1. 20 Dec, 2019 3 commits
    • Paul Beesley's avatar
      spm-mm: Refactor secure_partition.h and its contents · aeaa225c
      Paul Beesley authored
      
      
      Before adding any new SPM-related components we should first do
      some cleanup around the existing SPM-MM implementation. The aim
      is to make sure that any SPM-MM components have names that clearly
      indicate that they are MM-related. Otherwise, when adding new SPM
      code, it could quickly become confusing as it would be unclear to
      which component the code belongs.
      
      The secure_partition.h header is a clear example of this, as the
      name is generic so it could easily apply to any SPM-related code,
      when it is in fact SPM-MM specific.
      
      This patch renames the file and the two structures defined within
      it, and then modifies any references in files that use the header.
      
      Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      aeaa225c
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  2. 19 Dec, 2019 1 commit
  3. 18 Dec, 2019 1 commit
  4. 17 Dec, 2019 2 commits
  5. 10 Dec, 2019 1 commit
    • Ambroise Vincent's avatar
      arm: gicv3: Fix compiler dependent behavior · d0196911
      Ambroise Vincent authored
      
      
      C99 standard: "What constitutes an access to an object that has
      volatile-qualified type is implementation-defined".
      
      GCC is not considering the cast to void of volatile structures as an
      access and so is not actually issuing reads.
      
      Clang does read those structures by copying them on the stack, which in
      this case creates an overflow because of their large size.
      
      This patch removes the cast to void and instead uses the USED attribute
      to tell the compiler to retain the static variables.
      
      Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      	       Zelalem Aweke <zelalem.aweke@arm.com>
      d0196911
  6. 09 Dec, 2019 1 commit
    • Louis Mayencourt's avatar
      Use the proper size for tb_fw_cfg_dtb · 6c77dfc5
      Louis Mayencourt authored
      
      
      Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page
      (but depend on the platform). Instead, read the actual size of the dtb
      with the libfdt "fdt_totalsize" function.
      This avoid flushing extra memory after updating the dtb with mbedtls
      heap information when shared heap is used.
      
      Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c77dfc5
  7. 07 Nov, 2019 1 commit
  8. 05 Nov, 2019 1 commit
  9. 21 Oct, 2019 1 commit
    • Manish Pandey's avatar
      plat/arm: use Aff3 bits also to validate mpidr · b30646a8
      Manish Pandey authored
      
      
      There are some platforms which uses MPIDR Affinity level 3 for storing
      extra affinity information e.g. N1SDP uses it for keeping chip id in a
      multichip setup, for such platforms MPIDR validation should not fail.
      
      This patch adds Aff3 bits also as part of mpidr validation mask, for
      platforms which does not uses Aff3 will not have any impact as these
      bits will be all zeros.
      
      Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      b30646a8
  10. 26 Sep, 2019 1 commit
  11. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  12. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
  13. 23 Jul, 2019 1 commit
    • Ambroise Vincent's avatar
      arm: Shorten the Firmware Update (FWU) process · 37b70031
      Ambroise Vincent authored
      
      
      The watchdog is configured with a default value of 256 seconds in order
      to implement the Trusted Board Boot Requirements.
      
      For the FVP and Juno platforms, the FWU process relies on a watchdog
      reset. In order to automate the test of FWU, the length of this process
      needs to be as short as possible. Instead of waiting for those 4 minutes
      to have a reset by the watchdog, tell it to reset immediately.
      
      There are no side effects as the value of the watchdog's load register
      resets to 0xFFFFFFFF.
      
      Tested on Juno.
      
      Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      37b70031
  14. 28 Jun, 2019 1 commit
  15. 11 Jun, 2019 1 commit
  16. 15 May, 2019 1 commit
    • Sami Mujawar's avatar
      N1SDP: Initialise CNTFRQ in Non Secure CNTBaseN · 603b372e
      Sami Mujawar authored
      
      
      N1SDP exhibits the behavior similar to Juno wherein CNTBaseN.CNTFRQ
      can be written but does not reflect the value of the CNTFRQ register
      in CNTCTLBase frame. This doesn't follow ARM ARM in that the value
      updated in CNTCTLBase.CNTFRQ is not reflected in CNTBaseN.CNTFRQ.
      
