Skip to content

GitLab

Switch branch/tag
  1. 13 Nov, 2017 3 commits
    • Jeenu Viswambharan's avatar
      BL31: Program Priority Mask for SMC handling · 3d732e23
      Jeenu Viswambharan authored 
      

On GICv3 systems, as a side effect of adding provision to handle EL3
interrupts (unconditionally routing FIQs to EL3), pending Non-secure
interrupts (signalled as FIQs) may preempt execution in lower Secure ELs
[1]. This will inadvertently disrupt the semantics of Fast SMC
(previously called Atomic SMC) calls.

To retain semantics of Fast SMCs, the GIC PMR must be programmed to
prevent Non-secure interrupts from preempting Secure execution. To that
effect, two new functions in the Exception Handling Framework subscribe
to events introduced in an earlier commit:

  - Upon 'cm_exited_normal_world', the Non-secure PMR is stashed, and
    the PMR is programmed to the highest Non-secure interrupt priority.

  - Upon 'cm_entering_normal_world', the previously stashed Non-secure
    PMR is restored.

The above sequence however prevents Yielding SMCs from being preempted
by Non-secure interrupts as intended. To facilitate this, the public API
exc_allow_ns_preemption() is introduced that programs the PMR to the
original Non-secure PMR value. Another API
exc_is_ns_preemption_allowed() is also introduced to check if
exc_allow_ns_preemption() had been called previously.

API documentation to follow.

[1] On GICv2 systems, this isn't a problem as, unlike GICv3, pending NS
    IRQs during Secure execution are signalled as IRQs, which aren't
    routed to EL3.

Change-Id: Ief96b162b0067179b1012332cd991ee1b3051dd0
Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      3d732e23
    • Jeenu Viswambharan's avatar
      BL31: Introduce Exception Handling Framework · 21b818c0
      Jeenu Viswambharan authored 
      

EHF is a framework that allows dispatching of EL3 interrupts to their
respective handlers in EL3.

This framework facilitates the firmware-first error handling policy in
which asynchronous exceptions may be routed to EL3. Such exceptions may
be handed over to respective exception handlers. Individual handlers
might further delegate exception handling to lower ELs.

The framework associates the delegated execution to lower ELs with a
priority value. For interrupts, this corresponds to the priorities
programmed in GIC; for other types of exceptions, viz. SErrors or
Synchronous External Aborts, individual dispatchers shall explicitly
associate delegation to a secure priority. In order to prevent lower
priority interrupts from preempting higher priority execution, the
framework provides helpers to control preemption by virtue of
programming Priority Mask register in the interrupt controller.

This commit allows for handling interrupts targeted at EL3. Exception
handlers own interrupts by assigning them a range of secure priorities,
and registering handlers for each priority range it owns.

Support for exception handling in BL31 image is enabled by setting the
build option EL3_EXCEPTION_HANDLING=1.

Documentation to follow.

NOTE: The framework assumes the priority scheme supported by platform
interrupt controller is compliant with that of ARM GIC architecture (v2
or later).

Change-Id: I7224337e4cea47c6ca7d7a4ca22a3716939f7e42
Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      21b818c0
    • Jeenu Viswambharan's avatar
      GIC: Introduce API to get interrupt ID · 4ee8d0be
      Jeenu Viswambharan authored 
      

Acknowledging interrupt shall return a raw value from the interrupt
controller in which the actual interrupt ID may be encoded. Add a
platform API to extract the actual interrupt ID from the raw value
obtained from interrupt controller.

Document the new function. Also clarify the semantics of interrupt
acknowledge.

Change-Id: I818dad7be47661658b16f9807877d259eb127405
Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      4ee8d0be
  3. 09 Nov, 2017 1 commit
  5. 08 Nov, 2017 2 commits
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored 
      

A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:

- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.

A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.

The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:

- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
  Secure Partition.
- Implementing a well defined interface that is used by the normal world
  and other secure services for accessing the services exported by a
  Secure Partition.
- Implementing a well defined interface that is used by a Secure
  Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
  Partition to fulfil a service request.

Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228
    • Antonio Nino Diaz's avatar
      xlat: Make function to calculate TCR PA bits public · ad02a759
      Antonio Nino Diaz authored 
      

This function can be useful to setup TCR_ELx by callers that don't use
the translation tables library to setup the system registers related
to them. By making it common, it can be reused whenever it is needed
without duplicating code.

Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ad02a759
  7. 01 Nov, 2017 1 commit
  9. 31 Oct, 2017 2 commits
  11. 25 Oct, 2017 1 commit
  13. 24 Oct, 2017 1 commit
  15. 23 Oct, 2017 2 commits
  17. 17 Oct, 2017 4 commits
  19. 16 Oct, 2017 15 commits
  21. 13 Oct, 2017 3 commits
    • Roberto Vargas's avatar
      Update PSCI version to 1.1 · 829e97d7
      Roberto Vargas authored 
      

Updated the PSCI version conforming to the PSCI v1.1
specification (ARM DEN022D).

Change-Id: I1f34772ef6de37ec1ade719a1ab3aa062152d995
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      829e97d7
    • David Cunado's avatar
      Init and save / restore of PMCR_EL0 / PMCR · 3e61b2b5
      David Cunado authored 
      

Currently TF does not initialise the PMCR_EL0 register in
the secure context or save/restore the register.

