GitLab

Typically, interrupts for a specific security state get handled in the
same security execption level if the execution is in the same security
state. For example, if a non-secure interrupt gets fired when CPU is
executing in NS-EL2 it gets handled in the non-secure world.

However, interrupts belonging to the opposite security state typically
demand a world(context) switch. This is inline with the security
principle which states a secure interrupt has to be handled in the
secure world. Hence, the TSPD in EL3 expects the context(handle) for a
secure interrupt to be non-secure and vice versa.

The function "tspd_sel1_interrupt_handler" is the handler registered
for S-EL1 interrupts by the TSPD. Based on the above assumption, it
provides an assertion to validate if the interrupt originated from
non-secure world and upon success arranges entry into the TSP at
'tsp_sel1_intr_entry' for handling the interrupt.

However, a race condition between non-secure and secure interrupts can
lead to a scenario where the above assumptions do not hold true and
further leading to following assert fail.

This patch fixes the bug which causes this assert fail:

	ASSERT: services/spd/tspd/tspd_main.c:105
	BACKTRACE: START: assert
	0: EL3: 0x400c128
	1: EL3: 0x400faf8
	2: EL3: 0x40099a4
	3: EL3: 0x4010d54
	BACKTRACE: END: assert

Change-Id: I359d30fb5dbb1429a4a3c3fff37fdc64c07e9414
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

This patch implements support for the 64-bit and 32-bit versions of
0xBF00FF01 SMC function ID, as documented by the SMCCC, to allow
non-secure world clients to query SPD's UUID.

In order to service this FID, the Trusty SPD now increases the range
of SMCs that it services. To restrict Trusty from receiving the extra
SMC FIDs, this patch drops any unsupported FID.

Verified with TFTF tests for UID query and internal gtest for Trusty.

Change-Id: If96fe4993f7e641595cfe67cc6b4210a0d52403f
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

In case of AT speculative workaround applied, page table walk
is disabled for lower ELs (EL1 and EL0) in EL3.
Hence added a wrapper function which temporarily enables page
table walk to execute AT instruction for lower ELs and then
disables page table walk.

Execute AT instructions directly for lower ELs (EL1 and EL0)
assuming page table walk is enabled always when AT speculative
workaround is not applied.

Change-Id: I4ad4c0bcbb761448af257e9f72ae979473c0dde8
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

This patch adds support to handle following TLK SMCs:
{TLK_SET_BL_VERSION, TLK_LOCK_BL_INTERFACE, TLK_BL_RPMB_SERVICE}

These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.

Brief:
TLK_SET_BL_VERSION: This SMC is issued by the bootloader to supply its
version to TLK. TLK can use this to prevent rollback attacks.

TLK_LOCK_BL_INTERFACE: This SMC is issued by bootloader before handing off
execution to the OS. This allows preventing sensitive SMCs being used
by the OS.

TLK_BL_RPMB_SERVICE: bootloader issues this SMC to sign or verify RPMB
frames.

Tested by: Tests TLK can receive the new SMCs issued by bootloader

Change-Id: I57c2d189a5f7a77cea26c3f8921866f2a6f0f944
Signed-off-by: Mustafa Yigit Bilgen <mbilgen@nvidia.com>

TLK does not participate in the system off/reset process and so
has no use for the SYSTEM_OFF/RESET notifications.

This patch removes the system off/reset handlers as a result.

Change-Id: Icf1430b1400cea88000e6d54426eb604a43cbe6c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Platforms that do not support Trusty, usually see error
messages from the Trusty SPD, during boot. This can be
interpreted as a boot failure.

This patch lowers the logging level for those error messages
to avoid confusion.

Change-Id: I931baa2c6db0de1aee17383039bc29ed229a1f25
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This patch adds an interrupt handler for TLK. On receiving an
interrupt, the source of the interrupt is determined and the
interrupt is marked complete. The IRQ number is passed to
TLK along with a special SMC function ID. TLK issues an SMC
to notify completion of the interrupt handler in the S-EL1
world.

