1. 24 Jul, 2019 2 commits
    • Julius Werner's avatar
      Factor out cross-BL API into export headers suitable for 3rd party code · 57bf6057
      Julius Werner authored
      
      
      This patch adds a new include/export/ directory meant for inclusion in
      third-party code. This is useful for cases where third-party code needs
      to interact with TF-A interfaces and data structures (such as a custom
      BL2-implementation like coreboot handing off to BL31). Directly
      including headers from the TF-A repository avoids having to duplicate
      all these definitions (and risk them going stale), but with the current
      header structure this is not possible because handoff API definitions
      are too deeply intertwined with other TF code/headers and chain-include
      other headers that will not be available in the other environment.
      
      The new approach aims to solve this by separating only the parts that
      are really needed into these special headers that are self-contained and
      will not chain-include other (non-export) headers. TF-A code should
      never include them directly but should instead always include the
      respective wrapper header, which will include the required prerequisites
      (like <stdint.h>) before including the export header. Third-party code
      can include the export headers via its own wrappers that make sure the
      necessary definitions are available in whatever way that environment can
      provide them.
      
      Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      57bf6057
    • Julius Werner's avatar
      Use explicit-width data types in AAPCS parameter structs · 9352be88
      Julius Werner authored
      
      
      It's not a good idea to use u_register_t for the members of
      aapcs64_params_t and aapcs32_params_t, since the width of that type
      always depends on the current execution environment. This would cause
      problems if e.g. we used this structure to set up the entry point of an
      AArch32 program from within an AArch64 program. (It doesn't seem like
      any code is doing that today, but it's probably still a good idea to
      write this defensively. Also, it helps with my next patch.)
      
      Change-Id: I12c04a85611f2b6702589f3362bea3e6a7c9f776
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9352be88
  2. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  3. 27 Feb, 2019 2 commits
    • Varun Wadekar's avatar
      Tegra: Support for scatterfile for the BL31 image · c2ad38ce
      Varun Wadekar authored
      
      
      This patch provides support for using the scatterfile format as
      the linker script with the 'armlink' linker for Tegra platforms.
      
      In order to enable the scatterfile usage the following changes
      have been made:
      
      * provide mapping for ld.S symbols in bl_common.h
      * include bl_common.h from all the affected files
      * update the makefile rules to use the scatterfile and armlink
        to compile BL31
      * update pubsub.h to add sections to the scatterfile
      
      NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.
      
      Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      c2ad38ce
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
  4. 01 Feb, 2019 1 commit
  5. 31 Jan, 2019 1 commit
  6. 30 Jan, 2019 1 commit
  7. 23 Jan, 2019 1 commit
    • Sathees Balya's avatar
      plat/arm: Save BL2 descriptors to reserved memory. · 5b8d50e4
      Sathees Balya authored
      
      
      On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
      descriptors describing the list of executable images are created in BL2
      R/W memory, which could be possibly corrupted later on by BL31/BL32 due
      to overlay. This patch creates a reserved location in SRAM for these
      descriptors and are copied over by BL2 before handing over to next BL
      image.
      
      Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
      is enabled.
      
      Fixes ARM-Software/tf-issues#626
      
      Change-Id: I755735706fa702024b4032f51ed4895b3687377f
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      5b8d50e4
  8. 15 Jan, 2019 1 commit
  9. 04 Jan, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
    • Antonio Nino Diaz's avatar
      Reorganize architecture-dependent header files · f5478ded
      Antonio Nino Diaz authored
      
      
      The architecture dependant header files in include/lib/${ARCH} and
      include/common/${ARCH} have been moved to /include/arch/${ARCH}.
      
      Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      f5478ded
  10. 03 Jan, 2019 1 commit
  11. 10 Dec, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Use SSBS for CVE_2018_3639 mitigation · 48e1d350
      Jeenu Viswambharan authored
      
      
      The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
      Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
      Armv8.5 feature, this can be implemented by CPUs implementing earlier
      version of the architecture.
      
      With this patch, when both PSTATE.SSBS is implemented and
      DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
      SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
      indicate that mitigation on the PE is either permanently enabled or not
      required.
      
      When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
      of every BL stage. This means that EL3 always executes with mitigation
      applied.
      
      For Cortex A76, if the PE implements SSBS, the existing mitigation (by
      using a different vector table, and tweaking CPU ACTLR2) is not used.
      
      Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      48e1d350
  12. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  13. 02 Nov, 2018 2 commits
  14. 01 Nov, 2018 1 commit
  15. 29 Oct, 2018 2 commits
    • Soby Mathew's avatar
      PIE: Position Independant Executable support for BL31 · 931f7c61
      Soby Mathew authored
      
      
      This patch introduces Position Independant Executable(PIE) support
      in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
      dynamic linker is implemented which supports fixing up Global Offset
      Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
      helper function implements this linker and this needs to be called
      early in the boot sequence prior to invoking C functions. The GOT is
      placed in the RO section of BL31 binary for improved security and the
      BL31 linker script is modified to export the appropriate symbols
      required for the dynamic linker.
      
      The C compiler always generates PC relative addresses to linker symbols
      and hence referencing symbols exporting constants are a problem when
      relocating the binary. Hence the reference to the
      `__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
      at runtime based on start and end addresses.
      
      Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      931f7c61
    • Soby Mathew's avatar
      PIE: Use PC relative adrp/adr for symbol reference · f1722b69
      Soby Mathew authored
      
      
      This patch fixes up the AArch64 assembly code to use
      adrp/adr instructions instead of ldr instruction for
      reference to symbols. This allows these assembly
      sequences to be Position Independant. Note that the
      the reference to sizes have been replaced with
      calculation of size at runtime. This is because size
      is a constant value and does not depend on execution
      address and using PC relative instructions for loading
      them makes them relative to execution address. Also
      we cannot use `ldr` instruction to load size as it
      generates a dynamic relocation entry which must *not*
      be fixed up and it is difficult for a dynamic loader
      to differentiate which entries need to be skipped.
      
      Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      f1722b69
  16. 26 Oct, 2018 1 commit
  17. 19 Oct, 2018 1 commit
    • Soby Mathew's avatar
      Multi-console: Deprecate the `finish_console_register` macro · cc5859ca
      Soby Mathew authored
      
      
      The `finish_console_register` macro is used by the multi console
      framework to register the `console_t` driver callbacks. It relied
      on weak references to the `ldr` instruction to populate 0 to the
      callback in case the driver has not defined the appropriate
      function. Use of `ldr` instruction to load absolute address to a
      reference makes the binary position dependant. These instructions
      should be replaced with adrp/adr instruction for position independant
      executable(PIE). But adrp/adr instructions don't work well with weak
      references as described in GNU ld bugzilla issue 22589.
      
      This patch defines a new version of `finish_console_register` macro
      which can spcify which driver callbacks are valid and deprecates the
      old one. If any of the argument is not specified, then the macro
      populates 0 for that callback. Hence the functionality of the previous
      deprecated macro is preserved. The USE_FINISH_CONSOLE_REG_2 define
      is used to select the new variant of the macro and will be removed
      once the deprecated variant is removed.
      
      All the upstream console drivers have been migrated to use the new
      macro in this patch.
      
      NOTE: Platforms be aware that the new variant of the
      `finish_console_register` should be used and the old variant is
      deprecated.
      
      Change-Id: Ia6a67aaf2aa3ba93932992d683587bbd0ad25259
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      cc5859ca
  18. 16 Oct, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Enable lower ELs to use pointer authentication · 3ff4aaac
      Jeenu Viswambharan authored
      
      
      Pointer authentication is an Armv8.3 feature that introduces
      instructions that can be used to authenticate and verify pointers.
      
      Pointer authentication instructions are allowed to be accessed from all
      ELs but only when EL3 explicitly allows for it; otherwise, their usage
      will trap to EL3. Since EL3 doesn't have trap handling in place, this
      patch unconditionally disables all related traps to EL3 to avoid
      potential misconfiguration leading to an unhandled EL3 exception.
      
      Fixes ARM-software/tf-issues#629
      
      Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      3ff4aaac
  19. 15 Oct, 2018 1 commit
  20. 11 Oct, 2018 1 commit
  21. 10 Oct, 2018 1 commit
  22. 09 Oct, 2018 1 commit
  23. 04 Oct, 2018 1 commit
  24. 28 Sep, 2018 3 commits
  25. 21 Sep, 2018 1 commit
  26. 30 Aug, 2018 4 commits
  27. 22 Aug, 2018 3 commits
  28. 20 Aug, 2018 1 commit