1. 14 Dec, 2015 1 commit
    • Juan Castillo's avatar
      TBB: apply TBBR naming convention to certificates and extensions · 516beb58
      Juan Castillo authored
      This patch applies the TBBR naming convention to the certificates
      and the corresponding extensions defined by the CoT:
      
          * Certificate UUID names
          * Certificate identifier names
          * OID names
      
      Changes apply to:
      
          * Generic code (variables and defines)
          * The default certificate identifiers provided in the generic
            code
          * Build system
          * ARM platforms port
          * cert_create tool internal definitions
          * fip_create and cert_create tools command line options
          * Documentation
      
      IMPORTANT: this change breaks the compatibility with platforms
      that use TBBR. The platform will need to adapt the identifiers
      and OIDs to the TBBR naming convention introduced by this patch:
      
      Certificate UUIDs:
      
          UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT --> UUID_TRUSTED_BOOT_FW_CERT
          UUID_SCP_FIRMWARE_BL30_KEY_CERT --> UUID_SCP_FW_KEY_CERT
          UUID_SCP_FIRMWARE_BL30_CERT --> UUID_SCP_FW_CONTENT_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT --> UUID_SOC_FW_KEY_CERT
          UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT --> UUID_SOC_FW_CONTENT_CERT
          UUID_SECURE_PAYLOAD_BL32_KEY_CERT --> UUID_TRUSTED_OS_FW_KEY_CERT
          UUID_SECURE_PAYLOAD_BL32_CERT --> UUID_TRUSTED_OS_FW_CONTENT_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT --> UUID_NON_TRUSTED_FW_KEY_CERT
          UUID_NON_TRUSTED_FIRMWARE_BL33_CERT --> UUID_NON_TRUSTED_FW_CONTENT_CERT
      
      Certificate identifiers:
      
          BL2_CERT_ID --> TRUSTED_BOOT_FW_CERT_ID
          BL30_KEY_CERT_ID --> SCP_FW_KEY_CERT_ID
          BL30_CERT_ID --> SCP_FW_CONTENT_CERT_ID
          BL31_KEY_CERT_ID --> SOC_FW_KEY_CERT_ID
          BL31_CERT_ID --> SOC_FW_CONTENT_CERT_ID
          BL32_KEY_CERT_ID --> TRUSTED_OS_FW_KEY_CERT_ID
          BL32_CERT_ID --> TRUSTED_OS_FW_CONTENT_CERT_ID
          BL33_KEY_CERT_ID --> NON_TRUSTED_FW_KEY_CERT_ID
          BL33_CERT_ID --> NON_TRUSTED_FW_CONTENT_CERT_ID
      
      OIDs:
      
          TZ_FW_NVCOUNTER_OID --> TRUSTED_FW_NVCOUNTER_OID
          NTZ_FW_NVCOUNTER_OID --> NON_TRUSTED_FW_NVCOUNTER_OID
          BL2_HASH_OID --> TRUSTED_BOOT_FW_HASH_OID
          TZ_WORLD_PK_OID --> TRUSTED_WORLD_PK_OID
          NTZ_WORLD_PK_OID --> NON_TRUSTED_WORLD_PK_OID
          BL30_CONTENT_CERT_PK_OID --> SCP_FW_CONTENT_CERT_PK_OID
          BL30_HASH_OID --> SCP_FW_HASH_OID
          BL31_CONTENT_CERT_PK_OID --> SOC_FW_CONTENT_CERT_PK_OID
          BL31_HASH_OID --> SOC_AP_FW_HASH_OID
          BL32_CONTENT_CERT_PK_OID --> TRUSTED_OS_FW_CONTENT_CERT_PK_OID
          BL32_HASH_OID --> TRUSTED_OS_FW_HASH_OID
          BL33_CONTENT_CERT_PK_OID --> NON_TRUSTED_FW_CONTENT_CERT_PK_OID
          BL33_HASH_OID --> NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID
          BL2U_HASH_OID --> AP_FWU_CFG_HASH_OID
          SCP_BL2U_HASH_OID --> SCP_FWU_CFG_HASH_OID
          NS_BL2U_HASH_OID --> FWU_HASH_OID
      
      Change-Id: I1e047ae046299ca913911c39ac3a6e123bd41079
      516beb58
  2. 09 Dec, 2015 9 commits
    • Yatharth Kochar's avatar
      FWU: Add Firmware Update support in BL2U for ARM platforms · dcda29f6
      Yatharth Kochar authored
      This patch adds support for Firmware update in BL2U for ARM
      platforms such that TZC initialization is performed on all
      ARM platforms and (optionally) transfer of SCP_BL2U image on
      ARM CSS platforms.
      
      BL2U specific functions are added to handle early_platform and
      plat_arch setup. The MMU is configured to map in the BL2U
      code/data area and other required memory.
      
      Change-Id: I57863295a608cc06e6cbf078b7ce34cbd9733e4f
      dcda29f6
    • Yatharth Kochar's avatar
      FWU: Add Generic BL2U FWU image support in BL2 · 9003fa0b
      Yatharth Kochar authored
      The Firmware Update (FWU) feature needs support for an optional
      secure world image, BL2U, to allow additional secure world
      initialization required by FWU, for example DDR initialization.
      
      This patch adds generic framework support to create BL2U.
      
      NOTE: A platform makefile must supply additional `BL2U_SOURCES`
            to build the bl2u target. A subsequent patch adds bl2u
            support for ARM platforms.
      
      Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413
      9003fa0b
    • Yatharth Kochar's avatar
      FWU: Add Firmware Update support in BL1 for ARM platforms · 436223de
      Yatharth Kochar authored
      This patch adds Firmware Update support for ARM platforms.
      
      New files arm_bl1_fwu.c and juno_bl1_setup.c were added to provide
      platform specific Firmware update code.
      
      BL1 now includes mmap entry for `ARM_MAP_NS_DRAM1` to map DRAM for
      authenticating NS_BL2U image(For both FVP and JUNO platform).
      