Change-Id: I76f28cee6537245c5e448d2078f86312219cea1a
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This patch adds EL2 registers that are supported up to ARMv8.6.
ARM_ARCH_MINOR has to specified to enable save/restore routine.

Note: Following registers are still not covered in save/restore.
 * AMEVCNTVOFF0<n>_EL2
 * AMEVCNTVOFF1<n>_EL2
 * ICH_AP0R<n>_EL2
 * ICH_AP1R<n>_EL2
 * ICH_LR<n>_EL2

Change-Id: I4813f3243e56e21cb297b31ef549a4b38d4876e1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Fixes for the following MISRA violations:
- Missing explicit parentheses on sub-expression
- An identifier or macro name beginning with an
  underscore, shall not be declared
- Type mismatch in BL1 SMC handlers and tspd_main.c

Change-Id: I7a92abf260da95acb0846b27c2997b59b059efc4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>

Add SMC_GET_GIC_BASE_GICR option to SMC_FC_GET_REG_BASE and
SMC_FC64_GET_REG_BASE calls for returning the base address of the gic
redistributor added in gic version 3.

Bug: 122357256
Change-Id: Ia7c287040656515bab262588163e0c5fc8f13a21
Signed-off-by: Arve Hjønnevåg <arve@android.com>

Some platforms define GICD_BASE instead of PLAT_ARM_GICD_BASE but the
meaning is the same.

Change-Id: I1bb04bb49fdab055b365b1d70a4d48d2058e49df
Signed-off-by: Arve Hjønnevåg <arve@android.com>

Some platforms define BL32_MEM_SIZE instead of TSP_SEC_MEM_SIZE, but
the meaning is the same.

Change-Id: I93d96dca442e653435cae6a165b1955efe2d2b75
Signed-off-by: Arve Hjønnevåg <arve@android.com>

Enable dispatcher to save/restore unbanked timer registers. So that
both secure (OP-TEE) and non-secure (Linux) worlds can have independent
access control over timer registers.
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Change-Id: I4d58d5ff8298587ed478c8433fcbc3aef538d668

NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.

All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.

Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>

The project has been renamed from "Arm Trusted Firmware (ATF)" to
"Trusted Firmware-A (TF-A)" long ago. A few references to the old
project name that still remained in various places have now been
removed.

This change doesn't affect any platform files. Any "ATF" references
inside platform files, still remain.

Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Now it is needed to use the full path of the common header files.

Commit 09d40e0e

 ("Sanitise includes across codebase") provides more
information.

Change-Id: Ifedc79d9f664d208ba565f5736612a3edd94c647
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

The GIC definitions used in this file have to be provided by the platform
but platform_def.h wasn't included.

Change-Id: I858cdf7e60c50577c8e798d64ec2cbc4f067f33b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Rather than letting the Trusty makefile set the option to enable dynamic
translation tables, make platforms do it themselves.

This also allows platforms to replace the implementation of the
translation tables library as long as they use the same function
prototypes.

Change-Id: Ia60904f61709ac323addcb57f7a83391d9e21cd0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Commit 09d40e0e

 ("Sanitise includes across codebase") modified the
include paths of the TSP includes but it didn't remove the include path
from the makefile or did the same for TLK. This patch does the remaining
work.

Change-Id: Iecee2e88fabcd06989d35568c3a4c1f4e7d93572
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Trusty requires dynamic translation tables support, so the makefile of
Trusty itself should request it. Not doing so causes platforms such as
FVP to fail to build with Trusty. Other platforms like Tegra still build
because they use dynamic translation tables by default.

Change-Id: Id67d3b9e1f7d0547fa81e81cefa3faf1e0e6f876
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch dynamically maps the first page of trusty's code memory,
before accessing it to find out if we are running a 32-bit or 64-bit
image.

On Tegra platforms, this means we have to increase the mappings to
accomodate the new memmap entry.

