1. 24 Feb, 2020 1 commit
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
  2. 20 Feb, 2020 4 commits
    • Varun Wadekar's avatar
      Tegra: delay_timer: support for physical secure timer · dd4f0885
      Varun Wadekar authored
      
      
      This patch modifies the delay timer driver to switch to the ARM
      secure physical timer instead of using Tegra's on-chip uS timer.
      
      The secure timer is not accessible to the NS world and so eliminates
      an important attack vector, where the Tegra timer source gets switched
      off from the NS world leading to a DoS attack for the trusted world.
      
      This timer is shared with the S-EL1 layer for now, but later patches
      will mark it as exclusive to the EL3 exception mode.
      
      Change-Id: I2c00f8cb4c48b25578971c626c314603906ad7cc
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      dd4f0885
    • Varun Wadekar's avatar
      include: move MHZ_TICKS_PER_SEC to utils_def.h · d4b29105
      Varun Wadekar authored
      
      
      This patch moves the MHZ_TICKS_PER_SEC macro to utils_def.h
      for other platforms to use.
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      Change-Id: I6c4dc733f548d73cfdb3515ec9ad89a9efaf4407
      d4b29105
    • Varun Wadekar's avatar
      cpus: higher performance non-cacheable load forwarding · cd0ea184
      Varun Wadekar authored
      
      
      The CPUACTLR_EL1 register on Cortex-A57 CPUs supports a bit to enable
      non-cacheable streaming enhancement. Platforms can set this bit only
      if their memory system meets the requirement that cache line fill
      requests from the Cortex-A57 processor are atomic.
      
      This patch adds support to enable higher performance non-cacheable load
      forwarding for such platforms. Platforms must enable this support by
      setting the 'A57_ENABLE_NONCACHEABLE_LOAD_FWD' flag from their
      makefiles. This flag is disabled by default.
      
      Change-Id: Ib27e55dd68d11a50962c0bbc5b89072208b4bac5
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      cd0ea184
    • Manish V Badarkhe's avatar
      Use consistent SMCCC error code · af10d224
      Manish V Badarkhe authored
      
      
      Removed duplicate error code present for SMCCC and used
      proper error code for "SMCCC_ARCH_WORKAROUND_2" call.
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: I76fc7c88095f78a7e2c3d205838f8eaf3132ed5c
      af10d224
  3. 18 Feb, 2020 3 commits
  4. 10 Feb, 2020 4 commits
    • Achin Gupta's avatar
      SPMD: add SPM dispatcher based upon SPCI Beta 0 spec · bdd2596d
      Achin Gupta authored
      
      
      This patch adds a rudimentary SPM dispatcher component in EL3.
      It does the following:
      
      - Consumes the TOS_FW_CONFIG to determine properties of the SPM core
        component
      - Initialises the SPM core component which resides in the BL32 image
      - Implements a handler for SPCI calls from either security state. Some
        basic validation is done for each call but in most cases it is simply
        forwarded as-is to the "other" security state.
      Signed-off-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      Change-Id: I7d116814557f7255f4f4ebb797d1619d4fbab590
      bdd2596d
    • Achin Gupta's avatar
      SPMD: add support to run BL32 in TDRAM and BL31 in secure DRAM on Arm FVP · 64758c97
      Achin Gupta authored
      
      
      This patch reserves and maps the Trusted DRAM for SPM core execution.
      It also configures the TrustZone address space controller to run BL31
      in secure DRAM.
      Signed-off-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      Change-Id: I7e1bb3bbc61a0fec6a9cb595964ff553620c21dc
      64758c97
    • Achin Gupta's avatar
      SPMD: add support for an example SPM core manifest · 0cb64d01
      Achin Gupta authored
      
      
      This patch repurposes the TOS FW configuration file as the manifest for
      the SPM core component which will reside at the secure EL adjacent to
      EL3. The SPM dispatcher component will use the manifest to determine how
      the core component must be initialised. Routines and data structure to
      parse the manifest have also been added.
      Signed-off-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb
      0cb64d01
    • Manish Pandey's avatar
      SPM: modify sptool to generate individual SP blobs · 3977a825
      Manish Pandey authored
      
      
      Currently sptool generates a single blob containing all the Secure
      Partitions, with latest SPM implementation, it is desirable to have
      individual blobs for each Secure Partition. It allows to leverage
      packaging and parsing of SP on existing FIP framework. It also allows
      SP packages coming from different sources.
      
      This patch modifies sptool so that it takes number of SP payload pairs
      as input and generates number of SP blobs instead of a single blob.
      
      Each SP blob can optionally have its own header containing offsets and
      sizes of different payloads along with a SP magic number and version.
      It is also associated in FIP with a UUID, provided by SP owner.
      