      Change-Id: Ie116cd83f5dc00aa53d904c2f1beb23d58926555
      436223de
    • Yatharth Kochar's avatar
      FWU: Add Generic Firmware Update framework support in BL1 · 48bfb88e
      Yatharth Kochar authored
      Firmware update(a.k.a FWU) feature is part of the TBB architecture.
      BL1 is responsible for carrying out the FWU process if platform
      specific code detects that it is needed.
      
      This patch adds support for FWU feature support in BL1 which is
      included by enabling `TRUSTED_BOARD_BOOT` compile time flag.
      
      This patch adds bl1_fwu.c which contains all the core operations
      of FWU, which are; SMC handler, image copy, authentication, execution
      and resumption. It also adds bl1.h introducing #defines for all
      BL1 SMCs.
      
      Following platform porting functions are introduced:
      
      int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
      unsigned int flags);
      	This function can be used to add platform specific memory checks
      	for the provided base/size for the given security state.
      	The weak definition will invoke `assert()` and return -ENOMEM.
      
      __dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
      	This function can be used to initiate platform specific procedure
      	to mark completion of the FWU process.
      	The weak definition waits forever calling `wfi()`.
      
      plat_bl1_common.c contains weak definitions for above functions.
      
      FWU process starts when platform detects it and return the image_id
      other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
      `bl1_main()`.
      
      NOTE: User MUST provide platform specific real definition for
      bl1_plat_mem_check() in order to use it for Firmware update.
      
      Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
      48bfb88e
    • Yatharth Kochar's avatar
      Add descriptor based image management support in BL1 · 7baff11f
      Yatharth Kochar authored
      As of now BL1 loads and execute BL2 based on hard coded information
      provided in BL1. But due to addition of support for upcoming Firmware
      Update feature, BL1 now require more flexible approach to load and
      run different images using information provided by the platform.
      
      This patch adds new mechanism to load and execute images based on
      platform provided image id's. BL1 now queries the platform to fetch
      the image id of the next image to be loaded and executed. In order
      to achieve this, a new struct image_desc_t was added which holds the
      information about images, such as: ep_info and image_info.
      
      This patch introduces following platform porting functions:
      
      unsigned int bl1_plat_get_next_image_id(void);
      	This is used to identify the next image to be loaded
      	and executed by BL1.
      
      struct image_desc *bl1_plat_get_image_desc(unsigned int image_id);
      	This is used to retrieve the image_desc for given image_id.
      
      void bl1_plat_set_ep_info(unsigned int image_id,
      struct entry_point_info *ep_info);
      	This function allows platforms to update ep_info for given
      	image_id.
      
      The plat_bl1_common.c file provides default weak implementations of
      all above functions, the `bl1_plat_get_image_desc()` always return
      BL2 image descriptor, the `bl1_plat_get_next_image_id()` always return
      BL2 image ID and `bl1_plat_set_ep_info()` is empty and just returns.
      These functions gets compiled into all BL1 platforms by default.
      
      Platform setup in BL1, using `bl1_platform_setup()`, is now done
      _after_ the initialization of authentication module. This change
      provides the opportunity to use authentication while doing the
      platform setup in BL1.
      
      In order to store secure/non-secure context, BL31 uses percpu_data[]
      to store context pointer for each core. In case of BL1 only the
      primary CPU will be active hence percpu_data[] is not required to
      store the context pointer.
      
      This patch introduce bl1_cpu_context[] and bl1_cpu_context_ptr[] to
      store the context and context pointers respectively. It also also
      re-defines cm_get_context() and cm_set_context() for BL1 in
      bl1/bl1_context_mgmt.c.
      
      BL1 now follows the BL31 pattern of using SP_EL0 for the C runtime
      environment, to support resuming execution from a previously saved
      context.
      
      NOTE: THE `bl1_plat_set_bl2_ep_info()` PLATFORM PORTING FUNCTION IS
            NO LONGER CALLED BY BL1 COMMON CODE. PLATFORMS THAT OVERRIDE
            THIS FUNCTION MAY NEED TO IMPLEMENT `bl1_plat_set_ep_info()`
            INSTEAD TO MAINTAIN EXISTING BEHAVIOUR.
      
      Change-Id: Ieee4c124b951c2e9bc1c1013fa2073221195d881
      7baff11f
    • Soby Mathew's avatar
      Specify BL31 runtime console for ARM Standard platforms · 080225da
      Soby Mathew authored
      This patch overrides the default weak definition of
      `bl31_plat_runtime_setup()` for ARM Standard platforms to
      specify a BL31 runtime console. ARM Standard platforms are
      now expected to define `PLAT_ARM_BL31_RUN_UART_BASE` and
      `PLAT_ARM_BL31_RUN_UART_CLK_IN_HZ` macros which is required
      by `arm_bl31_plat_runtime_setup()` to initialize the runtime
      console.
      
      The system suspend resume helper `arm_system_pwr_domain_resume()`
      is fixed to initialize the runtime console rather than the boot
      console on resumption from system suspend.
      
      Fixes ARM-software/tf-issues#220
      
      Change-Id: I80eafe5b6adcfc7f1fdf8b99659aca1c64d96975
      080225da
    • Soby Mathew's avatar
      Ensure BL31 does not print to boot console by default · 78e61613
      Soby Mathew authored
      It is not ideal for BL31 to continue to use boot console at
      runtime which could be potentially uninitialized. This patch
      introduces a new optional platform porting API
      `bl31_plat_runtime_setup()` which allows the platform to perform
      any BL31 runtime setup just prior to BL31 exit during cold boot.
      The default weak implementation of this function will invoke
      `console_uninit()` which will suppress any BL31 runtime logs.
      
      On the ARM Standard platforms, there is an anomaly that
      the boot console will be reinitialized on resumption from
      system suspend in `arm_system_pwr_domain_resume()`. This
      will be resolved in the following patch.
      
      NOTE: The default weak definition of `bl31_plat_runtime_setup()`
      disables the BL31 console. To print the BL31 runtime
      messages, platforms must override this API and initialize a
      runtime console.
      