      Hence enable the workaround (applied to Juno) for N1SDP that updates
      the CNTFRQ register in the Non Secure CNTBaseN frame.
      
      Change-Id: Id89ee1bca0f25c9d62f8f794f2c4f4e618cdf092
      Signed-off-by: default avatarSami Mujawar <sami.mujawar@arm.com>
      603b372e
  17. 10 May, 2019 1 commit
    • Alexei Fedorov's avatar
      SMMUv3: Abort DMA transactions · 1461ad9f
      Alexei Fedorov authored
      
      
      For security DMA should be blocked at the SMMU by default
      unless explicitly enabled for a device. SMMU is disabled
      after reset with all streams bypassing the SMMU, and
      abortion of all incoming transactions implements a default
      deny policy on reset.
      This patch also moves "bl1_platform_setup()" function from
      arm_bl1_setup.c to FVP platforms' fvp_bl1_setup.c and
      fvp_ve_bl1_setup.c files.
      
      Change-Id: Ie0ffedc10219b1b884eb8af625bd4b6753749b1a
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      1461ad9f
  18. 24 Apr, 2019 1 commit
  19. 17 Apr, 2019 1 commit
    • Aditya Angadi's avatar
      plat/arm: introduce wrapper functions to setup secure watchdog · b0c97daf
      Aditya Angadi authored
      
      
      The BL1 stage setup code for ARM platforms sets up the SP805 watchdog
      controller as the secure watchdog. But not all ARM platforms use SP805
      as the secure watchdog controller.
      
      So introduce two new ARM platform code specific wrapper functions to
      start and stop the secure watchdog. These functions then replace the
      calls to SP805 driver in common BL1 setup code. All the ARM platforms
      implement these wrapper functions by either calling into SP805 driver
      or the SBSA watchdog driver.
      
      Change-Id: I1a9a11b124cf3fac2a84f22ca40acd440a441257
      Signed-off-by: default avatarAditya Angadi <aditya.angadi@arm.com>
      b0c97daf
  20. 14 Mar, 2019 1 commit
    • Sandrine Bailleux's avatar
      Put Pointer Authentication key value in BSS section · 47102b35
      Sandrine Bailleux authored
      
      
      The dummy implementation of the plat_init_apiakey() platform API uses
      an internal 128-bit buffer to store the initial key value used for
      Pointer Authentication support.
      
      The intent - as stated in the file comments - was for this buffer to
      be write-protected by the MMU. Initialization of the buffer would be
      performed before enabling the MMU, thus bypassing write protection
      checks.
      
      However, the key buffer ended up into its own read-write section by
      mistake due to a typo on the section name ('rodata.apiakey' instead of
      '.rodata.apiakey', note the leading dot). As a result, the linker
      script was not pulling it into the .rodata output section.
      
      One way to address this issue could have been to fix the section
      name. However, this approach does not work well for BL1. Being the
      first image in the boot flow, it typically is sitting in real ROM
      so we don't have the capacity to update the key buffer at any time.
      
      The dummy implementation of plat_init_apiakey() provided at the moment
      is just there to demonstrate the Pointer Authentication feature in
      action. Proper key management and key generation would have to be a
      lot more careful on a production system.
      
      Therefore, the approach chosen here to leave the key buffer in
      writable memory but move it to the BSS section. This does mean that
      the key buffer could be maliciously updated for intalling unintended
      keys on the warm boot path but at the feature is only at an
      experimental stage right now, this is deemed acceptable.
      
      Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      47102b35
  21. 27 Feb, 2019 1 commit
  22. 19 Feb, 2019 2 commits
    • Usama Arif's avatar
      plat/arm: Support for Cortex A5 in FVP Versatile Express platform · 8f73663b
      Usama Arif authored
      
      
      Cortex A5 doesnt support VFP, Large Page addressing and generic timer
      which are addressed in this patch. The device tree for Cortex a5
      is also included.
      
