At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
Non-secure interrupt affects TSPs execution. When TSP is executing:

  1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
     at the TSP's exception vector, and TSP voluntarily preempts itself.

  2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
     trap to EL3, which preempts TSP execution.

When EL3 exception handling is in place (i.e.,
EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
with GICv3, pending NS interrupts while TSP is executing will be
signalled as FIQ (which traps to EL3). This situation necessitates the
same treatment applied to case (2) above.

Therefore, when EL3 exception handling is in place, additionally
require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.

Strictly speaking, this is not required on a system with GICv2, but the
same model is uniformly followed regardless, for simplicity.

Relevant documentation updated.

Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

When EL3 exception handling is in effect (i.e.,
EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure
execution. However, for yielding SMCs, preemption by Non-secure
interupts is intended.

This patch therefore adds a call to ehf_allow_ns_preemption() before
dispatching a Yielding SMC to TSP.

Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

When ARM Trusted Firmware is built with EL3_EXCEPTION_HANDLING=1,
EL3 interrupts (INTR_TYPE_EL3) will always preempt both Non-secure and
secure execution.

The interrupt management framework currently treats EL3 interrupt
routing as valid. For the above reason, this patch makes them invalid
when EL3_EXCEPTION_HANDLING is in effect.

Change-Id: I95bca8f5dc8df8eb0ff6f305cfba098611522a39
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Commit 21b818c0

 (BL31: Introduce
Exception Handling Framework) introduced the build option
EL3_EXCEPTION_HANDLING, but missed to pass that to the build command
line. This patch fixes that.

Change-Id: I0a1be2c7b41a81e748ad7d6cf795aab7f6d19193
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

uniphier: fix and improve memory layout

AMUv1 support for AArch32

Looks like this is requirement in the pre-merge static analysis.

misra_violation: [Required] MISRA C-2012 Rule 7.2 violation:
Unsigned constants must be declared with U or u suffix.

Adding ULL as requested.  I used ULL() macros for BL*_{BASE,LIMIT}
because they are referenced from linker scripts.
Requested-by: David Cunado <david.cunado@arm.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Currently, the xlat region of the on-chip SRAM is always allocated
for all BL images.

The access to the on-chip SRAM is necessary for loading images from
a USB memory device (i.e. when updating firmware), so unneeded for
the usual boot procedure.

To avoid this waste, allocate the xlat region dynamically only for
BL2, and only when it is necessary.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Commit 247fc043

 ("uniphier: switch to BL2-AT-EL3 and remove BL1
support") accidentally changed the location of BL31 and BL32.  The
new memory map overlaps with the audio DSP images, also gives impact
to OP-TEE.  They are both out of control of ARM Trusted Firmware, so
not easy to change.  This commit restores the image layout that was
originally used prior to the BL2-AT-EL3 migration.
Reported-by: Katsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

rockchip/rk3399: Fix memory corruptions or illegal memory access

Analyze coding style of patches individually

Implement support for SMCCC v1.1 and optimize security mitigations for CVE-2017-5715 on AArch64

RK3399 GIC save/restore

Add amu_context_save() and amu_context_restore() functions for aarch32

Change-Id: I4df83d447adeaa9d9f203e16dc5a919ffc04d87a
Signed-off-by: Joel Hutton <joel.hutton@arm.com>

Change-Id: Id6dfe885a63561b1d2649521bd020367b96ae1af
Signed-off-by: Joel Hutton <joel.hutton@arm.com>

fiptool: Fix use after free

Makefile: Use ld.bfd linker if available

Correct the Makefile logic for disabling PIE

Fix udelay issues that can make duration slightly too short

Coverity scan done for the coreboot project found the issue:
Coverity (*** CID 1385418: Memory - illegal accesses (OVERRUN))
Coverity (*** CID 1385419: Memory - corruptions  (OVERRUN))

Fix the Converity error issue with store_cru[] loop needs to be one
element bigger.

Fixes: ARM-software/tf-issues#544

Change-Id: I420f0a660b24baaa5fc5e78fca242cf750c9bbc7
Signed-off-by: Caesar Wang <wxt@rock-chips.com>

SPM: Map devices in the 1st GB

Fix documentation for CnP bit

docs: hikey: Fix typo

Some toolchain distributions install both the BFD and GOLD linkers under
the names <target>-ld.bfd and <target>-ld.gold. <target>-ld will then be
a symlink that may point to either one of these.

Trusted Firmware should always be linked with the BFD linker, since GOLD
is meant primarily for userspace programs and doesn't support many of
the more obscure linker script features that may be needed for firmware.
With this patch the Makefile will auto-detect if ld.bfd is available and
use it explicitly in that case.

Change-Id: I7017055f67db3bd57d191d20a7af06ca646937d7
Signed-off-by: Julius Werner <jwerner@chromium.org>

The CnP bit documentation in the Firmware Design Guide incorrectly
used the term "Page Entries" instead of "Processing Elements".
Fix that.

Change-Id: Ie44ee99c281b7b1a9ad90fba2c7d109f12425507
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

With the old system `checkpatch.pl` gets one sole input that consists of
the commit message and commit diff of each commit between BASE_COMMIT
and HEAD. It also filters out changes in some files, which makes `git
format-patch` completely ignore that commit, even the commit message.

