GitLab

Before adding a base address and a size to compute the end
address of an image to copy or authenticate, check this
won't result in an integer overflow. If it does then consider
the input arguments are invalid.

As a result, bl1_plat_mem_check() can now safely assume the
end address (computed as the sum of the base address and size
of the memory region) doesn't overflow, as the validation is
done upfront in bl1_fwu_image_copy/auth(). A debug assertion
has been added nonetheless in the ARM implementation in order
to help catching such problems, should bl1_plat_mem_check()
be called in a different context in the future.

Fixes TFV-1: Malformed Firmware Update SMC can result in copy
of unexpectedly large data into secure memory

Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>

ASM_ASSERT failure and panic messages are suppressed at present. This
patch enables printing the PC location for panic messages, and file name
and line number upon assembly assert failure.

Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The previous code required that a certificate be signed with the ROT
key before the platform's NV counter could be updated with the value
in the certificate.  This implies that the Non-Trusted NV counter was
not being updated for Non-Trusted content certificates, as they cannot
be signed with the ROT key in the TBBR CoT scheme.

The code is reworked to only allow updating the platform's Trusted NV
counter when a certificate protected by the Trusted NV counter is
signed with the ROT key.

Content certificates protected by the Non-Trusted NV counter are
allowed to update the platform's Non-Trusted NV counter, assuming
that the certificate value is higher than the platform's value.

A new optional platform API has been introduced, named
plat_set_nv_ctr2().  Platforms may choose to implement it and perform
additional checks based on the authentication image descriptor before
modifying the NV counters.  A default weak implementation is available
that just calls into plat_set_nv_ctr().

Fixes ARM-software/tf-issues#426

Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

As with other ARM platform GIC APIs, these directly invoke the GICv3
driver APIs for Redistributor power management.

For the sake of uniform GIC API, empty stubs are placed for those GIC
drivers that lack Redistributor component.

Change-Id: Iad0d760d4dbca790998f7768cda621ff3b15a864
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch enables TRUSTED_BOARD_BOOT (Authentication and FWU)
support, for AArch64, when LOAD_IMAGE_V2 is enabled.

This patch also enables LOAD_IMAGE_V2 for ARM platforms.

Change-Id: I294a2eebce7a30b6784c80c9d4ac7752808ee3ad
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>

The capabilities exposed by the PSCI generic layer depends on the hooks
populated by the platform in `plat_arm_psci_pm_ops`. Currently ARM
Standard platforms statically define this structure. However, some
platforms may want to modify the hooks at runtime before registering
them with the generic layer.

This patch introduces a new ARM platform layer API
`plat_arm_psci_override_pm_ops` which allows the platform to probe
the power controller and modify `plat_arm_psci_pm_ops` if required.
Consequently, 'plat_arm_psci_pm_ops' is no longer qualified as
`const` on ARM Standard platforms.

Change-Id: I7dbb44b7bd36c20ec14ded5ee45a96816ca2ab9d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Add dependency information in the user guide for ARM_RECOM_STATE_ID_ENC
that needs to be set when using PSCI_EXTENDED_STATE_ID on ARM
platforms. Also clarify the build error message.

Change-Id: Id125a0299b179f5f222bca4e2503204bf89a3c59
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

This patch adds ARM SiP service for use by ARM standard platforms.
This service is added to support the SMC interface for the Performance
measurement framework(PMF).

Change-Id: I26f5712f9ab54f5f721dd4781e35a16f40aacc44
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

This patch adds support in SP_MIN to receive generic and
platform specific arguments from BL2.

The new signature is as following:
    void sp_min_early_platform_setup(void *from_bl2,
         void *plat_params_from_bl2);

ARM platforms have been modified to use this support.

Note: Platforms may break if using old signature.
      Default value for RESET_TO_SP_MIN is changed to 0.

