1. 24 Feb, 2020 1 commit
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
  2. 22 Jan, 2020 1 commit
  3. 12 Nov, 2019 1 commit
    • Deepika Bhavnani's avatar
      Coding guideline suggest not to use unsigned long · 9afe8cdc
      Deepika Bhavnani authored
      
      
      `unsigned long` should be replaced to
      1. `unsigned int` or `unsigned long long` - If fixed,
      based on the architecture AArch32 or AArch64
      2. `u_register_t` - If it is supposed to be 32-bit
      wide in AArch32 and 64-bit wide in AArch64.
      
      Translation descriptors are always 32-bit wide, here
      `uint32_t` is used to describe the `exact size` of
      translation descriptors instead of `unsigned int` which
      guarantees minimum 32-bits
      Signed-off-by: default avatarDeepika Bhavnani <deepika.bhavnani@arm.com>
      Change-Id: I6a2af2e8b3c71170e2634044e0b887f07a41677e
      9afe8cdc
  4. 18 Oct, 2019 1 commit
    • Artsem Artsemenka's avatar
      xlat_table_v2: Fix enable WARMBOOT_ENABLE_DCACHE_EARLY config · 0e7a0540
      Artsem Artsemenka authored
      
      
      The WARMBOOT_ENABLE_DCACHE_EARLY allows caches to be turned on early during
      the boot. But the xlat_change_mem_attributes_ctx() API did not do the required
      cache maintenance after the mmap tables are modified if
      WARMBOOT_ENABLE_DCACHE_EARLY is enabled. This meant that when the caches are turned
      off during power down, the tables in memory are accessed as part of cache
      maintenance for power down, and the tables are not correct at this point which
      results in a data abort.
      This patch removes the optimization within xlat_change_mem_attributes_ctx()
      when WARMBOOT_ENABLE_DCACHE_EARLY is enabled.
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      Change-Id: I82de3decba87dd13e9856b5f3620a1c8571c8d87
      0e7a0540
  5. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
  6. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  7. 03 Apr, 2019 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Move shim layer to TTBR1_EL1 · 6de6965b
      Antonio Nino Diaz authored
      
      
      This gives each Secure Partition complete freedom on its address space.
      Previously, the memory used by the exception vectors was reserved and
      couldn't be used. Also, it always had to be mapped, forcing SPM to
      generate translation tables that included the exception vectors as well
      as the Partition memory regions. With this change, partitions can reduce
      their address space size easily.
      
      Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      6de6965b
  8. 19 Mar, 2019 1 commit
    • Antonio Nino Diaz's avatar
      xlat_tables_v2: Revert recent changes to remove recursion · f253645d
      Antonio Nino Diaz authored
      This commit reverts the following commits:
      
      - c54c7fc3 ("xlat_tables_v2: print xlat tables without recursion")
      - db8cac2d ("xlat_tables_v2: unmap region without recursion.")
      - 0ffe2692
      
       ("xlat_tables_v2: map region without recursion.")
      
      This was part of PR#1843.
      
      A problem has been detected in one of our test run configurations
      involving dynamic mapping of regions and it is blocking the next
      release. Until the problem can be solved, it is safer to revert
      the changes.
      
      Change-Id: I3d5456e4dbebf291c8b74939c6fb02a912e0903b
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      f253645d
  9. 05 Mar, 2019 3 commits
  10. 28 Feb, 2019 2 commits
    • David Pu's avatar
      xlat_tables_v2: find VA/idx with helper functions. · e664b5b6
      David Pu authored
      
      
      This patch introduces 2 helper functions 'xlat_tables_find_start_va' and
      'xlat_tables_va_to_index' to find the first VA and table index affected by the
      specified mmap region. it reduces code duplication and cyclomatic code
      complexity in xlat_tables_map/unmap_region functions.
      
