1. 11 Jan, 2018 3 commits
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored
      
      
      If the CSV2 field reads as 1 then branch targets trained in one
      context cannot affect speculative execution in a different context.
      In that case skip the workaround on Cortex A75.
      
      Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
      temporarily dropping into AArch32 Secure-EL1 and executing the
      `BPIALL` instruction.
      
      This is achieved by using 3 vector tables.  There is the runtime
      vector table which is used to handle exceptions and 2 additional
      tables which are required to implement this workaround.  The
      additional tables are `vbar0` and `vbar1`.
      
      The sequence of events for handling a single exception is
      as follows:
      
      1) Install vector table `vbar0` which saves the CPU context on entry
         to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
         with the MMU disabled and I$ enabled.  This is the default vector table.
      
      2) Before doing an ERET into Secure-EL1, switch vbar to point to
         another vector table `vbar1`.  This is required to restore EL3 state
         when returning from the workaround, before proceeding with normal EL3
         exception handling.
      
      3) While in Secure-EL1, the `BPIALL` instruction is executed and an
         SMC call back to EL3 is performed.
      
      4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
         restored.  The vbar is switched to point to `vbar0` in preparation to
         handle further exceptions.  Finally a branch to the runtime vector
         table entry is taken to complete the handling of the original
         exception.
      
      This workaround is enabled by default on the affected CPUs.
      
      NOTE
      ====
      
      There are 4 different stubs in Secure-EL1.  Each stub corresponds to
      an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
      different value in `R0` before doing an SMC call back into EL3.
      Without this piece of information it would not be possible to know
      what the original exception type was as we cannot use `ESR_EL3` to
      distinguish between IRQs and FIQs.
      
      Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  2. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  3. 29 Nov, 2017 3 commits
  4. 23 Nov, 2017 1 commit
    • Matt Ma's avatar
      Replace macro ASM_ASSERTION with macro ENABLE_ASSERTIONS · 5f70d8de
      Matt Ma authored
      
      
      This patch replaces the macro ASM_ASSERTION with the macro
      ENABLE_ASSERTIONS in ARM Cortex-A53/57/72 MPCore Processor
      related files. There is build error when ASM_ASSERTION is set
      to 1 and ENABLE_ASSERTIONS is set to 0 because function
      asm_assert in common/aarch32/debug.S is defined in the macro
      ENABLE_ASSERTIONS but is called with the macro ASM_ASSERTION.
      
      There is also the indication to use ENABLE_ASSERTIONS but not
      ASM_ASSERTION in the Makefile.
      Signed-off-by: default avatarMatt Ma <matt.ma@spreadtrum.com>
      5f70d8de
  5. 20 Nov, 2017 3 commits
  6. 17 Nov, 2017 1 commit
  7. 15 Nov, 2017 1 commit
    • David Cunado's avatar
      Move FPEXC32_EL2 to FP Context · 91089f36
      David Cunado authored
      
      
      The FPEXC32_EL2 register controls SIMD and FP functionality when the
      lower ELs are executing in AArch32 mode. It is architecturally mapped
      to AArch32 system register FPEXC.
      
      This patch removes FPEXC32_EL2 register from the System Register context
      and adds it to the floating-point context. EL3 only saves / restores the
      floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1.
      
      The rationale for this change is that if the Secure world is using FP
      functionality and EL3 is not managing the FP context, then the Secure
      world will save / restore the appropriate FP registers.
      
      NOTE - this is a break in behaviour in the unlikely case that
      CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32
      Secure Payload that modifies FPEXC, but does not save and restore
      this register
      
      Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      91089f36
  8. 08 Nov, 2017 11 commits
  9. 03 Nov, 2017 1 commit
    • Soby Mathew's avatar
      Fix PSCI STAT time stamp collection · bfc87a8d
      Soby Mathew authored
      
      
      This patch includes various fixes for PSCI STAT functionality
      relating to timestamp collection:
      
      1. The PSCI stat accounting for retention states for higher level
      power domains were done outside the locks which could lead to
      spurious values in some race conditions. This is moved inside
      the locks. Also, the call to start the stat accounting was redundant
      which is now removed.
      
