- 11 Jul, 2016 1 commit
-
-
Soren Brinkmann authored
Set the SEPARATE_CODE_AND_RODATA build flag to map read-only data as execute never. Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
-
- 08 Jul, 2016 13 commits
-
-
Sandrine Bailleux authored
On ARM CSS platforms, the whole flash used to be mapped as executable. This is not required, given that the flash is used to store the BL1 and FIP images and:
  - The FIP is not executed in place, its images are copied to RAM and executed from there.
  - BL1 is executed in place from flash but only its code needs to be mapped as executable and platform code takes care of re-mapping BL1's read-only section as executable.

Therefore, this patch now maps the flash as non-executable by default on these platforms. This increases security by restricting the executable region to what is strictly needed.

This patch also adds some comments to clarify the memory mapping attributes on these platforms.

Change-Id: I4db3c145508bea1f43fbe0f6dcd551e1aec1ecd3
-
Sandrine Bailleux authored
This patch adds some verbose traces in the arm_setup_page_tables() function to print the extents of the different memory regions it maps. Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4
-
Sandrine Bailleux authored
The arm_setup_page_tables() function used to expect a single set of addresses defining the extents of the whole read-only section, code and read-only data mixed up, which was mapped as executable.

This patch changes this behaviour. arm_setup_page_tables() now expects 2 separate sets of addresses:
  - the extents of the code section;
  - the extents of the read-only data section.

The code is mapped as executable, whereas the data is mapped as execute-never. New #defines have been introduced to identify the extents of the code and the read-only data section. Given that all BL images except BL1 share the same memory layout and linker script structure, these #defines are common across these images. The slight memory layout differences in BL1 have been handled by providing values specific to BL1.

Note that this patch also affects the Xilinx platform port, which uses the arm_setup_page_tables() function. It has been updated accordingly, such that the memory mappings on this platform are unchanged. This is achieved by passing null values as the extents of the read-only data section so that it is ignored. As a result, the whole read-only section is still mapped as executable.

Fixes ARM-software/tf-issues#85
Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5
-
Sandrine Bailleux authored
This patch changes the base address of the "total" Trusted SRAM region seen by the BL2U image. It used to start just after BL2U's read-only section (i.e. at address BL2U_RO_LIMIT), it now starts from the base address of the BL2U image (i.e. at address BL2U_BASE). In other words, the "total" memory region now includes BL2U's own read-only section. This does not change BL2U's resulting memory mappings because the read-only section was already mapped in BL2U, it just wasn't part of this total memory region. Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671
-
Sandrine Bailleux authored
At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is the maximum address in Trusted ROM that BL1's actual content _can_ occupy. The actual portion of ROM occupied by BL1 can be less than that, which means that BL1 might map more Trusted ROM than it actually needs to. This patch changes BL1's memory mappings on ARM platforms to restrict the region of Trusted ROM it maps. It uses the symbols exported by the linker to figure out the actual extents of BL1's ROM footprint. This change increases the number of page tables used on FVP by 1. On FVP, we used to map the whole Trusted ROM. As it is 64MB large, we used to map it as blocks of 2MB using level-2 translation table entries. We now need a finer-grained mapping, which requires an additional level-3 translation table. On ARM CSS platforms, the number of translation tables is unchanged. The BL1 image resides in flash at address 0x0BEC0000. This address is not aligned on a 2MB-boundary so a level-3 translation table was already required to map this memory. Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb
-
Sandrine Bailleux authored
In debug builds, the TSP prints its image base address and size. The base address displayed corresponds to the start address of the read-only section, as defined in the linker script. This patch changes this to use the BL32_BASE address instead, which is the same address as __RO_START__ at the moment but has the advantage of being independent of the linker symbols defined in the linker script as well as the layout and order of the sections. Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc
-
Sandrine Bailleux authored
At the moment, all BL images share a similar memory layout: they start with their code section, followed by their read-only data section. The two sections are contiguous in memory. Therefore, the end of the code section and the beginning of the read-only data one might share a memory page. This forces both to be mapped with the same memory attributes. As the code needs to be executable, this means that the read-only data stored on the same memory page as the code are executable as well. This could potentially be exploited as part of a security attack.

This patch introduces a new build flag called SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data on separate memory pages. This in turn allows independent control of the access permissions for the code and read-only data.

This has an impact on memory footprint, as padding bytes need to be introduced between the code and read-only data to ensure the segregation of the two. To limit the memory cost, the memory layout of the read-only section has been changed in this case.

  - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e. the read-only section still looks like this (padding omitted):

        |        ...        |
        +-------------------+
        | Exception vectors |
        +-------------------+
        |  Read-only data   |
        +-------------------+
        |       Code        |
        +-------------------+ BLx_BASE

    In this case, the linker script provides the limits of the whole read-only section.

  - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and read-only data are swapped, such that the code and exception vectors are contiguous, followed by the read-only data. This gives the following new layout (padding omitted):

        |        ...        |
        +-------------------+
        |  Read-only data   |
        +-------------------+
        | Exception vectors |
        +-------------------+
        |       Code        |
        +-------------------+ BLx_BASE

    In this case, the linker script now exports 2 sets of addresses instead: the limits of the code and the limits of the read-only data. Refer to the Firmware Design guide for more details. This provides platform code with a finer-grained view of the image layout and allows it to map these 2 regions with the appropriate access permissions.

Note that SEPARATE_CODE_AND_RODATA applies to all BL images.

Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
-
Sandrine Bailleux authored
This patch introduces the round_up() and round_down() macros, which round up (respectively down) a value to a given boundary. The boundary must be a power of two. Change-Id: I589dd1074aeb5ec730dd523b4ebf098d55a7e967
-
Sandrine Bailleux authored
This patch introduces a new header file: include/lib/utils.h. Its purpose is to provide generic macros and helper functions that are independent of any BL image, architecture, platform and not even specific to Trusted Firmware. For now, it contains only 2 macros: ARRAY_SIZE() and IS_POWER_OF_TWO(). These were previously defined in bl_common.h and xlat_tables.c respectively. bl_common.h includes utils.h to retain compatibility for platforms that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream platform ports that use this macro have been updated to include utils.h. Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
-
Sandrine Bailleux authored
This patch adds a new linker symbol in BL1's linker script named '__BL1_ROM_END__', which marks the end of BL1's ROM content. This covers BL1's code, read-only data and read-write data to relocate in Trusted SRAM. The address of this new linker symbol is exported to C code through the 'BL1_ROM_END' macro. The section related to linker symbols in the Firmware Design guide has been updated and improved. Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
-
Sandrine Bailleux authored
This patch introduces the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes in the translation table library to specify the access permissions for instruction execution of a memory region. These new attributes should be used only for normal, read-only memory regions. For other types of memory, the translation table library still enforces the following rules, regardless of the MT_EXECUTE/MT_EXECUTE_NEVER attribute:
  - Device memory is always marked as execute-never.
  - Read-write normal memory is always marked as execute-never.

Change-Id: I8bd27800a8c1d8ac1559910caf4a4840cf25b8b0
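Added example, not part of any commit listed here and not Trusted Firmware code: a C sketch of the two ideas in the SEPARATE_CODE_AND_RODATA and MT_EXECUTE/MT_EXECUTE_NEVER commit messages above, namely that code and read-only data can only get different execute permissions when they do not share a page, and that device and read-write memory are execute-never whatever the caller requests. The 4KB page size, the `EX_*` attribute bits, every function name and the sample addresses are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 0x1000ull /* assumption: 4KB translation granule */
/* Illustrative attribute bits, not the translation table library's values. */
enum { EX_DEVICE = 1u << 0, EX_RW = 1u << 1, EX_EXECUTE_NEVER = 1u << 2 };
struct region { uint64_t base, size; unsigned attr; };

static uint64_t page_down(uint64_t v) { return v & ~(EX_PAGE_SIZE - 1); }
static uint64_t page_up(uint64_t v) { return page_down(v + EX_PAGE_SIZE - 1); }

/* Device and read-write normal memory are always execute-never; only normal
 * read-only memory honours the caller's execute attribute. */
bool effective_xn(unsigned attr)
{
    if (attr & (EX_DEVICE | EX_RW))
        return true;
    return (attr & EX_EXECUTE_NEVER) != 0;
}

/* True when the last code byte and the first rodata byte sit on one page. */
bool shares_page(uint64_t code_end, uint64_t rodata_start)
{
    return page_down(code_end - 1) == page_down(rodata_start);
}

/* Padding bytes needed after the code so rodata starts on its own page. */
uint64_t separation_padding(uint64_t code_end) { return page_up(code_end) - code_end; }

/* Page-aligned region covering [start, end) with the given attributes. */
static struct region mk(uint64_t start, uint64_t end, unsigned attr)
{
    return (struct region){ page_down(start), page_up(end) - page_down(start), attr };
}

/* Fill out[0] (code, executable) and out[1] (rodata, execute-never).
 * Fails when the extents are inconsistent or the two share a page. */
bool split_ro_section(uint64_t code_start, uint64_t code_end,
                      uint64_t ro_start, uint64_t ro_end, struct region out[2])
{
    if (code_start >= code_end || ro_start < code_end || ro_start >= ro_end)
        return false;
    if (shares_page(code_end, ro_start))
        return false;
    out[0] = mk(code_start, code_end, 0);
    out[1] = mk(ro_start, ro_end, EX_EXECUTE_NEVER);
    return true;
}

int main(void)
{
    struct region r[2]; /* constructed addresses, not taken from any platform */
    printf("contiguous: %d\n", split_ro_section(0x04001000, 0x04001234, 0x04001234, 0x04003010, r));
    printf("padded:     %d\n", split_ro_section(0x04001000, 0x04001234, 0x04002000, 0x04003010, r));
    return 0;
}
```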
-
Sandrine Bailleux authored
This patch clarifies the mmap_desc() function by adding some comments and reorganising its code. No functional change has been introduced. Change-Id: I873493be17b4e60a89c1dc087dd908b425065401
-
Sandrine Bailleux authored
This patch introduces the arm_setup_page_tables() function to set up page tables on ARM platforms. It replaces the arm_configure_mmu_elx() functions and does the same thing except that it doesn't enable the MMU at the end. The idea is to reduce the amount of per-EL code that is generated by the C preprocessor by splitting the memory regions definitions and page tables creation (which is generic) from the MMU enablement (which is the only per-EL configuration). As a consequence, the call to the enable_mmu_elx() function has been moved up into the plat_arch_setup() hook. Any other ARM standard platforms that use the functions `arm_configure_mmu_elx()` must be updated. Change-Id: I6f12a20ce4e5187b3849a8574aac841a136de83d
-
- 04 Jul, 2016 2 commits
- 16 Jun, 2016 3 commits
-
-
Soby Mathew authored
This patch enables optional PSCI functions `PSCI_STAT_COUNT` and `PSCI_STAT_RESIDENCY` for ARM standard platforms. The optional platform API 'translate_power_state_by_mpidr()' is implemented for the Juno platform. 'validate_power_state()' on Juno downgrades PSCI CPU_SUSPEND requests for the system power level to the cluster power level. Hence, it is not suitable for validating the 'power_state' parameter passed in a PSCI_STAT_COUNT/RESIDENCY call. Change-Id: I9548322676fa468d22912392f2325c2a9f96e4d2
-
Yatharth Kochar authored
This patch adds the following optional PSCI STAT functions:
  - PSCI_STAT_RESIDENCY: This call returns the amount of time spent in power_state in microseconds, by the node represented by the `target_cpu` and the highest level of `power_state`.
  - PSCI_STAT_COUNT: This call returns the number of times a `power_state` has been used by the node represented by the `target_cpu` and the highest power level of `power_state`.

These APIs provide residency statistics for power states that have been used by the platform. They are implemented according to v1.0 of the PSCI specification.

By default this optional feature is disabled in the PSCI implementation. To enable it, set the boolean flag `ENABLE_PSCI_STAT` to 1. This also sets `ENABLE_PMF` to 1.

Change-Id: Ie62e9d37d6d416ccb1813acd7f616d1ddd3e8aff
-
Yatharth Kochar authored
This patch adds the Performance Measurement Framework (PMF) in the ARM Trusted Firmware. PMF is implemented as a library and the SMC interface is provided through ARM SiP service. The PMF provides capturing, storing, dumping and retrieving the time-stamps, by enabling the development of services by different providers, that can be easily integrated into ARM Trusted Firmware. The PMF capture and retrieval APIs can also do appropriate cache maintenance operations to the timestamp memory when the caller indicates so.

`pmf_main.c` consists of core functions that implement service registration, initialization, storing, dumping and retrieving the time-stamp.
`pmf_smc.c` consists of SMC handling for registered PMF services.
`pmf.h` consists of the macros that can be used by the PMF service providers to register service and declare time-stamp functions.
`pmf_helpers.h` consists of internal macros that are used by `pmf.h`.

By default this feature is disabled in the ARM Trusted Firmware. To enable it, set the boolean flag `ENABLE_PMF` to 1.

NOTE: The caller is responsible for specifying the appropriate cache maintenance flags and for acquiring/releasing appropriate locks before/after capturing/retrieving the time-stamps.

Change-Id: Ib45219ac07c2a81b9726ef6bd9c190cc55e81854
-
- 15 Jun, 2016 2 commits
-
-
Soren Brinkmann authored
Add build time option 'cadence1' for ZYNQMP_CONSOLE to select the 2nd UART available in the SoC. Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com> Acked-by: Michal Simek <michal.simek@xilinx.com>
-
danh-arm authored
Zynqmp updates
-
- 13 Jun, 2016 6 commits
-
-
Soren Brinkmann authored
Add a convenience macro to add a build definition with a value. Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
-
danh-arm authored
Bring IO storage dummy driver
-
danh-arm authored
opteed: assume aarch64 for optee
-
danh-arm authored
CSS: Add support to wake up the core from wfi in GICv3
-
danh-arm authored
Add support for QEMU virt ARMv8-A
-
Ashutosh Singh authored
OPTEE to execute in aarch64 bit mode, set it accordingly when execution transitions from EL3 to EL1 Change-Id: I59f2f940bdc1aac10543045b006a137d107ec95f Signed-off-by: Ashutosh Singh <ashutosh.singh@arm.com>
-
- 09 Jun, 2016 1 commit
-
-
Jens Wiklander authored
This patch adds support for the QEMU virt ARMv8-A target. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
-
- 08 Jun, 2016 4 commits
-
-
danh-arm authored
Allow dynamic overriding of ROTPK verification
-
danh-arm authored
Move checkpatch options in a configuration file
-
danh-arm authored
Import libfdt v1.4.1 and related changes
-
David Wang authored
In GICv3 mode, the non secure group1 interrupts are signalled via the FIQ line in EL3. To support waking up from CPU_SUSPEND to standby on these systems, EL3 should route FIQ to EL3 temporarily before wfi and restore the original setting after resume. This patch makes this change for the CSS platforms in the `css_cpu_standby` psci pm ops hook. Change-Id: Ibf3295d16e2f08da490847c1457bc839e1bac144
-
- 07 Jun, 2016 3 commits
-
-
Mirela Simonovic authored
NODE_IPI_APU is the node ID of APU's IPI device. If APU should be woken-up on an IPI from FPD power down, this node shall be set as the wake-up source upon suspend. Signed-off-by: Mirela Simonovic <mirela.simonovic@aggios.com>
-
danh-arm authored
Update comments in load_image()
-
Sandrine Bailleux authored
  - Fix the function documentation. Since commit 16948ae1, load_image() uses image IDs rather than image names.
  - Clarify the consequences of a null entry point argument.
  - Slightly reorganize the code to remove an unnecessary 'if' statement.

Change-Id: Iebea3149a37f23d3b847a37a206ed23f7e8ec717
-
- 06 Jun, 2016 2 commits
-
-
danh-arm authored
xlat lib: Remove out-dated comment
-
Sandrine Bailleux authored
At the moment, the top Makefile specifies the options to pass to the checkpatch script in order to check the coding style. The checkpatch script also supports reading its options from a configuration file rather than from the command line.

This patch makes use of this feature and moves the checkpatch options out of the Makefile. This simplifies the Makefile and makes things clearer.

This patch also adds some more checkpatch options:
    --showfile
    --ignore FILE_PATH_CHANGES
    --ignore AVOID_EXTERNS
    --ignore NEW_TYPEDEFS
    --ignore VOLATILE

The rationale behind each of these options has been documented in the configuration file.

Change-Id: I423e1abe5670c0f57046cbf705f89a8463898676
-
- 03 Jun, 2016 3 commits
-
-
Soby Mathew authored
A production ROM with TBB enabled must have the ability to boot test software before a real ROTPK is deployed (e.g. manufacturing mode). Previously, the function plat_get_rotpk_info() had to return a valid ROTPK for TBB to succeed. This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags` parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK in the certificate is used without verifying against the platform value. Fixes ARM-software/tf-issues#381 Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
-
danh-arm authored
Implement plat_set_nv_ctr for FVP platforms
-
danh-arm authored
Fix a syntax error in plat/arm/common/aarch64/arm_common.c
-