- 26 Sep, 2019 3 commits
-
-
Madhukar Pappireddy authored
This patch invokes the new function gicv3_rdistif_probe() in the ARM platform specific gicv3 driver. Since this API modifies the shared GIC related data structure, it must be invoked coherently by using the platform specific pwr_domain_on_finish_late hook. Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
Madhukar Pappireddy authored
This PSCI hook is similar to pwr_domain_on_finish but is guaranteed to be invoked with the respective core and cluster are participating in coherency. This will be necessary to safely invoke the new GICv3 API which modifies shared GIC data structures concurrently. Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
Madhukar Pappireddy authored
This patch provides declaration and definition of new GICv3 driver API: gicv3_rdistif_probe().This function delegates the responsibility of discovering the corresponding Redistributor base frame to each CPU itself. It is a modified version of gicv3_rdistif_base_addrs_probe() and is executed by each CPU in the platform unlike the previous approach in which only the Primary CPU did the discovery of all the Redistributor frames for every CPU. The flush operations as part of gicv3_driver_init() function are made necessary even for platforms with WARMBOOT_ENABLE_DCACHE_EARLY because the GICv3 driver data structure contents are accessed by CPU with D-Cache turned off during power down operations. Change-Id: I1833e81d3974b32a3e4a3df4766a33d070982268 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 13 Sep, 2019 5 commits
-
-
Andre Przywara authored
If a firmware component like TF-A reserves special memory regions for its own or secure payload services, it should announce the location and size of those regions to the non-secure world. This will avoid disappointment when some rich OS tries to acccess this memory, which will likely end in a crash. The traditional way of advertising reserved memory using device tree is using the special memreserve feature of the device tree blob (DTB). However by definition those regions mentioned there do not prevent the rich OS to map this memory, which may lead to speculative accesses to this memory and hence spurious bus errors. A safer way of carving out memory is to use the /reserved-memory node as part of the normal DT structure. Besides being easier to setup, this also defines an explicit "no-map" property to signify the secure-only nature of certain memory regions, which avoids the rich OS to accidentally step on it. Add a helper function to allow platform ports to easily add a region. Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
To allow sharing the driver between the RPi3 and RPi4, move the random number generator driver into the generic driver directory. Change-Id: Iae94d7cb22c6bce3af9bff709d76d4caf87b14d1 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
The QEMU platform port scans its device tree to advertise PSCI as the CPU enable method. It does this by scanning *every* node in the DT and check whether its compatible string starts with "arm,cortex-a". Then it sets the enable-method to PSCI, if it doesn't already have one. Other platforms might want to use this functionality as well, so let's move it out of the QEMU platform directory and make it more robust by fixing some shortcomings: - A compatible string starting with a certain prefix is not a good way to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will match as well and is in turn favoured with an enable-method. - If the DT already has an enable-method, we won't change this to PSCI. Those two issues will for instance fail on the Raspberry Pi 4 DT. To fix those problems, we adjust the scanning method: The DT spec says that all CPU nodes are subnodes of the mandatory /cpus node, which is a subnode of the root node. Also each CPU node has to have a device_type = "cpu" property. So we find the /cpus node, then scan for a subnode with the proper device_type, forcing the enable-method to "psci". We have to restart this search after a property has been patched, as the node offsets might have changed meanwhile. This allows this routine to be reused for the Raspberry Pi 4 later. Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
To allow sharing the driver between the RPi3 and RPi4, move the mailbox driver into the generic driver directory. Change-Id: I463e49acf82b02bf004f3d56482b7791f3020bc0 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Alexei Fedorov authored
This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 12 Sep, 2019 2 commits
-
-
Justin Chadwell authored