      Fixes ARM-software/tf-issues#328
      
      Change-Id: Ibaf8346fcceb447fe1a5674094c9f8eb4c09ac4a
      78e61613
    • Achin Gupta's avatar
      Rework use of ARM GIC drivers on ARM platforms · 27573c59
      Achin Gupta authored
      Suport for ARM GIC v2.0 and v3.0 drivers has been reworked to create three
      separate drivers instead of providing a single driver that can work on both
      versions of the GIC architecture. These drivers correspond to the following
      software use cases:
      
      1. A GICv2 only driver that can run only on ARM GIC v2.0 implementations
         e.g. GIC-400
      
      2. A GICv3 only driver that can run only on ARM GIC v3.0 implementations
         e.g. GIC-500 in a mode where all interrupt regimes use GICv3 features
      
      3. A deprecated GICv3 driver that operates in legacy mode. This driver can
         operate only in the GICv2 mode in the secure world. On a GICv3 system, this
         driver allows normal world to run in either GICv3 mode (asymmetric mode)
         or in the GICv2 mode. Both modes of operation are deprecated on GICv3
         systems.
      
      ARM platforms implement both versions of the GIC architecture. This patch adds a
      layer of abstraction to help ARM platform ports chose the right GIC driver and
      corresponding platform support. This is as described below:
      
      1. A set of ARM common functions have been introduced to initialise the GIC and
         the driver during cold and warm boot. These functions are prefixed as
         "plat_arm_gic_". Weak definitions of these functions have been provided for
         each type of driver.
      
      2. Each platform includes the sources that implement the right functions
         directly into the its makefile. The FVP can be instantiated with different
         versions of the GIC architecture. It uses the FVP_USE_GIC_DRIVER build option
         to specify which of the three drivers should be included in the build.
      
      3. A list of secure interrupts has to be provided to initialise each of the
        three GIC drivers. For GIC v3.0 the interrupt ids have to be further
        categorised as Group 0 and Group 1 Secure interrupts. For GIC v2.0, the two
        types are merged and treated as Group 0 interrupts.
      
        The two lists of interrupts are exported from the platform_def.h. The lists
        are constructed by adding a list of board specific interrupt ids to a list of
        ids common to all ARM platforms and Compute sub-systems.
      
      This patch also makes some fields of `arm_config` data structure in FVP redundant
      and these unused fields are removed.
      
      Change-Id: Ibc8c087be7a8a6b041b78c2c3bd0c648cd2035d8
      27573c59
    • Soby Mathew's avatar
      Prepare platforms to use refactored ARM GIC drivers · f14d1886
      Soby Mathew authored
      This patch adds platform helpers for the new GICv2 and GICv3 drivers in
      plat_gicv2.c and plat_gicv3.c. The platforms can include the appropriate
      file in their build according to the GIC driver to be used. The existing
      plat_gic.c is only meant for the legacy GIC driver.
      
      In the case of ARM platforms, the major changes are as follows:
      
      1. The crash reporting helper macro `arm_print_gic_regs` that prints the GIC CPU
         interface register values has been modified to detect the type of CPU
         interface being used (System register or memory mappped interface) before
         using the right interface to print the registers.
      
      2. The power management helper function that is called after a core is powered
         up has been further refactored. This is to highlight that the per-cpu
         distributor interface should be initialised only when the core was originally
         powered down using the CPU_OFF PSCI API and not when the CPU_SUSPEND PSCI API
         was used.
      
      3. In the case of CSS platforms, the system power domain restore helper
         `arm_system_pwr_domain_resume()` is now only invoked in the `suspend_finish`
         handler as the system power domain is always expected to be initialized when
         the `on_finish` handler is invoked.
      
      Change-Id: I7fc27d61fc6c2a60cea2436b676c5737d0257df6
      f14d1886
  3. 04 Dec, 2015 1 commit
    • Juan Castillo's avatar
      Fix SP804 delay timer on FVP · 540a5ba8
      Juan Castillo authored
      This patch fixes several issues with the SP804 delay timer on FVP:
      
      * By default, the SP804 dual timer on FVP runs at 32 KHz. In order
        to run the timer at 35 MHz (as specified in the FVP user manual)
        the Overwrite bit in the SP810 control register must be set.
      
      * The CLKMULT and CLKDIV definitions are mixed up:
      
            delta(us) = delta(ticks) * T(us) = delta(ticks) / f(MHz)
      
        From the delay function:
      
            delta_us = (delta * ops->clk_mult) / ops->clk_div;
      
        Matching both expressions:
      
            1 / f(MHz) = ops->clk_mult / ops->clk_div
      
        And consequently:
      
            f(MHz) = ops->clk_div / ops->clk_mult
      
        Which, for a 35 MHz timer, translates to:
      
            ops->clk_div = 35
            ops->clk_mult = 1
      
      * The comment in the delay timer header file has been corrected:
        The ratio of the multiplier and the divider is the clock period
        in microseconds, not the frequency.
      
      Change-Id: Iffd5ce0a5a28fa47c0720c0336d81b678ff8fdf1
      540a5ba8
  4. 02 Dec, 2015 2 commits
    • Juan Castillo's avatar
      TBB: add Trusted Watchdog support on ARM platforms · 7b4c1405
      Juan Castillo authored
      This patch adds watchdog support on ARM platforms (FVP and Juno).
      A secure instance of SP805 is used as Trusted Watchdog. It is
      entirely managed in BL1, being enabled in the early platform setup
      hook and disabled in the exit hook. By default, the watchdog is
      enabled in every build (even when TBB is disabled).
      
      A new ARM platform specific build option `ARM_DISABLE_TRUSTED_WDOG`
      has been introduced to allow the user to disable the watchdog at
      build time. This feature may be used for testing or debugging
      purposes.
      
      Specific error handlers for Juno and FVP are also provided in this
      patch. These handlers will be called after an image load or
      authentication error. On FVP, the Table of Contents (ToC) in the FIP
      is erased. On Juno, the corresponding error code is stored in the
      V2M Non-Volatile flags register. In both cases, the CPU spins until
      a watchdog reset is generated after 256 seconds (as specified in
      the TBBR document).
      