      Cyclomatic complexity calculated using 'Coverity'
      
      fixes arm-software/tf-issues#673
      Signed-off-by: default avatarDavid Pu <dpu@nvidia.com>
      e664b5b6
    • David Pu's avatar
      xlat_tables_v2: get unmap action type with helper function. · 3ff6e401
      David Pu authored
      
      
      This patch introduces helper function 'xlat_tables_unmap_region_action'
      to get the required action type from given arguments when unmapping the
      specified region.
      it reduces cyclomatic code complexity in xlat_tables_unmap_region function.
      
      Cyclomatic complexity calculated using 'Coverity'
      
      fixes arm-software/tf-issues#673
      Signed-off-by: default avatarDavid Pu <dpu@nvidia.com>
      3ff6e401
  11. 07 Feb, 2019 1 commit
    • Varun Wadekar's avatar
      xlat_tables_v2: mark 'xlat_clean_dcache_range' unused · a1d00bb3
      Varun Wadekar authored
      
      
      The armclang compiler can warn if a variable is declared but
      is never referenced. The '__attribute__((unused))' attribute
      informs the compiler to expect an unused variable, and tells
      it not to issue a warning.
      
      This patch marks the 'xlat_clean_dcache_range' function as
      "unused" to fix this armclang compiler warning.
      
      Change-Id: I7623f61c2975a01db4d1b80554dd4f9a9e0f7eb6
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      a1d00bb3
  12. 01 Feb, 2019 1 commit
  13. 30 Jan, 2019 1 commit
    • Sathees Balya's avatar
      lib/xlat_tables: Add support for ARMv8.4-TTST · cedfa04b
      Sathees Balya authored
      
      
      ARMv8.4-TTST (Small Translation tables) relaxes the lower limit on the
      size of translation tables by increasing the maximum permitted value
      of the T1SZ and T0SZ fields in TCR_EL1, TCR_EL2, TCR_EL3, VTCR_EL2 and
      VSTCR_EL2.
      
      This feature is supported in AArch64 state only.
      
      This patch adds support for this feature to both versions of the
      translation tables library. It also removes the static build time
      checks for virtual address space size checks to runtime assertions.
      
      Change-Id: I4e8cebc197ec1c2092dc7d307486616786e6c093
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      cedfa04b
  14. 11 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Dynamically detect need for CnP bit · 2559b2c8
      Antonio Nino Diaz authored
      
      
      ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
      in CPUs that don't implement all mandatory 8.2 features (and so have to
      claim to be a lower version).
      
      This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
      ID registers to detect whether it is needed to set the bit or not.
      
      Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2559b2c8
  15. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  16. 11 Dec, 2018 1 commit
  17. 22 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Support mapping regions with allocated VA · 9056f108
      Antonio Nino Diaz authored
      
      
      Provide new APIs to add new regions without specifying the base VA.
      
      - `mmap_add_region_alloc_va` adds a static region to mmap choosing as
        base VA the first possible address after all the currently mapped
        regions. It is aligned to an appropriate boundary in relation to the
        size and base PA of the requested region. No attempt is made to fill
        any unused VA holes.
      
      - `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
        `mmap_add_region_alloc_va` does, but it's dynamic instead of static.
      
      - `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
        maps them in the same way as `mmap_add_region_alloc_va` and fills
        their `base_va` field. A helper macro has been created to help create
        the array, called `MAP_REGION_ALLOC_VA`.
      
      Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      9056f108
  18. 29 Oct, 2018 1 commit
    • Soby Mathew's avatar
      PIE: Use PC relative adrp/adr for symbol reference · f1722b69
      Soby Mathew authored
      
      
      This patch fixes up the AArch64 assembly code to use
      adrp/adr instructions instead of ldr instruction for
      reference to symbols. This allows these assembly
      sequences to be Position Independant. Note that the
      the reference to sizes have been replaced with
      calculation of size at runtime. This is because size
      is a constant value and does not depend on execution
      address and using PC relative instructions for loading
      them makes them relative to execution address. Also
      we cannot use `ldr` instruction to load size as it
      generates a dynamic relocation entry which must *not*
      be fixed up and it is difficult for a dynamic loader
      to differentiate which entries need to be skipped.
      
      Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      f1722b69
  19. 26 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat: Fix compatibility between v1 and v2 · 03987d01
      Antonio Nino Diaz authored
      
      
      There are several platforms using arm_setup_page_tables(), which is
      supposed to be Arm platform only. This creates several dependency
      problems between platforms.
      
      This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
      v2 makefile. This way it is possible to detect from C code which version
      is being used and include the correct header.
      
      The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
      moved to a common folder. This way, when in doubt, this header can be
      used to guarantee compatibility, as it includes the correct header based
      on XLAT_TABLES_LIB_V2.
      
      This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
      that is now locked in xlat lib v2) and ZynqMP (where it was added as a
      workaround).
      
      Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      03987d01
  20. 08 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat: Fix checks in mmap_add() and mmap_add_ctx() · a5fa5658
      Antonio Nino Diaz authored
      Commit 79621f00
      
       broke sgi575.
      
      It is possible to have a region with 0 as value for the attributes. It
      means device memory, read only, secure, executable. This is legitimate
      if the code is in flash and the code is executed from there.
      
      This is the case for SGI_MAP_FLASH0_RO, defined in the file
      plat/arm/css/sgi/sgi_plat.c.
      
      This problem is solved by checking both size and attributes in xlat v1.
      In xlat v2, it is enough to check the granularity, as it can never be 0.
      
      Change-Id: I7be11f1b0e51c4c2ffd560b4a6cdfbf15de2c276
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a5fa5658
  21. 03 Oct, 2018 2 commits
    • Daniel Boulby's avatar
      Mark xlat tables initialization code · aff2863f
      Daniel Boulby authored
      
      
      Mark the xlat tables code only used in BL31 initialization as
      __init to be reclaimed once no longer needed
      
      Change-Id: I3106bfd994706a57c578624573bcfa525fbbd3c4
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      aff2863f
    • Daniel Boulby's avatar
      xlat: Change check in mmap_add and mmap_add_ctx() · 79621f00
      Daniel Boulby authored
      
      
      Depending on the build flags it is possible that some of the memory
      regions mapped in page table setup could have a size of 0. In this
      case we simply want to do nothing but still wish to map the other
      regions in the array. Therefore we cannot only use size == 0 as
      the termination logic for the loop.
      
      Since an attributes field with value 0 means that the region is
      device memory, read only, secure and executable. Device memory
      can't be executable, so this combination should never be used
      and it is safe to use as a terminator value.
      
      Therefore by changing the termination logic to use attributes
      instead of size we prevent terminating the loop when we don't
      intend to.
      
      Change-Id: I92fc7f689ab08543497be6be4896dace2ed7b66a
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      79621f00
  22. 28 Sep, 2018 1 commit
  23. 22 Aug, 2018 2 commits
  24. 10 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Support the EL2 translation regime · 1a92a0e0
      Antonio Nino Diaz authored
      
      
      The translation library is useful elsewhere. Even though this repository
      doesn't exercise the EL2 support of the library, it is better to have it
      here as well to make it easier to maintain.
      
      enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
      functions are still present, but they are behind ERROR_DEPRECATED and
      they call the new functions enable_mmu_svc_mon() and
      enable_mmu_direct_svc_mon().
      
      Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      1a92a0e0
  25. 07 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Flush xlat tables after being modified · 3e318e40
      Antonio Nino Diaz authored
      During cold boot, the initial translation tables are created with data
      caches disabled, so all modifications go to memory directly. After the
      MMU is enabled and data cache is enabled, any modification to the tables
      goes to data cache, and eventually may get flushed to memory.
      
      If CPU0 modifies the tables while CPU1 is off, CPU0 will have the
      modified tables in its data cache. When CPU1 is powered on, the MMU is
      enabled, then it enables coherency, and then it enables the data cache.
      Until this is done, CPU1 isn't in coherency, and the translation tables
      it sees can be outdated if CPU0 still has some modified entries in its
      data cache.
      