Previously, TF-A could not support large RSA key sizes as the configuration options passed to MBEDTLS prevented storing and performing calculations with the larger, higher-precision numbers required. With these changes to the arguments passed to MBEDTLS, TF-A now supports using 3072 (3K) and 4096 (4K) keys in certificates. Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Hadi Asyrafi authored
Some of the platform (ie. Agilex) make use of CCU IPs which will only be initialized during bl2_el3_early_platform_setup. Any operation to the cache beforehand will crash the platform. Hence, this will provide an option to skip the data cache invalidation upon bl2 entry at EL3 Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06
-
- 11 Sep, 2019 2 commits
-
-
Justin Chadwell authored
This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Masahiro Yamada authored
Sparse warns this: lib/libc/assert.c:29:6: error: symbol '__assert' redeclared with different type (originally declared at include/lib/libc/assert.h:36) - different modifiers Add __dead2 to match the header declaration and C definition. I also changed '__dead2 void' to 'void __dead2' for the consistency with other parts. Change-Id: Iefa4f0e787c24fa7e7e499d2e7baf54d4deb49ef Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 10 Sep, 2019 2 commits
-
-
kenny liang authored
Add plat parameter structs to support BL2 to pass variable-length, variable-type parameters to BL31. The parameters are structured as a link list. During BL31 setup time, we traverse the list to process each parameter. Signed-off-by: kenny liang <kenny.liang@mediatek.com> Change-Id: Ie84cfc9606656fb1d2780a68cadf27e09afa6628
-
kenny liang authored
- Add DCM driver - Add SPMC driver - Implement core and cluster power on/off handlers Change-Id: I902002f8ea6f98fd73bf259188162b10d3939c72 Signed-off-by: kenny liang <kenny.liang@mediatek.com>
-
- 09 Sep, 2019 1 commit
-
-
Justin Chadwell authored
This patch adds support for the new Memory Tagging Extension arriving in ARMv8.5. MTE support is now enabled by default on systems that support at EL0. To enable it at ELx for both the non-secure and the secure world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving and restoring when necessary in order to prevent register leakage between the worlds. Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 05 Sep, 2019 2 commits
-
-
Carlo Caione authored
The SHA256 DMA driver can be used by multiple SoCs. Move it to the common directory. Signed-off-by: Carlo Caione <ccaione@baylibre.com> Change-Id: I96319eeeeeebd503ef0dcb07c0e4ff6a67afeaa5
-
Carlo Caione authored
Meson is the internal code name for the SoC family. The correct name for the platform should be Amlogic. Change the name of the platform directory. Signed-off-by: Carlo Caione <ccaione@baylibre.com> Change-Id: Icc140e1ea137f12117acbf64c7dcb1a8b66b345d
-
- 04 Sep, 2019 1 commit
-
-
Masahiro Yamada authored
The #include "mbedtls/check_config.h" directive first searches for the header in the relative path to mbedtls_config.h, i.e. include/drivers/auth/mbedtls/mbedtls/check_config.h Obviously, it does not exist since check_config.h is located in the mbedtls project. It is more sensible to use #include <...> form. Change-Id: If72a71381f84e7748a2c9f07dd1176559d9bb1d2 Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 02 Sep, 2019 2 commits
-
-
Yann Gautier authored
If the max-frequency property is provided in the device tree mmc node, it should be managed. The max allowed frequency will be the min between this property value and what the card can support. Change-Id: I885b676c3300d2670a0fe4c6ecab87758b5893ad Signed-off-by: Yann Gautier <yann.gautier@st.com>
-
Yann Gautier authored
Introduce driver for STM32 IWDG peripheral (Independent Watchdog). It is configured according to device tree content and should be enabled from there. The watchdog is not started by default. It can be started after an HW reset if the dedicated OTP is fused. The watchdog also needs to be frozen if a debugger is attached. This is done by configuring the correct bits in DBGMCU. This configuration is allowed by checking BSEC properties. An increase of BL2 size is also required when adding this new code. Change-Id: Ide7535d717885ce2f9c387cf17afd8b5607f3e7f Signed-off-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Lionel Debieve <lionel.debieve@st.com> Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
-
- 21 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes an issue when secure world timing information can be leaked because Secure Cycle Counter is not disabled. For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR_EL0.DP bit. 'include\aarch64\arch.h' header file was tided up and new ARMv8.5-PMU related definitions were added. Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 19 Aug, 2019 1 commit
