GitLab

This patch adds the TSPD service which is responsible for managing
communication between the non-secure state and the Test Secure Payload
(TSP) executing in S-EL1.

The TSPD does the following:

1. Determines the location of the TSP (BL3-2) image and passes control
   to it for initialization. This is done by exporting the 'bl32_init()'
   function.

2. Receives a structure containing the various entry points into the TSP
   image as a response to being initialized. The TSPD uses this
   information to determine how the TSP should be entered depending on
   the type of operation.

3. Implements a synchronous mechanism for entering into and returning
   from the TSP image. This mechanism saves the current C runtime
   context on top of the current stack and jumps to the TSP through an
   ERET instruction. The TSP issues an SMC to indicate completion of the
   previous request. The TSPD restores the saved C runtime context and
   resumes TSP execution.

This patch also introduces a Make variable 'SPD' to choose the specific
SPD to include in the build. By default, no SPDs are included in the
build.

Change-Id: I124da5695cdc510999b859a1bf007f4d049e04f3
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

If there is a request to open a file from FIP, and that file is not
found, the driver fails to reset the offset address. This causes
subsequent file loads to fail.

This patch resets the offset address to zero if a file is not found so
that subsequent file loads are unaffected.

Change-Id: I16418e35f92fb7c85fb12e2acc071990520cdef8

This patch adds a simple TSP as the BL3-2 image. The secure payload
executes in S-EL1. It paves the way for the addition of the TSP
dispatcher runtime service to BL3-1. The TSP and the dispatcher service
will serve as an example of the runtime firmware's ability to toggle
execution between the non-secure and secure states in response to SMC
request from the non-secure state.  The TSP will be replaced by a
Trusted OS in a real system.

The TSP also exports a set of handlers which should be called in
response to a PSCI power management event e.g a cpu being suspended or
turned off. For now it runs out of Secure DRAM on the ARM FVP port and
will be moved to Secure SRAM later. The default translation table setup
code assumes that the caller is executing out of secure SRAM. Hence the
TSP exports its own translation table setup function.

The TSP only services Fast SMCs, is non-reentrant and non-interruptible.
It does arithmetic operations on two sets of four operands, one set
supplied by the non-secure client, and the other supplied by the TSP
dispatcher in EL3. It returns the result according to the Secure Monitor
Calling convention standard.

This TSP has two functional entry points:

- An initial, one-time entry point through which the TSP is initialized
  and prepares for receiving further requests from secure
  monitor/dispatcher

- A fast SMC service entry point through which the TSP dispatcher
  requests secure services on behalf of the non-secure client

Change-Id: I24377df53399307e2560a025eb2c82ce98ab3931
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch creates a 'services' directory and moves the PSCI under
it. Other runtime services e.g. the Secure Payload Dispatcher service
will be placed under the same directory in the future.

Also fixes issue ARM-software/tf-issues#12

Change-Id: I187f83dcb660b728f82155d91882e961d2255068

This patch adds the ability to specify the base address of a UART
device for initialising the console. This allows a boot loader stage
to use a different UART device from UART0 (default) for the console.

Change-Id: Ie60b927389ae26085cfc90d22a564ff83ba62955

This patch factors out the ARM FVP specific code to create MMU
translation tables so that it is possible for a boot loader stage to
create a different set of tables instead of using the default ones.
The default translation tables are created with the assumption that
the calling boot loader stage executes out of secure SRAM. This might
not be true for the BL3_2 stage in the future.

A boot loader stage can define the `fill_xlation_tables()` function as
per its requirements. It returns a reference to the level 1
translation table which is used by the common platform code to setup
the TTBR_EL3.

This patch is a temporary solution before a larger rework of
translation table creation logic is introduced.

Change-Id: I09a075d5da16822ee32a411a9dbe284718fb4ff6

This patch adds the following support to the BL3-1 stage:

1. BL3-1 allows runtime services to specify and determine the security
   state of the next image after BL3-1. This has been done by adding
   the `bl31_set_next_image_type()` & `bl31_get_next_image_type()`
   apis. The default security state is non-secure. The platform api
   `bl31_get_next_image_info()` has been modified to let the platform
   decide which is the next image in the desired security state.

2. BL3-1 exports the `bl31_prepare_next_image_entry()` function to
   program entry into the target security state. It uses the apis
   introduced in 1. to do so.

3. BL3-1 reads the information populated by BL2 about the BL3-2 image
   into its internal data structures.

4. BL3-1 introduces a weakly defined reference `bl32_init()` to allow
   initialisation of a BL3-2 image. A runtime service like the Secure
   payload dispatcher will define this function if present.

