GitLab

The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.

With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.

When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.

For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.

Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

- Update CPU frequency on AP807 to 2GHz for SAR 0x0.
- Increase AVS to 0.88V for 2GHz clock

Change-Id: Ic945b682ab2f8543e34294bfc56c3eae2c5e0c8e
Signed-off-by: Christine Gharzuzi <chrisg@marvell.com>
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

Add tzc380 support.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Bai Ping <ping.bai@nxp.com>

For platforms using multi-threaded CPUs, there can be upto four
platform power domain levels. At present, there are three platform
power domain levels that are defined for the CSS platforms. Define a
fourth level 'ARM_PWR_LVL3' as well to provide support for an
additional platform power domain level.

Change-Id: I40cc17a10f4690a560776f504364fd7277a7e72a
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>

The CSS_SYSTEM_PWR_DMN_LVL macro that defines the system power domain
level is fixed at ARM_PWR_LVL2 for all CSS platforms. However, the
system power domain level can be different for CSS platforms that
use multi-threaded CPUs.

So, in preparation towards adding support for platforms that use
multi-threaded CPUs, refactor the definition of CSS_SYSTEM_PWR_DMN_LVL
such that CSS_SYSTEM_PWR_DMN_LVL is uniquely defined for each of the
CSS platform.

Change-Id: Ia837b13f6865e71da01780993c048b45b7f36d85
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>

Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.

Add a macro which makes a variable 'speculation safe', using the
 __builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.

The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.

Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a

    ISB
    DSB SY

sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a

    CSEL tracker, tracker, XZR, [cond];
    AND safeval,tracker;
    CSDB

sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations



The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.

Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>

The headers forked at some point in the past and have diverged a lot. In
order to make it easier to share code between TF-A-Tests and TF-A, this
patch synchronises most of the definitions in the mentioned headers.

This is not a complete sync, it has to be followed by more cleanup.

This patch also removes the read helpers for the AArch32 instructions
ats1cpr and ats1hr (they are write-only).

Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>

This reverts commit 6f512a3d

.

According to the 'Cortex-A57 MPCore Software Developers Errata Notice':

    This bug will only affect secure AArch64 EL3. If the above
    conditions occur, the CPU will not invalidate the targeted EL3 TLB
    entries and incorrect translations might occur.

For this reason it is not needed in AArch32.

Change-Id: I6f7b333817515499723e8f306145790ad6af9975
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Provide new APIs to add new regions without specifying the base VA.

- `mmap_add_region_alloc_va` adds a static region to mmap choosing as
  base VA the first possible address after all the currently mapped
  regions. It is aligned to an appropriate boundary in relation to the
  size and base PA of the requested region. No attempt is made to fill
  any unused VA holes.

- `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
  `mmap_add_region_alloc_va` does, but it's dynamic instead of static.

- `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
  maps them in the same way as `mmap_add_region_alloc_va` and fills
  their `base_va` field. A helper macro has been created to help create
  the array, called `MAP_REGION_ALLOC_VA`.

Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ARM CoreLink DMC-620 Dynamic Memory Controller includes a TZC controller
to setup secure or non-secure regions of DRAM memory. The TZC controller
allows to setup upto eight such regions of memory in DRAM. This driver
provides helper functions to setup the TZC controller within DMC-620.

Change-Id: Iee7692417c2080052bdb7b1c2873a024bc5d1d10
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>

Migrate Marvell platforms from legacy console API to
multi-console API.

Change-Id: I647f5f49148b463a257a747af05b5f0c967f267c
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

Signed-off-by: Yann Gautier <yann.gautier@st.com>

Signed-off-by: Yann Gautier <yann.gautier@st.com>

When compiling assembly files, stdint.h is not included.
UINT32_C and UINT64_C are then not defined.
A new GENMASK macro for assembly is then created.
Signed-off-by: Yann Gautier <yann.gautier@st.com>

Signed-off-by: Alexei Colin <acolin@isi.edu>

It is already in include/drivers/st/stm32mp1_ddr_helpers.h.
Signed-off-by: Yann Gautier <yann.gautier@st.com>

These issues wer found by sparse:

drivers/st/clk/stm32mp1_clk.c:1524:19:
 warning: incorrect type in assignment (different base types)
    expected restricted fdt32_t const [usertype] *pkcs_cell
    got unsigned int const [usertype] *

plat/st/stm32mp1/plat_image_load.c:13:6:
 warning: symbol 'plat_flush_next_bl_params' was not declared.
 Should it be static?
plat/st/stm32mp1/plat_image_load.c:21:16:
 warning: symbol 'plat_get_bl_image_load_info' was not declared.
 Should it be static?
plat/st/stm32mp1/plat_image_load.c:29:13:
 warning: symbol 'plat_get_next_bl_params' was not declared.
 Should it be static?

