be accessed by the secondary CPUs before enabling data cache during warm boot. This patch adds a missing data cache flush of `psci_plat_psci_ops` after initialization during psci_setup() so that secondaries can see the updated `psci_plat_psci_ops` pointer. Fixes ARM-software/tf-issues#424 Change-Id: Id4554800b5646302b944115a33be69507d53cedb
-
- 31 Aug, 2016 1 commit
-
-
Soby Mathew authored
This patch fixes a bug in context management library when writing SCTLR register during context initialization. The write happened prior to initialization of the register context pointer. This resulted in the compiler optimizing the write sequence from the final binary and hence SCTLR remains uninitialized when entering normal world. The bug is fixed by doing the initialization of the register context pointer earlier in the sequence. Change-Id: Ic7465593a74534046b79f40446ffa1165c52ed76
-
- 23 Aug, 2016 1 commit
-
-
Antonio Nino Diaz authored
Instead of hardcoding a level 1 table as the base translation level table, let the code decide which level is the most appropriate given the virtual address space size. As the table granularity is 4 KB, this allows the code to select level 0, 1 or 2 as base level for AArch64. This way, instead of limiting the virtual address space width to 39-31 bits, widths of 48-25 bit can be used. For AArch32, this change allows the code to select level 1 or 2 as the base translation level table and use virtual address space width of 32-25 bits. Also removed some unused definitions related to translation tables. Fixes ARM-software/tf-issues#362 Change-Id: Ie3bb5d6d1a4730a26700b09827c79f37ca3cdb65
-
- 10 Aug, 2016 4 commits
-
-
Soby Mathew authored
This patch adds AArch32 support to PSCI library, as follows : * The `psci_helpers.S` is implemented for AArch32. * AArch32 version of internal helper function `psci_get_ns_ep_info()` is defined. * The PSCI Library is responsible for the Non Secure context initialization. Hence a library interface `psci_prepare_next_non_secure_ctx()` is introduced to enable EL3 runtime firmware to initialize the non secure context without invoking context management library APIs. Change-Id: I25595b0cc2dbfdf39dbf7c589b875cba33317b9d
-
Soby Mathew authored
This patch adds AArch32 support to cpu ops, context management, per-cpu data and spinlock libraries. The `entrypoint_info` structure is modified to add support for AArch32 register arguments. The CPU operations for AEM generic cpu in AArch32 mode is also added. Change-Id: I1e52e79f498661d8f31f1e7b3a29e222bc7a4483
-
Soby Mathew authored
This patch adds translation library supports for AArch32 platforms. The library only supports long descriptor formats for AArch32. The `enable_mmu_secure()` enables the MMU for secure world with `TTBR0` pointing to the populated translation tables. Change-Id: I061345b1779391d098e35e7fe0c76e3ebf850e08
-
Soby Mathew authored
This patch adds various assembly helpers for AArch32 like : * cache management : Functions to flush, invalidate and clean cache by MVA. Also helpers to do cache operations by set-way are also added. * stack management: Macros to declare stack and get the current stack corresponding to current CPU. * Misc: Macros to access co processor registers in AArch32, macros to define functions in assembly, assert macros, generic `do_panic()` implementation and function to zero block of memory. Change-Id: I7b78ca3f922c0eda39beb9786b7150e9193425be
-
- 09 Aug, 2016 2 commits
-
-
Soby Mathew authored
This patch moves the assembly exclusive lock library code `spinlock.S` into architecture specific folder `aarch64`. A stub file which includes the file from new location is retained at the original location for compatibility. The BL makefiles are also modified to include the file from the new location. Change-Id: Ide0b601b79c439e390c3a017d93220a66be73543
-
Soby Mathew authored
This patch fixes the translation table library for wraparound cases. These cases are not expected to occur on AArch64 platforms because only the 48 bits of the 64 bit address space are used. But it is a possibility for AArch32 platforms. Change-Id: Ie7735f7ba2977019381e1c124800381471381499
-
- 25 Jul, 2016 2 commits
-
-
Achin Gupta authored
A PSCI CPU_SUSPEND request to place a CPU in retention states at power levels higher than the CPU power level is subject to the same state coordination as a power down state. A CPU could implement multiple retention states at a particular power level. When exiting WFI, the non-CPU power levels may be in a different retention state to what was initially requested, therefore each CPU should refresh its view of the states of all power levels. Previously, a CPU re-used the state of the power levels when it entered the retention state. This patch fixes this issue by ensuring that a CPU upon exit from retention reads the state of each power level afresh. Change-Id: I93b5f5065c63400c6fd2598dbaafac385748f989
-
Sandrine Bailleux authored
This patch adds a runtime check that psci_find_target_suspend_lvl() returns a valid value back to psci_cpu_suspend() and psci_get_stat(). If it is invalid, BL31 will now panic. Note that on the PSCI CPU suspend path there is already a debug assertion checking the validity of the target composite power state, which effectively also checks the validity of the target suspend level. Therefore, the error condition would already be caught in debug builds, but in a release build this assertion would be compiled out. On the PSCI stat path, there is currently no debug assertion checking the validity of the power state before using it as an index into the power domain state array. Although BL31 platforms ports are responsible for validating the power state parameter, the security impact (i.e. an out-of-bounds array access) of a potential platform port bug in this code would be quite high, given that this parameter comes from an untrusted source. The cost of checking this in runtime generic code is low. Change-Id: Icea85b8020e39928ac03ec0cd49805b5857b3906
-
- 19 Jul, 2016 1 commit
-
-
Soby Mathew authored
This patch introduces the PSCI Library interface. The major changes introduced are as follows: * Earlier BL31 was responsible for Architectural initialization during cold boot via bl31_arch_setup() whereas PSCI was responsible for the same during warm boot. This functionality is now consolidated by the PSCI library and it does Architectural initialization via psci_arch_setup() during both cold and warm boots. * Earlier the warm boot entry point was always `psci_entrypoint()`. This was not flexible enough as a library interface. Now PSCI expects the runtime firmware to provide the entry point via `psci_setup()`. A new function `bl31_warm_entrypoint` is introduced in BL31 and the previous `psci_entrypoint()` is deprecated. * The `smc_helpers.h` is reorganized to separate the SMC Calling Convention defines from the Trusted Firmware SMC helpers. The former is now in a new header file `smcc.h` and the SMC helpers are moved to Architecture specific header. * The CPU context is used by PSCI for context initialization and restoration after power down (PSCI Context). It is also used by BL31 for SMC handling and context management during Normal-Secure world switch (SMC Context). The `psci_smc_handler()` interface is redefined to not use SMC helper macros thus enabling to decouple the PSCI context from EL3 runtime firmware SMC context. This enables PSCI to be integrated with other runtime firmware using a different SMC context. NOTE: With this patch the architectural setup done in `bl31_arch_setup()` is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be invoked prior to architectural setup. It is highly unlikely that the platform setup will depend on architectural setup and cause any failure. Please be be aware of this change in sequence. Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
-