1. 28 Feb, 2017 2 commits
  2. 23 Feb, 2017 1 commit
  3. 22 Feb, 2017 1 commit
  4. 15 Feb, 2017 2 commits
    • dp-arm's avatar
      Juno: Disable SPIDEN in release builds · 09fad498
      dp-arm authored
      
      
      On Juno, the secure privileged invasive debug authentication signal
      (SPIDEN) is controlled by board SCC registers, which by default enable
      SPIDEN.  Disable secure privileged external debug in release builds by
      programming the appropriate Juno SoC registers.
      
      Change-Id: I61045f09a47dc647bbe95e1b7a60e768f5499f49
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      09fad498
    • dp-arm's avatar
      Disable secure self-hosted debug via MDCR_EL3/SDCR · 85e93ba0
      dp-arm authored
      
      
      Trusted Firmware currently has no support for secure self-hosted
      debug.  To avoid unexpected exceptions, disable software debug
      exceptions, other than software breakpoint instruction exceptions,
      from all exception levels in secure state.  This applies to both
      AArch32 and AArch64 EL3 initialization.
      
      Change-Id: Id097e54a6bbcd0ca6a2be930df5d860d8d09e777
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      85e93ba0
  5. 13 Feb, 2017 1 commit
    • dp-arm's avatar
      PSCI: Decouple PSCI stat residency calculation from PMF · 04c1db1e
      dp-arm authored
      
      
      This patch introduces the following three platform interfaces:
      
      * void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting before entering a low power state.  This
        typically involves capturing a timestamp.
      
      * void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting after exiting from a low power state.  This
        typically involves capturing a timestamp.
      
      * u_register_t plat_psci_stat_get_residency(unsigned int lvl,
      	const psci_power_state_t *state_info,
      	unsigned int last_cpu_index)
      
        This is an optional hook that platforms can implement in order
        to calculate the PSCI stat residency.
      
      If any of these interfaces are overridden by the platform, it is
      recommended that all of them are.
      
      By default `ENABLE_PSCI_STAT` is disabled.  If `ENABLE_PSCI_STAT`
      is set but `ENABLE_PMF` is not set then an alternative PSCI stat
      collection backend must be provided.  If both are set, then default
      weak definitions of these functions are provided, using PMF to
      calculate the residency.
      
      NOTE: Previously, platforms did not have to explicitly set
      `ENABLE_PMF` since this was automatically done by the top-level
      Makefile.
      
      Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      04c1db1e
  6. 06 Feb, 2017 1 commit
    • Douglas Raillard's avatar
      Introduce unified API to zero memory · 308d359b
      Douglas Raillard authored
      
      
      Introduce zeromem_dczva function on AArch64 that can handle unaligned
      addresses and make use of DC ZVA instruction to zero a whole block at a
      time. This zeroing takes place directly in the cache to speed it up
      without doing external memory access.
      
      Remove the zeromem16 function on AArch64 and replace it with an alias to
      zeromem. This zeromem16 function is now deprecated.
      
      Remove the 16-bytes alignment constraint on __BSS_START__ in
      firmware-design.md as it is now not mandatory anymore (it used to comply
      with zeromem16 requirements).
      
      Change the 16-bytes alignment constraints in SP min's linker script to a
      8-bytes alignment constraint as the AArch32 zeromem implementation is now
      more efficient on 8-bytes aligned addresses.
      
      Introduce zero_normalmem and zeromem helpers in platform agnostic header
      that are implemented this way:
      * AArch32:
      	* zero_normalmem: zero using usual data access
      	* zeromem: alias for zero_normalmem
      * AArch64:
      	* zero_normalmem: zero normal memory  using DC ZVA instruction
      	                  (needs MMU enabled)
      	* zeromem: zero using usual data access
      
      Usage guidelines: in most cases, zero_normalmem should be preferred.
      
      There are 2 scenarios where zeromem (or memset) must be used instead:
      * Code that must run with MMU disabled (which means all memory is
        considered device memory for data accesses).
      * Code that fills device memory with null bytes.
      