      Change-Id: I9ca11dcb0fe15af5dbc5407ab3cf05add962f4b4
      7b4c1405
    • Juan Castillo's avatar
      TBB: add ARM OIDs · bf6863c6
      Juan Castillo authored
      This patch adds ARM specific OIDs which will be used to extract
      the extension data from the certificates. These OIDs are arranged
      as a subtree whose root node has been specifically allocated for
      ARM Ltd.
      
          { iso(1) identified-organization(3) dod(6) internet(1)
            private(4) enterprise(1) 4128 }
      
      Change-Id: Ice20b3c8a31ddefe9102f3bd42f7429986f3ac34
      bf6863c6
  5. 27 Nov, 2015 1 commit
    • Juan Castillo's avatar
      Add basic NOR flash driver for ARM platforms · 9784dbda
      Juan Castillo authored
      FVP and Juno platforms include a NOR flash memory to store and
      load the FIP, the kernel or a ramdisk. This NOR flash is arranged
      as 2 x 16 bit flash devices and can be programmed using CFI
      standard commands.
      
      This patch provides a basic API to write single 32 bit words of
      data into the NOR flash. Functions to lock/unlock blocks against
      erase or write operations are also provided.
      
      Change-Id: I1da7ad3105b1ea409c976adc863954787cbd90d2
      9784dbda
  6. 26 Nov, 2015 1 commit
    • Sandrine Bailleux's avatar
      CSS: Enable booting of EL3 payloads · 4c117f6c
      Sandrine Bailleux authored
      This patch adds support for booting EL3 payloads on CSS platforms,
      for example Juno. In this scenario, the Trusted Firmware follows
      its normal boot flow up to the point where it would normally pass
      control to the BL31 image. At this point, it jumps to the EL3
      payload entry point address instead.
      
      Before handing over to the EL3 payload, the data SCP writes for AP
      at the beginning of the Trusted SRAM is restored, i.e. we zero the
      first 128 bytes and restore the SCP Boot configuration. The latter
      is saved before transferring the BL30 image to SCP and is restored
      just after the transfer (in BL2). The goal is to make it appear that
      the EL3 payload is the first piece of software to run on the target.
      
      The BL31 entrypoint info structure is updated to make the primary
      CPU jump to the EL3 payload instead of the BL31 image.
      
      The mailbox is populated with the EL3 payload entrypoint address,
      which releases the secondary CPUs out of their holding pen (if the
      SCP has powered them on). The arm_program_trusted_mailbox() function
      has been exported for this purpose.
      
      The TZC-400 configuration in BL2 is simplified: it grants secure
      access only to the whole DRAM. Other security initialization is
      unchanged.
      
      This alternative boot flow is disabled by default. A new build option
      EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
      payload's entry point address. The build system has been modified
      such that BL31 and BL33 are not compiled and/or not put in the FIP in
      this case, as those images are not used in this boot flow.
      
      Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077
      4c117f6c
  7. 24 Nov, 2015 1 commit
    • Soby Mathew's avatar
      Replace build macro WARN_DEPRECATED with ERROR_DEPRECATED · 7a24cba5
      Soby Mathew authored
      This patch changes the build time behaviour when using deprecated API within
      Trusted Firmware. Previously the use of deprecated APIs would only trigger a
      build warning (which was always treated as a build error), when
      WARN_DEPRECATED = 1. Now, the use of deprecated C declarations will always
      trigger a build time warning. Whether this warning is treated as error or not
      is determined by the build flag ERROR_DEPRECATED which is disabled by default.
      When the build flag ERROR_DEPRECATED=1, the invocation of deprecated API or
      inclusion of deprecated headers will result in a build error.
      
      Also the deprecated context management helpers in context_mgmt.c are now
      conditionally compiled depending on the value of ERROR_DEPRECATED flag
      so that the APIs themselves do not result in a build error when the
      ERROR_DEPRECATED flag is set.
      
      NOTE: Build systems that use the macro WARN_DEPRECATED must migrate to
      using ERROR_DEPRECATED, otherwise deprecated API usage will no longer
      trigger a build error.
      
      Change-Id: I843bceef6bde979af7e9b51dddf861035ec7965a
      7a24cba5
  8. 30 Oct, 2015 3 commits
    • Soby Mathew's avatar
      Include xlat_tables.h in plat_arm.h · 8f6623f0
      Soby Mathew authored
      This patch fixes a compilation issue for platforms that are aligned to ARM
      Standard platforms and include the `plat_arm.h` header in their platform port.
      The compilation would fail for such a platform because `xlat_tables.h` which
      has the definition for `mmap_region_t` is not included in `plat_arm.h`. This
      patch fixes this by including `xlat_tables.h` in `plat_arm.h` header.
      
      Fixes ARM-Software/tf-issues#318
      
      Change-Id: I75f990cfb4078b3996fc353c8cd37c9de61d555e
      8f6623f0
    • Soby Mathew's avatar
      Support PSCI SYSTEM SUSPEND on Juno · c1bb8a05
      Soby Mathew authored
      This patch adds the capability to power down at system power domain level
      on Juno via the PSCI SYSTEM SUSPEND API. The CSS power management helpers
      are modified to add support for power management operations at system
      power domain level. A new helper for populating `get_sys_suspend_power_state`
      handler in plat_psci_ops is defined. On entering the system suspend state,
      the SCP powers down the SYSTOP power domain on the SoC and puts the memory
      into retention mode. On wakeup from the power down, the system components
      on the CSS will be reinitialized by the platform layer and the PSCI client
      is responsible for restoring the context of these system components.
      
      According to PSCI Specification, interrupts targeted to cores in PSCI CPU
      SUSPEND should be able to resume it. On Juno, when the system power domain
      is suspended, the GIC is also powered down. The SCP resumes the final core
      to be suspend when an external wake-up event is received. But the other
      cores cannot be woken up by a targeted interrupt, because GIC doesn't
      forward these interrupts to the SCP. Due to this hardware limitation,
      we down-grade PSCI CPU SUSPEND requests targeted to the system power domain
      level to cluster power domain level in `juno_validate_power_state()`
      and the CSS default `plat_arm_psci_ops` is overridden in juno_pm.c.
      
