- 07 Feb, 2020 7 commits
-
-
Louis Mayencourt authored
Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the firmware configuration framework in arm dynamic configuration to retrieve mbedtls heap information between bl1 and bl2. For this, a new fconf getter is added to expose the device tree base address and size. Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use fconf to retrieve the `disable_authentication` property. Move this access from arm dynamic configuration to bl common. Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
This patch introduces a better separation between the trusted-boot related properties, and the dynamic configuration DTBs loading information. The dynamic configuration DTBs properties are moved to a new node: `dtb-registry`. All the sub-nodes present will be provided to the dynamic config framework to be loaded. The node currently only contains the already defined configuration DTBs, but can be extended for future features if necessary. The dynamic config framework is modified to use the abstraction provided by the fconf framework, instead of directly accessing the DTBs. The trusted-boot properties are kept under the "arm,tb_fw" compatible string, but in a separate `tb_fw-config` node. The `tb_fw-config` property of the `dtb-registry` node simply points to the load address of `fw_config`, as the `tb_fw-config` is currently part of the same DTB. Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the dtb provided by bl1 as configuration file for fconf. Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Move the loading of the dtb from arm_dym_cfg to fconf. The new loading function is not associated to arm platform anymore, and can be moved to bl_main if wanted. Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Introduce the Firmware CONfiguration Framework (fconf). The fconf is an abstraction layer for platform specific data, allowing a "property" to be queried and a value retrieved without the requesting entity knowing what backing store is being used to hold the data. The default backing store used is C structure. If another backing store has to be used, the platform integrator needs to provide a "populate()" function to fill the corresponding C structure. The "populate()" function must be registered to the fconf framework with the "FCONF_REGISTER_POPULATOR()". This ensures that the function would be called inside the "fconf_populate()" function. A two level macro is used as getter: - the first macro takes 3 parameters and converts it to a function call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c). - the second level defines a__b_getter(c) to the matching C structure, variable, array, function, etc.. Ex: Get a Chain of trust property: 1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id) 2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id] Change-Id: Id394001353ed295bc680c3f543af0cf8da549469 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 04 Feb, 2020 1 commit
-
-
Zelalem authored
This patch removes unnecessary header file includes discovered by Coverity HFA option. Change-Id: I2827c37c1c24866c87db0e206e681900545925d4 Signed-off-by: Zelalem <zelalem.aweke@arm.com>
-
- 29 Jan, 2020 1 commit
-
-
Sandrine Bailleux authored
Allows to select the chain of trust to use when the Trusted Boot feature is enabled. This affects both the cert_create tool and the firmware itself. Right now, the only available CoT is TBBR. Change-Id: I7ab54e66508a1416cb3fcd3dfb0f055696763b3d Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 28 Jan, 2020 1 commit
-
-
Louis Mayencourt authored
The Secure Configuration Register is 64-bits in AArch64 and 32-bits in AArch32. Use u_register_t instead of unsigned int to reflect this. Change-Id: I51b69467baba36bf0cfaec2595dc8837b1566934 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 27 Jan, 2020 1 commit
-
-
Madhukar Pappireddy authored
In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate the build to require that ARM_BL31_IN_DRAM is enabled as well. Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code cannot be reclaimed to be used for runtime data such as secondary cpu stacks. Memory map for BL31 NOBITS region also has to be created. Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 23 Jan, 2020 1 commit
-
-
Mark Dykes authored
This reverts commit d433bbdd. Change-Id: I46c69dce704a1ce1b50452dd4d62425c4a67f7f0
-
- 22 Jan, 2020 1 commit
-
-
Madhukar Pappireddy authored
In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate the build to require that ARM_BL31_IN_DRAM is enabled as well. Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code cannot be reclaimed to be used for runtime data such as secondary cpu stacks. Memory map for BL31 NOBITS region also has to be created. Change-Id: Ibd480f82c1dc74e9cbb54eec07d7a8fecbf25433 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 20 Dec, 2019 3 commits
-
-
Paul Beesley authored
Before adding any new SPM-related components we should first do some cleanup around the existing SPM-MM implementation. The aim is to make sure that any SPM-MM components have names that clearly indicate that they are MM-related. Otherwise, when adding new SPM code, it could quickly become confusing as it would be unclear to which component the code belongs. The secure_partition.h header is a clear example of this, as the name is generic so it could easily apply to any SPM-related code, when it is in fact SPM-MM specific. This patch renames the file and the two structures defined within it, and then modifies any references in files that use the header. Change-Id: I44bd95fab774c358178b3e81262a16da500fda26 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
