1. 18 Sep, 2019 1 commit
  2. 13 Sep, 2019 5 commits
    • Andre Przywara's avatar
      Add fdt_add_reserved_memory() helper function · 3ef45dda
      Andre Przywara authored
      
      
      If a firmware component like TF-A reserves special memory regions for
      its own or secure payload services, it should announce the location and
      size of those regions to the non-secure world. This will avoid
      disappointment when some rich OS tries to acccess this memory, which
      will likely end in a crash.
      
      The traditional way of advertising reserved memory using device tree is
      using the special memreserve feature of the device tree blob (DTB).
      However by definition those regions mentioned there do not prevent the
      rich OS to map this memory, which may lead to speculative accesses to
      this memory and hence spurious bus errors.
      
      A safer way of carving out memory is to use the /reserved-memory node as
      part of the normal DT structure. Besides being easier to setup, this
      also defines an explicit "no-map" property to signify the secure-only
      nature of certain memory regions, which avoids the rich OS to
      accidentally step on it.
      
      Add a helper function to allow platform ports to easily add a region.
      
      Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      3ef45dda
    • Andre Przywara's avatar
      rpi3: Move rng driver to drivers · 990ab78e
      Andre Przywara authored
      
      
      To allow sharing the driver between the RPi3 and RPi4, move the random
      number generator driver into the generic driver directory.
      
      Change-Id: Iae94d7cb22c6bce3af9bff709d76d4caf87b14d1
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      990ab78e
    • Andre Przywara's avatar
      qemu: Move and generalise FDT PSCI fixup · f240728b
      Andre Przywara authored
      
      
      The QEMU platform port scans its device tree to advertise PSCI as the
      CPU enable method. It does this by scanning *every* node in the DT and
      check whether its compatible string starts with "arm,cortex-a". Then it
      sets the enable-method to PSCI, if it doesn't already have one.
      
      Other platforms might want to use this functionality as well, so let's
      move it out of the QEMU platform directory and make it more robust by
      fixing some shortcomings:
      - A compatible string starting with a certain prefix is not a good way
      to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will
      match as well and is in turn favoured with an enable-method.
      - If the DT already has an enable-method, we won't change this to PSCI.
      
      Those two issues will for instance fail on the Raspberry Pi 4 DT.
      To fix those problems, we adjust the scanning method:
      The DT spec says that all CPU nodes are subnodes of the mandatory
      /cpus node, which is a subnode of the root node. Also each CPU node has
      to have a device_type = "cpu" property. So we find the /cpus node, then
      scan for a subnode with the proper device_type, forcing the
      enable-method to "psci".
      We have to restart this search after a property has been patched, as the
      node offsets might have changed meanwhile.
      
      This allows this routine to be reused for the Raspberry Pi 4 later.
      
      Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      f240728b
    • Andre Przywara's avatar
      rpi3: Move VC mailbox driver into generic drivers directory · c0031189
      Andre Przywara authored
      
      
      To allow sharing the driver between the RPi3 and RPi4, move the mailbox
      driver into the generic driver directory.
      
      Change-Id: I463e49acf82b02bf004f3d56482b7791f3020bc0
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      c0031189
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  3. 12 Sep, 2019 2 commits
  4. 11 Sep, 2019 2 commits
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
    • Masahiro Yamada's avatar
      libc: fix sparse warning for __assert() · f906a44e
      Masahiro Yamada authored
      
      
      Sparse warns this:
      
      lib/libc/assert.c:29:6: error: symbol '__assert' redeclared with different type (originally declared at include/lib/libc/assert.h:36) - different modifiers
      
      Add __dead2 to match the header declaration and C definition.
      
      I also changed '__dead2 void' to 'void __dead2' for the consistency
      with other parts.
      
      Change-Id: Iefa4f0e787c24fa7e7e499d2e7baf54d4deb49ef
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      f906a44e
  5. 10 Sep, 2019 2 commits
  6. 09 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9dd94382
  7. 05 Sep, 2019 2 commits
  8. 04 Sep, 2019 1 commit
    • Masahiro Yamada's avatar
      mbedtls: use #include <...> instead of "..." · 948a0c0d
      Masahiro Yamada authored
      
      
      The #include "mbedtls/check_config.h" directive first searches for
      the header in the relative path to mbedtls_config.h, i.e.
      include/drivers/auth/mbedtls/mbedtls/check_config.h
      
      Obviously, it does not exist since check_config.h is located in
      the mbedtls project.
      