Change-Id: If370d1e6cfcccd69b260134c1b462d8d17bee03d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

During System Suspend, the entire system loses its state. To allow Trusty
to save/restore its context and allow its TAs to participate in the suspend
process, it needs to look at the max affinity level being suspended. This
patch passes the max affinity level to Trusty to enable to do so.

Change-Id: If7838dae10c3f5a694baedb15ec56fbad41f2b36
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

c_rt_ctx is used to store current SP before the system goes
into suspend. The assert for its value being zero is not
really necessary as the value gets over-written eventually.

This patch removes assert(tlk_ctx->c_rt_ctx == 0) from the
System Suspend path, as a result.

Change-Id: If41f15e74ebbbfd82958d8e179114899b2ffb0a7
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>

This patch adds support to handle following TLK SMCs:
{TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}

These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.

Brief:
TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
set up secure storage buffers.

TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
pass NS memory ranges to TLK.

TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
Verified Boot parameters to TLK.

Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
Reviewed-on: https://git-master.nvidia.com/r/1643851

Signed-off-by: Mihir Joshi <mihirj@nvidia.com>

When an unknown Trusty image is found, there's no point of still trying
to register the BL32 init handler. Instead, we just should bail out of
the trusty_setup() and allow the system to continue to boot.
Signed-off-by: David Lin <dtwlin@google.com>

Main Fixes:

Use int32_t replace int [Rule 4.6]

Added explicit casts (e.g. 0U) to integers in order for them to be
  compatible with whatever operation they're used in [Rule 10.1]

Force operands of an operator to the same type category [Rule 10.4]

Fixed if statement conditional to be essentially boolean [Rule 14.4]

Voided non c-library functions whose return types are not used
[Rule 17.7]

Change-Id: I98caa330c371757eb2dfb9438448cb99115ed907
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.

The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.

The exceptions are files that are imported from other projects:

- CryptoCell driver
- dt-bindings folders
- zlib headers

Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: Icd1cdd42afdc78895a9be6c46b414b0a155cfa63
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Ensure case clauses:
*   Terminate with an unconditional break, return or goto statement.
*   Use conditional break, return or goto statements as long as the end
    of the case clause is unreachable; such case clauses must terminate
    with assert(0) /* Unreachable */ or an unconditional  __dead2 function
    call
*   Only fallthough when doing otherwise would result in less
    readable/maintainable code; such case clauses must terminate with a
    /* Fallthrough */ comment to make it clear this is the case and
    indicate that a fallthrough is intended.

This reduces the chance of bugs appearing due to unintended flow through a
switch statement

Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

The value used to signal failure is 0. It is needed to return a different
value on success.

Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Some platforms might chose to take different actions depending on this
value; this is precisely the case for rcar-gen3.
Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>

tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.

Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Functions provided by stdio.h such as printf and sprintf are available
in the codebase, but they add a lot of code to the final image if they
are used:

- AArch64: ~4KB
- AArch32: ~2KB in T32, ~3KB in A32

tf_printf and tf_snprintf are a lot more simple, but it is preferable
to use them when possible because they are also used in common code.

Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Fix the types of the arguments of trusty_generic_platform_smc()
to match the expected prototype of a runtime service handler
(see rt_svc_handle_t type).

Change-Id: Ie839d116ca924b4b018ea2abbef72a1073da2a32
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Wherever we use 'struct foo' and 'foo_t' interchangeably in a
function's declaration and definition, use 'struct foo' consistently
for both, as per the TF-A coding guidelines [1].

[1] https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Coding-Guidelines#avoid-anonymous-typedefs-of-structsenums-in-header-files



Change-Id: I7998eb24a26746e87e9b6425529926406745b721
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.

Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Rule 5.7: A tag name shall be a unique identifier

Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7

Fixed For:
    make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed

Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope

Rule 5.3: An identifier declared in an inner scope shall not
          hide an identifier declared in an outer scope

Fixed For:
    make PLAT=fvp SPD=tspd

Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>