GitLab

-D is a preprocessor flag that defines a macro. So, adding it to
BL*_CPPFLAGS makes more sense. You can reference it not only from
.c files but also from .S files.

Change-Id: Ib4f2f27a3ed3eae476a6a32da7ab5225ad0649de
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466

This patch introduces a better separation between the trusted-boot
related properties, and the dynamic configuration DTBs loading
information.

The dynamic configuration DTBs properties are moved to a new node:
`dtb-registry`. All the sub-nodes present will be provided to the
dynamic config framework to be loaded. The node currently only contains
the already defined configuration DTBs, but can be extended for future
features if necessary.
The dynamic config framework is modified to use the abstraction provided
by the fconf framework, instead of directly accessing the DTBs.

The trusted-boot properties are kept under the "arm,tb_fw" compatible
string, but in a separate `tb_fw-config` node.
The `tb_fw-config` property of the `dtb-registry` node simply points
to the load address of `fw_config`, as the `tb_fw-config` is currently
part of the same DTB.

Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
In case of ROT_KEY specified - generates a new hash and replaces the
original.

Note: Juno board was tested by original feature author and was not tested
for this patch since we don't have access to the private key. Juno
implementation was moved to board-specific file without changing
functionality. It is not known whether byte-swapping is still needed
for this platform.

Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Add the disable_auth dynamic parameter, that allows to disable the
authentication when TBBR is enabled. This parameter is for development
only.

Change-Id: Ic24ad16738517f7e07c4f506dcf69a1ae8df7d2d
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

The watchdog is configured with a default value of 256 seconds in order
to implement the Trusted Board Boot Requirements.

For the FVP and Juno platforms, the FWU process relies on a watchdog
reset. In order to automate the test of FWU, the length of this process
needs to be as short as possible. Instead of waiting for those 4 minutes
to have a reset by the watchdog, tell it to reset immediately.

There are no side effects as the value of the watchdog's load register
resets to 0xFFFFFFFF.

Tested on Juno.

Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

The BL1 stage setup code for ARM platforms sets up the SP805 watchdog
controller as the secure watchdog. But not all ARM platforms use SP805
as the secure watchdog controller.

So introduce two new ARM platform code specific wrapper functions to
start and stop the secure watchdog. These functions then replace the
calls to SP805 driver in common BL1 setup code. All the ARM platforms
implement these wrapper functions by either calling into SP805 driver
or the SBSA watchdog driver.

Change-Id: I1a9a11b124cf3fac2a84f22ca40acd440a441257
Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>

Change-Id: I7593f5ed89b9ef13b510e2259c909838c64ec56c
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Change-Id: Ia601d5ad65ab199e747fb60af4979b7db477d249
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: I8989d2aa0258bf3b50a856c5b81532d578600124
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The PLAT_XLAT_TABLES_DYNAMIC build option, defined in platform_def.h
in Arm platforms, is checked by several headers, affecting their
behaviour. To avoid issues around the include ordering of the headers,
the definition should be moved to the platform's makefile.

Change-Id: I0e12365c8d66309122e8a20790e1641a4f480a10
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The top level makefile defines the PLAT variable, not PLATFORM.
This mistake was causing an empty variable expansion and showing an
incomplete error message.

Change-Id: I5da1275c73c61a7c1823643a76300f255841719d
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

In order to allow Arm platforms to override the default list of PSCI
callbacks, remove the existing weak implementation of
'plat_arm_psci_override_pm_ops' function and let all the Arm platforms
implement their own 'plat_arm_psci_override_pm_ops' function.

For platforms that support SCMI protocol, the function
'css_scmi_override_pm_ops' can be additionally used as well to
override the default PSCI callbacks.

Change-Id: If7c27468bd51a00ea9c2a3716b5894163f5a9f3c
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>

This patch adds support to build a combined BL1
and ROMLIB binary file with the right page
alignment in Juno. When USE_ROMLIB=1 is set for
Juno, it generates the combined file
bl1_romlib.bin which needs to be used instead of
bl1.bin

Change-Id: I407efbe48d3e522fa6ef855538a9587193cb1919
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

This file is only used by Juno as all other CSS platforms have their own
private memory maps.