      A system power domain resume helper `arm_system_pwr_domain_resume()` is
      defined for ARM standard platforms which resumes/re-initializes the
      system components on wakeup from system suspend. The security setup also
      needs to be done on resume from system suspend, which means
      `plat_arm_security_setup()` must now be included in the BL3-1 image in
      addition to previous BL images if system suspend need to be supported.
      
      Change-Id: Ie293f75f09bad24223af47ab6c6e1268f77bcc47
      c1bb8a05
    • Soby Mathew's avatar
      CSS: Implement topology support for System power domain · 5f3a6030
      Soby Mathew authored
      This patch implements the necessary topology changes for supporting
      system power domain on CSS platforms. The definition of PLAT_MAX_PWR_LVL and
      PLAT_NUM_PWR_DOMAINS macros are removed from arm_def.h and are made platform
      specific. In addition, the `arm_power_domain_tree_desc[]` and
      `arm_pm_idle_states[]` are modified to support the system power domain
      at level 2. With this patch, even though the power management operations
      involving the system power domain will not return any error, the platform
      layer will silently ignore any operations to the power domain. The actual
      power management support for the system power domain will be added later.
      
      Change-Id: I791867eded5156754fe898f9cdc6bba361e5a379
      5f3a6030
  9. 28 Oct, 2015 1 commit
    • Juan Castillo's avatar
      Add optional platform error handler API · 40fc6cd1
      Juan Castillo authored
      This patch adds an optional API to the platform port:
      
          void plat_error_handler(int err) __dead2;
      
      The platform error handler is called when there is a specific error
      condition after which Trusted Firmware cannot continue. While panic()
      simply prints the crash report (if enabled) and spins, the platform
      error handler can be used to hand control over to the platform port
      so it can perform specific bookeeping or post-error actions (for
      example, reset the system). This function must not return.
      
      The parameter indicates the type of error using standard codes from
      errno.h. Possible errors reported by the generic code are:
      
          -EAUTH  : a certificate or image could not be authenticated
                    (when Trusted Board Boot is enabled)
          -ENOENT : the requested image or certificate could not be found
                    or an IO error was detected
          -ENOMEM : resources exhausted. Trusted Firmware does not use
                    dynamic memory, so this error is usually an indication
                    of an incorrect array size
      
      A default weak implementation of this function has been provided.
      It simply implements an infinite loop.
      
      Change-Id: Iffaf9eee82d037da6caa43b3aed51df555e597a3
      40fc6cd1
  10. 20 Oct, 2015 1 commit
    • Soby Mathew's avatar
      Reorganise PSCI PM handler setup on ARM Standard platforms · 785fb92b
      Soby Mathew authored
      This patch does the following reorganization to psci power management (PM)
      handler setup for ARM standard platform ports :
      
      1. The mailbox programming required during `plat_setup_psci_ops()` is identical
         for all ARM platforms. Hence the implementation of this API is now moved
         to the common `arm_pm.c` file. Each ARM platform now must define the
         PLAT_ARM_TRUSTED_MAILBOX_BASE macro, which in current platforms is the same
         as ARM_SHARED_RAM_BASE.
      
      2. The PSCI PM handler callback structure, `plat_psci_ops`, must now be
         exported via `plat_arm_psci_pm_ops`. This allows the common implementation
         of `plat_setup_psci_ops()` to return a platform specific `plat_psci_ops`.
         In the case of CSS platforms, a default weak implementation of the same is
         provided in `css_pm.c` which can be overridden by each CSS platform.
      
      3. For CSS platforms, the PSCI PM handlers defined in `css_pm.c` are now
         made library functions and a new header file `css_pm.h` is added to export
         these generic PM handlers. This allows the platform to reuse the
         adequate CSS PM handlers and redefine others which need to be customized
         when overriding the default `plat_arm_psci_pm_ops` in `css_pm.c`.
      
      Change-Id: I277910f609e023ee5d5ff0129a80ecfce4356ede
      785fb92b
  11. 11 Sep, 2015 3 commits
    • Vikram Kanigiri's avatar
      Update ARM platform ports to use new bakery lock apis. · e25e6f41
      Vikram Kanigiri authored
      This patch updates ARM platform ports to use the new unified bakery locks
      API. The caller does not have to use a different bakery lock API depending upon
      the value of the USE_COHERENT_MEM build option.
      
      NOTE: THIS PATCH CAN BE USED AS A REFERENCE TO UPDATE OTHER PLATFORM PORTS.
      
      Change-Id: I1b26afc7c9a9808a6040eb22f603d30192251da7
      e25e6f41
    • Vikram Kanigiri's avatar
      Define the Non-Secure timer frame ID for ARM platforms · 4b1439c5
      Vikram Kanigiri authored
      On Juno and FVP platforms, the Non-Secure System timer corresponds
      to frame 1. However, this is a platform-specific decision and it
      shouldn't be hard-coded. Hence, this patch introduces
      PLAT_ARM_NSTIMER_FRAME_ID which should be used by all ARM platforms
      to specify the correct non-secure timer frame.
      
      Change-Id: I6c3a905d7d89200a2f58c20ce5d1e1d166832bba
      4b1439c5
    • Vikram Kanigiri's avatar
      Re-factor definition of TZC-400 base address · e86c1ff0
      Vikram Kanigiri authored
      This patch replaces the `ARM_TZC_BASE` constant with `PLAT_ARM_TZC_BASE` to
      support different TrustZone Controller base addresses across ARM platforms.
      
      Change-Id: Ie4e1c7600fd7a5875323c7cc35e067de0c6ef6dd
      e86c1ff0
  12. 01 Sep, 2015 1 commit
    • Vikram Kanigiri's avatar
      Configure all secure interrupts on ARM platforms · a7270d35
      Vikram Kanigiri authored
      ARM TF configures all interrupts as non-secure except those which
      are present in irq_sec_array. This patch updates the irq_sec_array
      with the missing secure interrupts for ARM platforms.
      