      2. The timestamp wrap-around case when calculating residency did
      not cater for AArch32. This is now fixed.
      
      3. In the warm boot path, `plat_psci_stat_accounting_stop()` was
      getting invoked prior to population of target power states. This
      is now corrected.
      
      Change-Id: I851526455304fb74ff0a724f4d5318cd89e19589
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      bfc87a8d
  10. 31 Oct, 2017 1 commit
  11. 23 Oct, 2017 1 commit
  12. 17 Oct, 2017 3 commits
  13. 13 Oct, 2017 3 commits
    • Roberto Vargas's avatar
      mem_protect: Fix PSCI FEATURES API for MEM_PROTECT_CHECK · 4ce9b8ea
      Roberto Vargas authored
      
      
      With this patch the PSCI_FEATURES API correctly reports availability
      of the PSCI_MEM_PROTECT_CHECK API - PSCI_MEM_CHK_RANGE_AARCH64 is
      added to the PSCI capabilities mask, PSCI_CAP_64BIT_MASK
      
      Change-Id: Ic90ee804deaadf0f948dc2d46ac5fe4121ef77ae
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      4ce9b8ea
    • David Cunado's avatar
      Init and save / restore of PMCR_EL0 / PMCR · 3e61b2b5
      David Cunado authored
      
      
      Currently TF does not initialise the PMCR_EL0 register in
      the secure context or save/restore the register.
      
      In particular, the DP field may not be set to one to prohibit
      cycle counting in the secure state, even though event counting
      generally is prohibited via the default setting of MDCR_EL3.SMPE
      to 0.
      
      This patch initialises PMCR_EL0.DP to one in the secure state
      to prohibit cycle counting and also initialises other fields
      that have an architectually UNKNOWN reset value.
      
      Additionally, PMCR_EL0 is added to the list of registers that are
      saved and restored during a world switch.
      
      Similar changes are made for PMCR for the AArch32 execution state.
      
      NOTE: secure world code at lower ELs that assume other values in PMCR_EL0
      will be impacted.
      
      Change-Id: Iae40e8c0a196d74053accf97063ebc257b4d2f3a
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      3e61b2b5
    • Roberto Vargas's avatar
      reset2: Add PSCI system_reset2 function · 36a8f8fd
      Roberto Vargas authored
      
      
      This patch implements PSCI_SYSTEM_RESET2 API as defined in PSCI
      v1.1 specification. The specification allows architectural and
      vendor-specific resets via this API. In the current specification,
      there is only one architectural reset, the warm reset. This reset is
      intended to provide a fast reboot path that guarantees not to reset
      system main memory.
      
      Change-Id: I057bb81a60cd0fe56465dbb5791d8e1cca025bd3
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      36a8f8fd
  14. 05 Oct, 2017 4 commits
    • Antonio Nino Diaz's avatar
      xlat: Add support for EL0 and EL1 mappings · 609c9191
      Antonio Nino Diaz authored
      
      
      This patch introduces the ability of the xlat tables library to manage
      EL0 and EL1 mappings from a higher exception level.
      
      Attributes MT_USER and MT_PRIVILEGED have been added to allow the user
      specify the target EL in the translation regime EL1&0.
      
      REGISTER_XLAT_CONTEXT2 macro is introduced to allow creating a
      xlat_ctx_t that targets a given translation regime (EL1&0 or EL3).
      
      A new member is added to xlat_ctx_t to represent the translation regime
      the xlat_ctx_t manages. The execute_never mask member is removed as it
      is computed from existing information.
      
      Change-Id: I95e14abc3371d7a6d6a358cc54c688aa9975c110
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      609c9191
    • Douglas Raillard's avatar
      xlat: Introduce function xlat_arch_tlbi_va_regime() · b4ae615b
      Douglas Raillard authored
      
      
      Introduce a variant of the TLB invalidation helper function that
      allows the targeted translation regime to be specified, rather than
      defaulting to the current one.
      
      This new function is useful in the context of EL3 software managing
      translation tables for the S-EL1&0 translation regime, as then it
      might need to invalidate S-EL1&0 TLB entries rather than EL3 ones.
      
      Define a new enumeration to be able to represent translation regimes in
      the xlat tables library.
      