In particular, the DP field may not be set to one to prohibit
cycle counting in the secure state, even though event counting
generally is prohibited via the default setting of MDCR_EL3.SMPE
to 0.

This patch initialises PMCR_EL0.DP to one in the secure state
to prohibit cycle counting and also initialises other fields
that have an architectually UNKNOWN reset value.

Additionally, PMCR_EL0 is added to the list of registers that are
saved and restored during a world switch.

Similar changes are made for PMCR for the AArch32 execution state.

NOTE: secure world code at lower ELs that assume other values in PMCR_EL0
will be impacted.

Change-Id: Iae40e8c0a196d74053accf97063ebc257b4d2f3a
Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      3e61b2b5
    • Roberto Vargas's avatar
      reset2: Add PSCI system_reset2 function · 36a8f8fd
      Roberto Vargas authored 
      

This patch implements PSCI_SYSTEM_RESET2 API as defined in PSCI
v1.1 specification. The specification allows architectural and
vendor-specific resets via this API. In the current specification,
there is only one architectural reset, the warm reset. This reset is
intended to provide a fast reboot path that guarantees not to reset
system main memory.

Change-Id: I057bb81a60cd0fe56465dbb5791d8e1cca025bd3
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      36a8f8fd
  23. 11 Oct, 2017 2 commits
    • Soby Mathew's avatar
      ARM platforms: enable GICv3 state save/restore · e35a3fb5
      Soby Mathew authored 
      

Provides GICv3 save/restore feature to arm_system_pwr_domain_resume and
arm_system_pwr_domain_save functions.

Introduce FVP PSCI power level 3 (System level) support. This is solely
done to provide example code on how to use the GICv3 save and restore
helpers.

Also make CSS GICv3 platforms power off the Redistributor on SYSTEM
SUSPEND as its state is saved and restored.

Change-Id: I0d852f3af8824edee1a17c085cf593ddd33a4e77
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
Co-Authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      e35a3fb5
    • Soby Mathew's avatar
      ARM platforms: Add support for EL3 TZC memory region · a22dffc6
      Soby Mathew authored 
      

Some recent enhancements to EL3 runtime firmware like support for
save and restoring GICv3 register context during system_suspend
necessitates additional data memory for the firmware. This patch
introduces support for creating a TZC secured DDR carveout for use
by ARM reference platforms. A new linker section `el3_tzc_dram` is
created using platform supplied linker script and data marked with
the attribute `arm_el3_tzc_dram` will be placed in this section.
The FVP makefile now defines the `PLAT_EXTRA_LD_SCRIPT` variable to
allow inclusion of the platform linker script by the top level BL31
linker script.

Change-Id: I0e7f4a75a6ac51419c667875ff2677043df1585d
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      a22dffc6
  25. 06 Oct, 2017 1 commit
    • David Cunado's avatar
      Increase PLAT_ARM_MMAP_ENTRIES and MAX_XLAT_TABLES · 2e421ad2
      David Cunado authored 
      

The MEM_PROTECT support adds a MMAP region for DRAM2, which when
building with TBBR support and OP-TEE tsp requires an additional
entry in the MMAP region array in BL2 - PLAT_ARM_MMAP_ENTRIES is
increased.

The MEM_PROTECT support also adds a new region in BL31, and when
BL31 is placed in DRAM, the memory mappings require an additional
translation table - MAX_XLAT_TABLES is increased.

Change-Id: I0b76260da817dcfd0b8f73a7193c36efda977625
Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      2e421ad2
  27. 05 Oct, 2017 2 commits
    • Soby Mathew's avatar
      GICv3: ITS architectural save and restore helpers · b258278e
      Soby Mathew authored 
      

This patch adds functions to save and restore GICv3 ITS registers during
system suspend. Please note that the power management of GIC ITS is
implementation defined. These functions only implements the
architectural part of the ITS power management and they do not restore
memory structures or register content required to support ITS. Even if
the ITS implementation stores structures in memory, an implementation
defined power down sequence is likely to be required to flush some
internal ITS caches to memory. If such implementation defined sequence
is not followed, the platform must ensure that the ITS is not power
gated during system suspend.

Change-Id: I5f31e5541975aa7dcaab69b0b7f67583c0e27678
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      b258278e
    • Soby Mathew's avatar
      GICv3: add functions for save and restore · ebf1ca10
      Soby Mathew authored 
      

During system suspend, the GICv3 Distributor and Redistributor context
can be lost due to power gating of the system power domain. This means
that the GICv3 context needs to be saved prior to system suspend and
restored on wakeup. Currently the consensus is that the Firmware should
be in charge of this. See tf-issues#464 for more details.

This patch introduces helper APIs in the GICv3 driver to save and
restore the Distributor and Redistributor contexts. The GICv3 ITS
context is not considered in this patch because the specification says
that the details of ITS power management is implementation-defined.
These APIs are expected to be appropriately invoked by the platform
layer during system suspend.

Fixes ARM-software/tf-issues#464

Change-Id: Iebb9c6770ab8c4d522546f161fa402d2fe02ec00
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      ebf1ca10