      It also updates the documentation to be inline with the latest
      implementation.
      
      Fixes ARM-software/tf-issues#312
      
      Change-Id: I39956c56a319086e3929d1fa89030b4ec4b01fcc
      a7270d35
  13. 13 Aug, 2015 11 commits
    • Soby Mathew's avatar
      PSCI: Validate non secure entrypoint on ARM platforms · f9e858b1
      Soby Mathew authored
      This patch implements the platform power managment handler to verify
      non secure entrypoint for ARM platforms. The handler ensures that the
      entry point specified by the normal world during CPU_SUSPEND, CPU_ON
      or SYSTEM_SUSPEND PSCI API is a valid address within the non secure
      DRAM.
      
      Change-Id: I4795452df99f67a24682b22f0e0967175c1de429
      f9e858b1
    • Sandrine Bailleux's avatar
      PSCI: Use a single mailbox for warm reset for FVP and Juno · 804040d1
      Sandrine Bailleux authored
      Since there is a unique warm reset entry point, the FVP and Juno
      port can use a single mailbox instead of maintaining one per core.
      The mailbox gets programmed only once when plat_setup_psci_ops()
      is invoked during PSCI initialization. This means mailbox is not
      zeroed out during wakeup.
      
      Change-Id: Ieba032a90b43650f970f197340ebb0ce5548d432
      804040d1
    • Soby Mathew's avatar
      PSCI: Demonstrate support for composite power states · 2204afde
      Soby Mathew authored
      This patch adds support to the Juno and FVP ports for composite power states
      with both the original and extended state-id power-state formats. Both the
      platform ports use the recommended state-id encoding as specified in
      Section 6.5 of the PSCI specification (ARM DEN 0022C). The platform build flag
      ARM_RECOM_STATE_ID_ENC is used to include this support.
      
      By default, to maintain backwards compatibility, the original power state
      parameter format is used and the state-id field is expected to be zero.
      
      Change-Id: Ie721b961957eaecaca5bf417a30952fe0627ef10
      2204afde
    • Soby Mathew's avatar
      PSCI: Migrate ARM reference platforms to new platform API · 38dce70f
      Soby Mathew authored
      This patch migrates ARM reference platforms, Juno and FVP, to the new platform
      API mandated by the new PSCI power domain topology and composite power state
      frameworks. The platform specific makefiles now exports the build flag
      ENABLE_PLAT_COMPAT=0 to disable the platform compatibility layer.
      
      Change-Id: I3040ed7cce446fc66facaee9c67cb54a8cd7ca29
      38dce70f
    • Soby Mathew's avatar
      PSCI: Add deprecated API for SPD when compatibility is disabled · 5c8babcd
      Soby Mathew authored
      This patch defines deprecated platform APIs to enable Trusted
      Firmware components like Secure Payload and their dispatchers(SPD)
      to continue to build and run when platform compatibility is disabled.
      This decouples the migration of platform ports to the new platform API
      from SPD and enables them to be migrated independently. The deprecated
      platform APIs defined in this patch are : platform_get_core_pos(),
      platform_get_stack() and platform_set_stack().
      
      The patch also deprecates MPIDR based context management helpers like
      cm_get_context_by_mpidr(), cm_set_context_by_mpidr() and cm_init_context().
      A mechanism to deprecate APIs and identify callers of these APIs during
      build is introduced, which is controlled by the build flag WARN_DEPRECATED.
      If WARN_DEPRECATED is defined to 1, the users of the deprecated APIs will be
      flagged either as a link error for assembly files or compile time warning
      for C files during build.
      
      Change-Id: Ib72c7d5dc956e1a74d2294a939205b200f055613
      5c8babcd
    • Soby Mathew's avatar
      PSCI: Switch to the new PSCI frameworks · 67487846
      Soby Mathew authored
      This commit does the switch to the new PSCI framework implementation replacing
      the existing files in PSCI folder with the ones in PSCI1.0 folder. The
      corresponding makefiles are modified as required for the new implementation.
      The platform.h header file is also is switched to the new one
      as required by the new frameworks. The build flag ENABLE_PLAT_COMPAT defaults
      to 1 to enable compatibility layer which let the existing platform ports to
      continue to build and run with minimal changes.
      
      The default weak implementation of platform_get_core_pos() is now removed from
      platform_helpers.S and is provided by the compatibility layer.
      
      Note: The Secure Payloads and their dispatchers still use the old platform
      and framework APIs and hence it is expected that the ENABLE_PLAT_COMPAT build
      flag will remain enabled in subsequent patch. The compatibility for SPDs using
      the older APIs on platforms migrated to the new APIs will be added in the
      following patch.
      
      Change-Id: I18c51b3a085b564aa05fdd98d11c9f3335712719
      67487846
    • Soby Mathew's avatar
      PSCI: Implement platform compatibility layer · 32bc85f2
      Soby Mathew authored
      The new PSCI topology framework and PSCI extended State framework introduces
      a breaking change in the platform port APIs. To ease the migration of the
      platform ports to the new porting interface, a compatibility layer is
      introduced which essentially defines the new platform API in terms of the
      old API. The old PSCI helpers to retrieve the power-state, its associated
      fields and the highest coordinated physical OFF affinity level of a core
      are also implemented for compatibility. This allows the existing
      platform ports to work with the new PSCI framework without significant
      rework. This layer will be enabled by default once the switch to the new
      PSCI framework is done and is controlled by the build flag ENABLE_PLAT_COMPAT.
      
      Change-Id: I4b17cac3a4f3375910a36dba6b03d8f1700d07e3
      32bc85f2
    • Sandrine Bailleux's avatar
      PSCI: Unify warm reset entry points · eb975f52
      Sandrine Bailleux authored
      There used to be 2 warm reset entry points:
      
       - the "on finisher", for when the core has been turned on using a
         PSCI CPU_ON call;
      
       - the "suspend finisher", entered upon resumption from a previous
         PSCI CPU_SUSPEND call.
      