Change-Id: Icc46dcdb9e475ce6575dd3f9a5dc7a48a83d21d1

This patch adds support for loading a BL3-2 image in BL2. In case a
BL3-2 image is found, it also passes information to BL3-1 about where it
is located and the extents of memory available to it. Information about
memory extents is populated by platform specific code.

The documentation has also been updated to reflect the above changes.

Change-Id: I526b2efb80babebab1318f2b02e319a86d6758b0
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch reworks BL2 to BL3-1 hand over interface by introducing a
composite structure (bl31_args) that holds the superset of information
that needs to be passed from BL2 to BL3-1.

  - The extents of secure memory available to BL3-1
  - The extents of memory available to BL3-2 (not yet implemented) and
    BL3-3
  - Information to execute BL3-2 (not yet implemented) and BL3-3 images

This patch also introduces a new platform API (bl2_get_bl31_args_ptr)
that needs to be implemented by the platform code to export reference to
bl31_args structure which has been allocated in platform-defined memory.

The platform will initialize the extents of memory available to BL3-3
during early platform setup in bl31_args structure. This obviates the
need for bl2_get_ns_mem_layout platform API.

BL2 calls the bl2_get_bl31_args_ptr function to get a reference to
bl31_args structure. It uses the 'bl33_meminfo' field of this structure
to load the BL3-3 image. It sets the entry point information for the
BL3-3 image in the 'bl33_image_info' field of this structure. The
reference to this structure is passed to the BL3-1 image.

Also fixes issue ARM-software/tf-issues#25

Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517

This patch adds guards so that an exception vector exceeding 32
instructions will generate a compile-time error. This keeps the
exception handlers in check from spilling over.

Change-Id: I7aa56dd0071a333664e2814c656d3896032046fe

This patch increases coherent stack size for both debug and release
builds in order to accommodate stack-heavy printf() and extended EL3
functionality

Change-Id: I30ef30530a01517a97e63d703873374828c09f20

This patch uses the reworked exception handling support to handle
runtime service requests through SMCs following the SMC calling
convention. This is a giant commit since all the changes are
inter-related. It does the following:

1. Replace the old exception handling mechanism with the new one
2. Enforce that SP_EL0 is used C runtime stacks.
3. Ensures that the cold and warm boot paths use the 'cpu_context'
   structure to program an ERET into the next lower EL.
4. Ensures that SP_EL3 always points to the next 'cpu_context'
   structure prior to an ERET into the next lower EL
5. Introduces a PSCI SMC handler which completes the use of PSCI as a
   runtime service

Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852
Co-authored-by: Achin Gupta <achin.gupta@arm.com>

This patch introduces the reworked exception handling logic which lays
the foundation for accessing runtime services in later patches. The
type of an exception has a greater say in the way it is
handled. SP_EL3 is used as the stack pointer for:

1. Determining the type of exception and handling the unexpected ones
   on the exception stack

2. Saving and restoring the essential general purpose and system
   register state after exception entry and prior to exception exit.

SP_EL0 is used as the stack pointer for handling runtime service
requests e.g. SMCs. A new structure for preserving general purpose
register state has been added to the 'cpu_context' structure. All
assembler ensures that it does not use callee saved registers
(x19-x29). The C runtime preserves them across functions calls. Hence
EL3 code does not have to save and restore them explicitly.

Since the exception handling framework has undergone substantial change,
the changes have been kept in separate files to aid readability. These
files will replace the existing ones in subsequent patches.

Change-Id: Ice418686592990ff7a4260771e8d6676e6c8c5ef

This patch introduces the framework to enable registration and
initialisation of runtime services. PSCI is registered and initialised
as a runtime service. Handling of runtime service requests will be
implemented in subsequent patches.

Change-Id: Id21e7ddc5a33d42b7d6e455b41155fc5441a9547

This patch uses the context library to save and restore EL3 state on
the 'cpu_context' data structures allocated by PSCI for managing
non-secure state context on each cpu.

Change-Id: I19c1f26578204a7cd9e0a6c582ced0d97ee4cf80

This patch adds support for a cpu context management library. This
library will be used to:

1. Share pointers to secure and non-secure state cpu contexts between
   runtime services e.g. PSCI and Secure Payload Dispatcher services
2. Set SP_EL3 to a context structure which will be used for
   programming an ERET into a lower EL
3. Provide wrapper functions to save and restore EL3 & EL1
   state. These functions will in turn use the helper functions in
   context.S

Change-Id: I655eeef83dcd2a0c6f2eb2ac23efab866ac83ca0

This patch introduces functions for saving and restoring shared system
registers between secure and non-secure EL1 exception levels, VFP
registers and essential EL3 system register and other state. It also
defines the 'cpu_context' data structure which will used for saving and
restoring execution context for a given security state. These functions
will allow runtime services like PSCI and Secure payload dispatcher to
implement logic for switching between the secure and non-secure states.