Change-Id: I1c9f27aac7b1d8bff4d92674e8bde5505b93c8c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This way it can be reused by other platforms if needed.

Note that this driver is designed to work with the Versatile Express NOR
flash of Juno and FVP. In said platforms, the memory is organized as an
interleaved memory of two chips with a 16 bit word.

Any platform that wishes to reuse it with a different configuration will
need to modify the driver so that it is more generic.

Change-Id: Ic721758425864e0cf42b7b9b04bf0d9513b6022e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This lets any future CSS platforms to use RESET_TO_BL31 flag.

Change-Id: I32a90fce43cb0c6f4d33589653a0fd6a7ecc9577
Signed-off-by: Deepak Pandey <Deepak.Pandey@arm.com>

This option makes it hard to optimize the memory definitions of all Arm
platforms because any change in the common defines must work in all of
them. The best thing to do is to remove it and move the definition to
each platform's header.

FVP, SGI and SGM were using the definitions in board_arm_def.h. The
definitions have been copied to each platform's platform_def.h. Juno
was already using the ones in platform_def.h, so there have been no
changes.

Change-Id: I9aecd11bbc72a3d0d7aad1ef9934d8df21dcfaf2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

- Remove references to removed build options.
- Remove support for legacy GIC driver.
- Remove support for LOAD_IMAGE_V2=0.

Change-Id: I72f8c05620bdf4a682765e6e53e2c04ca749a3d5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The patch 7b56928a

 unified the FWU mechanism on FVP and Juno
platforms due to issues with MCC firmware not preserving the
NVFLAGS. With MCCv150 firmware, this issue is resolved. Also
writing to the NOR flash while executing from the same flash
in Bypass mode had some stability issues. Hence, since the
MCC firmware issue is resolved, this patch reverts to the
NVFLAGS mechanism to detect FWU. Also, with the introduction
of SDS (Shared Data Structure) by the SCP, the reset syndrome
needs to queried from the appropriate SDS field.

Change-Id: If9c08f1afaaa4fcf197f3186887068103855f554
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
Signed-off-by: Soby Mathew <Soby.Mathew@arm.com>

All the arm platforms were including the files related to
mem-protect. This configuration generates some problems
with new platforms that don't support such functionality,
and for that reason this patch moves these files to the
platform specific makefiles.

Change-Id: I6923e5224668b76667795d8e11723cede7979b1e
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Add TZMP1 support on Juno and increase the BL2 size accordingly due to the
extra data structures to describe the TZC regions and the additional code.
Signed-off-by: Summer Qin <summer.qin@arm.com>

Previously, Juno used to depend on the SSC_GPRETN register to inform
about the reset syndrome. This method was removed when SCP migrated
to the SDS framework. But even the SDS framework doesn't report the
reset syndrome correctly and hence Juno failed to enter Firmware
update mode if BL2 authentication failed.

In addition to that, the error code populated in V2M_SYS_NVFLAGS register
does not seem to be retained any more on Juno across resets. This could
be down to the motherboard firmware not doing the necessary to preserve
the value.

Hence this patch modifies the Juno platform to use the same mechanism to
trigger firmware update as FVP which is to corrupt the FIP TOC on
authentication failure. The implementation in `fvp_err.c` is made common
for ARM platforms and is moved to the new `arm_err.c` file in
plat/arm/common folder. The BL1 and BL2 mmap table entries for Juno
are modified to allow write to the Flash memory address.

Change-Id: Ica7d49a3e8a46a90efd4cf340f19fda3b549e945
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The SCP binaries provided in the 17.10 Linaro release (and onwards)
have migrated to the SCMI/SDS protocols. Therefore, the ARM TF should
now use the corresponding drivers by default.

This patch changes the default value of the CSS_USE_SCMI_SDS_DRIVER
build option to 1 for Juno.