Change-Id: I008d4b09fd3803c7b6231587ebf02a047bdba8d0

This patch adds ARM platform changes in BL2 for AArch32 state.
It instantiates a descriptor array for ARM platforms describing
image and entrypoint information for `SCP_BL2`, `BL32` and `BL33`.
It also enables building of BL2 for ARCH=aarch32.

Change-Id: I60dc7a284311eceba401fc789311c50ac746c51e

This patch adds ARM platform changes in BL1 for AArch32 state.
It also enables building of BL1 for ARCH=aarch32.

Change-Id: I079be81a93d027f37b0f7d8bb474b1252bb4cf48

This patch adds changes in ARM platform code to use new
version of image loading.

Following are the major changes:
  -Refactor the signatures for bl31_early_platform_setup()
   and arm_bl31_early_platform_setup() function to use
   `void *` instead of `bl31_params_t *`.
  -Introduce `plat_arm_bl2_handle_scp_bl2()` to handle
   loading of SCP_BL2 image from BL2.
  -Remove usage of reserve_mem() function from
   `arm_bl1_early_platform_setup()`
  -Extract BL32 & BL33 entrypoint info, from the link list
   passed by BL2, in `arm_bl31_early_platform_setup()`
  -Provides weak definitions for following platform functions:
     plat_get_bl_image_load_info
     plat_get_next_bl_params
     plat_flush_next_bl_params
     bl2_plat_handle_post_image_load
  -Instantiates a descriptor array for ARM platforms
   describing image and entrypoint information for
   `SCP_BL2`, `BL31`, `BL32` and `BL33` images.

All the above changes are conditionally compiled using the
`LOAD_IMAGE_V2` flag.

Change-Id: I5e88b9785a3df1a2b2bbbb37d85b8e353ca61049

This patch implements the support for SP_MIN in FVP. The SP_MIN platform
APIs are implemented and the required makefile support is added for FVP.

Change-Id: Id50bd6093eccbd5e38894e3fd2b20d5baeac5452

This patch adds AArch32 support for FVP and implements common platform APIs
like `plat_get_my_stack`, `plat_set_my_stack`, `plat_my_core_cos` for AArch32.
Only Multi Processor(MP) implementations of these functions are considered in
this patch. The ARM Standard platform layer helpers are implemented for
AArch32 and the common makefiles are modified to cater for both AArch64 and
AArch32 builds. Compatibility with the deprecated platform API is not
supported for AArch32.

Change-Id: Iad228400613eec91abf731b49e21a15bcf2833ea

Previously the definition of `plat_get_syscnt_freq2()` in `arm_common.c` was
conditionally defined based on the ERROR_DEPRECATED flag. This patch makes
this function available irrespective of the flag and removes the deprecated
`plat_get_syscnt_freq()` definition.

Change-Id: I250ca787ca1b5e867096c6ba8f2bb444db44c97b

The PRELOADED_BL33_BASE build option allows to preload a BL33 and bypass its
loading by BL2. In ARM standard platforms, the conditional behaviour of
PRELOADED_BL33_BASE is moved within the implementation of
`plat_get_ns_image_entrypoint()` so that all callers may benefit from this
feature.

Change-Id: Iea060e204ec72f8081087837854535c4e320da4e

This patch moves the `arm_common.c` file from `plat/arm/common/aarch64/`
to the parent directory since the functions implemented in the file are
not AArch64 specific. The platform makefiles are also modified for this
change.

Change-Id: I776d2e4958f59041476cf2f53a9adb5b2d304ee0

The `plat_psci_common.c` was moved to the new location `plat/common`
and a stub file was retained at previous location for compatibility. This
patch modifies the platform makefiles to include the file from the new
location.

Change-Id: Iabddeeb824e9a5d72d176d7c644735966c8c0699

This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:

* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
  whether AArch64 or AArch32.
* Use generic C types where-ever possible.

In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.

Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8

This patch adds some verbose traces in the arm_setup_page_tables()
function to print the extents of the different memory regions it maps.

Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4

The arm_setup_page_tables() function used to expect a single set of
addresses defining the extents of the whole read-only section, code
and read-only data mixed up, which was mapped as executable.

This patch changes this behaviour. arm_setup_page_tables() now
expects 2 separate sets of addresses:

 - the extents of the code section;
 - the extents of the read-only data section.

The code is mapped as executable, whereas the data is mapped as
execute-never. New #defines have been introduced to identify the
extents of the code and the read-only data section. Given that
all BL images except BL1 share the same memory layout and linker
script structure, these #defines are common across these images.
The slight memory layout differences in BL1 have been handled by
providing values specific to BL1.

Note that this patch also affects the Xilinx platform port, which
uses the arm_setup_page_tables() function. It has been updated
accordingly, such that the memory mappings on this platform are
unchanged. This is achieved by passing null values as the extents
of the read-only data section so that it is ignored. As a result,
the whole read-only section is still mapped as executable.

Fixes ARM-software/tf-issues#85

Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5

This patch changes the base address of the "total" Trusted SRAM region
seen by the BL2U image. It used to start just after BL2U's read-only
section (i.e. at address BL2U_RO_LIMIT), it now starts from the base
address of the BL2U image (i.e. at address BL2U_BASE). In other words,
the "total" memory region now includes BL2U's own read-only section.

This does not change BL2U's resulting memory mappings because the
read-only section was already mapped in BL2U, it just wasn't part of
this total memory region.

Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671

At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE
to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is
the maximum address in Trusted ROM that BL1's actual content _can_
occupy. The actual portion of ROM occupied by BL1 can be less than
that, which means that BL1 might map more Trusted ROM than it actually
needs to.

This patch changes BL1's memory mappings on ARM platforms to restrict
the region of Trusted ROM it maps. It uses the symbols exported by
the linker to figure out the actual extents of BL1's ROM footprint.

This change increases the number of page tables used on FVP by 1.
On FVP, we used to map the whole Trusted ROM. As it is 64MB large,
we used to map it as blocks of 2MB using level-2 translation table
entries. We now need a finer-grained mapping, which requires an
additional level-3 translation table.

On ARM CSS platforms, the number of translation tables is unchanged.
The BL1 image resides in flash at address 0x0BEC0000. This address is
not aligned on a 2MB-boundary so a level-3 translation table was
already required to map this memory.

Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb

This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.

For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.

bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.

Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9

This patch introduces the arm_setup_page_tables() function to
set up page tables on ARM platforms. It replaces the
arm_configure_mmu_elx() functions and does the same thing except
that it doesn't enable the MMU at the end. The idea is to reduce
the amount of per-EL code that is generated by the C preprocessor
by splitting the memory regions definitions and page tables creation
(which is generic) from the MMU enablement (which is the only per-EL
configuration).

As a consequence, the call to the enable_mmu_elx() function has been
moved up into the plat_arch_setup() hook. Any other ARM standard
platforms that use the functions `arm_configure_mmu_elx()` must be
updated.

Change-Id: I6f12a20ce4e5187b3849a8574aac841a136de83d

This patch enables optional PSCI functions `PSCI_STAT_COUNT` and
`PSCI_STAT_RESIDENCY` for ARM standard platforms. The optional platform
API 'translate_power_state_by_mpidr()' is implemented for the Juno
platform. 'validate_power_state()' on Juno downgrades PSCI CPU_SUSPEND
requests for the system power level to the cluster power level.
Hence, it is not suitable for validating the 'power_state' parameter
passed in a PSCI_STAT_COUNT/RESIDENCY call.

Change-Id: I9548322676fa468d22912392f2325c2a9f96e4d2

Building TF with ERROR_DEPRECATED=1 fails because of a missing
semi-column. This patch fixes this syntax error.

Change-Id: I98515840ce74245b0a0215805f85c8e399094f68

This patch adds support to select CCN driver for FVP during build.
A new build option `FVP_INTERCONNECT_DRIVER` is added to allow
selection between the CCI and CCN driver. Currently only the CCN-502
variant is supported on FVP.

