GitLab

Improvements to Mbed TLS shared heap code

SDEI: Mask events after CPU wakeup

After introducing the Mbed TLS shared heap optimisation, reducing BL2
size by 3 pages didn't leave enough space for growth. We give 1 page
back to maximum BL2 size.

Change-Id: I4f05432f00b923693160f69a4e4ec310a37a2b16
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

A cache flush is added in BL1, in Mbed TLS shared heap code. Thus, we
ensure that the heap info written to the DTB always gets written back to
memory.  Hence, sharing this info with other images is guaranteed.

Change-Id: I0faada31fe7a83854cd5e2cf277ba519e3f050d5
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

In Mbed TLS shared heap code, an additional sanity check is introduced
in BL2. Currently, when BL2 shares heap with BL1, it expects the heap
info to be found in the DTB. If for any reason the DTB is missing, BL2
cannot have the heap address and, hence, Mbed TLS cannot proceed. So,
BL2 cannot continue executing and it will eventually crash.  With this
change we ensure that if the DTB is missing BL2 will panic() instead of
having an unpredictable crash.

Change-Id: I3045ae43e54b7fe53f23e7c2d4d00e3477b6a446
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

This patch, firstly, makes the error messages consistent to how printed
strings are usually formatted. Secondly, it removes an unnecessary #if
directive.

Change-Id: Idbb8ef0070562634766b683ac65f8160c9d109e6
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Convert BL31 error message into warning

The specification requires that, after wakeup from a CPU suspend, the
dispatcher must mask all events on the CPU. This patch adds the feature
to the SDEI dispatcher by subscribing to the PSCI suspend to power down
event, and masking all events on the PE.

Change-Id: I9fe1d1bc2a58379ba7bba953a8d8b275fc18902c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

If BL32 isn't present or it fails to initialize the current code prints
an error message in both debug and release builds. This is too verbose
for release builds, so it has been converted into a warning.

Also, it was missing a newline at the end of the message.

Change-Id: I91e18d5d5864dbb19d47ecd54f174d2d8c06296c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Add missing barriers to Bakery Locks

Qemu updates

With the current implementation, it's possible for a contender to
observe accesses in the Critical Section before acquiring or releasing
the lock. Insert fencing in the locking and release codes to prevent any
reorder.

Fixes ARM-software/tf-issues#609

Change-Id: I773b82aa41dd544a2d3dbacb9a4b42c9eb767bbb
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

'dmb ld' is not a recognized instruction for ARMv7. Since generic code
may use 'dmb ld', alias it to 'dmb' when building for ARMv7.

Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Atf master+linaro warp7 squash v4

Mbed TLS shared heap

Recent Denver CPU fixes from downstream

Xilinx latest platform related changes

Fix broken links in documentation

For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.

This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.

TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:

*   By setting bit 11 (Disable speculative store buffering) of
    `ACTLR_EL3`

*   By setting bit 9 (Disable speculative memory disambiguation) of
    `ACTLR_EL3`

TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:

*   By setting bit 18 (Disable speculative store buffering) of
    `ACTLR_EL3`

*   By setting bit 17 (Disable speculative memory disambiguation) of
    `ACTLR_EL3`

Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.

Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

The current functions to disable and enable Dynamic Code Optimizer
(DCO) assume that all denver cores are in the same cluster. They
ignore AFF1 field of the mpidr_el1 register, which leads to
incorect logical core id calculation.

This patch calls the platform handler, plat_my_core_pos(), to get
the logical core id to disable/enable DCO for the core.

Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>

Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This patch adds me to various maintainer activities in the ATF tree
associated with the NXP i.MX7 generally and WaARP7 in particular.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This patch describes the boot-flow and building of the WaRP7 TF-A port.
What it describes is booting and unsigned TF-A.

A very brief section has been added on signing BL2 which is in no-way
comprehensive. For a comprehensive description of the signing process try
the Boundary Devices blog on the matter.

https://boundarydevices.com/high-assurance-boot-hab-dummies/

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

Replaces deprecated early platform setup APIs

* Replaces bl31_early_platform_setup() with bl31_early_platform_setup2()
* Replaces bl2_early_platform_setup() with bl2_early_platform_setup2()
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.

After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.

The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.

Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.

If the board has been set into secure mode, then only a signed binary can
be used to recover the board.

Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

This patch adds entries to the mem params array for

- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID

BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.

In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.