The Secure Partition Manager (SPM) prototype implementation is being removed. This is preparatory work for putting in place a dispatcher component that, in turn, enables partition managers at S-EL2 / S-EL1. This patch removes: - The core service files (std_svc/spm) - The Resource Descriptor headers (include/services) - SPRT protocol support and service definitions - SPCI protocol support and service definitions Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426 Signed-off-by: Paul Beesley <paul.beesley@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
Paul Beesley authored
There are two different implementations of Secure Partition management in TF-A. One is based on the "Management Mode" (MM) design, the other is based on the Secure Partition Client Interface (SPCI) specification. Currently there is a dependency between their build flags that shouldn't exist, making further development harder than it should be. This patch removes that dependency, making the two flags function independently. Before: ENABLE_SPM=1 is required for using either implementation. By default, the SPCI-based implementation is enabled and this is overridden if SPM_MM=1. After: ENABLE_SPM=1 enables the SPCI-based implementation. SPM_MM=1 enables the MM-based implementation. The two build flags are mutually exclusive. Note that the name of the ENABLE_SPM flag remains a bit ambiguous - this will be improved in a subsequent patch. For this patch the intention was to leave the name as-is so that it is easier to track the changes that were made. Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 19 Dec, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes the bug in BL2 dynamic configuration initialisation which prevents loading NT_FW_CONFIG image (ref. GENFW-3471). It also adds parentheses around 'if' statement conditions to fix Coverity defect. Change-Id: I353566c29b84341887e13bf8098a4fedfc4e00ff Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 18 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
Provide an SMC interface to the 9p filesystem. This permits accessing firmware drivers through a common interface, using standardized read/write/control operations. Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Change-Id: I9314662314bb060f6bc02714476574da158b2a7d
-
- 17 Dec, 2019 2 commits
-
-
Bence Szépkúti authored
Ported the pmf asm macros and the asm code in the bl31 entrypoint necessary for the instrumentation to AArch32. Since smc dispatch is handled by the bl32 payload on AArch32, we provide this service only if AARCH32_SP=sp_min is set. Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com> Change-Id: Id33b7e9762ae86a4f4b40d7f1b37a90e5130c8ac
-
Bence Szépkúti authored
Switching execution states is only possible if EL3 is AArch64. As such there is no need to validate the entrypoint on AArch32 builds. Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com> Change-Id: I3c1eb25b5df296a492870641d274bf65213c6608
-
- 10 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
C99 standard: "What constitutes an access to an object that has volatile-qualified type is implementation-defined". GCC is not considering the cast to void of volatile structures as an access and so is not actually issuing reads. Clang does read those structures by copying them on the stack, which in this case creates an overflow because of their large size. This patch removes the cast to void and instead uses the USED attribute to tell the compiler to retain the static variables. Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Zelalem Aweke <zelalem.aweke@arm.com>
-
- 09 Dec, 2019 1 commit
-
-
Louis Mayencourt authored
Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page (but depend on the platform). Instead, read the actual size of the dtb with the libfdt "fdt_totalsize" function. This avoid flushing extra memory after updating the dtb with mbedtls heap information when shared heap is used. Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 07 Nov, 2019 1 commit
-
-
Manish Pandey authored
Earlier PIE support was enabled for all arm platforms when RESET_TO_BL31=1, but later on it was restricted only to FVP with patch SHA d4580d17 because of n1sdp platform. Now it has been verified that PIE does work for n1sdp platform also, so enabling it again for all arm platforms. Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 05 Nov, 2019 1 commit
-
-
Vijayenthiran Subramaniam authored
ARM platform can have a non-contiguous GICR frames. For instance, a multi socket platform can have two or more GIC Redistributor frames which are 4TB apart. Hence it is necessary for the `gicv3_rdistif_probe` function to probe all the GICR frames available in the platform. Introduce `plat_arm_override_gicr_frames` function which platforms can use to override the default gicr_frames which holds the GICR base address of the primary cpu. Change-Id: I1f537b0d871a679cb256092944737f2e55ab866e Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
-
- 21 Oct, 2019 1 commit
-
-
Manish Pandey authored
There are some platforms which uses MPIDR Affinity level 3 for storing extra affinity information e.g. N1SDP uses it for keeping chip id in a multichip setup, for such platforms MPIDR validation should not fail. This patch adds Aff3 bits also as part of mpidr validation mask, for platforms which does not uses Aff3 will not have any impact as these bits will be all zeros. Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 26 Sep, 2019 1 commit
-
-
Madhukar Pappireddy authored
This patch invokes the new function gicv3_rdistif_probe() in the ARM platform specific gicv3 driver. Since this API modifies the shared GIC related data structure, it must be invoked coherently by using the platform specific pwr_domain_on_finish_late hook. Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 13 Sep, 2019 1 commit
-
-
Alexei Fedorov authored
This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 01 Aug, 2019 1 commit
-
-
Julius Werner authored