      Optionally, the following rule can be applied if performance is
      important:
      * Code zeroing small areas (few bytes) that are not secrets should use
        memset to take advantage of compiler optimizations.
      
        Note: Code zeroing security-related critical information should use
        zero_normalmem/zeromem instead of memset to avoid removal by
        compilers' optimizations in some cases or misbehaving versions of GCC.
      
      Fixes ARM-software/tf-issues#408
      
      Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      308d359b
  7. 02 Feb, 2017 1 commit
    • dp-arm's avatar
      PMF: Fixup PMF constants · 888037e5
      dp-arm authored
      
      
      `PMF_ARM_TIF_IMPL_ID` should be set to 0x41.  The code already left
      shifts it by 24 bit positions so this was overflowing.
      
      This fixes a build error with GCC 6.2 when
      `ENABLE_RUNTIME_INSTRUMENTATION` is set.
      
      Change-Id: I4c99d48ea7ce3d76e9edd1325b1979994db2c0fb
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      888037e5
  8. 30 Jan, 2017 2 commits
    • Jeenu Viswambharan's avatar
      Report errata workaround status to console · 10bcd761
      Jeenu Viswambharan authored
      
      
      The errata reporting policy is as follows:
      
        - If an errata workaround is enabled:
      
          - If it applies (i.e. the CPU is affected by the errata), an INFO
            message is printed, confirming that the errata workaround has been
            applied.
      
          - If it does not apply, a VERBOSE message is printed, confirming
            that the errata workaround has been skipped.
      
        - If an errata workaround is not enabled, but would have applied had
          it been, a WARN message is printed, alerting that errata workaround
          is missing.
      
      The CPU errata messages are printed by both BL1 (primary CPU only) and
      runtime firmware on debug builds, once for each CPU/errata combination.
      
      Relevant output from Juno r1 console when ARM Trusted Firmware is built
      with PLAT=juno LOG_LEVEL=50 DEBUG=1:
      
        VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied
        VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied
        INFO:    BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied
        WARNING: BL1: cortex_a57: errata workaround for 826974 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 826977 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 828024 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 829520 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 833471 was missing!
        ...
        VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied
        VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied
        INFO:    BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied
        WARNING: BL31: cortex_a57: errata workaround for 826974 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 826977 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 828024 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 829520 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 833471 was missing!
        ...
        VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied
        INFO:    BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied
      
      Also update documentation.
      
      Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      10bcd761
    • Jeenu Viswambharan's avatar
      Allow spin locks to be defined from assembly · b38bc68b
      Jeenu Viswambharan authored
      
      
      At present, spin locks can only defined from C files. Add some macros
      such that they can be defined from assembly files too.
      
      Change-Id: I64f0c214062f5c15b3c8b412c7f25c908e87d970
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      b38bc68b
  9. 26 Jan, 2017 1 commit
    • David Cunado's avatar
      Resolve build errors flagged by GCC 6.2 · 9edac047
      David Cunado authored
      
      
      With GCC 6.2 compiler, more C undefined behaviour is being flagged as
      warnings, which result in build errors in ARM TF build.
      
      The specific issue that this patch resolves is the use of (1 << 31),
      which is predominantly used in case statements, where 1 is represented
      as a signed int. When shifted to msb the behaviour is undefined.
      
      The resolution is to specify 1 as an unsigned int using a convenience
      macro ULL(). A duplicate macro MAKE_ULL() is replaced.
      
      Fixes ARM-software/tf-issues#438
      
      Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      9edac047
  10. 24 Jan, 2017 2 commits
  11. 23 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
    • Haojian Zhuang's avatar
      drivers: add designware emmc driver · 5dbdb7da
      Haojian Zhuang authored
      
      
      Support Designware eMMC driver. It's based on both IO block
      and eMMC driver.
      Signed-off-by: default avatarHaojian Zhuang <haojian.zhuang@linaro.org>
      5dbdb7da
  12. 19 Jan, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Fix declarations of cache maintenance functions · c8d64c54
      Antonio Nino Diaz authored
      Fix the parameter type of the maintenance functions of data cache.
      
