1. 26 Nov, 2018 1 commit
    • Initial Spectre V1 mitigations (CVE-2017-5753). · 9edd8912
      Joel Hutton authored
      Initial Spectre Variant 1 mitigations (CVE-2017-5753).
      A potential speculative data leak was found in PSCI code, this depends
      on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
      function. This is considered very low-risk. This patch adds a macro to
      mitigate this. Note not all code paths could be analyzed with current
      tools.
      
      Add a macro which makes a variable 'speculation safe', using the
       __builtin_speculation_safe_value function of GCC and llvm. This will be
      available in GCC 9, and is planned for llvm, but is not currently in
      mainline GCC or llvm. In order to implement this mitigation the compiler
      must support this builtin. Support is indicated by the
      __HAVE_SPECULATION_SAFE_VALUE flag.
      
      The -mtrack-speculation option maintains a 'tracker' register, which
      determines if the processor is in false speculation at any point. This
      adds instructions and increases code size, but avoids the performance
      impact of a hard barrier.
      
      Without the -mtrack-speculation option, __builtin_speculation_safe_value
      expands to a
      
          ISB
          DSB SY
      
      sequence after a conditional branch, before the
      speculation safe variable is used. With -mtrack-speculation a
      
          CSEL tracker, tracker, XZR, [cond];
          AND safeval,tracker;
          CSDB
      
      sequence is added instead, clearing the vulnerable variable by
      AND'ing it with the tracker register, which is zero during speculative
      execution. [cond] are the status flags which will only be true during
      speculative execution. For more information on
      __builtin_speculation_safe_value and the -mtrack-speculation option see
      https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations
      
      
      
      The -mtracking option was not added, as the performance impact of the
      mitigation is low, and there is only one occurrence.
      
      Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
      Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
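How a macro of the kind described in commit 9edd8912 is applied, as an added example that is not TF-A's own code: the index is made speculation safe after its bounds check and before it forms a load address. Only `__builtin_speculation_safe_value` and `__HAVE_SPECULATION_SAFE_VALUE` come from the commit message; `SPECULATION_SAFE`, `core_pos_by_mpidr`, `read_core_state` and the table are hypothetical names and constructed data.

```c
#include <stdint.h>

/*
 * Hypothetical macro name. The compiler defines __HAVE_SPECULATION_SAFE_VALUE
 * when the builtin exists; without it the macro is a pass-through and
 * provides no mitigation.
 */
#ifdef __HAVE_SPECULATION_SAFE_VALUE
#define SPECULATION_SAFE(var) ((var) = __builtin_speculation_safe_value(var))
#else
#define SPECULATION_SAFE(var) ((void)(var))
#endif

#define CORE_COUNT 4U    /* constructed platform size */

/* Constructed per-core table; stands in for data indexed by core position. */
static const uint32_t core_state[CORE_COUNT] = { 0x10, 0x11, 0x12, 0x13 };

/*
 * Constructed stand-in for a non-robust MPIDR-to-index conversion: it returns
 * the low affinity byte without clamping, so the caller must range-check.
 */
static int core_pos_by_mpidr(uint64_t mpidr)
{
    return (int)(mpidr & 0xffU);
}

/* Returns 0 and writes *out on success, -1 if mpidr names no valid core. */
int read_core_state(uint64_t mpidr, uint32_t *out)
{
    int pos = core_pos_by_mpidr(mpidr);

    if (pos < 0 || (unsigned int)pos >= CORE_COUNT)
        return -1;

    /*
     * Architecturally pos is in range here, but the branch above may have
     * been mispredicted. Sanitise pos before it feeds the load address.
     */
    SPECULATION_SAFE(pos);

    *out = core_state[pos];
    return 0;
}
```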
  2. 23 Nov, 2018 1 commit
    • juno: Add romlib support · afa5cfea
      Sathees Balya authored
      
      
      This patch adds support to build a combined BL1
      and ROMLIB binary file with the right page
      alignment in Juno. When USE_ROMLIB=1 is set for
      Juno, it generates the combined file
      bl1_romlib.bin which needs to be used instead of
      bl1.bin
      
      Change-Id: I407efbe48d3e522fa6ef855538a9587193cb1919
      Signed-off-by: Sathees Balya <sathees.balya@arm.com>
  3. 22 Nov, 2018 4 commits
    • romlib: Add map file generation · 582133a8
      Sathees Balya authored
      
      
      Change-Id: I1f377d2d94c0fe8d2d9e62614f4a8e2dfcd9e745
      Signed-off-by: Sathees Balya <sathees.balya@arm.com>
    • romlib: Add calloc_free register function · 032e3a6c
      Sathees Balya authored
      
      
      Register functions have to be added to the
      jump table to allow patching in the
      future
      
      Change-Id: I57a885f7fc6290ea74a6096aea5b1867b2098eb7
      Signed-off-by: Sathees Balya <sathees.balya@arm.com>
    • romlib: Allow patching of romlib functions · 6baf85b3
      Sathees Balya authored
      
      
      This change allows patching of functions in the
      romlib. This can be done by adding "patch" at the
      end of the jump table entry for the function that
      needs to be patched in the file jmptbl.i.
      Functions patched in the jump table list will be
      built as part of the BL image and the romlib
      version will not be used
      
      Change-Id: Iefb200cb86e2a4b61ad3ee6180d3ecc39bad537f
      Signed-off-by: Sathees Balya <sathees.balya@arm.com>
    • xlat v2: Support mapping regions with allocated VA · 9056f108
      Antonio Nino Diaz authored
      
      
      Provide new APIs to add new regions without specifying the base VA.
      
      - `mmap_add_region_alloc_va` adds a static region to mmap choosing as
        base VA the first possible address after all the currently mapped
        regions. It is aligned to an appropriate boundary in relation to the
        size and base PA of the requested region. No attempt is made to fill
        any unused VA holes.
      
      - `mmap_add_dynamic_region_alloc_va` adds a region the same way as
        `mmap_add_region_alloc_va` does, but it's dynamic instead of static.
      
      - `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
        maps them in the same way as `mmap_add_region_alloc_va` and fills
        their `base_va` field. A helper macro has been created to help create
        the array, called `MAP_REGION_ALLOC_VA`.
      
      Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  4. 06 Nov, 2018 2 commits
  5. 02 Nov, 2018 2 commits
  6. 01 Nov, 2018 2 commits
  7. 30 Oct, 2018 1 commit
    • libfdt: Downgrade to version 1.4.6-9 · 00f588bf
      Antonio Nino Diaz authored
      
      
      Version 1.4.7 introduces a big performance hit to functions that access
      the FDT. Downgrade the library to version 1.4.6-9, before the changes
      that introduce the problem. Version 1.4.6 isn't used because one of the
      libfdt files (fdt_overlay.c) is missing the license header. This
      problem is also fixed in 1.4.6-9.
      
      This version corresponds to commit <aadd0b65c987> checks: centralize
      printing of property names in failure messages.
      
      Fixes ARM-software/tf-issues#643
      
      Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  8. 29 Oct, 2018 6 commits
    • Fix MISRA defects in PMF · 195e363f
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: I64abd72026082218a40b1a4b8f7dc26ff2478ba6
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
    • Fix MISRA defects in workaround and errata framework · 43534997
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: Iaab0310848be587b635ce5339726e92a50f534e0
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
    • Fix MISRA defects in extension libs · 40daecc1
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: I2f28f20944f552447ac4e9e755493cd7c0ea1192
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
    • PIE: Position Independent Executable support for BL31 · 931f7c61
      Soby Mathew authored
      
      
      This patch introduces Position Independent Executable (PIE) support
      in TF-A. As an initial prototype, only BL31 can support PIE. A trivial
      dynamic linker is implemented which supports fixing up Global Offset
      Table (GOT) and Dynamic relocations (.rela.dyn). The fixup_gdt_reloc()
      helper function implements this linker and this needs to be called
      early in the boot sequence prior to invoking C functions. The GOT is
      placed in the RO section of BL31 binary for improved security and the
      BL31 linker script is modified to export the appropriate symbols
      required for the dynamic linker.
      
      The C compiler always generates PC relative addresses to linker symbols
      and hence referencing symbols exporting constants are a problem when
      relocating the binary. Hence the reference to the
      `__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
      at runtime based on start and end addresses.
      
      Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
      Signed-off-by: Soby Mathew <soby.mathew@arm.com>
    • Make errata reporting mandatory for CPU files · 12af5ed4
      Soby Mathew authored
      
      
      Previously the errata reporting was optional for CPU operation
      files and this was achieved by making use of weak reference to
      resolve to 0 if the symbol is not defined. This is error prone
      when adding new CPU operation files and weak references are
      problematic when fixing up dynamic relocations. Hence this patch
      removes the weak reference and makes it mandatory for the CPU
      operation files to define the errata reporting function.
      
      Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
      Signed-off-by: Soby Mathew <soby.mathew@arm.com>
    • PIE: Use PC relative adrp/adr for symbol reference · f1722b69
      Soby Mathew authored
      
      
      This patch fixes up the AArch64 assembly code to use
      adrp/adr instructions instead of ldr instruction for
      reference to symbols. This allows these assembly
      sequences to be Position Independent. Note that the
      references to sizes have been replaced with
      calculation of size at runtime. This is because size
      is a constant value and does not depend on execution
      address and using PC relative instructions for loading
      them makes them relative to execution address. Also
      we cannot use `ldr` instruction to load size as it
      generates a dynamic relocation entry which must *not*
      be fixed up and it is difficult for a dynamic loader
      to differentiate which entries need to be skipped.
      
      Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
      Signed-off-by: Soby Mathew <soby.mathew@arm.com>
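A simplified C model of the load-time fixup that commits 931f7c61 and f1722b69 describe, added here as an example; it is not `fixup_gdt_reloc()` itself. The range check on GOT values, all names (`fixup_image`, `rela_t`, `run_sample`) and the sample data are assumptions, chosen to show why a size constant cannot safely be left to the loader.

```c
#include <stdint.h>
#include <string.h>

#define R_AARCH64_RELATIVE 1027U      /* AArch64 ELF relocation type */

typedef struct {                      /* same layout as Elf64_Rela */
    uint64_t r_offset;
    uint64_t r_info;
    int64_t  r_addend;
} rela_t;

/* Patch an image linked at link_base that now runs at run_base. Returns the
 * number of words patched, or -1 on an entry it cannot handle. */
int fixup_image(uint8_t *image, size_t size, uint64_t link_base,
                uint64_t run_base, uint64_t *got, size_t n_got,
                const rela_t *rela, size_t n_rela)
{
    uint64_t diff = run_base - link_base;
    int patched = 0;

    /* GOT: shift every value that looks like an address inside the image. */
    for (size_t i = 0; i < n_got; i++) {
        if (got[i] >= link_base && got[i] - link_base < size) {
            got[i] += diff;
            patched++;
        }
    }
    /* .rela.dyn: store (addend + diff) at the relocated offset. */
    for (size_t i = 0; i < n_rela; i++) {
        uint64_t off = rela[i].r_offset - link_base;
        uint64_t val = (uint64_t)rela[i].r_addend + diff;

        if ((rela[i].r_info & 0xffffffffU) != R_AARCH64_RELATIVE ||
            size < sizeof(val) || off > size - sizeof(val))
            return -1;
        memcpy(image + off, &val, sizeof(val));
        patched++;
    }
    return patched;
}

/* Constructed case: 64-byte image linked at 0x1000 and loaded at 0x9000. */
uint8_t  sample_image[64];
uint64_t sample_got[3] = {
    0x1010,     /* address of an object: must be shifted */
    0x40,       /* size constant outside the image range: left alone */
    0x1020      /* size constant that looks like an address: gets shifted */
};
const rela_t sample_rela[1] = { { 0x1020, R_AARCH64_RELATIVE, 0x1008 } };

int run_sample(void)
{
    return fixup_image(sample_image, sizeof(sample_image), 0x1000, 0x9000,
                       sample_got, 3, sample_rela, 1);
}
```

The third GOT word is a constant, yet the loader has no way to tell it from an address, which is the reason the commits compute sizes at runtime from start and end addresses instead.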
  9. 26 Oct, 2018 1 commit
    • xlat: Fix compatibility between v1 and v2 · 03987d01
      Antonio Nino Diaz authored
      
      
      There are several platforms using arm_setup_page_tables(), which is
      supposed to be Arm platform only. This creates several dependency
      problems between platforms.
      
      This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
      v2 makefile. This way it is possible to detect from C code which version
      is being used and include the correct header.
      
      The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
      moved to a common folder. This way, when in doubt, this header can be
      used to guarantee compatibility, as it includes the correct header based
      on XLAT_TABLES_LIB_V2.
      
      This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
      that is now locked in xlat lib v2) and ZynqMP (where it was added as a
      workaround).
      
      Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  10. 23 Oct, 2018 4 commits
  11. 16 Oct, 2018 2 commits
    • ti: k3: common: Do not disable cache on TI K3 core powerdown · 6a655a85
      Andrew F. Davis authored
      
      
      Leave the caches on and explicitly flush any data that
      may be stale when the core is powered down. This prevents
      non-coherent interconnect access which has negative side-
      effects on AM65x.
      Signed-off-by: Andrew F. Davis <afd@ti.com>
    • AArch64: Enable lower ELs to use pointer authentication · 3ff4aaac
      Jeenu Viswambharan authored
      
      
      Pointer authentication is an Armv8.3 feature that introduces
      instructions that can be used to authenticate and verify pointers.
      
      Pointer authentication instructions are allowed to be accessed from all
      ELs but only when EL3 explicitly allows for it; otherwise, their usage
      will trap to EL3. Since EL3 doesn't have trap handling in place, this
      patch unconditionally disables all related traps to EL3 to avoid
      potential misconfiguration leading to an unhandled EL3 exception.
      
      Fixes ARM-software/tf-issues#629
      
      Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
      Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
  12. 11 Oct, 2018 1 commit
    • psci: platform control of SYSTEM_SUSPEND entry · a4065abd
      ldts authored
      Some platforms can only resume from system suspend from the boot
      CPU, hence they should only enter that state from that same core.
      
      The following commit presents an interface that allows the platform to
      reject system suspend entry near its very last stage (last CPU).
  13. 10 Oct, 2018 2 commits
  14. 08 Oct, 2018 1 commit
    • xlat: Fix checks in mmap_add() and mmap_add_ctx() · a5fa5658
      Antonio Nino Diaz authored
      Commit 79621f00 broke sgi575.
      
      It is possible to have a region with 0 as value for the attributes. It
      means device memory, read only, secure, executable. This is legitimate
      if the code is in flash and the code is executed from there.
      
      This is the case for SGI_MAP_FLASH0_RO, defined in the file
      plat/arm/css/sgi/sgi_plat.c.
      
      This problem is solved by checking both size and attributes in xlat v1.
      In xlat v2, it is enough to check the granularity, as it can never be 0.
      
      Change-Id: I7be11f1b0e51c4c2ffd560b4a6cdfbf15de2c276
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  15. 03 Oct, 2018 3 commits
    • Mark xlat tables initialization code · aff2863f
      Daniel Boulby authored
      
      
      Mark the xlat tables code only used in BL31 initialization as
      __init to be reclaimed once no longer needed
      
      Change-Id: I3106bfd994706a57c578624573bcfa525fbbd3c4
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
    • Mark BL31 initialization functions · 87c85134
      Daniel Boulby authored
      
      
      Mark the initialization functions in BL31, such as context management,
      EHF, RAS and PSCI as __init so that they can be reclaimed by the
      platform when no longer needed
      
      Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
    • xlat: Change check in mmap_add and mmap_add_ctx() · 79621f00
      Daniel Boulby authored
      
      
      Depending on the build flags it is possible that some of the memory
      regions mapped in page table setup could have a size of 0. In this
      case we simply want to do nothing but still wish to map the other
      regions in the array. Therefore we cannot only use size == 0 as
      the termination logic for the loop.
      
      Since an attributes field with value 0 means that the region is
      device memory, read only, secure and executable. Device memory
      can't be executable, so this combination should never be used
      and it is safe to use as a terminator value.
      
      Therefore by changing the termination logic to use attributes
      instead of size we prevent terminating the loop when we don't
      intend to.
      
      Change-Id: I92fc7f689ab08543497be6be4896dace2ed7b66a
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
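The loop-termination choices discussed in commit 79621f00 and in the follow-up a5fa5658, compared side by side in an added example that is not TF-A's code. `region_t`, `count_mapped`, the `stop_rule` names and the region list are constructed for illustration; the list contains one region compiled out to size 0 and one flash-style region whose attributes are 0.

```c
#include <stddef.h>

/* Simplified, constructed model of an mmap region entry (not TF-A's struct). */
typedef struct {
    unsigned long base;
    size_t size;
    unsigned int attr;       /* 0 = device, read-only, secure, executable */
    size_t granularity;      /* modelled on xlat v2; never 0 for a real region */
} region_t;

enum stop_rule { STOP_SIZE, STOP_ATTR, STOP_SIZE_AND_ATTR, STOP_GRANULARITY };

static int is_terminator(const region_t *r, enum stop_rule rule)
{
    switch (rule) {
    case STOP_SIZE:          return r->size == 0;
    case STOP_ATTR:          return r->attr == 0;
    case STOP_SIZE_AND_ATTR: return r->size == 0 && r->attr == 0;
    case STOP_GRANULARITY:   return r->granularity == 0;
    }
    return 1;
}

/* Walk the array until the terminator; empty regions are skipped, not mapped. */
size_t count_mapped(const region_t *r, enum stop_rule rule)
{
    size_t mapped = 0;

    for (; !is_terminator(r, rule); r++) {
        if (r->size != 0)
            mapped++;
    }
    return mapped;
}

/* Constructed list: RAM, a region compiled out to size 0, flash with attr 0. */
const region_t sample_map[] = {
    { 0x80000000UL, 0x1000, 0x3, 0x1000 },
    { 0x90000000UL, 0,      0x3, 0x1000 },  /* size 0, must not end the walk */
    { 0x08000000UL, 0x4000, 0x0, 0x1000 },  /* attr 0 but a real mapping */
    { 0xA0000000UL, 0x2000, 0x3, 0x1000 },
    { 0, 0, 0, 0 }                          /* terminator */
};
```

With this list, stopping on size alone or on attributes alone maps one region and silently drops the rest, while the two rules from a5fa5658 map all three non-empty regions.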
  16. 28 Sep, 2018 4 commits
  17. 21 Sep, 2018 1 commit
    • Ensure the flow through switch statements is clear · a08a2014
      Daniel Boulby authored
      
      
      Ensure case clauses:
      *   Terminate with an unconditional break, return or goto statement.
      *   Use conditional break, return or goto statements as long as the end
          of the case clause is unreachable; such case clauses must terminate
          with assert(0) /* Unreachable */ or an unconditional __dead2 function
          call
      *   Only fallthrough when doing otherwise would result in less
          readable/maintainable code; such case clauses must terminate with a
          /* Fallthrough */ comment to make it clear this is the case and
          indicate that a fallthrough is intended.
      
      This reduces the chance of bugs appearing due to unintended flow through a
      switch statement
      
      Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
  18. 10 Sep, 2018 1 commit
  19. 07 Sep, 2018 1 commit