      It is more sensible to use #include <...> form.
      
      Change-Id: If72a71381f84e7748a2c9f07dd1176559d9bb1d2
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      948a0c0d
  9. 02 Sep, 2019 2 commits
  10. 21 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      AArch64: Disable Secure Cycle Counter · e290a8fc
      Alexei Fedorov authored
      
      
      This patch fixes an issue when secure world timing information
      can be leaked because Secure Cycle Counter is not disabled.
      For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
      bit on CPU cold/warm boot.
      For the earlier architectures PMCR_EL0 register is saved/restored
      on secure world entry/exit from/to Non-secure state, and cycle
      counting gets disabled by setting PMCR_EL0.DP bit.
      'include\aarch64\arch.h' header file was tided up and new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      e290a8fc
  11. 19 Aug, 2019 1 commit
  12. 16 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      FVP_Base_AEMv8A platform: Fix cache maintenance operations · ef430ff4
      Alexei Fedorov authored
      
      
      This patch fixes FVP_Base_AEMv8A model hang issue with
      ARMv8.4+ with cache modelling enabled configuration.
      Incorrect L1 cache flush operation to PoU, using CLIDR_EL1
      LoUIS field, which is required by the architecture to be
      zero for ARMv8.4-A with ARMv8.4-S2FWB feature is replaced
      with L1 to L2 and L2 to L3 (if L3 is present) cache flushes.
      FVP_Base_AEMv8A model can be configured with L3 enabled by
      setting `cluster0.l3cache-size` and `cluster1.l3cache-size`
      to non-zero values, and presence of L3 is checked in
      `aem_generic_core_pwr_dwn` function by reading
      CLIDR_EL1.Ctype3 field value.
      
      Change-Id: If3de3d4eb5ed409e5b4ccdbc2fe6d5a01894a9af
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ef430ff4
  13. 15 Aug, 2019 1 commit
  14. 01 Aug, 2019 2 commits
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
    • Julius Werner's avatar
      Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define it's own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d5dfdeb6
  15. 31 Jul, 2019 1 commit
  16. 25 Jul, 2019 2 commits
    • Gilad Ben-Yossef's avatar
      cryptocell: add product version awareness support · 76f3c7dc
      Gilad Ben-Yossef authored
      
      
      Add support for multiple Cryptocell revisions which
      use different APIs.
      
      This commit only refactors the existing code in preperation to the addition
      of another Cryptocell revisions later on.
      Signed-off-by: default avatarGilad Ben-Yossef <gilad.benyossef@arm.com>
      Change-Id: I16d80b31afb6edd56dc645fee5ea619cc74f09b6
      76f3c7dc
    • Gilad Ben-Yossef's avatar
      cryptocell: move Cryptocell specific API into driver · 36ec2bb0
      Gilad Ben-Yossef authored
      
      
      Code using Cryptocell specific APIs was used as part of the
      arm common board ROT support, instead of being abstracted
      in Cryptocell specific driver code, creating two problems:
      - Any none arm board that uses Cryptocell wuld need to
        copy and paste the same code.
      - Inability to cleanly support multiple versions of Cryptocell
        API and products.
      
      Move over Cryptocell specific API calls into the Cryptocell
      driver, creating abstraction API where needed.
      Signed-off-by: default avatarGilad Ben-Yossef <gilad.benyossef@arm.com>
      Change-Id: I9e03ddce90fcc47cfdc747098bece86dbd11c58e
      36ec2bb0
  17. 24 Jul, 2019 4 commits
    • John Tsichritzis's avatar
      SSBS: init SPSR register with default SSBS value · c250cc3b
      John Tsichritzis authored
      
      
      This patch introduces an additional precautionary step to further
      enhance protection against variant 4. During the context initialisation
      before we enter the various BL stages, the SPSR.SSBS bit is explicitly
      set to zero. As such, speculative loads/stores are by default disabled
      for all BL stages when they start executing. Subsequently, each BL
      stage, can choose to enable speculative loads/stores or keep them
      disabled.
      
      This change doesn't affect the initial execution context of BL33 which
      is totally platform dependent and, thus, it is intentionally left up to
      each platform to initialise.
      
      For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
      that, for Arm platforms, all BL stages start with speculative
      loads/stores disabled.
      
      Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      c250cc3b
    • Julius Werner's avatar
      Add helper to parse BL31 parameters (both versions) · d9af1f7b
      Julius Werner authored
      BL31 used to take a single bl31_params_t parameter structure with entry
      point information in arg0. In commit 72600226
      
       (Add new version of image
      loading.) this API was changed to a more flexible linked list approach,
      and the old parameter structure was copied into all platforms that still
      used the old format. This duplicated code unnecessarily among all these
      platforms.
      
      This patch adds a helper function that platforms can optionally link to
      outsource the task of interpreting arg0. Many platforms are just
      interested in the BL32 and BL33 entry point information anyway. Since
      some platforms still need to support the old version 1 parameters, the
      helper will support both formats when ERROR_DEPRECATED == 0. This allows
      those platforms to drop a bunch of boilerplate code and asynchronously
      update their BL2 implementation to the newer format.
      
      Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d9af1f7b
    • Julius Werner's avatar
      Factor out cross-BL API into export headers suitable for 3rd party code · 57bf6057
      Julius Werner authored
      
      
      This patch adds a new include/export/ directory meant for inclusion in
      third-party code. This is useful for cases where third-party code needs
      to interact with TF-A interfaces and data structures (such as a custom
      BL2-implementation like coreboot handing off to BL31). Directly
      including headers from the TF-A repository avoids having to duplicate
      all these definitions (and risk them going stale), but with the current
      header structure this is not possible because handoff API definitions
      are too deeply intertwined with other TF code/headers and chain-include
      other headers that will not be available in the other environment.
      
      The new approach aims to solve this by separating only the parts that
      are really needed into these special headers that are self-contained and
      will not chain-include other (non-export) headers. TF-A code should
      never include them directly but should instead always include the
      respective wrapper header, which will include the required prerequisites
      (like <stdint.h>) before including the export header. Third-party code
      can include the export headers via its own wrappers that make sure the
      necessary definitions are available in whatever way that environment can
      provide them.
      
      Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      57bf6057
    • Julius Werner's avatar
      Use explicit-width data types in AAPCS parameter structs · 9352be88
      Julius Werner authored
      
      
      It's not a good idea to use u_register_t for the members of
      aapcs64_params_t and aapcs32_params_t, since the width of that type
      always depends on the current execution environment. This would cause
      problems if e.g. we used this structure to set up the entry point of an
      AArch32 program from within an AArch64 program. (It doesn't seem like
      any code is doing that today, but it's probably still a good idea to
      write this defensively. Also, it helps with my next patch.)
      
      Change-Id: I12c04a85611f2b6702589f3362bea3e6a7c9f776
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9352be88
  18. 23 Jul, 2019 1 commit
    • Ambroise Vincent's avatar
      arm: Shorten the Firmware Update (FWU) process · 37b70031
      Ambroise Vincent authored
      
      
      The watchdog is configured with a default value of 256 seconds in order
      to implement the Trusted Board Boot Requirements.
      
      For the FVP and Juno platforms, the FWU process relies on a watchdog
      reset. In order to automate the test of FWU, the length of this process
      needs to be as short as possible. Instead of waiting for those 4 minutes
      to have a reset by the watchdog, tell it to reset immediately.
      
      There are no side effects as the value of the watchdog's load register
      resets to 0xFFFFFFFF.
      
      Tested on Juno.
      
      Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      37b70031
  19. 18 Jul, 2019 1 commit
    • Julius Werner's avatar
      Introduce lightweight BL platform parameter library · b852d229
      Julius Werner authored
      
      
      This patch adds some common helper code to support a lightweight
      platform parameter passing framework between BLs that has already been
      used on Rockchip platforms but is more widely useful to others as well.
      It can be used as an implementation for the SoC firmware configuration
      file mentioned in the docs, and is primarily intended for platforms
      that only require a handful of values to be passed and want to get by
      without a libfdt dependency. Parameters are stored in a linked list and
      the parameter space is split in generic and vendor-specific parameter
      types. Generic types will be handled by this code whereas
      vendor-specific types have to be handled by a vendor-specific handler
      function that gets passed in.
      
      Change-Id: If3413d44e86b99d417294ce8d33eb2fc77a6183f
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      b852d229
  20. 16 Jul, 2019 3 commits
  21. 12 Jul, 2019 2 commits
  22. 10 Jul, 2019 2 commits