GitLab

The BL3-1 firmware code is stored in TZSRAM on Tegra186 platforms. This
memory loses power when we enter System Suspend and so its contents are
stored to TZDRAM, before entry. This opens up an attack vector where the
TZDRAM contents might be tampered with when we are in the System Suspend
mode. To mitigate this attack the SE engine calculates the hash of entire
TZSRAM and stores it in PMC scratch, before we copy data to TZDRAM. The
WB0 code will validate the TZDRAM and match the hash with the one in PMC
scratch.

This patch adds driver for the SE engine, with APIs to calculate the hash
and store SE SHA256 hash-result to PMC scratch registers.

Change-Id: Ib487d5629225d3d99bd35d44f0402d6d3cf27ddf
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>

This patch enables the bpmp-ipc driver for Tegra186 platforms,
to ask BPMP firmware to toggle SE clock.

Change-Id: Ie63587346c4d9b7e54767dbee17d0139fa2818ae
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>

ERRATA_A57_829520 disables "indirect branch prediction" for
EL1 on cpu reset, leading to 15% drop in CPU performance
with coremark benchmarks.

Tegra210 already has a hardware fix for ARM BUG#829520,so
this errata is not needed.

This patch disables the errata to get increased performance
numbers.

Change-Id: I0b42e8badd19a8101f6a55d80eb2d953597d3c20
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>

This patch adds support for memqual miu 4,5.

The MEMQUAL engine has miu0 to miu7 in which miu6 and
miu7 is hardwired to bypass SMMU. So only miu0 to miu5
support is provided.

Change-Id: Ib350334eec521e65f395f1c3205e2cdaf464ebea
Signed-off-by: Pravin <pt@nvidia.com>

As bpmp-fw is running at the same time as ATF, and
the mss client reconfiguration sequence involves performing
a hot flush resets on bpmp, there is a chance that bpmp-fw is
trying to perform accesses while the hot flush is active.

Therefore, the mss client reconfigure has been moved to
System Suspend resume fw and bootloader, and it can be
removed from here.

Change-Id: I34019ad12abea9681f5e180af6bc86f2c4c6fc74
Signed-off-by: Stefan Kristiansson <stefank@nvidia.com>

This patch removes usage of bakery_locks from the FIQ handler, as it
creates unnecessary dependency whenever the watchdog timer interrupt
fires. All operations inside the interrupt handler are 'reads', so
no need for serialization.

Change-Id: I3f675e610e4dabc5b1435fdd24bc28e424f5a8e4
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Tegra210B01 SoCs support atomic context save for the two SE
hardware engines. Tegra210 SoCs have support for only one SE
engine and support a software based save/restore mechanism
instead.

This patch updates the SE driver to make this change.

Change-Id: Ia5e5ed75d0fe011f17809684bbc2ed2338925946
Signed-off-by: Harvey Hsieh <hhsieh@nvidia.com>

Update the list to include PMC registers that the NS world cannot
access even with smc calls.

Change-Id: I588179b56ebc0c29200b55e6d61535fd3a7a3b7e
Signed-off-by: kalyani chidambaram <kalyanic@nvidia.com>

This patch resets the macros to update the CPUACTLR_ELx to make
them generic for all exception levels.

Change-Id: I33e9b860efb543934b654a2f5d775135df7f1aa6
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Currently, the ROM region is needlessly too large.

The on-chip SRAM region of the next SoC will start from 0x04000000,
and this will cause the region overlap.

Mapping 0x04000000 for the ROM is enough.

Change-Id: I85ce0bb1120ebff2e3bc7fd13dc0fd15dfff5ff6
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Enable encryption IO layer to be stacked above FIP IO layer for optional
encryption of Bl31 and BL32 images in case ENCRYPT_BL31 or ENCRYPT_BL32
build flag is set.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I24cba64728861e833abffc3d5d9807599c49feb6

Secure FLASH0 memory map looks like:
- Offset: 0 to 256K -> bl1.bin
- Offset: 256K to 4.25M -> fip.bin

FLASH1 is normally used via UEFI/edk2 to keep varstore.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I6883f556c22d6a5d3fa3846c703bebc2abe36765

TBBR spec advocates for optional encryption of firmwares (see optional
requirement: R060_TBBR_FUNCTION). So add an IO abstaction layer to
support firmware decryption that can be stacked above any underlying IO/
packaging layer like FIP etc. It aims to provide a framework to load any
encrypted IO payload.

Also, add plat_get_enc_key_info() to be implemented in a platform
specific manner as handling of encryption key may vary from one platform
to another.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I9892e0ddf00ebecb8981301dbfa41ea23e078b03

Since commit ac71344e

 we have the UART base address in the generic
console_t structure. For most platforms the platform-specific struct
console is gone, so we *must* use the embedded base address, since there
is no storage behind the generic console_t anymore.

Replace the usage of CONSOLE_T_DRVDATA with CONSOLE_T_BASE to fix this.

Change-Id: I6d2ab0bc2c845c71f98b9dd64d89eef3252f4591
Reported-by: Varun Wadekar <vwadekar@nvidia.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Commit ac71344e

 moved the base address
for the MMIO aperture of the console inside the console_t struct. As
a result, the driver should now save the MMIO base address to console_t
at offset marked by the CONSOLE_T_BASE macro.