      This can be a problem in some cases. For example, the warm boot code
      uses only the tables mapped during cold boot, which don't normally
      change. However, if they are modified (and a RO page is made RW, or a XN
      page is made executable) the CPU will see the old attributes and crash
      when it tries to access it.
      
      This doesn't happen in systems with HW_ASSISTED_COHERENCY or
      WARMBOOT_ENABLE_DCACHE_EARLY. In these systems, the data cache is
      enabled at the same time as the MMU. As soon as this happens, the CPU is
      in coherency.
      
      There was an attempt of a fix in psci_helpers.S, but it didn't solve the
      problem. That code has been deleted. The code was introduced in commit
      <26441030
      
      > ("Invalidate TLB entries during warm boot").
      
      Now, during a map or unmap operation, the memory associated to each
      modified table is flushed. Traversing a table will also flush it's
      memory, as there is no way to tell in the current implementation if the
      table that has been traversed has also been modified.
      
      Change-Id: I4b520bca27502f1018878061bc5fb82af740bb92
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      3e318e40
  26. 06 Aug, 2018 1 commit
  27. 02 Aug, 2018 1 commit
  28. 30 Jul, 2018 1 commit
  29. 15 Jul, 2018 2 commits
  30. 13 Jul, 2018 4 commits
    • Antonio Nino Diaz's avatar
      xlat v2: Turn MMU parameters into 64-bit values · 6563c0be
      Antonio Nino Diaz authored
      
      
      Most registers are 64-bit wide, even in AArch32 mode:
      
      - MAIR_ELx is equivalent to MAIR0 and MAIR1.
      - TTBR is 64 bit in both AArch64 and AArch32.
      
      The only difference is the TCR register, which is 32 bit in AArch32 and
      in EL3 in AArch64. For consistency with the rest of ELs in AArch64, it
      makes sense to also have it as a 64-bit value.
      
      Change-Id: I2274d66a28876702e7085df5f8aad0e7ec139da9
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      6563c0be
    • Antonio Nino Diaz's avatar
      xlat v2: Remove IMAGE_EL define · aa1d5f60
      Antonio Nino Diaz authored
      
      
      The Exception Level is now detected at runtime. This means that it is not
      needed to hardcode the EL used by each image.
      
      This doesn't result in a substantial increase of the image size because
      the initialization functions that aren't used are garbage-collected by
      the linker.
      
      In AArch32 the current EL has been changed from EL3 to EL1 because the
      the AArch32 PL1&0 translation regime behaves more like the AArch64 EL1&0
      translation regime than the EL3 one.
      
      Change-Id: I941404299ebe7666ca17619207c923b49a55cb73
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      aa1d5f60
    • Antonio Nino Diaz's avatar
      xlat v2: Remove unused tlbi helper · 8d164bc6
      Antonio Nino Diaz authored
      
      
      xlat_arch_tlbi_va_regime() isn't used, so it has been renamed to
      xlat_arch_tlbi_va() and the previous implementation has been removed.
      
      Change-Id: Ic118bed3fb68234748d86b2e9e95b25650289276
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      8d164bc6
    • Antonio Nino Diaz's avatar
      xlat v2: Remove architectural headers · 468e2382
      Antonio Nino Diaz authored
      
      
      They only contained one function that is easily integrated in the private
      library header and the existing architectural C files.
      
      This also helps making the library more portable, as the Makefile of the
      library now doesn't use the variable INCLUDES, which is specific to this
      codebase and doesn't respect the namespace of the library.
      
      Change-Id: I22228e6a97e9b4f346f5cd8947609263e8df71d8
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      468e2382
  31. 03 Jul, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Make get/set attrs functions less verbose · 6a086061
      Antonio Nino Diaz authored
      
      
      It is useful to have LOG_LEVEL_VERBOSE because it prints the memory map
      of each image, but that also means that the change_mem_attributes and
      get_mem_attributes functions have verbose prints, and generate a too
      long text output that hides other useful information.
      
      As they were mostly there for debug purposes, this patch removes them.
      
      Change-Id: I2986537377d1f78be2b79cc8a6cf230c380bdb55
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      6a086061