GitLab

The stdout-path property in the /chosen node of a DTB points to a device
node, which is used for boot console output.
On most (if not all) ARM based platforms this is the debug UART.
The ST platform code contains a function to parse this property and
chase down eventual aliases to learn the node offset of this UART node.

Introduce a slightly more generalised version of this ST platform function
in the generic fdt_wrappers code. This will be useful for other platforms
as well.

Change-Id: Ie6da47ace7833861b5e35fe8cba49835db3659a5
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

The STM32 platform port parse DT nodes to find base address to
peripherals. It does this by using its own implementation, even though
this functionality is generic and actually widely useful outside of the
STM32 code.

Re-implement fdt_get_reg_props_by_name() on top of the newly introduced
fdt_get_reg_props_by_index() function, and move it to fdt_wrapper.c.
This is removes the assumption that #address-cells and #size-cells are
always one.

Change-Id: I6d584930262c732b6e0356d98aea50b2654f789d
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

At the moment the fconf_populate_gicv3_config() implementation is
somewhat incomplete: First it actually fails to store the retrieved
information (the local addr[] array is going nowhere), but also it makes
quite some assumptions about the device tree passed to it: it needs to
use two address-cells and two size-cells, and also requires all five
register regions to be specified, where actually only the first two
are mandatory according to the binding (and needed by our code).

Fix this by introducing a proper generic function to retrieve "reg"
property information from a DT node:
We retrieve the #address-cells and #size-cells properties from the
parent node, then use those to extract the right values from the "reg"
property. The function takes an index to select one region of a reg
property.

This is loosely based on the STM32 implementation using "reg-names",
which we will subsume in a follow-up patch.

Change-Id: Ia59bfdf80aea4e36876c7b6ed4d153e303f482e8
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

The STM32 platform code uses its own set of FDT helper functions,
although some of them are fairly generic.

Remove the implementation of fdt_read_uint32_default() and implement it
on top of the newly introduced fdt_read_uint32() function, then convert
all users over.

This also fixes two callers, which were slightly abusing the "default"
semantic.

Change-Id: I570533362b4846e58dd797a92347de3e0e5abb75
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Our fdtw_read_cells() implementation goes to great lengths to
sanity-check every parameter and result, but leaves a big hole open:
The size of the storage the value pointer points at needs to match the
number of cells given. This can't be easily checked at compile time,
since we lose the size information by using a void pointer.
Regardless the current usage of this function is somewhat wrong anyways,
since we use it on single-element, fixed-length properties only, for
which the DT binding specifies the size.
Typically we use those functions dealing with a number of cells in DT
context to deal with *dynamically* sized properties, which depend on
other properties (#size-cells, #clock-cells, ...), to specify the number
of cells needed.

Another problem with the current implementation is the use of
ambiguously sized types (uintptr_t, size_t) together with a certain
expectation about their size. In general there is no relation between
the length of a DT property and the bitness of the code that parses the
DTB: AArch64 code could encounter 32-bit addresses (where the physical
address space is limited to 4GB [1]), while AArch32 code could read
64-bit sized properties (/memory nodes on LPAE systems, [2]).

To make this more clear, fix the potential issues and also align more
with other DT users (Linux and U-Boot), introduce functions to explicitly
read uint32 and uint64 properties. As the other DT consumers, we do this
based on the generic "read array" function.
Convert all users to use either of those two new functions, and make
sure we never use a pointer to anything other than uint32_t or uint64_t
variables directly.

This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
4 bytes into a uint16_t variable (passed via a void pointer).

Also we change the implementation of the function to better align with
other libfdt users, by using the right types (fdt32_t) and common
variable names (*prop, prop_names).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts



Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Currently our fdtw_read_array() implementation requires the length of
the property to exactly match the requested size, which makes it less
flexible for parsing generic device trees.
Also the name is slightly misleading, since we treat the cells of the
array as 32 bit unsigned integers, performing the endianess conversion.

To fix those issues and align the code more with other DT users (Linux
kernel or U-Boot), rename the function to "fdt_read_uint32_array", and
relax the length check to only check if the property covers at least the
number of cells we request.
This also changes the variable names to be more in-line with other DT
users, and switches to the proper data types.

This makes this function more useful in later patches.

Change-Id: Id86f4f588ffcb5106d4476763ecdfe35a735fa6c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

At the moment, OP-TEE has no support to receive a DTB in Secure Memory
so it cannot receive TOS_FW_CONFIG_ID as it is supposed to happen on
any BL32 image. Instead, when OP-TEE is enable as BL32 payload,
NT_FW_CONFIG_ID is passed.

This MUST be reverted as soon as OP-TEE has support for receiving
DTBs from Secure Memory.

Change-Id: I9a873f42e94f2f99a60b638333e7afba1505aec9
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>

This patch provides a fix for incorrect crash dump data for
lower EL when TF-A is built with HANDLE_EA_EL3_FIRST=1 option
which enables routing of External Aborts and SErrors to EL3.