This patch updates the SPE console driver to use the CONSOLE_T_BASE macro
to save/access the MMIO base address.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I42afc2608372687832932269108ed642f218fd40

This patch implements loading of Secure Partition packages using
existing framework of loading other bl images.

The current framework uses a statically defined array to store all the
possible image types and at run time generates a link list and traverse
through it to load different images.

To load SPs, a new array of fixed size is introduced which will be
dynamically populated based on number of SPs available in the system
and it will be appended to the loadable images list.

Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Added SPMD_SPM_AT_SEL2 build command line parameter.
Set to 1 to run SPM at S-EL2.
Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled).
Removed runtime EL from SPM core manifest.

Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Renamed the structure according to a SPMD refactoring
introduced in <c585d07aa> since this structure is used
to service both EL1 and EL2 as opposed to serving only EL1.

Change-Id: I23b7c089e53f617157a4b4e6443acce50d85c3b5
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Add load address and UUID in fw config dts for Cactus and Ivy which are
example SP's in tf-test repository.

For prototype purpose these information is added manually but later on
it will be updated at compile time from SP layout file and SP manifests
provided by platform.

Change-Id: I41f485e0245d882c7b514bad41fae34036597ce4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Use the firmware configuration framework to retrieve information about
Secure Partitions to facilitate loading them into memory.

To load a SP image we need UUID look-up into FIP and the load address
where it needs to be loaded in memory.

This patch introduces a SP populator function which gets UUID and load
address from firmware config device tree and updates its C data
structure.

Change-Id: I17faec41803df9a76712dcc8b67cadb1c9daf8cd
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

MISRA C-2012 Rule 20.7:
Macro parameter expands into an expression without being wrapped by parentheses.

MISRA C-2012 Rule 12.1:
Missing explicit parentheses on sub-expression.

MISRA C-2012 Rule 18.4:
Essential type of the left hand operand is not the same as that of the right
operand.

Include does not provide any needed symbols.

Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Modify RSU driver error code for backward-compatibility with
Linux RSU driver
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: Ib9e38d4017efe35d3aceeee27dce451fbd429fb5

The revision register address will be changed in the next SoC.

The LSI revision is needed in order to know where the revision
register is located, but you need to read out the revision
register for that. This is impossible.

We need to know the revision register address by other means.
Use BL_CODE_BASE, where the base address of the TF image that is
currently running. If it is bigger than 0x80000000 (i.e. the DRAM
base is 0x80000000), we assume it is a legacy SoC.

Change-Id: I9d7f4325fe2085a8a1ab5310025e5948da611256
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This patch fixes incorrect setting for DEVICE1_SIZE
for FVP platforms with more than 8 PEs.
The current value of 0x200000 supports only 8 PEs
and causes exception for FVP platforms with the greater
number of PEs, e.g. FVP_Base_Cortex_A65AEx8 with 16 PEs
in one cluster.

Change-Id: Ie6391509fe6eeafb8ba779303636cd762e7d21b2
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Now that different UARTs share the same console_t struct, we can
simplify the console selection for the Marvell platforms:
We share the same console_t pointers, just change the name of the
console register functions, depending on the selected platform.

Change-Id: I6fe3e49fd7f208a9b3372c5deef43236a12867bc
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I7a23327394d142af4b293ea7ccd90b843c54587c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I07a07677153d3671ced776671e4f107824d3df16
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: Ia9d996bb45ff3a7f1b240f12fd75805b48a048e9
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I75dbfafb67849833b3f7b5047e237651e3f553cd
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I9f8b55414ab7965e431e3e86d182eabd511f32a4
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: Ifd6aff1064ba1c3c029cdd8a83f715f7a9976db5
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: Iea6ca26ff4903c33f0fad27fec96fdbabd4e0a91
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I836e26ff1771abf21fd460d0ee40e90a452e9b43
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I89c3ab2ed85ab941d8b38ced48474feb4aaa8b7e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I5c2fe3b6a667acf80c808cfec4a64059a2c9c25f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I058f793e4024fa7291e432f5be374a77faf16f36
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

This patch comes as fixes for 'intel: Fix Coverity Scan Defects' patch.
Revert changing argument type from uint32_t to uint64_t to fix
incompatible cast issue. Fix said bug by using intermediate uint32_t
array as a more appropriate solution.
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I344cdabd432cf0a0389b225c934b35d12f4c631d

This initializes the EMAC PHY in both Stratix 10 and Agilex,
without this, EMAC PHY wouldn't work correctly.

Change-Id: I7e6b9e88fd9ef472884fcf648e6001fcb7549ae6
Signed-off-by: Abdul Halim, Muhammad Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466

This patch adds support for a new SMC that can be used to control the
watchdog. This allows for a cleaner separation of responsibilities where
all watchdog operations have to go through Trusted Firmware and we could
no longer have kernel and firmware poking concurrently at the same
register block.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Change-Id: I4844a3559d5c956a53a74a61dd5bc2956f0cce7b