      Change-Id: Ibe4438dbea2d7a6e7470bfb68ff805d8bf6b07e5
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b4ae615b
    • Sandrine Bailleux's avatar
      xlat: Always compile TLB invalidation functions · f301da44
      Sandrine Bailleux authored
      
      
      TLB invalidation functions used to be conditionally compiled in.
      They were enabled only when using the dynamic mapping feature.
      because only then would we need to modify page tables on the fly.
      
      Actually there are other use cases where invalidating TLBs is required.
      When changing memory attributes in existing translation descriptors for
      example. These other use cases do not necessarily depend on the dynamic
      mapping feature.
      
      This patch removes this dependency and always compile TLB invalidation
      functions in. If they're not used, they will be removed from the binary
      at link-time anyway so there's no consequence on the memory footprint
      if these functions are not called.
      
      Change-Id: I1c33764ae900eb00073ee23b7d0d53d4efa4dd21
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      f301da44
    • Sandrine Bailleux's avatar
      xlat: Introduce MAP_REGION2() macro · fdb1964c
      Sandrine Bailleux authored
      
      
      The current implementation of the memory mapping API favours mapping
      memory regions using the biggest possible block size in order to
      reduce the number of translation tables needed.
      
      In some cases, this behaviour might not be desirable. When translation
      tables are edited at run-time, coarse-grain mappings like that might
      need splitting into finer-grain tables. This operation has a
      performance cost.
      
      The MAP_REGION2() macro allows to specify the granularity of
      translation tables used for the initial mapping of a memory region.
      This might increase performance for memory regions that are likely to
      be edited in the future, at the expense of a potentially increased
      memory footprint.
      
      The Translation Tables Library Design Guide has been updated to
      explain the use case for this macro. Also added a few intermediate
      titles to make the guide easier to digest.
      
      Change-Id: I04de9302e0ee3d326b8877043a9f638766b81b7b
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      fdb1964c
  15. 25 Sep, 2017 2 commits
    • Roberto Vargas's avatar
      Add mem_region utility functions · 43cbaf06
      Roberto Vargas authored
      
      
      This commit introduces a new type (mem_region_t) used to describe
      memory regions and it adds two utility functions:
      
      	- clear_mem_regions: This function clears (write 0) to a set
      		of regions described with an array of mem_region_t.
      
      	- mem_region_in_array_chk This function checks if a
      		region is covered by some of the regions described
      		with an array of mem_region_t.
      
      Change-Id: I12ce549f5e81dd15ac0981645f6e08ee7c120811
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      43cbaf06
    • Roberto Vargas's avatar
      mem_protect: Add mem_protect API · d4c596be
      Roberto Vargas authored
      
      
      This patch adds the generic code that links the psci smc handler
      with the platform function that implements the mem_protect and
      mem_check_range functionalities. These functions are  optional
      APIs added in PSCI v1.1 (ARM DEN022D).
      
      Change-Id: I3bac1307a5ce2c7a196ace76db8317e8d8c8bb3f
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      d4c596be
  16. 21 Sep, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Set TCR_EL1.EPD1 bit to 1 · 3388b38d
      Antonio Nino Diaz authored
      
      
      In the S-EL1&0 translation regime we aren't using the higher VA range,
      whose translation table base address is held in TTBR1_EL1. The bit
      TCR_EL1.EPD1 can be used to disable translations using TTBR1_EL1, but
      the code wasn't setting it to 1. Additionally, other fields in TCR1_EL1
      associated with the higher VA range (TBI1, TG1, SH1, ORGN1, IRGN1 and
      A1) weren't set correctly as they were left as 0. In particular, 0 is a
      reserved value for TG1. Also, TBBR1_EL1 was not explicitly set and its
      reset value is UNKNOWN.
      
      Therefore memory accesses to the higher VA range would result in
      unpredictable behaviour as a translation table walk would be attempted
      using an UNKNOWN value in TTBR1_EL1.
      
      On the FVP and Juno platforms accessing the higher VA range resulted in
      a translation fault, but this may not always be the case on all
      platforms.
      
      This patch sets the bit TCR_EL1.EPD1 to 1 so that any kind of
      unpredictable behaviour is prevented.
      
      This bug only affects the AArch64 version of the code, the AArch32
      version sets this bit to 1 as expected.
      
      Change-Id: I481c000deda5bc33a475631301767b9e0474a303
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      3388b38d