The common ARM CCN platform helper file now verifies the cluster
count declared by platform is equal to the number of root node
masters exported by the ARM Standard platform.

Change-Id: I71d7b4785f8925ed499c153b2e9b9925fcefd57a

Replaced plat_get_syscnt_freq by plat_get_syscnt_freq2 on all
upstream platforms.

Change-Id: I3248f3f65a16dc5e9720012a05c35b9e3ba6abbe

This patch removes support for legacy Versatile Express memory map for the
GIC peripheral in the FVP platform. The user guide is also updated for the
same.

Change-Id: Ib8cfb819083aca359e5b46b5757cb56cb0ea6533

This patch puts the definition of `plat_get_syscnt_freq()`
under `#ifdef ARM_SYS_CNTCTL_BASE` in arm_common.c file.
This is the fix for compilation error introduced by commit-id
`749ade45`, for platforms that use arm_common.c but do not
provide a memory mapped interface to the generic counter.

Fixes ARM-software/tf-issues#395

Change-Id: I2f2b10bd9500fa15308541ccb15829306a76a745

This patch moves the definition for `plat_get_syscnt_freq()`
from arm_bl31_setup.c to arm_common.c. This could be useful
in case a delay timer needs to be installed based on the
generic timer in other BLs.
This patch also modifies the return type for this function
from `uint64_t` to `unsigned long long` within ARM and other
platform files.

Change-Id: Iccdfa811948e660d4fdcaae60ad1d700e4eda80d

This patch modifies the upstream platform port makefiles to use the new
xlat_tables library files. This patch also makes mmap region setup common
between AArch64 and AArch32 for FVP platform port. The file `fvp_common.c`
is moved from the `plat/arm/board/fvp/aarch64` folder to the parent folder
as it is not specific to AArch64.

Change-Id: Id2e9aac45e46227b6f83cccfd1e915404018ea0b

To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistaken by similar names like BL32_BASE that work in a
completely different way.

NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
BUILD OPTION `PRELOADED_BL33_BASE`.

Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b

The BL33 address is now set in arm_bl31_early_platform_setup() so
that the preloaded BL33 boot option is available when RESET_TO_BL31
is also used.

Change-Id: Iab93e3916f9199c3387886b055c7cd2315efed29

Previously, when building TF without SPD support, BL2 tried to load a
BL32 image from the FIP and fails to find one, which resulted on
warning messages on the console. Even if there is a BL32 image in the
FIP it shouldn't be loaded because there is no way to transfer
control to the Secure Payload without SPD support.

The Makefile has been modified to pass a define of the form
SPD_${SPD} to the source code the same way it's done for PLAT. The
define SPD_none is then used to undefine BL32_BASE when BL32 is not
used to prevent BL2 from trying to load a BL32 image and failing,
thus removing the warning messages mentioned above.

Fixes ARM-software/tf-issues#287

Change-Id: Ifeb6f1c26935efb76afd353fea88e87ba09e9658

Make the timer configuration conditional on the optional interface being
available.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

This patch modifies the return type of the platform API
`plat_get_ns_image_entrypoint()` from `unsigned long` to
`uintptr_t` in accordance with the coding guidelines.

Change-Id: Icb4510ca98b706aa4d535fe27e203394184fb4ca

This patch adds support to program TrustZone protection on ARM platforms that
implement a DMC-500. arm_dmc_500.c has been added which implements the
arm_dmc_tzc_setup() function. This function relies on constants related to TZC
programming that are exported by each platform to program TrustZone protection
using the DMC-500 TrustZone controller driver. This function should be called
from plat_arm_security_setup() which is implemented by each platform.

Change-Id: I5400bdee9e4b29155fd11296a40693d512312f29

This patch migrates ARM Standard platforms to the refactored TZC driver.

Change-Id: I2a2f60b645f73e14d8f416740c4551cec87cb1fb