      Add missing declarations for AArch32 versions of dcsw_op_louis and
      dcsw_op_all to match the AAch64 ones.
      
      Change-Id: I4226e8ea4f8b2b5bc2972992c83de659ee0da52c
      c8d64c54
  13. 18 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Move BL_COHERENT_RAM_BASE/END defines to common_def.h · 47497053
      Masahiro Yamada authored
      
      
      We have lots of duplicated defines (and comment blocks too).
      Move them to include/plat/common/common_def.h.
      
      While we are here, suffix the end address with _END instead of
      _LIMIT.  The _END is a better fit to indicate the linker-derived
      real end address.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      47497053
    • Masahiro Yamada's avatar
      Use *_END instead of *_LIMIT for linker derived end addresses · ecdc898d
      Masahiro Yamada authored
      
      
      The usage of _LIMIT seems odd here, so rename as follows:
        BL_CODE_LIMIT     --> BL_CODE_END
        BL_RO_DATA_LIMIT  --> BL_RO_DATA_END
        BL1_CODE_LIMIT    --> BL1_CODE_END
        BL1_RO_DATA_LIMIT --> BL1_RO_DATA_END
      
      Basically, we want to use _LIMIT and _END properly as follows:
        *_SIZE + *_MAX_SIZE = *_LIMIT
        *_SIZE + *_SIZE     = *_END
      
      The _LIMIT is generally defined by platform_def.h to indicate the
      platform-dependent memory constraint.  So, its typical usage is
        ASSERT(. <= BL31_LIMIT, "BL31 image has exceeded its limit.")
      in a linker script.
      
      On the other hand, _END is used to indicate the end address of the
      compiled image, i.e. we do not know it until the image is linked.
      
      Here, all of these macros belong to the latter, so should be
      suffixed with _END.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      ecdc898d
  14. 16 Jan, 2017 1 commit
  15. 12 Jan, 2017 1 commit
  16. 10 Jan, 2017 1 commit
  17. 30 Dec, 2016 1 commit
    • dp-arm's avatar
      fiptool: Add support for operating on binary blobs using the UUID · fcab6bbe
      dp-arm authored
      
      
      Previously, fiptool only understood a fixed set of images as
      specified in tbbr_config.c.  It preserved unknown images during
      the update, unpack and remove operations but it was not possible to
      explicitly refer to one of those unknown images.
      
      Add a new --blob option to create/update/unpack/remove images that
      are not known at compile time.  This is accomplished by specifying
      the UUID and filename pair as shown below:
      
      $ ./fiptool create --blob uuid=01234567-89ab-cdef-0123-456789abcdef,file=foo.bin fip.bin
      $ ./fiptool info fip.bin
      01234567-89ab-cdef-0123-456789abcdef: offset=0x60, size=0x1AA68
      
      Fixes ARM-software/tf-issues#420
      
      Change-Id: Iaac2504b9a4252289c09e73d29645cbe240f3a82
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      fcab6bbe
  18. 23 Dec, 2016 1 commit
    • Douglas Raillard's avatar
      Abort preempted TSP STD SMC after PSCI CPU suspend · 3df6012a
      Douglas Raillard authored
      
      
      Standard SMC requests that are handled in the secure-world by the Secure
      Payload can be preempted by interrupts that must be handled in the
      normal world. When the TSP is preempted the secure context is stored and
      control is passed to the normal world to handle the non-secure
      interrupt. Once completed the preempted secure context is restored. When
      restoring the preempted context, the dispatcher assumes that the TSP
      preempted context is still stored as the SECURE context by the context
      management library.
      
      However, PSCI power management operations causes synchronous entry into
      TSP. This overwrites the preempted SECURE context in the context
      management library. When restoring back the SECURE context, the Secure
      Payload crashes because this context is not the preempted context
      anymore.
      
      This patch avoids corruption of the preempted SECURE context by aborting
      any preempted SMC during PSCI power management calls. The
      abort_std_smc_entry hook of the TSP is called when aborting the SMC
      request.
      