-
-
Masahiro Yamada authored
Currently, console drivers prepend '\r' to '\n' by themselves. This is common enough to be supported in the framework. Add a new flag, CONSOLE_FLAG_TRANSLATE_CRLF. A driver can set this flag to ask the framework to transform LF into CRLF instead of doing it by itself. Change-Id: I4f5c5887591bc0a8749a105abe62b6562eaf503b Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 16 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes FVP_Base_AEMv8A model hang issue with ARMv8.4+ with cache modelling enabled configuration. Incorrect L1 cache flush operation to PoU, using CLIDR_EL1 LoUIS field, which is required by the architecture to be zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced with L1 to L2 and L2 to L3 (if L3 is present) cache flushes. FVP_Base_AEMv8A model can be configured with L3 enabled by setting `cluster0.l3cache-size` and `cluster1.l3cache-size` to non-zero values, and presence of L3 is checked in `aem_generic_core_pwr_dwn` function by reading CLIDR_EL1.Ctype3 field value. Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 15 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch modifies crash reporting for AArch64 to provide aligned output of register dump and GIC registers. Change-Id: I8743bf1d2d6d56086e735df43785ef28051c5fc3 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 01 Aug, 2019 2 commits
-
-
Julius Werner authored
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
Julius Werner authored
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__. All common C compilers predefine a macro called __ASSEMBLER__ when preprocessing a .S file. There is no reason for TF-A to define it's own __ASSEMBLY__ macro for this purpose instead. To unify code with the export headers (which use __ASSEMBLER__ to avoid one extra dependency), let's deprecate __ASSEMBLY__ and switch the code base over to the predefined standard. Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 31 Jul, 2019 1 commit
-
-
Balint Dobszay authored
Change-Id: Ie0a94783d0c8e111ae19fd592304e6485f04ca29 Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
-
- 25 Jul, 2019 2 commits
-
-
Gilad Ben-Yossef authored
Add support for multiple Cryptocell revisions which use different APIs. This commit only refactors the existing code in preperation to the addition of another Cryptocell revisions later on. Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com> Change-Id: I16d80b31afb6edd56dc645fee5ea619cc74f09b6
-
Gilad Ben-Yossef authored
Code using Cryptocell specific APIs was used as part of the arm common board ROT support, instead of being abstracted in Cryptocell specific driver code, creating two problems: - Any none arm board that uses Cryptocell wuld need to copy and paste the same code. - Inability to cleanly support multiple versions of Cryptocell API and products. Move over Cryptocell specific API calls into the Cryptocell driver, creating abstraction API where needed. Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com> Change-Id: I9e03ddce90fcc47cfdc747098bece86dbd11c58e
-
- 24 Jul, 2019 4 commits
-
-
John Tsichritzis authored
This patch introduces an additional precautionary step to further enhance protection against variant 4. During the context initialisation before we enter the various BL stages, the SPSR.SSBS bit is explicitly set to zero. As such, speculative loads/stores are by default disabled for all BL stages when they start executing. Subsequently, each BL stage, can choose to enable speculative loads/stores or keep them disabled. This change doesn't affect the initial execution context of BL33 which is totally platform dependent and, thus, it is intentionally left up to each platform to initialise. For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means that, for Arm platforms, all BL stages start with speculative loads/stores disabled. Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
Julius Werner authored
BL31 used to take a single bl31_params_t parameter structure with entry point information in arg0. In commit 72600226 (Add new version of image loading.) this API was changed to a more flexible linked list approach, and the old parameter structure was copied into all platforms that still used the old format. This duplicated code unnecessarily among all these platforms. This patch adds a helper function that platforms can optionally link to outsource the task of interpreting arg0. Many platforms are just interested in the BL32 and BL33 entry point information anyway. Since some platforms still need to support the old version 1 parameters, the helper will support both formats when ERROR_DEPRECATED == 0. This allows those platforms to drop a bunch of boilerplate code and asynchronously update their BL2 implementation to the newer format. Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