Change-Id: Idb7e3c6af582f49e332167a2158703c2d781b437
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Pre-v8.2 platforms such as the Juno platform does not have
the Scalable Vector Extensions implemented and so the build
option ENABLE_SVE is set to zero.

This has a minor performance improvement with no functional
impact.

Change-Id: Ib072735db7a0247406f8b60e325b7e28b1e04ad1
Signed-off-by: David Cunado <david.cunado@arm.com>

This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :

1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
   AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
   the BL31 memory is empty when built for AArch32. Hence this patch allocates
   BL32 to the memory region occupied by BL31 for AArch32 builds.

   As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
   be used to control the load address of BL32 in AArch32 mode which was
   never the intention of the macro anyway.

2. A static assert is added to sp_min linker script to check that the progbits
   are within the bounds expected when overlaid with other images.

3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
   involved when building Juno for AArch32 mode, the build option SPD needed to
   specifed. This patch corrects this and also updates the documentation in the
   user-guide.

4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
   a result the previous assumption that BL31 must be always present is removed
   and the certificates for BL31 is only generated if `NEED_BL31` is defined.

Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

    - fixed compile error when KEY_ALG=ecdsa
    - add new option ecdsa for TF_MBEDTLS_KEY_ALG
    - add new option devel_ecdsa for ARM_ROTPK_LOCATION
    - add ecdsa key at plat/arm/board/common/rotpk/
    - reduce the mbedtls heap memory size to 13k

Change-Id: I3f7a6170af93fdbaaa7bf2fffb4680a9f6113c13
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

Earlier patches added errata workarounds 859972 for Cortex-A72, and
859972 for Cortex-A57 CPUs. Explicitly disable the workaround for Juno.

Also reorganize errata workaround flags.

No functional changes.

Change-Id: I3fe3745de57d77e5bf52012826d3969fe5d4844e
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html



Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.

Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769

Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419

The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.

Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.

Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/



Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

The CSS power management layer previously allowed to suspend system
power domain level via both PSCI CPU_SUSPEND and PSCI SYSTEM_SUSPEND
APIs. System suspend via PSCI CPU_SUSPEND was always problematic to
support because of issues with targeting wakeup interrupts to
suspended cores before the per-cpu GIC initialization is done. This
is not the case for PSCI SYSTEM_SUSPEND API because all the other
cores are expected to be offlined prior to issuing system suspend and
PSCI CPU_ON explicit calls will be made to power them on. Hence the Juno
platform used to downgrade the PSCI CPU_SUSPEND request for system
power domain level to cluster level by overriding the default
`plat_psci_pm_ops` exported by CSS layer.

Given the direction the new CSS platforms are evolving, it is best to
limit the system suspend only via PSCI SYSTEM_SUSPEND API for all
CSS platforms. This patch makes changes to allow system suspend
only via PSCI SYSTEM_SUSPEND API. The override of `plat_psci_ops`
for Juno is removed.

Change-Id: Idb30eaad04890dd46074e9e888caeedc50a4b533
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Following steps are required to boot JUNO in AArch32 state:
1> BL1, in AArch64 state, loads BL2.
2> BL2, in AArch64 state, initializes DDR.
  Loads SP_MIN & BL33 (AArch32 executable)images.
  Calls RUN_IMAGE SMC to go back to BL1.
3> BL1 writes AArch32 executable opcodes, to load and branch
  at the entrypoint address of SP_MIN, at HI-VECTOR address and
  then request for warm reset in AArch32 state using RMR_EL3.

This patch makes following changes to facilitate above steps:
* Added assembly function to carry out step 3 above.
* Added region in TZC that enables Secure access to the
  HI-VECTOR(0xFFFF0000) address space.
* AArch32 image descriptor is used, in BL2, to load
  SP_MIN and BL33 AArch32 executable images.

A new flag `JUNO_AARCH32_EL3_RUNTIME` is introduced that
controls above changes. By default this flag is disabled.

NOTE: BL1 and BL2 are not supported in AArch32 state for JUNO.