      It also exposes this feature as a FAST SMC callable from normal world to
      abort preempted SMC with FID TSP_FID_ABORT.
      
      Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      3df6012a
  19. 20 Dec, 2016 2 commits
  20. 19 Dec, 2016 1 commit
  21. 15 Dec, 2016 4 commits
    • Jeenu Viswambharan's avatar
      Add provision to extend CPU operations at more levels · 5dd9dbb5
      Jeenu Viswambharan authored
      
      
      Various CPU drivers in ARM Trusted Firmware register functions to handle
      power-down operations. At present, separate functions are registered to
      power down individual cores and clusters.
      
      This scheme operates on the basis of core and cluster, and doesn't cater
      for extending the hierarchy for power-down operations. For example,
      future CPUs might support multiple threads which might need powering
      down individually.
      
      This patch therefore reworks the CPU operations framework to allow for
      registering power down handlers on specific level basis. Henceforth:
      
        - Generic code invokes CPU power down operations by the level
          required.
      
        - CPU drivers explicitly mention CPU_NO_RESET_FUNC when the CPU has no
          reset function.
      
        - CPU drivers register power down handlers as a list: a mandatory
          handler for level 0, and optional handlers for higher levels.
      
      All existing CPU drivers are adapted to the new CPU operations framework
      without needing any functional changes within.
      
      Also update firmware design guide.
      
      Change-Id: I1826842d37a9e60a9e85fdcee7b4b8f6bc1ad043
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      5dd9dbb5
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored
      
      
      The previous code required that a certificate be signed with the ROT
      key before the platform's NV counter could be updated with the value
      in the certificate.  This implies that the Non-Trusted NV counter was
      not being updated for Non-Trusted content certificates, as they cannot
      be signed with the ROT key in the TBBR CoT scheme.
      
      The code is reworked to only allow updating the platform's Trusted NV
      counter when a certificate protected by the Trusted NV counter is
      signed with the ROT key.
      
      Content certificates protected by the Non-Trusted NV counter are
      allowed to update the platform's Non-Trusted NV counter, assuming
      that the certificate value is higher than the platform's value.
      
      A new optional platform API has been introduced, named
      plat_set_nv_ctr2().  Platforms may choose to implement it and perform
      additional checks based on the authentication image descriptor before
      modifying the NV counters.  A default weak implementation is available
      that just calls into plat_set_nv_ctr().
      
      Fixes ARM-software/tf-issues#426
      
      Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23
    • Jeenu Viswambharan's avatar
      Introduce ARM platform APIs for GICv3 Redistributor · d17b953a
      Jeenu Viswambharan authored
      
      
      As with other ARM platform GIC APIs, these directly invoke the GICv3
      driver APIs for Redistributor power management.
      
      For the sake of uniform GIC API, empty stubs are placed for those GIC
      drivers that lack Redistributor component.
      
      Change-Id: Iad0d760d4dbca790998f7768cda621ff3b15a864
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      d17b953a
    • Jeenu Viswambharan's avatar
      GICv3: Introduce power management APIs for Redistributor · d780699b
      Jeenu Viswambharan authored
      
      
      Some GICv3 implementations have provision for power management
      operations at Redistributor level. This patch introduces and provides
      place-holders for Redistributor power management. The default
      implementations are empty stubs, but are weakly bound so as to enable
      implementation-specific drivers to override them.
      
      Change-Id: I4fec1358693d3603ca5dce242a2f7f0e730516d8
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      d780699b
  22. 14 Dec, 2016 3 commits
  23. 13 Dec, 2016 3 commits
    • Antonio Nino Diaz's avatar
      ARM platforms: Replace address space size defines · e60e74bd
      Antonio Nino Diaz authored
      
      
      The now deprecated ADDR_SPACE_SIZE has been replaced by the two
      defines PLAT_PHY_ADDR_SPACE_SIZE and PLAT_VIRT_ADDR_SPACE_SIZE.
      