The save and restore functions follow AArch64 PCS and only use
caller-saved temporary registers.

Change-Id: I8ee3aaa061d3caaedb28ae2c5becb9a206b6fd74

This patch ensures that VBAR_EL3 points to the simple stack-less
'early_exceptions' when the C runtime stack is not correctly setup to
use the more complex 'runtime_exceptions'. It is initialised to
'runtime_exceptions' once this is done.

This patch also moves all exception vectors into a '.vectors' section
and modifies linker scripts to place all such sections together. This
will minimize space wastage from alignment restrictions.

Change-Id: I8c3e596ea3412c8bd582af9e8d622bb1cb2e049d

The SynchronousExceptionA64 vector has gone beyond the 32-instruction
limit for individual exception vector. This patch splits and relocates
the exception handler so that it fits into the 32-instruction window.

Change-Id: Ic60c4fc3f09a1cb071d63ff0e58353ecaecbb62f

This patch moves the translation tables into their own section. This
saves space that would otherwise have been lost in padding due to page
table alignment constraints. The BL31 and BL32 bases have been
consequently adjusted.

Change-Id: Ibd65ae8a5ce4c4ea9a71a794c95bbff40dc63e65

This fixes ARM-software/tf-issues#9

Change-Id: Id57037115b8762efc9eaf5ff41887b71d6494c5d

The Firmware Image Package (FIP) driver allows for data to be loaded
from a FIP on platform storage. The FVP supports loading bootloader
images from a FIP located in NOR FLASH.

The implemented FVP policy states that bootloader images will be
loaded from a FIP in NOR FLASH if available and fall back to loading
individual images from semi-hosting.

NOTE:
- BL3-3(e.g. UEFI) is loaded into DRAM and needs to be configured
  to run from the BL33_BASE address. This is currently set to
  DRAM_BASE+128MB for the FVP.

Change-Id: I2e4821748e3376b5f9e467cf3ec09509e43579a0

This tool can be used to create a Firmware Image Packages (FIP). These
FIPs store a combined set of firmware images with a Table of Contents
(ToC) that can be loaded by the firmware from platform storage.

- Add uuid.h from FreeBSD.
- Use symbolic links to shared headers otherwise unwanted headers and
  definitions are pulled in.
- A FIP is created as part of the default FVP build.
- A BL3-3 image(e.g. UEFI) must be provided.

Change-Id: Ib73feee181df2dba68bf6abec115a83cfa5e26cb

The modified implementation uses the IO abstraction rather than
making direct semi-hosting calls.  The semi-hosting driver is now
registered for the FVP platform during initialisation of each boot
stage where it is used.  Additionally, the FVP platform includes a
straightforward implementation of 'plat_get_image_source' which
provides a generic means for the 'load_image' function to determine
how to access the image data.

Change-Id: Ia34457b471dbee990c7b3c79de7aee4ceea51aa6

This is intended primarily for use as a storage abstraction.
It allows operations such as image-loading to be implemented
in a platform-independent fashion.  Each platform registers
a set of IO drivers during initialisation.  The platform must
also provide a function that will return a device and a specifier
that can be used to access specified content.

Clients of the API will primarily use device and entity handles.
The term "entity" is deliberately vague, to allow for different
representations of content accessed using different types of
specifier, but will often be interpreted as a "file" where the
specifier will normally be its path.

This commit builds, but is intended to be paired with a sample
implementation of "load_image" using a semi-hosting driver on FVP.

Change-Id: Id3b52f1c0eb9ce76b44b99fc6b6460803668cc86

Also fix warnings generated in release builds when assert code
is absent.

Change-Id: I45b9173d3888f9e93e98eb5b4fdc06727ba5cbf4

Change-Id: Ic6cf19402a0936161baf6b91bf75d64d95269a3c

memmove needs to allow for overlapping memory regions and, together
with memcpy, should return the input destination pointer, not the
address after the end of the copied data.

fixes ARM-software/tf-issues#18
Signed-off-by: Jon Medhurst <tixy@linaro.org>

New phony Makefile targets have been added:

 * checkcodebase
 * checkpatch

The checkcodebase target will run a Linux style compliance check over the
entire codebase, and honours the V=1 Makefile verbose setting and so will
show more information when this is enabled.

If the local directory is a git checkout then the output of git ls-files is
used to decide which files to test for compliance.  If the local directory
is not under git control then a 'best attempt' is made, but in this case it
should be noted that it is possible for additional non-codebase files to be
tested, so care should be taken when parsing the output.