      The appropriate warm reset entry point used to be programmed into the
      mailboxes by the power management hooks.
      
      However, it is not required to provide this information to the PSCI
      entry point code, as it can figure it out by itself. By querying affinity
      info state, a core is able to determine on which execution path it is.
      If the state is ON_PENDING then it means it's been turned on else
      it is resuming from suspend.
      
      This patch unifies the 2 warm reset entry points into a single one:
      psci_entrypoint(). The patch also implements the necessary logic
      to distinguish between the 2 types of warm resets in the power up
      finisher.
      
      The plat_setup_psci_ops() API now takes the
      secure entry point as an additional parameter to enable the platforms
      to configure their mailbox. The platform hooks `pwr_domain_on`
      and `pwr_domain_suspend` no longer take secure entry point as
      a parameter.
      
      Change-Id: I7d1c93787b54213aefdbc046b8cd66a555dfbfd9
      eb975f52
    • Soby Mathew's avatar
      PSCI: Add framework to handle composite power states · 8ee24980
      Soby Mathew authored
      The state-id field in the power-state parameter of a CPU_SUSPEND call can be
      used to describe composite power states specific to a platform. The current PSCI
      implementation does not interpret the state-id field. It relies on the target
      power level and the state type fields in the power-state parameter to perform
      state coordination and power management operations. The framework introduced
      in this patch allows the PSCI implementation to intepret generic global states
      like RUN, RETENTION or OFF from the State-ID to make global state coordination
      decisions and reduce the complexity of platform ports. It adds support to
      involve the platform in state coordination which facilitates the use of
      composite power states and improves the support for entering standby states
      at multiple power domains.
      
      The patch also includes support for extended state-id format for the power
      state parameter as specified by PSCIv1.0.
      
      The PSCI implementation now defines a generic representation of the power-state
      parameter. It depends on the platform port to convert the power-state parameter
      (possibly encoding a composite power state) passed in a CPU_SUSPEND call to this
      representation via the `validate_power_state()` plat_psci_ops handler. It is an
      array where each index corresponds to a power level. Each entry contains the
      local power state the power domain at that power level could enter.
      
      The meaning of the local power state values is platform defined, and may vary
      between levels in a single platform. The PSCI implementation constrains the
      values only so that it can classify the state as RUN, RETENTION or OFF as
      required by the specification:
         * zero means RUN
         * all OFF state values at all levels must be higher than all RETENTION
           state values at all levels
         * the platform provides PLAT_MAX_RET_STATE and PLAT_MAX_OFF_STATE values
           to the framework
      
      The platform also must define the macros PLAT_MAX_RET_STATE and
      PLAT_MAX_OFF_STATE which lets the PSCI implementation find out which power
      domains have been requested to enter a retention or power down state. The PSCI
      implementation does not interpret the local power states defined by the
      platform. The only constraint is that the PLAT_MAX_RET_STATE <
      PLAT_MAX_OFF_STATE.
      
      For a power domain tree, the generic implementation maintains an array of local
      power states. These are the states requested for each power domain by all the
      cores contained within the domain. During a request to place multiple power
      domains in a low power state, the platform is passed an array of requested
      power-states for each power domain through the plat_get_target_pwr_state()
      API. It coordinates amongst these states to determine a target local power
      state for the power domain. A default weak implementation of this API is
      provided in the platform layer which returns the minimum of the requested
      power-states back to the PSCI state coordination.
      
      Finally, the plat_psci_ops power management handlers are passed the target
      local power states for each affected power domain using the generic
      representation described above. The platform executes operations specific to
      these target states.
      
      The platform power management handler for placing a power domain in a standby
      state (plat_pm_ops_t.pwr_domain_standby()) is now only used as a fast path for
      placing a core power domain into a standby or retention state should now be
      used to only place the core power domain in a standby or retention state.
      
      The extended state-id power state format can be enabled by setting the
      build flag PSCI_EXTENDED_STATE_ID=1 and it is disabled by default.
      
      Change-Id: I9d4123d97e179529802c1f589baaa4101759d80c
      8ee24980
    • Soby Mathew's avatar
      PSCI: Introduce new platform interface to describe topology · 82dcc039
      Soby Mathew authored
      This patch removes the assumption in the current PSCI implementation that MPIDR
      based affinity levels map directly to levels in a power domain tree. This
      enables PSCI generic code to support complex power domain topologies as
      envisaged by PSCIv1.0 specification. The platform interface for querying
      the power domain topology has been changed such that:
      
      1. The generic PSCI code does not generate MPIDRs and use them to query the
         platform about the number of power domains at a particular power level. The
         platform now provides a description of the power domain tree on the SoC
         through a data structure. The existing platform APIs to provide the same
         information have been removed.
      
      2. The linear indices returned by plat_core_pos_by_mpidr() and
         plat_my_core_pos() are used to retrieve core power domain nodes from the
         power domain tree. Power domains above the core level are accessed using a
         'parent' field in the tree node descriptors.
      
      The platform describes the power domain tree in an array of 'unsigned
      char's. The first entry in the array specifies the number of power domains at
      the highest power level implemented in the system. Each susbsequent entry
      corresponds to a power domain and contains the number of power domains that are
      its direct children. This array is exported to the generic PSCI implementation
      via the new `plat_get_power_domain_tree_desc()` platform API.
      
      The PSCI generic code uses this array to populate its internal power domain tree
      using the Breadth First Search like algorithm. The tree is split into two
      arrays:
      
      1. An array that contains all the core power domain nodes
      
      2. An array that contains all the other power domain nodes
      
      A separate array for core nodes allows certain core specific optimisations to
      be implemented e.g. remove the bakery lock, re-use per-cpu data framework for
      storing some information.
      