      Change-Id: I0722345721b145dfcc80bebd36a1afbdc44bb678
      Signed-off-by: default avatarUsama Arif <usama.arif@arm.com>
      8f73663b
    • Usama Arif's avatar
      plat/arm: Introduce FVP Versatile Express platform. · 6393c787
      Usama Arif authored
      
      
      This patch adds support for Versatile express FVP (Fast models).
      Versatile express is a family of platforms that are based on ARM v7.
      Currently this port has only been tested on Cortex A7, although it
      should work with other ARM V7 cores that support LPAE, generic timers,
      VFP and hardware divide. Future patches will support other
      cores like Cortex A5 that dont support features like LPAE
      and hardware divide. This platform is tested on and only expected to
      work on single core models.
      
      Change-Id: I10893af65b8bb64da7b3bd851cab8231718e61dd
      Signed-off-by: default avatarUsama Arif <usama.arif@arm.com>
      6393c787
  23. 18 Feb, 2019 1 commit
  24. 01 Feb, 2019 3 commits
  25. 25 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      plat/arm: Sanitise includes · bd9344f6
      Antonio Nino Diaz authored
      
      
      Use full include paths like it is done for common includes.
      
      This cleanup was started in commit d40e0e08283a ("Sanitise includes
      across codebase"), but it only cleaned common files and drivers. This
      patch does the same to Arm platforms.
      
      Change-Id: If982e6450bbe84dceb56d464e282bcf5d6d9ab9b
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      bd9344f6
  26. 23 Jan, 2019 1 commit
    • Sathees Balya's avatar
      plat/arm: Save BL2 descriptors to reserved memory. · 5b8d50e4
      Sathees Balya authored
      
      
      On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
      descriptors describing the list of executable images are created in BL2
      R/W memory, which could be possibly corrupted later on by BL31/BL32 due
      to overlay. This patch creates a reserved location in SRAM for these
      descriptors and are copied over by BL2 before handing over to next BL
      image.
      
      Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
      is enabled.
      
      Fixes ARM-Software/tf-issues#626
      
      Change-Id: I755735706fa702024b4032f51ed4895b3687377f
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      5b8d50e4
  27. 22 Jan, 2019 1 commit
  28. 15 Jan, 2019 3 commits
    • Paul Beesley's avatar
      Correct typographical errors · 8aabea33
      Paul Beesley authored
      
      
      Corrects typos in core code, documentation files, drivers, Arm
      platforms and services.
      
      None of the corrections affect code; changes are limited to comments
      and other documentation.
      
      Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      8aabea33
    • Antonio Nino Diaz's avatar
      plat/arm: Fix header dependencies · 234bc7f8
      Antonio Nino Diaz authored
      
      
      From now on, platform_def.h must include any header with definitions that
      are platform-specific (like arm_def.h) and the included headers mustn't
      include back platform_def.h, and shouldn't be used by other files. Only
      platform_def.h should be included in other files. This will ensure that all
      needed definitions are present, rather than needing to include all the
      headers in all the definitions' headers just in case.
      
      This also prevents problems like cyclic dependencies.
      
      Change-Id: I9d3cf4d1de4b956fa035c79545222697acdaf5ca
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      234bc7f8
    • Antonio Nino Diaz's avatar
      Move BL1 and BL2 private defines to bl_common.h · c9f9d9ea
      Antonio Nino Diaz authored
      
      
      The definitions in bl1/bl1_private.h and bl2/bl2_private.h are useful for
      platforms that may need to access them.
      
      Change-Id: Ifd1880f855ddafcb3bfcaf1ed4a4e0f121eda174
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c9f9d9ea
  29. 07 Jan, 2019 1 commit
  30. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  31. 19 Dec, 2018 1 commit
  32. 11 Dec, 2018 1 commit