Julius Werner authored
This patch adds a new include/export/ directory meant for inclusion in third-party code. This is useful for cases where third-party code needs to interact with TF-A interfaces and data structures (such as a custom BL2-implementation like coreboot handing off to BL31). Directly including headers from the TF-A repository avoids having to duplicate all these definitions (and risk them going stale), but with the current header structure this is not possible because handoff API definitions are too deeply intertwined with other TF code/headers and chain-include other headers that will not be available in the other environment. The new approach aims to solve this by separating only the parts that are really needed into these special headers that are self-contained and will not chain-include other (non-export) headers. TF-A code should never include them directly but should instead always include the respective wrapper header, which will include the required prerequisites (like <stdint.h>) before including the export header. Third-party code can include the export headers via its own wrappers that make sure the necessary definitions are available in whatever way that environment can provide them. Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab Signed-off-by: Julius Werner <jwerner@chromium.org>
-
Julius Werner authored
It's not a good idea to use u_register_t for the members of aapcs64_params_t and aapcs32_params_t, since the width of that type always depends on the current execution environment. This would cause problems if e.g. we used this structure to set up the entry point of an AArch32 program from within an AArch64 program. (It doesn't seem like any code is doing that today, but it's probably still a good idea to write this defensively. Also, it helps with my next patch.) Change-Id: I12c04a85611f2b6702589f3362bea3e6a7c9f776 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 23 Jul, 2019 1 commit
-
-
Ambroise Vincent authored
The watchdog is configured with a default value of 256 seconds in order to implement the Trusted Board Boot Requirements. For the FVP and Juno platforms, the FWU process relies on a watchdog reset. In order to automate the test of FWU, the length of this process needs to be as short as possible. Instead of waiting for those 4 minutes to have a reset by the watchdog, tell it to reset immediately. There are no side effects as the value of the watchdog's load register resets to 0xFFFFFFFF. Tested on Juno. Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 18 Jul, 2019 1 commit
-
-
Julius Werner authored
This patch adds some common helper code to support a lightweight platform parameter passing framework between BLs that has already been used on Rockchip platforms but is more widely useful to others as well. It can be used as an implementation for the SoC firmware configuration file mentioned in the docs, and is primarily intended for platforms that only require a handful of values to be passed and want to get by without a libfdt dependency. Parameters are stored in a linked list and the parameter space is split in generic and vendor-specific parameter types. Generic types will be handled by this code whereas vendor-specific types have to be handled by a vendor-specific handler function that gets passed in. Change-Id: If3413d44e86b99d417294ce8d33eb2fc77a6183f Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 16 Jul, 2019 3 commits
-
-
Louis Mayencourt authored
Change-Id: Iab767e9937f5c6c8150953fcdc3b37e8ee83fa63 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Remi Pommarel authored
Use v2 xlat tables library instead of v1 for marvell platforms. Signed-off-by: Remi Pommarel <repk@triplefau.lt> Change-Id: I838a6a878a8353e84eea9529721761b478943f0a
-
Ambroise Vincent authored
Update the skeleton implementation of the console interface. The 32 bit version was outdated and has been copied from the 64 bit version. Change-Id: Ib3e4eb09402ffccb1a30c703a53829a7bf064dfe Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 12 Jul, 2019 2 commits
-
-
Soby Mathew authored
This patch enables MTE for Normal world if the CPU suppors it. Enabling MTE for secure world will be done later. Change-Id: I9ef64460beaba15e9a9c20ab02da4fb2208b6f7d Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
Justin Chadwell authored
This consists of ensuring that the left operand of each shift is unsigned when the operation might overflow into the sign bit. Change-Id: Iddd6f38139a4c6e500468b4fc48d04e0939f574e Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-