      Usage example:
      sptool -i sp1.bin:sp1.dtb -o sp1.pkg -i sp2.bin:sp2.dtb -o sp2.pkg ...
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: Ie2db8e601fa1d4182d0a1d22e78e9533dce231bc
      3977a825
  5. 07 Feb, 2020 13 commits
    • Alexei Fedorov's avatar
      Make PAC demangling more generic · 68c76088
      Alexei Fedorov authored
      
      
      At the moment, address demangling is only used by the backtrace
      functionality. However, at some point, other parts of the TF-A
      codebase may want to use it.
      The 'demangle_address' function is replaced with a single XPACI
      instruction which is also added in 'do_crash_reporting()'.
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec
      68c76088
    • Aditya Angadi's avatar
      drivers/arm/scmi: allow use of multiple SCMI channels · 31e703f9
      Aditya Angadi authored
      
      
      On systems that have multiple platform components that can interpret the
      SCMI messages, there is a need to support multiple SCMI channels (one
      each to those platform components). Extend the existing SCMI interface
      that currently supports only a single SCMI channel to support multiple
      SCMI channels.
      
      Change-Id: Ice4062475b903aef3b5e5bc37df364c9778a62c5
      Signed-off-by: default avatarAditya Angadi <aditya.angadi@arm.com>
      31e703f9
    • Aditya Angadi's avatar
      drivers/mhu: derive doorbell base address · f8931606
      Aditya Angadi authored
      
      
      In order to allow the MHUv2 driver to be usable with multiple MHUv2
      controllers, use the base address of the controller from the platform
      information instead of the MHUV2_BASE_ADDR macro.
      
      Change-Id: I4dbab87b929fb0568935e6c8b339ce67937f8cd1
      Signed-off-by: default avatarAditya Angadi <aditya.angadi@arm.com>
      f8931606
    • Vijayenthiran Subramaniam's avatar
      plat/arm/sgi: add chip_id and multi_chip_mode to platform variant info · 6daeec70
      Vijayenthiran Subramaniam authored
      
      
      Multi-chip platforms have two or more identical chips connected using a
      high speed coherent link. In order to identify such platforms,
      add chip_id and multi_chip_mode information in the platform variant
      info structure. The values of these two new elements is populated
      during boot.
      
      Change-Id: Ie6e89cb33b3f0f408814f6239cd06647053e23ed
      Signed-off-by: default avatarVijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
      6daeec70
    • Louis Mayencourt's avatar
      arm-io: Panic in case of io setup failure · 97399821
      Louis Mayencourt authored
      
      
      Currently, an IO setup failure will be ignored on arm platform release
      build. Change this to panic instead.
      
      Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      97399821
    • Louis Mayencourt's avatar
      MISRA fix: Use boolean essential type · d6dcbcad
      Louis Mayencourt authored
      
      
      Change the return type of "arm_io_is_toc_valid()" and
      "plat_arm_bl1_fwu_needed()" to bool, to match function behavior.
      
      Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      d6dcbcad
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
    • Louis Mayencourt's avatar
      fconf: Add mbedtls shared heap as property · 6c972317
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework in arm dynamic configuration
      to retrieve mbedtls heap information between bl1 and bl2.
      
      For this, a new fconf getter is added to expose the device tree base
      address and size.
      
      Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c972317
    • Louis Mayencourt's avatar
      fconf: Add TBBR disable_authentication property · ce852841
      Louis Mayencourt authored
      
      
      Use fconf to retrieve the `disable_authentication` property.
      Move this access from arm dynamic configuration to bl common.
      
      Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ce852841
    • Louis Mayencourt's avatar
      fconf: Add dynamic config DTBs info as property · 25ac8794
      Louis Mayencourt authored
      
      
      This patch introduces a better separation between the trusted-boot
      related properties, and the dynamic configuration DTBs loading
      information.
      
      The dynamic configuration DTBs properties are moved to a new node:
      `dtb-registry`. All the sub-nodes present will be provided to the
      dynamic config framework to be loaded. The node currently only contains
      the already defined configuration DTBs, but can be extended for future
      features if necessary.
      The dynamic config framework is modified to use the abstraction provided
      by the fconf framework, instead of directly accessing the DTBs.
      
      The trusted-boot properties are kept under the "arm,tb_fw" compatible
      string, but in a separate `tb_fw-config` node.
      The `tb_fw-config` property of the `dtb-registry` node simply points
      to the load address of `fw_config`, as the `tb_fw-config` is currently
      part of the same DTB.
      
      Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      25ac8794
    • Louis Mayencourt's avatar
      fconf: Populate properties from dtb during bl2 setup · 9814bfc1
      Louis Mayencourt authored
      
      
      Use the dtb provided by bl1 as configuration file for fconf.
      
      Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      9814bfc1
    • Louis Mayencourt's avatar
      fconf: Load config dtb from bl1 · 3b5ea741
      Louis Mayencourt authored
      
      
      Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
      function is not associated to arm platform anymore, and can be moved
      to bl_main if wanted.
      
      Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      3b5ea741
    • Louis Mayencourt's avatar
      fconf: initial commit · ab1981db
      Louis Mayencourt authored
      
      
      Introduce the Firmware CONfiguration Framework (fconf).
      
      The fconf is an abstraction layer for platform specific data, allowing
      a "property" to be queried and a value retrieved without the requesting
      entity knowing what backing store is being used to hold the data.
      
      The default backing store used is C structure. If another backing store
      has to be used, the platform integrator needs to provide a "populate()"
      function to fill the corresponding C structure.
      The "populate()" function must be registered to the fconf framework with
      the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
      be called inside the "fconf_populate()" function.
      
      A two level macro is used as getter:
      - the first macro takes 3 parameters and converts it to a function
        call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
      - the second level defines a__b_getter(c) to the matching C structure,
        variable, array, function, etc..
      
      Ex: Get a Chain of trust property:
          1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
          2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
      
      Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ab1981db
  6. 06 Feb, 2020 1 commit
    • Max Shvetsov's avatar
      Adds option to read ROTPK from registers for FVP · a6ffddec
      Max Shvetsov authored
      
      
      Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
      Removes hard-coded developer keys. Instead, setting
      ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
      In case of ROT_KEY specified - generates a new hash and replaces the
      original.
      
      Note: Juno board was tested by original feature author and was not tested
      for this patch since we don't have access to the private key. Juno
      implementation was moved to board-specific file without changing
      functionality. It is not known whether byte-swapping is still needed
      for this platform.
      
      Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
      Signed-off-by: default avatarMax Shvetsov <maksims.svecovs@arm.com>
      a6ffddec
  7. 05 Feb, 2020 1 commit
  8. 03 Feb, 2020 1 commit
  9. 30 Jan, 2020 1 commit
    • Grzegorz Jaszczyk's avatar
      plat: marvell: armada: add support for loading MG CM3 images · 81646055
      Grzegorz Jaszczyk authored
      
      
      In order to access MG SRAM, the amb bridge needs to be configured which is
      done in bl2 platform init.
      
      For MG CM3, the image is only loaded to its SRAM and the CM3 itself is
      left in reset. It is because the next stage bootloader (e.g. u-boot)
      will trigger action which will take it out of reset when needed. This
      can happen e.g. when appropriate device-tree setup (which has enabled
      802.3 auto-neg) will be chosen. In other cases the MG CM3 should not be
      running.
      
      Change-Id: I816ea14e3a7174eace068ec44e3cc09998d0337e
      Signed-off-by: default avatarGrzegorz Jaszczyk <jaz@semihalf.com>
      81646055
  10. 28 Jan, 2020 2 commits
  11. 27 Jan, 2020 2 commits
    • Madhukar Pappireddy's avatar
      plat/arm: Add support for SEPARATE_NOBITS_REGION · 0c1f197a
      Madhukar Pappireddy authored
      
      
      In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
      BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
      the build to require that ARM_BL31_IN_DRAM is enabled as well.
      
      Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
      cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
      
      Memory map for BL31 NOBITS region also has to be created.
      
      Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      0c1f197a
    • Manish Pandey's avatar
      Neovers N1: added support to update presence of External LLC · f2d6b4ee
      Manish Pandey authored
      
      
      CPUECTLR_EL1.EXTLLC bit indicates the presense of internal or external
      last level cache(LLC) in the system, the reset value is internal LLC.
      
      To cater for the platforms(like N1SDP) which has external LLC present
      introduce a new build option 'NEOVERSE_N1_EXTERNAL_LLC' which can be
      enabled by platform port.
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: Ibf475fcd6fd44401897a71600f4eafe989921363
      f2d6b4ee
  12. 24 Jan, 2020 1 commit
    • Masahiro Yamada's avatar
      bl_common: add BL_END macro · 2c74a29d
      Masahiro Yamada authored
      
      
      Currently, the end address macros are defined per BL, like BL2_END,
      BL31_END, BL32_END. They are not handy in the common code shared
      between multiple BL stages.
      
      This commit introduces BL_END, which is equivalent to BL{2,31,32}_END,
      and will be useful for the BL-common code.
      
      Change-Id: I3c39bf6096d99ce920a5b9fa21c0f65456fbfe8a
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2c74a29d
  13. 23 Jan, 2020 2 commits
  14. 22 Jan, 2020 2 commits
  15. 20 Jan, 2020 2 commits