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 23 Jul, 2019 1 commit
-
-
Ambroise Vincent authored
The watchdog is configured with a default value of 256 seconds in order to implement the Trusted Board Boot Requirements. For the FVP and Juno platforms, the FWU process relies on a watchdog reset. In order to automate the test of FWU, the length of this process needs to be as short as possible. Instead of waiting for those 4 minutes to have a reset by the watchdog, tell it to reset immediately. There are no side effects as the value of the watchdog's load register resets to 0xFFFFFFFF. Tested on Juno. Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 28 Jun, 2019 1 commit
-
-
Ambroise Vincent authored
The new API becomes the default one. Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 11 Jun, 2019 1 commit
-
-
Louis Mayencourt authored
BL2U should not build when RESET_TO_SP_MIN flag is set, like BL1 and BL2. Change-Id: Iac516121f98611ca1f58d2b5efdec6525b06ce4e Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 15 May, 2019 1 commit
-
-
Sami Mujawar authored
N1SDP exhibits the behavior similar to Juno wherein CNTBaseN.CNTFRQ can be written but does not reflect the value of the CNTFRQ register in CNTCTLBase frame. This doesn't follow ARM ARM in that the value updated in CNTCTLBase.CNTFRQ is not reflected in CNTBaseN.CNTFRQ. Hence enable the workaround (applied to Juno) for N1SDP that updates the CNTFRQ register in the Non Secure CNTBaseN frame. Change-Id: Id89ee1bca0f25c9d62f8f794f2c4f4e618cdf092 Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
-
- 10 May, 2019 1 commit
-
-
Alexei Fedorov authored
For security DMA should be blocked at the SMMU by default unless explicitly enabled for a device. SMMU is disabled after reset with all streams bypassing the SMMU, and abortion of all incoming transactions implements a default deny policy on reset. This patch also moves "bl1_platform_setup()" function from arm_bl1_setup.c to FVP platforms' fvp_bl1_setup.c and fvp_ve_bl1_setup.c files. Change-Id: Ie0ffedc10219b1b884eb8af625bd4b6753749b1a Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 24 Apr, 2019 1 commit
-
-
Ambroise Vincent authored
Change-Id: Ie649b3c367a93db057eeaee7e83fa3e43f8c2607 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 17 Apr, 2019 1 commit
-
-
Aditya Angadi authored
The BL1 stage setup code for ARM platforms sets up the SP805 watchdog controller as the secure watchdog. But not all ARM platforms use SP805 as the secure watchdog controller. So introduce two new ARM platform code specific wrapper functions to start and stop the secure watchdog. These functions then replace the calls to SP805 driver in common BL1 setup code. All the ARM platforms implement these wrapper functions by either calling into SP805 driver or the SBSA watchdog driver. Change-Id: I1a9a11b124cf3fac2a84f22ca40acd440a441257 Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>
-
- 14 Mar, 2019 1 commit
-
-
Sandrine Bailleux authored
The dummy implementation of the plat_init_apiakey() platform API uses an internal 128-bit buffer to store the initial key value used for Pointer Authentication support. The intent - as stated in the file comments - was for this buffer to be write-protected by the MMU. Initialization of the buffer would be performed before enabling the MMU, thus bypassing write protection checks. However, the key buffer ended up into its own read-write section by mistake due to a typo on the section name ('rodata.apiakey' instead of '.rodata.apiakey', note the leading dot). As a result, the linker script was not pulling it into the .rodata output section. One way to address this issue could have been to fix the section name. However, this approach does not work well for BL1. Being the first image in the boot flow, it typically is sitting in real ROM so we don't have the capacity to update the key buffer at any time. The dummy implementation of plat_init_apiakey() provided at the moment is just there to demonstrate the Pointer Authentication feature in action. Proper key management and key generation would have to be a lot more careful on a production system. Therefore, the approach chosen here to leave the key buffer in writable memory but move it to the BSS section. This does mean that the key buffer could be maliciously updated for intalling unintended keys on the warm boot path but at the feature is only at an experimental stage right now, this is deemed acceptable. Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 27 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
This feature is only supported on FVP. Change-Id: I4e265610211d92a84bd2773c34acfbe02a1a1826 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 19 Feb, 2019 2 commits
-
-
Usama Arif authored
Cortex A5 doesnt support VFP, Large Page addressing and generic timer which are addressed in this patch. The device tree for Cortex a5 is also included. Change-Id: I0722345721b145dfcc80bebd36a1afbdc44bb678 Signed-off-by: Usama Arif <usama.arif@arm.com>
-
Usama Arif authored
This patch adds support for Versatile express FVP (Fast models). Versatile express is a family of platforms that are based on ARM v7. Currently this port has only been tested on Cortex A7, although it should work with other ARM V7 cores that support LPAE, generic timers, VFP and hardware divide. Future patches will support other cores like Cortex A5 that dont support features like LPAE and hardware divide. This platform is tested on and only expected to work on single core models. Change-Id: I10893af65b8bb64da7b3bd851cab8231718e61dd Signed-off-by: Usama Arif <usama.arif@arm.com>
-
- 18 Feb, 2019 1 commit
-
-
Usama Arif authored
The variable is renamed to PLAT_ARM_RUN_UART as the UART is used outside BL31 as well. Change-Id: I00e3639dfb2001758b7d24548c11236c6335f64a Signed-off-by: Usama Arif <usama.arif@arm.com>
-