[bod: squashing several patches from Rui, Jun and bod]
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This patch defines a platform_def.h describing

- FIP layout and location
- eMMC device select
- UART identity select
- System clock frequency
- Operational memory map
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

Internal declarations for the WaRP7 port will go here. For now just include
sys/types.h.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This commit adds warp7_image_load.c with the functions

- plat_flush_next_bl_params()
- plat_get_bl_image_load_info()
- plat_get_next_bl_params()
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This commit adds a warp7_helpers.S which contains a implementation of:

- platform_mem_init
- plat_get_my_entrypoint
- plat_crash_console_init
- plat_crash_console_putc
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

The watchdog block on the IMX is mercifully simple. This patch maps the
various registers and bits associated with the block.

We are mostly only really interested in the power-down-enable (PDE) bits in
the block for the purposes of ATF.

The i.MX7 Solo Applications Processor Reference Manual details the PDE bit
as follows:

"Power Down Enable bit. Reset value of this bit is 1, which means the power
down counter inside the WDOG is enabled after reset. The software must
write 0 to this bit to disable the counter within 16 seconds of reset
de-assertion. Once disabled this counter cannot be enabled again. See
Power-down counter event for operation of this counter."

This patch does that zero write in-lieu of later phases in the boot
no-longer have the necessary permissions to rewrite the PDE bit directly.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

This patch defines the most basic part of the CAAM and the only piece of
the CAAM silicon we are really interested in, in ATF, the CAAM control
structure.

The CAAM itself is a huge address space of some 32k, way out of scope for
the purpose we have in ATF.

This patch adds a simple CAAM init function that assigns ownership of the
CAAM job-rings to the non-secure MID with the ownership bit set to
non-secure.

This will allow later logic in the boot process such as OPTEE, u-boot and
Linux to assign job-rings as appropriate, restricting if necessary but
leaving open the main functionality of the CAAM to the Linux NS runtime.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

The QEMU platform has only been used with LOAD_IMAGE_V2=1 for some time
now and bit rot has occurred for LOAD_IMAGE_V2=0. To ease the
maintenance make LOAD_IMAGE_V2=1 mandatory and remove the platform
specific code for LOAD_IMAGE_V2=0.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

Enable ARM_XLAT_TABLES_LIB_V1 as ZynqMP is using
v1 library of translation tables.

With upstream patch d323af9e

,
the usage of MAP_REGION_FLAT is referring to definition in file
include/lib/xlat_tables/xlat_tables_v2.h but while preparing
xlat tables in lib/xlat_tables/xlat_tables_common.c it is referring
to include/lib/xlat_tables/xlat_tables.h which is v1 xlat tables.
Also, ZynqMP was using v1 so defined ARM_XLAT_TABLES_LIB_V1 to
use v1 xlat tables everywhere.
This fixes the issue of xlat tables failures as it takes v2
library mmap_region structure in some files and v1 in other
files.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>

The High Assurance Boot or HAB is an on-chip method of providing a
root-of-trust from the reset vector to subsequent stages in the bootup
flow of the Cortex-A7 on the i.MX series of processors.

This patch adds a simple header file with pointer offsets of the provided
set of HAH API callbacks in the BootROM.

The relative offset of the function pointers is a constant and known
quantum, a software-contract between NXP and an implementation which is
defined in the NXP HAB documentation.

All we need is the correct base offset and then we can map the set of
function pointers relative to that offset.

imx_hab_arch.h provides the correct offset and the imx_hab.h hooks the
offset to the pre-determined callbacks.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

In order to enable compile time differences in HAB interaction, we should
split out the definition of the base address of the HAB API.

Some version of the i.MX series have different offsets from the BootROM
base for the HAB callback table.

This patch defines the header into which we will define the i.MX7 specific
offset. The offset of the i.MX7 function-callback table is simultaneously
defined.

Once done, we can latch a set of common function pointer locations from the
offset given here and if necessary change the offset for different
processors without any other code-change.

For now all we support is i.MX7 so the only offset being defined is that
for the i.MX7.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

This patch adds snvs.c with a imx_snvs_init() function.

imx_snvs_init() sets up permissions of the RTC via the SNVS HPCOMR.

During previous work with OPTEE on the i.MX7 part we discovered that prior
to switching from secure-world to normal-world it is required to apply more
permissive permissions than are defaulted to in order for Linux to be able
to access the RTC and CAAM functionality in general.

This patch pertains to fixing the RTC permissions by way of the
HPCOMR.NPSWA_EN bit.

Once set non-privileged code aka Linux-kernel code has permissions to
access the SNVS where the RTC resides.

Perform that permissions fix in imx_snvs_init() now, with a later patch making
the call from our platform setup code.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>