Change-Id: I091d56a0e6d36663e6d9d2bb53c92c672195d1ec
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Change-Id: I7f3e4bfd46613c6311ba4015d56705414fd6feab
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

This function fills the buffer (first argument) with the specified
number of bytes (second argument) from the trusted entropy source.

This function will be used to initialize the stack protector canary.

Change-Id: Iff15aaf4778c13fa883ecb5528fcf9b8479d4489
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Juno platform Makefile is responsible for enabling all the relevant
errata. As the Juno platform port does not know which revision of Juno
the TF
is compiled for, the revision of the cores are unknown and so all errata
up to this date are needed on at least one revision of Juno.

Change-Id: I38e1d6efc17e703f2bd55e0714f8d8fa4778f696
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

ARM erratum 855873 applies to all Cortex-A53 CPUs.
The recommended workaround is to promote "data cache clean"
instructions to "data cache clean and invalidate" instructions.
For core revisions of r0p3 and later this can be done by setting a bit
in the CPUACTLR_EL1 register, so that hardware takes care of the promotion.
As CPUACTLR_EL1 is both IMPLEMENTATION DEFINED and can be trapped to EL3,
we set the bit in firmware.
Also we dump this register upon crashing to provide more debug
information.

Enable the workaround for the Juno boards.

Change-Id: I3840114291958a406574ab6c49b01a9d9847fec8
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

TLBI instructions for EL3 won't have the desired effect under specific
circumstances in Cortex-A57 r0p0. The workaround is to execute DSB and
TLBI twice each time.

Even though this errata is only needed in r0p0, the current errata
framework is not prepared to apply run-time workarounds. The current one
is always applied if compiled in, regardless of the CPU or its revision.

This errata has been enabled for Juno.

The `DSB` instruction used when initializing the translation tables has
been changed to `DSB ISH` as an optimization and to be consistent with
the barriers used for the workaround.

Change-Id: Ifc1d70b79cb5e0d87e90d88d376a59385667d338
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Compile option `ARM_BOARD_OPTIMISE_MMAP` has been renamed to
`ARM_BOARD_OPTIMISE_MEM` because it now applies not only to defines
related to the translation tables but to the image size as well.

The defines `PLAT_ARM_MAX_BL1_RW_SIZE`, `PLAT_ARM_MAX_BL2_SIZE` and
`PLAT_ARM_MAX_BL31_SIZE` have been moved to the file board_arm_def.h.
This way, ARM platforms no longer have to set their own values if
`ARM_BOARD_OPTIMISE_MEM=0` and they can specify optimized values
otherwise. The common sizes have been set to the highest values used
for any of the current build configurations.

This is needed because in some build configurations some images are
running out of space. This way there is a common set of values known
to work for all of them and it can be optimized for each particular
platform if needed.

The space reserved for BL2 when `TRUSTED_BOARD_BOOT=0` has been
increased. This is needed because when memory optimisations are
disabled the values for Juno of `PLAT_ARM_MMAP_ENTRIES` and
`MAX_XLAT_TABLES` are higher. If in this situation the code is
compiled in debug mode and with "-O0", the code won't fit.

Change-Id: I70a3d8d3a0b0cad1d6b602c01a7ea334776e718e

This patch migrates ARM Standard platforms to the refactored TZC driver.

Change-Id: I2a2f60b645f73e14d8f416740c4551cec87cb1fb

`board_arm_def.h` contains multiple definitions of
`PLAT_ARM_MMAP_ENTRIES` and `MAX_XLAT_TABLES` that are optimised for
memory usage depending upon the chosen build configuration. To ease
maintenance of these constants, this patch replaces their multiple
definitions with a single set of definitions that will work on all ARM
platforms.

Platforms can override the defaults with optimal values by enabling the
`ARM_BOARD_OPTIMISE_MMAP` build option. An example has been provided in
the Juno ADP port.

Additionally, `PLAT_ARM_MMAP_ENTRIES` is increased by one to accomodate
future ARM platforms.

Change-Id: I5ba6490fdd1e118cc9cc2d988ad7e9c38492b6f0