      Change-Id: I027a2f02f47ab2f679b8979a6dbfb0f08270a1a4
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      e60e74bd
    • Antonio Nino Diaz's avatar
      Add PLAT_xxx_ADDR_SPACE_SIZE definitions · 0029624f
      Antonio Nino Diaz authored
      
      
      Added the definitions `PLAT_PHY_ADDR_SPACE_SIZE` and
      `PLAT_VIRT_ADDR_SPACE_SIZE` which specify respectively the physical
      and virtual address space size a platform can use.
      
      `ADDR_SPACE_SIZE` is now deprecated. To maintain compatibility, if any
      of the previous defines aren't present, the value of `ADDR_SPACE_SIZE`
      will be used instead.
      
      For AArch64, register ID_AA64MMFR0_EL1 is checked to calculate the
      max PA supported by the hardware and to verify that the previously
      mentioned definition is valid. For AArch32, a 40 bit physical
      address space is considered.
      
      Added asserts to check for overflows.
      
      Porting guide updated.
      
      Change-Id: Ie8ce1da5967993f0c94dbd4eb9841fc03d5ef8d6
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      0029624f
    • Antonio Nino Diaz's avatar
      Assert correct granularity when mapping a PA · d3d6c6e3
      Antonio Nino Diaz authored
      
      
      Each translation table level entry can only map a given virtual
      address onto physical addresses of the same granularity. For example,
      with the current configuration, a level 2 entry maps blocks of 2 MB,
      so the physical address must be aligned to 2 MB. If the address is not
      aligned, the MMU will just ignore the lower bits.
      
      This patch adds an assertion to make sure that physical addresses are
      always aligned to the correct boundary.
      
      Change-Id: I0ab43df71829d45cdbe323301b3053e08ca99c2c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      d3d6c6e3
  24. 12 Dec, 2016 1 commit
    • Soby Mathew's avatar
      AArch32: Fix the stack alignment issue · 9f3ee61c
      Soby Mathew authored
      
      
      The AArch32 Procedure call Standard mandates that the stack must be aligned
      to 8 byte boundary at external interfaces. This patch does the required
      changes.
      
      This problem was detected when a crash was encountered in
      `psci_print_power_domain_map()` while printing 64 bit values. Aligning
      the stack to 8 byte boundary resolved the problem.
      
      Fixes ARM-Software/tf-issues#437
      
      Change-Id: I517bd8203601bb88e9311bd36d477fb7b3efb292
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      9f3ee61c
  25. 07 Dec, 2016 2 commits
    • Soby Mathew's avatar
      Allow ARM Standard platforms to dynamically define PSCI capability · 5486a965
      Soby Mathew authored
      
      
      The capabilities exposed by the PSCI generic layer depends on the hooks
      populated by the platform in `plat_arm_psci_pm_ops`. Currently ARM
      Standard platforms statically define this structure. However, some
      platforms may want to modify the hooks at runtime before registering
      them with the generic layer.
      
      This patch introduces a new ARM platform layer API
      `plat_arm_psci_override_pm_ops` which allows the platform to probe
      the power controller and modify `plat_arm_psci_pm_ops` if required.
      Consequently, 'plat_arm_psci_pm_ops' is no longer qualified as
      `const` on ARM Standard platforms.
      
      Change-Id: I7dbb44b7bd36c20ec14ded5ee45a96816ca2ab9d
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      5486a965
    • Soby Mathew's avatar
      Introduce SCP power management abstraction · b12a2b49
      Soby Mathew authored
      
      
      This patch introduces an additional layer of abstraction between
      CSS power management hooks and the SCPI driver. A new set of APIs
      are introduced in order to abstract out power management operations
      from underlying communication mechanism with the SCP.
      
      The SCPI and the associated MHU drivers are moved into a `drivers`
      folder in CSS. The new SCP communication abstraction layer is added
      in the `drivers/scp` folder. The existing CSS power management
      uses the new APIs to reflect this abstraction.
      
      Change-Id: I7d775129fc0558e9703c2724523fb8f0a916838c
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      b12a2b49