Change-Id: I9d5e6775e6aad21db5b78362da6c3a3d897df977
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

This patch repurposes the TOS FW configuration file as the manifest for
the SPM core component which will reside at the secure EL adjacent to
EL3. The SPM dispatcher component will use the manifest to determine how
the core component must be initialised. Routines and data structure to
parse the manifest have also been added.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb

At the moment, address demangling is only used by the backtrace
functionality. However, at some point, other parts of the TF-A
codebase may want to use it.
The 'demangle_address' function is replaced with a single XPACI
instruction which is also added in 'do_crash_reporting()'.
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec

Use fconf to retrieve the `disable_authentication` property.
Move this access from arm dynamic configuration to bl common.

Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Fix code that violates the MISRA rule:
MISRA C-2012 Rule 11.9: Literal "0" shall not be used as
null pointer constant.

The fix explicitly checks whether a pointer is NULL.

Change-Id: Ibc318dc0f464982be9a34783f24ccd1d44800551
Signed-off-by: Zelalem <zelalem.aweke@arm.com>

This patch adds 'fdtw_read_bytes' and 'fdtw_write_inplace_bytes'
functions for read/write array of bytes from/to a given property.
It also adds 'fdt_setprop_inplace_namelen_partial' to jmptbl.i
files for builds with USE_ROMLIB=1 option.

Change-Id: Ied7b5c8b38a0e21d508aa7bcf5893e656028b14d
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Moving the FDT helper functions to the common/ directory exposed the file
to MISRA checking, which is mandatory for common code.

Fix the complaints that the test suite reported.

Change-Id: Ica8c8a95218bba5a3fd92a55407de24df58e8476
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

The pre-processor directives make it hard to read the non-TBB version of
this function. Refactor the code to improve readability. No functional
change introduced.

In particular, introduce a new helper function load_image_flush(),
that simply loads an image and flushes it out to main memory. This is
the only thing load_auth_image_internal() needs to do when TBB is
disabled or when authentication is dynamically disabled.

In other cases, we need to recursively authenticate the parent images up
to the root of trust. To make this clearer, this code gets moved to a
TBB-specific helper function called load_auth_image_recursive().

As a result, load_auth_image_internal() now boils down to calling the
right helper function (depending on TBB enablement and dynamic
authentication status).

Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

PSCI uses different function IDs for CPU_SUSPEND and CPU_ON, depending on
the architecture used (AArch64 or AArch32).
For recent PSCI versions the client will determine the right version,
but for PSCI v0.1 we need to put some ID in the DT node. At the moment
we always add the 64-bit IDs, which is not correct if TF-A is built for
AArch32.

Use the function IDs matching the TF-A build architecture, for the two
IDs where this differs. This only affects legacy OSes using PSCI v0.1.

On the way remove the sys_poweroff and sys_reset properties, which were
never described in the official PSCI DT binding.

Change-Id: If77bc6daec215faeb2dc67112e765aacafd17f33
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

Since we moved some functions that amend a DT blob in memory to common
code, let's add proper function documentation.
This covers the three exported functions in common/fdt_fixup.c.

Change-Id: I67d7d27344e62172c789d308662f78d54903cf57
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

If a firmware component like TF-A reserves special memory regions for
its own or secure payload services, it should announce the location and
size of those regions to the non-secure world. This will avoid
disappointment when some rich OS tries to acccess this memory, which
will likely end in a crash.

The traditional way of advertising reserved memory using device tree is
using the special memreserve feature of the device tree blob (DTB).
However by definition those regions mentioned there do not prevent the
rich OS to map this memory, which may lead to speculative accesses to
this memory and hence spurious bus errors.

A safer way of carving out memory is to use the /reserved-memory node as
part of the normal DT structure. Besides being easier to setup, this
also defines an explicit "no-map" property to signify the secure-only
nature of certain memory regions, which avoids the rich OS to
accidentally step on it.

Add a helper function to allow platform ports to easily add a region.

Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

The QEMU platform port scans its device tree to advertise PSCI as the
CPU enable method. It does this by scanning *every* node in the DT and
check whether its compatible string starts with "arm,cortex-a". Then it
sets the enable-method to PSCI, if it doesn't already have one.

Other platforms might want to use this functionality as well, so let's
move it out of the QEMU platform directory and make it more robust by
fixing some shortcomings:
- A compatible string starting with a certain prefix is not a good way
to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will
match as well and is in turn favoured with an enable-method.
- If the DT already has an enable-method, we won't change this to PSCI.

Those two issues will for instance fail on the Raspberry Pi 4 DT.
To fix those problems, we adjust the scanning method:
The DT spec says that all CPU nodes are subnodes of the mandatory
/cpus node, which is a subnode of the root node. Also each CPU node has
to have a device_type = "cpu" property. So we find the /cpus node, then
scan for a subnode with the proper device_type, forcing the
enable-method to "psci".
We have to restart this search after a property has been patched, as the
node offsets might have changed meanwhile.