plat/st/stm32mp1/bl2_io_storage.c:40:10:
 warning: symbol 'block_buffer' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>

These warnings were issued by sparse:
plat/st/stm32mp1/stm32mp1_pm.c:365:36:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] pwr_domain_pwr_down_wfi )( ... )
    got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:366:23:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] system_off )( ... )
    got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:367:25:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] system_reset )( ... )
    got void ( [noreturn] *<noident> )( ... )

This cannot be changed the other way in all platforms pm drivers
or else there is a compilation error:
plat/st/stm32mp1/stm32mp1_pm.c:234:1: error: attributes should be specified
 before the declarator in a function definition
Signed-off-by: Yann Gautier <yann.gautier@st.com>

All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.

The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.

The exceptions are files that are imported from other projects:

- CryptoCell driver
- dt-bindings folders
- zlib headers

Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

On AArch32, ARM_DRAM1_BASE and ARM_DRAM1_SIZE constants are currently
32-bit values (because they are suffixed with UL and the value
0x80000000 fits in a unsigned long int, i.e. a 32-bit value). When
summing them up, the result overflows the maximum value that can be
encoded in a 32-bit value so it wraps around and does not result in
the expected value.

This patch changes the suffix of these constants into ULL so that they
always are 64-bit values.

Change-Id: I3b19b1805e35cc7e43050458df379081b1e882d5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

fdtw_read_cells() can only read one or two cells, sometimes it may be
needed to read more cells from one property.

Change-Id: Ie70dc76d1540cd6a04787cde7cccb4d1bafc7282
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Introduced fdtw_read_string() to read string properties.

Change-Id: I854eef0390632cf2eaddd2dce60cdb98c117de43
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: I2f5f64aaf90caae936510e1179392a8835f493e0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: I600bc13522ae977db355b6dc5a1695bce39ec130
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: Iae6758ca6395560131d1e1a69a1ecfe50ca8bf83
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: I33eaee8e7c983b3042635a448cb8d689ea4e3a12
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().

Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Add supprot for Marvell platforms based on Armada-37xx SoC.
This includes support for the official Armada-3720 modular
development board and EspressoBin community board.
The Armada-37xx SoC contains dual Cortex-A53 Application CPU,
single secure CPU (Cortex-M3) and the following interfaces:
- SATA 3.0
- USB 3.0 and USB 2.0
- PCIe
- SDIO (supports boot from eMMC)
- SPI
- UART
- I2c
- Gigabit Ethernet
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

Version 1.4.7 introduces a big performance hit to functions that access
the FDT. Downgrade the library to version 1.4.6-9, before the changes
that introduce the problem. Version 1.4.6 isn't used because one of the
libfdt files (fdt_overlay.c) is missing the license header. This
problem is also fixed in 1.4.6-9.

This version corresponds to commit <aadd0b65c987> checks: centralize
printing of property names in failure messages.

Fixes ARM-software/tf-issues#643

Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: I64abd72026082218a40b1a4b8f7dc26ff2478ba6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: Iaab0310848be587b635ce5339726e92a50f534e0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: I9b9f8d3dfde08d57706ad5450de6ff858a55ac01
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: I2f28f20944f552447ac4e9e755493cd7c0ea1192
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.

The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.

Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.

Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch fixes up the AArch64 assembly code to use
adrp/adr instructions instead of ldr instruction for
reference to symbols. This allows these assembly
sequences to be Position Independant. Note that the
the reference to sizes have been replaced with
calculation of size at runtime. This is because size
is a constant value and does not depend on execution
address and using PC relative instructions for loading
them makes them relative to execution address. Also
we cannot use `ldr` instruction to load size as it
generates a dynamic relocation entry which must *not*
be fixed up and it is difficult for a dynamic loader
to differentiate which entries need to be skipped.

Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch adds a utility function to return
the address of a symbol. By default, the compiler
generates adr/adrp instruction pair to return
the reference and this utility is used to override
this compiler generated to code and use `ldr`
instruction.

This is needed for Position Independent Executable
when it needs to reference a symbol which is constant
and does not depend on the execute address of the
binary.

For example, on the FVP, the GICv3 register context is
stored in a secure carveout (arm_el3_tzc_dram) within
DDR and does not relocate with the BL image. Now if
BL31 is executing at a different address other than
the compiled address, using adrp/adr instructions to
reference this memory will not work as they generate an
address that is PC relative. The way to get around this
problem is to reference it as non-PC relative (i.e
non-relocatable location) via `ldr` instruction.

Change-Id: I5008a951b007144258121690afb68dc8e12ee6f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This function is not related to Arm platforms and can be reused by other
platforms if needed.

Change-Id: Ia9c328ce57ce7e917b825a9e09a42b0abb1a53e8
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.

This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.

The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.

This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).

Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>