With the new system the commit message and commit diff are analyzed
separately. This means that, even if all the files modified by a commit
are filtered out, the commit message will still be analyzed.

Also, all commits are analyzed individually. This way it's easier to
know which commit caused the problem, and there are no warnings about
repeated "Signed-off-by" lines.

Change-Id: Ic676a0b76801bb2607141a8d73dc3a942dc01c0e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch implements a fast path for this SMC call on affected PEs by
detecting and returning immediately after executing the workaround.

NOTE: The MMU disable/enable workaround now assumes that the MMU was
enabled on entry to EL3.  This is a valid assumption as the code turns
on the MMU after reset and leaves it on until the core powers off.

Change-Id: I13c336d06a52297620a9760fb2461b4d606a30b3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

In the initial implementation of this workaround we used a dedicated
workaround context to save/restore state.  This patch reduces the
footprint as no additional context is needed.

Additionally, this patch reduces the memory loads and stores by 20%,
reduces the instruction count and exploits static branch prediction to
optimize the SMC path.

Change-Id: Ia9f6bf06fbf8a9037cfe7f1f1fb32e8aec38ec7d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

On some platforms it may be necessary to discover the SMCCC version
via a PSCI features call.

Change-Id: I95281ac2263ca9aefda1809eb03464fbdb8ac24d
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

SMCCC v1.1 comes with a relaxed calling convention for AArch64
callers.  The caller only needs to save x0-x3 before doing an SMC
call.

This patch adds support for SMCCC_VERSION and SMCCC_ARCH_FEATURES.

Refer to "Firmware Interfaces for mitigating CVE_2017_5715 System
Software on Arm Systems"[0] for more information.

[0] https://developer.arm.com/-/media/developer/pdf/ARM%20DEN%200070A%20Firmware%20interfaces%20for%20mitigating%20CVE-2017-5715_V1.0.pdf



Change-Id: If5b1c55c17d6c5c7cb9c2c3ed355d3a91cdad0a9
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

In preparation for SMCCC v1.1 support, save x4 to x29 unconditionally.
Previously we expected callers coming from AArch64 mode to preserve
x8-x17.  This is no longer the case with SMCCC v1.1 as AArch64 callers
only need to save x0-x3.

Change-Id: Ie62d620776533969ff4a02c635422f1b9208be9c
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Change-Id: Ib67b841ab621ca1ace3280e44cf3e1d83052cb73
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

hikey: fix assert in sec_protect()

This patch maps the devices in the first GB of the system address map
on the FVP into the S-EL1&0 translation regime when SPM support is
enabled. This grants the Secure Partition access to the devices in
this region, for example the memory-mapped Generic Timer device.

Change-Id: I3aeea65f859ecbe83efde2acee20c55500c451bc
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

The correct name of the manufacturer is LeMaker.
Signed-off-by: Andreas Färber <afaerber@suse.de>

Commit 880b9e8b

 (Add padding at the end
of the last entry) added code using toc_entry pointer, whose memory is
already freed via variable buf. This causes enormous padding on openSUSE.

Free the memory buffer only after padding is done.
Signed-off-by: Andreas Färber <afaerber@suse.de>

`assert(e)` was used in place of `if (e) ERROR()` when sec_protect()
was ported from hikey fork so the logic should have been reversed.

Fixes: 3d5d9f5a ("hikey: configure the top 16MB of DRAM as secure")
Fixes: 52988b38

 ("hikey: configure 4 MB of secure DRAM for OP-TEE
Secure Data Path")
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Tested-by: Victor Chong <victor.chong@linaro.org>

Hikey protect optee / sdp memory

This disables the redistributor before either of the pwr_dm_suspend
functions are called. This is because the rdist save code in the
rk3399 rockchip_soc_sys_pwr_dm_suspend function requires that each
redistributor be disabled before saving state.
Signed-off-by: Derek Basehore <dbasehore@chromium.org>

Delay functions like udelay() are often used to ensure that the
necessary time passed to allow some asynchronous event to finish, such
as the stabilization delay for a power rail. For these use cases it is
not very problematic if the delay is slightly longer than requested,
but it is critical that the delay must never be shorter.

The current udelay() implementation contains two hazards that may cause
the delay to be slightly shorter than intended: Firstly, the amount of
ticks to wait is calculated with an integer division, which may cut off
the last fraction of ticks needed. Secondly, the delay may be short by a
fraction of a tick because we do not know whether the initial ("start")
sample of the timer was near the start or near the end of the current
tick. Thus, if the code intends to wait for one tick, it might read the
timer value close to the end of the current tick and then read it again
right after the start of the next tick, concluding that the duration of
a full tick has passed when it in fact was just a fraction of it.

This patch rounds up the division and always adds one extra tick to
counteract both problems and ensure that delays will always be larger
but never smaller than requested.

Change-Id: Ic5fe5f858b5cdf3c0dbf3e488d4d5702d9569433
Signed-off-by: Julius Werner <jwerner@chromium.org>