This allows this routine to be reused for the Raspberry Pi 4 later.

Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
  of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
  which returns 128-bit value and uses Generic timer physical counter
  value to increase the randomness of the generated key.
  The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
  generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
  pauth_disable_el1()` and `pauth_disable_el3()` functions disable
  PAuth for EL1 and EL3 respectively;
  `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
  cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
  `save_gp_registers()` and `pauth_context_save()`;
  `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
  and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
  code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
  for 12 uint64_t PAuth registers instead of 10 by removal of macro
  CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
  and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
  in `msr	spsel`  instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Printing a newline is a relatively common functionality for code to want
to do. Therefore, this patch now moves this function into a common part
of the code that anyone can use.

Change-Id: I2cad699fde00ef8d2aabf8bf35742ddd88d090ba
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

This patch modifies crash reporting for AArch64 to provide
aligned output of register dump and GIC registers.

Change-Id: I8743bf1d2d6d56086e735df43785ef28051c5fc3
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.

All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)

Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>

BL31 used to take a single bl31_params_t parameter structure with entry
point information in arg0. In commit 72600226

 (Add new version of image
loading.) this API was changed to a more flexible linked list approach,
and the old parameter structure was copied into all platforms that still
used the old format. This duplicated code unnecessarily among all these
platforms.

This patch adds a helper function that platforms can optionally link to
outsource the task of interpreting arg0. Many platforms are just
interested in the BL32 and BL33 entry point information anyway. Since
some platforms still need to support the old version 1 parameters, the
helper will support both formats when ERROR_DEPRECATED == 0. This allows
those platforms to drop a bunch of boilerplate code and asynchronously
update their BL2 implementation to the newer format.

Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
Signed-off-by: Julius Werner <jwerner@chromium.org>

When pointer authentication is enabled, the LR value saved on the stack
contains a Pointer Authentication Code (PAC). It must be stripped to
retrieve the return address.

The PAC field is stored on the high bits of the address and defined as:
- PAC field = Xn[54:bottom_PAC_bit], when address tagging is used.
- PAC field = Xn[63:56, 54:bottom_PAC_bit], without address tagging.

With bottom_PAC_bit = 64 - TCR_ELx.TnSZ

Change-Id: I21d804e58200dfeca1da4c2554690bed5d191936
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

The project has been renamed from "Arm Trusted Firmware (ATF)" to
"Trusted Firmware-A (TF-A)" long ago. A few references to the old
project name that still remained in various places have now been
removed.

This change doesn't affect any platform files. Any "ATF" references
inside platform files, still remain.

Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Check for both IMPLEMENTATION_DEFINED and Architected algorithms of
Address Authentication.

Change-Id: I209dcc6087172cfef7baf8d09e0454628f02cbd0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.

This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.

Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Commit ed51b51f

 ("Remove build option LOAD_IMAGE_V2") intended
to remove all code related to LOAD_IMAGE_V2=0 but missed a few things.

Change-Id: I16aaf52779dd4af1e134e682731328c5f1e5d622
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This reverts commit 2f370465

 ("Add support for the SMC Calling
Convention 2.0").

SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.

The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.

Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
descriptors describing the list of executable images are created in BL2
R/W memory, which could be possibly corrupted later on by BL31/BL32 due
to overlay. This patch creates a reserved location in SRAM for these
descriptors and are copied over by BL2 before handing over to next BL
image.

Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
is enabled.

Fixes ARM-Software/tf-issues#626

Change-Id: I755735706fa702024b4032f51ed4895b3687377f
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

It's better to have them in a separate file instead of having them spread
across the Makefile. This is what the stack protector is already doing.

Change-Id: Id30742c0af10de5ea6d10674ca25bf52b0f2b262
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

fdtw_read_cells() can only read one or two cells, sometimes it may be
needed to read more cells from one property.

Change-Id: Ie70dc76d1540cd6a04787cde7cccb4d1bafc7282
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Introduced fdtw_read_string() to read string properties.

Change-Id: I854eef0390632cf2eaddd2dce60cdb98c117de43
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Mark the initialization functions in BL31, such as context management,
EHF, RAS and PSCI as __init so that they can be reclaimed by the
platform when no longer needed

Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

The code of LOAD_IMAGE_V2=0 has been removed.

Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

When using the tf_log_set_max_level() function, one can dynamically
set the log level to a value smaller than then compile time specified
one, but not equal. This means that when the log level have been
lowered, it can't be reset to the previous value. This commit modifies
this function to allow setting the log level back to the compile time
value.

Fixes ARM-software/tf-issues#624

Change-Id: Ib157715c8835982ce4977ba67a48e18ff23d5a61
Signed-off-by: Junhan Zhou <Junhan@mellanox.com>