Skip to content

GitLab

Switch branch/tag
  1. 17 Apr, 2018 1 commit
  3. 12 Apr, 2018 1 commit
  5. 27 Mar, 2018 1 commit
    • Joel Hutton's avatar
      Clean usage of void pointers to access symbols · 9f85f9e3
      Joel Hutton authored 
      

Void pointers have been used to access linker symbols, by declaring an
extern pointer, then taking the address of it. This limits symbols
values to aligned pointer values. To remove this restriction an
IMPORT_SYM macro has been introduced, which declares it as a char
pointer and casts it to the required type.

Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9f85f9e3
  7. 26 Mar, 2018 1 commit
  9. 21 Mar, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Rename 'smcc' to 'smccc' · 085e80ec
      Antonio Nino Diaz authored 
      

When the source code says 'SMCC' it is talking about the SMC Calling
Convention. The correct acronym is SMCCC. This affects a few definitions
and file names.

Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
but the old files have been kept for compatibility, they include the
new ones with an ERROR_DEPRECATED guard.

Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      085e80ec
  11. 14 Mar, 2018 2 commits
  13. 28 Feb, 2018 3 commits
  15. 27 Feb, 2018 6 commits
  17. 15 Feb, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Redefine SMC_UNK as -1 instead of 0xFFFFFFFF · 4abd7fa7
      Antonio Nino Diaz authored 
      

According to the SMC Calling Convention (ARM DEN0028B):

    The Unknown SMC Function Identifier is a sign-extended value of
    (-1) that is returned in R0, W0 or X0 register.

The value wasn't sign-extended because it was defined as a 32-bit
unsigned value (0xFFFFFFFF).

SMC_PREEMPT has been redefined as -2 for the same reason.

NOTE: This might be a compatibility break for some AArch64 platforms
that don't follow the previous version of the SMCCC (ARM DEN0028A)
correctly. That document specifies that only the bottom 32 bits of the
returned value must be checked. If a platform relies on the top 32 bits
of the result being 0 (so that SMC_UNK is 0x00000000FFFFFFFF), it will
have to fix its code to comply with the SMCCC.

Change-Id: I7f7b109f6b30c114fe570aa0ead3c335383cb54d
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      4abd7fa7
  19. 01 Feb, 2018 1 commit
    • Masahiro Yamada's avatar
      zlib: add gunzip() support · c43d6851
      Masahiro Yamada authored 
      

This commit adds some more files to use zlib from TF.

To use zlib, ->zalloc and ->zfree hooks are needed.  The implementation
depends on the system.  For user-space, the libc provides malloc() and
friends.  Unfortunately, ARM Trusted Firmware does not provide malloc()
or any concept of dynamic memory allocation.

I implemented very simple calloc() and free() for this.  Stupidly,
zfree() never frees memory, but it works enough for this.

The purpose of using zlib is to implement gunzip() - this function
takes compressed data from in_buf, then dumps the decompressed data
to oub_buf.  The work_buf is used for memory allocation during the
decompress.  Upon exit, it updates in_buf and out_buf.  If successful,
in_buf points to the end of input data, out_buf to the end of the
decompressed data.

To use this feature, you need to do:

 - include lib/zlib/zlib.mk from your platform.mk

 - add $(ZLIB_SOURCES) to your BL*_SOURCES
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      c43d6851
  21. 31 Jan, 2018 2 commits
  23. 29 Jan, 2018 2 commits
  25. 22 Jan, 2018 1 commit
    • Julius Werner's avatar
      Make div_round_up() correct for divisors that are not a power of 2 · 7baa7bca
      Julius Werner authored 
      

The current div_round_up() implementation relies on round_up() which
only works correctly for boundaries that are a power of 2. It is
documented as such, but this still seems dangerously easy to overlook,
especially since many other environments (e.g. the Linux kernel) have a
similar macro without these limitations.

There is a different way to calculate this that can deal with all kinds
of divisors without other drawbacks, so let's just use that instead.

Change-Id: Id382736683f5d4e880ef00c53cfa23a2f9208440
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      7baa7bca
  27. 19 Jan, 2018 1 commit
    • Julius Werner's avatar
      Add platform-independent coreboot support library · 3429c77a
      Julius Werner authored 
      

This patch adds the foundation for a platform-independent coreboot
support library that can be shared by all platforms that boot BL31 from
coreboot (acting as BL2). It adds code to parse the "coreboot table", a
data structure that coreboot uses to communicate different kinds of
information to later-stage firmware and certain OS drivers.

As a first small use case for this information, allow platforms to
access the serial console configuration used by coreboot, removing the
need to hardcode base address and divisors and allowing Trusted Firmware
to benefit from coreboot's user configuration (e.g. which UART to pick
and which baud rate to use).

Change-Id: I2bfb39cd2609ce6640b844ab68df6c9ae3f28e9e
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      3429c77a
  29. 18 Jan, 2018 3 commits
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 for Cortex A9, A15 and A17 · e4b34efa
      Dimitris Papastamos authored 
      

A per-cpu vbar is installed that implements the workaround by
invalidating the branch target buffer (BTB) directly in the case of A9
and A17 and indirectly by invalidating the icache in the case of A15.

For Cortex A57 and A72 there is currently no workaround implemented
when EL3 is in AArch32 mode so report it as missing.

For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
no changes since there is currently no upstream AArch32 EL3 support
for these CPUs.

Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      e4b34efa
    • Dimitris Papastamos's avatar
      sp_min: Implement workaround for CVE-2017-5715 · 7343505d
      Dimitris Papastamos authored 
      

This patch introduces two workarounds for ARMv7 systems.  The
workarounds need to be applied prior to any `branch` instruction in
secure world.  This is achieved using a custom vector table where each
entry is an `add sp, sp, #1` instruction.

On entry to monitor mode, once the sequence of `ADD` instructions is
executed, the branch target buffer (BTB) is invalidated.  The bottom
bits of `SP` are then used to decode the exception entry type.

A side effect of this change is that the exception vectors are
installed before the CPU specific reset function.  This is now
consistent with how it is done on AArch64.

Note, on AArch32 systems, the exception vectors are typically tightly
integrated with the secure payload (e.g. the Trusted OS).  This
workaround will need porting to each secure payload that requires it.

The patch to modify the AArch32 per-cpu vbar to the corresponding
workaround vector table according to the CPU type will be done in a
later patch.

Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7343505d
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored 
      

This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1.  This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.

Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  31. 16 Jan, 2018 1 commit
  33. 11 Jan, 2018 7 commits
    • Dimitris Papastamos's avatar
      Add hooks to save/restore AMU context for Cortex A75 · 53bfb94e
      Dimitris Papastamos authored 
      

Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      53bfb94e
    • Dimitris Papastamos's avatar
      AMU: Add hooks to save/restore AMU context · b6eb3932
      Dimitris Papastamos authored 
      

On some systems, the AMU counters might reset to 0 when a CPU
powerdown happens.  This behaviour conflicts with the intended
use-case of AMU as lower ELs are only expected to see non-decreasing
counter values.

Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      b6eb3932
    • Dimitris Papastamos's avatar
      AMU: Add configuration helpers for aarch64 · 0767d50e
      Dimitris Papastamos authored 
      

Add some AMU helper functions to allow configuring, reading and
writing of the Group 0 and Group 1 counters.  Documentation for these
helpers will come in a separate patch.

Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      0767d50e
    • Dimitris Papastamos's avatar
      AMU: Add plat interface to select which group 1 counters to enable · 59902b7c
      Dimitris Papastamos authored 
      

A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
group 1 counters should be enabled. The maximum number of group 1
counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
If the platform does not define this mask, no group 1 counters are
enabled.

A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
generic code to allocate an array to save and restore the counters on
CPU suspend.

Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      59902b7c
    • Dimitris Papastamos's avatar
      Add PubSub events for CPU powerdown/powerup · 7593252c
      Dimitris Papastamos authored 
      

The suspend hook is published at the start of a CPU powerdown
operation.  The resume hook is published at the end of a CPU powerup
operation.

Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7593252c
    • Dimitris Papastamos's avatar
      Use PFR0 to identify need for mitigation of CVE-2017-5915 · 780edd86
      Dimitris Papastamos authored 
      

If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A75.

Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      780edd86
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A73 and A75 · a1781a21
      Dimitris Papastamos authored 
      

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables.  There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround.  The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled.  This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`.  This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored.  The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions.  Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1.  Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      a1781a21
  35. 12 Dec, 2017 1 commit
    • Julius Werner's avatar
      utils_def: Add REGSZ and make BIT() assembly-compatible · 155a1006
      Julius Werner authored 
      

In assembly code it can be useful to have a constant for the width of a
register in the current architecture, so this patch adds one to
<utils_def.h> and replaces the existing custom one in crash_reporting.S
with that. It also fixes up the BIT() macro in the same file so that it
can be safely used in assembly code.

Change-Id: I10513a311f3379e767396e6ddfbae8d2d8201464
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      155a1006
  37. 06 Dec, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Move S-EL1/S-EL0 xlat tables to TZC DRAM · 45d640f0
      Antonio Nino Diaz authored 
      

A new platform define, `PLAT_SP_IMAGE_XLAT_SECTION_NAME`, has been
introduced to select the section where the translation tables used by
the S-EL1/S-EL0 are placed.

This define has been used to move the translation tables to DRAM secured
by TrustZone.

Most of the extra needed space in BL31 when SPM is enabled is due to the
large size of the translation tables. By moving them to this memory
region we can save 44 KiB.

A new argument has been added to REGISTER_XLAT_CONTEXT2() to specify the
region where the translation tables have to be placed by the linker.

Change-Id: Ia81709b4227cb8c92601f0caf258f624c0467719
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      45d640f0
  39. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored 
      

This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
to one EL3 will check to see if the Scalable Vector Extension (SVE) is
implemented when entering and exiting the Non-secure world.

If SVE is implemented, EL3 will do the following:

- Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.

- Exit from Non-secure world: SIMD, FP and SVE functionality is
  disabled. As SIMD and FP registers are part of the SVE Z-registers
  then any use of SIMD / FP functionality would corrupt the SVE
  registers.

The build option default is 1. The SVE functionality is only supported
on AArch64 and so the build option is set to zero when the target
archiecture is AArch32.

This build option is not compatible with the CTX_INCLUDE_FPREGS - an
assert will be raised on platforms where SVE is implemented and both
ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.

Also note this change prevents secure world use of FP&SIMD registers on
SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
such platforms unless ENABLE_SVE_FOR_NS is set to 0.

Additionally, on the first entry into the Non-secure world the SVE
functionality is enabled and the SVE Z-register length is set to the
maximum size allowed by the architecture. This includes the use case
where EL2 is implemented but not used.

Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  41. 29 Nov, 2017 2 commits