The checkpatch target will compare local changes against the git origin/master
to allow issues with the last set of changes to be identified.  To override
the change comparision location, set the BASE_COMMIT variable to your
desired git branch.

Both targets rely on the Linux source tree script checkpatch.pl to do the
syntax checking, and expects that the CHECKPATCH environment variable points
to the location of this file.

Notes on the usage of these targets have been added to the contributing.md
and docs/user-guide.md text files.

Change-Id: I6d73c97af578e24a34226d972afadab9d30f1d8d

Fixes arm-software/tf-issues#15
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>

The last CPU in a cluster is responsible for issuing the cluster power
down request to the FVP power controller. If another CPU in this
cluster wakes up before the last CPU enters WFI then the cluster power
down request remains pending. If this request is not cancelled and the
newly woken up CPU enters a simple WFI later, the power controller
powers the cluster down. This leads to unpredictable behaviour.

This patch fixes this issue by ensuring that the first CPU to wake up
in a cluster writes its MPIDR to the power controller's PPONR. This
cancels any pending cluster power down request.

Change-Id: I7e787adfd6c9a0bd7308390e3309d46f35c01086

The psci implementation does not track target affinity level requests
specified during cpu_suspend calls correctly as per the following
example.

1. cpu0.cluster0 calls cpu_suspend with the target affinity level as 0
2. Only the cpu0.cluster0 is powered down while cluster0 remains
   powered up
3. cpu1.cluster0 calls cpu_off to power itself down to highest
   possible affinity level
4. cluster0 will be powered off even though cpu0.cluster0 does not
   allow cluster shutdown

This patch introduces reference counts at affinity levels > 0 to track
the number of cpus which want an affinity instance at level X to
remain powered up. This instance can be turned off only if its
reference count is 0. Cpus still undergo the normal state transitions
(ON, OFF, ON_PENDING, SUSPEND) but the higher levels can only be
either ON or OFF depending upon their reference count.

The above issue is thus fixed as follows:

1. cluster0's reference count is incremented by two when cpu0 and cpu1
   are initially powered on.

2. cpu0.cluster0 calls cpu_suspend with the target affinity level as
   0. This does not affect the cluster0 reference count.

3. Only the cpu0.cluster0 is powered down while cluster0 remains
   powered up as it has a non-zero reference count.

4. cpu1.cluster0 call cpu_off to power itself down to highest possible
   affinity level. This decrements the cluster0 reference count.

5. cluster0 is still not powered off since its reference count will at
   least be 1 due to the restriction placed by cpu0.

Change-Id: I433dfe82b946f5f6985b1602c2de87800504f7a9

This patch adds support to save and restore the target affinity level
specified during a cpu_suspend psci call. This ensures that we
traverse only through the affinity levels that we originally intended
to after resuming from suspend.

Change-Id: I0900ae49a50b496da137cfec8f158da0397ec56c

The secure context saved and restored across a cpu_suspend operation
can be more than just the state of the secure system registers e.g. we
also need to save the affinity level till which the cpu is being
powered down. This patch creates a suspend_context data structure
which includes the system register context. This will allow other bits
to be saved and restored as well in subsequent patches.

Change-Id: I1c1f7d25497388b54b7d6ee4fab77e8c6a9992c4

The FVP platform has a few filenames that begin with fvp_.  These are
renamed to plat_ to make it easier to use the FVP port as a template.

Change-Id: I601e6256d5ef3bae81a2e1f5df6de56db5b27069
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>

Add the 'help' target to the Makefile to present a brief guide to the
various build options available.

Change-Id: Ic3a3489860b6362eb236470ea6b43a16a1b2fe3a
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>

Tidy up the spacing of variable definitions within the makefiles to make
them more consistent, easier to read and amend.

Change-Id: Ic6d7c8489ca4330824abb5cd1ead8f1d449d1a85
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>

Move all explicit platform or architecture specific references
into a new platform.mk file that is defined for each platform.

Change-Id: I9d6320d1ba957e0cc8d9b316b3578132331fa428
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>

This patch replaces the empty definition of display_boot_progress() in
bl2_main.c with a weak definition. The former allowed bl2 to use the
early_exceptions(). It is possible to do that with a simple weak
definition as well.

Change-Id: Idb3f425a5e265f3579b638e3d26bd8c9bb78f80d

Ctags seem to have a problem with generating tags for assembler symbols
when a comment immediately follows an assembly label.

This patch inserts a single space character between the label
definition and the following comments to help ctags.

The patch is generated by the command:

  git ls-files -- \*.S | xargs sed -i 's/^\([^:]\+\):;/\1: ;/1'

Change-Id: If7a3c9d0f51207ea033cc8b8e1b34acaa0926475