      Entries in the core power domain array are allocated such that the
      array index of the domain is equal to the linear index returned by
      plat_core_pos_by_mpidr() and plat_my_core_pos() for the MPIDR
      corresponding to that domain. This relationship is key to be able to use
      an MPIDR to find the corresponding core power domain node, traverse to higher
      power domain nodes and index into arrays that contain core specific
      information.
      
      An introductory document has been added to briefly describe the new interface.
      
      Change-Id: I4b444719e8e927ba391cae48a23558308447da13
      82dcc039
    • Soby Mathew's avatar
      PSCI: Introduce new platform and CM helper APIs · 12d0d00d
      Soby Mathew authored
      This patch introduces new platform APIs and context management helper APIs
      to support the new topology framework based on linear core position. This
      framework will be introduced in the follwoing patch and it removes the
      assumption that the MPIDR based affinity levels map directly to levels
      in a power domain tree. The new platforms APIs and context management
      helpers based on core position are as described below:
      
      * plat_my_core_pos() and plat_core_pos_by_mpidr()
      
      These 2 new mandatory platform APIs are meant to replace the existing
      'platform_get_core_pos()' API. The 'plat_my_core_pos()' API returns the
      linear index of the calling core and 'plat_core_pos_by_mpidr()' returns
      the linear index of a core specified by its MPIDR. The latter API will also
      validate the MPIDR passed as an argument and will return an error code (-1)
      if an invalid MPIDR is passed as the argument. This enables the caller to
      safely convert an MPIDR of another core to its linear index without querying
      the PSCI topology tree e.g. during a call to PSCI CPU_ON.
      
      Since the 'plat_core_pos_by_mpidr()' API verifies an MPIDR, which is always
      platform specific, it is no longer possible to maintain a default implementation
      of this API. Also it might not be possible for a platform port to verify an
      MPIDR before the C runtime has been setup or the topology has been initialized.
      This would prevent 'plat_core_pos_by_mpidr()' from being callable prior to
      topology setup. As a result, the generic Trusted Firmware code does not call
      this API before the topology setup has been done.
      
      The 'plat_my_core_pos' API should be able to run without a C runtime.
      Since this API needs to return a core position which is equal to the one
      returned by 'plat_core_pos_by_mpidr()' API for the corresponding MPIDR,
      this too cannot have default implementation and is a mandatory API for
      platform ports. These APIs will be implemented by the ARM reference platform
      ports later in the patch stack.
      
      * plat_get_my_stack() and plat_set_my_stack()
      
      These APIs are the stack management APIs which set/return stack addresses
      appropriate for the calling core. These replace the 'platform_get_stack()' and
      'platform_set_stack()' APIs. A default weak MP version and a global UP version
      of these APIs are provided for the platforms.
      
      * Context management helpers based on linear core position
      
      A set of new context management(CM) helpers viz cm_get_context_by_index(),
      cm_set_context_by_index(), cm_init_my_context() and cm_init_context_by_index()
      are defined which are meant to replace the old helpers which took MPIDR
      as argument. The old CM helpers are implemented based on the new helpers to
      allow for code consolidation and will be deprecated once the switch to the new
      framework is done.
      
      Change-Id: I89758632b370c2812973a4b2efdd9b81a41f9b69
      12d0d00d
  14. 05 Aug, 2015 3 commits
    • Soby Mathew's avatar
      PSCI: Remove references to affinity based power management · 4067dc31
      Soby Mathew authored
      As per Section 4.2.2. in the PSCI specification, the term "affinity"
      is used in the context of describing the hierarchical arrangement
      of cores. This often, but not always, maps directly to the processor
      power domain topology of the system. The current PSCI implementation
      assumes that this is always the case i.e. MPIDR based levels of
      affinity always map to levels in a power domain topology tree.
      
      This patch is the first in a series of patches which remove this
      assumption. It removes all occurences of the terms "affinity
      instances and levels" when used to describe the power domain
      topology. Only the terminology is changed in this patch. Subsequent
      patches will implement functional changes to remove the above
      mentioned assumption.
      
      Change-Id: Iee162f051b228828310610c5a320ff9d31009b4e
      4067dc31
    • Soby Mathew's avatar
      PSCI: Create new directory to implement new frameworks · b48349eb
      Soby Mathew authored
      This patch creates a copy of the existing PSCI files and related psci.h and
      platform.h header files in a new `PSCI1.0` directory. The changes for the
      new PSCI power domain topology and extended state-ID frameworks will be
      added incrementally to these files. This incremental approach will
      aid in review and in understanding the changes better. Once all the
      changes have been introduced, these files will replace the existing PSCI
      files.
      
      Change-Id: Ibb8a52e265daa4204e34829ed050bddd7e3316ff
      b48349eb
    • Juan Castillo's avatar
      Fix build error with optimizations disabled (-O0) · 80bb6afd
      Juan Castillo authored
      If Trusted Firmware is built with optimizations disabled (-O0), the
      linker throws the following error:
      
          undefined reference to 'xxx'
      
      Where 'xxx' is a raw inline function defined in a header file. The
      reason is that, with optimizations disabled, GCC may decide to skip
      the inlining. If that is the case, an external definition to the
      compilation unit must be provided. Because no external definition
      is present, the linker throws the error.
      
      This patch fixes the problem by declaring the following inline
      functions static, so the internal definition is used:
      
          inline void soc_css_security_setup(void)
          inline const arm_config_t *get_arm_config(void)
      
      Change-Id: Id650d6be1b1396bdb48af1ac8a4c7900d212e95f
      80bb6afd
  15. 09 Jul, 2015 1 commit
    • Juan Castillo's avatar
      Use uintptr_t as base address type in ARM driver APIs · 02462972
      Juan Castillo authored
      This patch changes the type of the base address parameter in the
      ARM device driver APIs to uintptr_t (GIC, CCI, TZC400, PL011). The
      uintptr_t type allows coverage of the whole memory space and to
      perform arithmetic operations on the addresses. ARM platform code
      has also been updated to use uintptr_t as GIC base address in the
      configuration.
      
      Fixes ARM-software/tf-issues#214
      
      Change-Id: I1b87daedadcc8b63e8f113477979675e07d788f1
      02462972