- 08 Jan, 2018 2 commits
-
-
Antonio Nino Diaz authored
The Secure Partition should be able to be used from any CPU, not just the lead one. This patch point the secure contexts of all secondary CPUs to the same one used by the lead CPU for the Secure Partition. This way, they can also use it. In order to prevent more than one CPU from using the Secure Partition at the same time, a lock has been added. Change-Id: Ica76373127c3626498b06c558a4874ce72201ff7 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Whether a Secure Partition is being initialized or not is something related to that specific partition, so it should be saved with the rest of the information related to it. Change-Id: Ie8a780f70df83fb03ef9c01ba37960208d9b5319 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Dec, 2017 1 commit
-
-
Sandrine Bailleux authored
This partially reverts commit d6b532b5 , keeping only the fixes to the assertions. The changes related to the order of arguments passed to the secure partition were not correct and violated the specification of the SP_EVENT_COMPLETE SMC. This patch also improves the MM_COMMUNICATE argument validation. The cookie argument, as it comes from normal world, can't be trusted and thus needs to always be validated at run time rather than using an assertion. Also validate the communication buffer address and return INVALID_PARAMETER if it is zero, as per the MM specification. Fix a few typos in comments and use the "secure partition" terminology rather than "secure payload". Change-Id: Ice6b7b5494b729dd44611f9a93d362c55ab244f7 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 06 Dec, 2017 3 commits
-
-
Antonio Nino Diaz authored
A new platform define, `PLAT_SP_IMAGE_XLAT_SECTION_NAME`, has been introduced to select the section where the translation tables used by the S-EL1/S-EL0 are placed. This define has been used to move the translation tables to DRAM secured by TrustZone. Most of the extra needed space in BL31 when SPM is enabled is due to the large size of the translation tables. By moving them to this memory region we can save 44 KiB. A new argument has been added to REGISTER_XLAT_CONTEXT2() to specify the region where the translation tables have to be placed by the linker. Change-Id: Ia81709b4227cb8c92601f0caf258f624c0467719 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Common code mustn't include ARM platforms headers. Change-Id: Ib6e4f5a77c2d095e6e8c3ad89c89cb1959cd3043 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Jeenu Viswambharan authored
At present, both SDEI_PRIVATE_RESET and SDEI_SHARED_RESET returns SDEI_PENDING if they fail to unregister an event. The SDEI specification however requires that the APIs return SDEI_EDENY in these cases. This patch fixes the return codes for the reset APIs. Change-Id: Ic14484c91fa8396910387196c256d1ff13d03afd Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 05 Dec, 2017 2 commits
-
-
Sandrine Bailleux authored
Rename SP_COMMUNICATE_AARCH32/AARCH64 into MM_COMMUNICATE_AARCH32/AARCH64 to align with the MM specification [1]. [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0060a/DEN0060A_ARM_MM_Interface_Specification.pdf Change-Id: I478aa4024ace7507d14a5d366aa8e20681075b03 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Antonio Nino Diaz authored
The defines have been renamed to match the names used in the documentation. Change-Id: I2f18b65112d2db040a89d5a8522e9790c3e21628 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 20 Nov, 2017 2 commits
-
-
Jeenu Viswambharan authored
The SDEI specification requires that binding a client interrupt dispatches SDEI Normal priority event. This means that dynamic events can't have Critical priority. Add asserts for this. Change-Id: I0bdd9e0e642fb2b61810cb9f4cbfbd35bba521d1 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Change-Id: Ic381ab5d03ec68c7f6e8d357ac2e2cbf0cc6b2e8 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 15 Nov, 2017 2 commits
-
-
Antonio Nino Diaz authored
The parameters passed to the Secure world from the Secure Partition Manager when invoking SP_COMMUNICATE_AARCH32/64 were incorrect, as well as the checks done on them. Change-Id: I26e8c80cad0b83437db7aaada3d0d9add1c53a78 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The code was incorrectly reading from ID_AA64PRF0_EL1 instead of ID_AA64MMFR0_EL1 causing the supported granularity sizes returned by the code to be wrong. This wasn't causing any problem because it's just used to check the alignment of the base of the buffer shared between Non-secure and Secure worlds, and it was aligned to more than 64 KiB, which is the maximum granularity supported by the architecture. Change-Id: Icc0d949d9521cc0ef13afb753825c475ea62d462 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 13 Nov, 2017 3 commits
-
-
Jeenu Viswambharan authored
Change-Id: Iee617a3528225349b6eede2f8abb26da96640678 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
This allows for other EL3 components to schedule an SDEI event dispatch to Normal world upon the next ERET. The API usage constrains are set out in the SDEI dispatcher documentation. Documentation to follow. Change-Id: Id534bae0fd85afc94523490098c81f85c4e8f019 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The implementation currently supports only interrupt-based SDEI events, and supports all interfaces as defined by SDEI specification version 1.0 [1]. Introduce the build option SDEI_SUPPORT to include SDEI dispatcher in BL31. Update user guide and porting guide. SDEI documentation to follow. [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf Change-Id: I758b733084e4ea3b27ac77d0259705565842241a Co-authored-by: Yousuf A <yousuf.sait@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 10 Nov, 2017 1 commit
-
-
Antonio Nino Diaz authored
The MP info struct is placed right after the boot info struct. However, when calculating the address of the MP info, the size of the boot info struct was being multiplied by the size of the MP boot info. This left a big gap of empty space between the structs. This didn't break any code because the boot info struct has a pointer to the MP info struct. It was just wasting space. Change-Id: I1668e3540d9173261968f6740623549000bd48db Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 08 Nov, 2017 2 commits
-
-
Antonio Nino Diaz authored
A Secure Partition is a software execution environment instantiated in S-EL0 that can be used to implement simple management and security services. Since S-EL0 is an unprivileged exception level, a Secure Partition relies on privileged firmware e.g. ARM Trusted Firmware to be granted access to system and processor resources. Essentially, it is a software sandbox that runs under the control of privileged software in the Secure World and accesses the following system resources: - Memory and device regions in the system address map. - PE system registers. - A range of asynchronous exceptions e.g. interrupts. - A range of synchronous exceptions e.g. SMC function identifiers. A Secure Partition enables privileged firmware to implement only the absolutely essential secure services in EL3 and instantiate the rest in a partition. Since the partition executes in S-EL0, its implementation cannot be overly complex. The component in ARM Trusted Firmware responsible for managing a Secure Partition is called the Secure Partition Manager (SPM). The SPM is responsible for the following: - Validating and allocating resources requested by a Secure Partition. - Implementing a well defined interface that is used for initialising a Secure Partition. - Implementing a well defined interface that is used by the normal world and other secure services for accessing the services exported by a Secure Partition. - Implementing a well defined interface that is used by a Secure Partition to fulfil service requests. - Instantiating the software execution environment required by a Secure Partition to fulfil a service request. Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f Co-authored-by: Douglas Raillard <douglas.raillard@arm.com> Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Co-authored-by: Achin Gupta <achin.gupta@arm.com> Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
A line in the upstream SPDs is only compiled in in `DEBUG` builds. This line is used to help with assertions and so assertion failures can happen in release builds with assertions enabled. Use `ENABLE_ASSERTIONS` instead of `DEBUG`. This bug was introduced in commit aa61368e , which introduced the build option `ENABLE_ASSERTIONS`. Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 19 Sep, 2017 1 commit
-
-
Aijun Sun authored
Currently, Trusty OS/LK implemented FPU context switch in internal thread switch but does not implement the proper mechanism for world switch. This commit just simply saves/restores FPU registes in world switch to prevent FPU context from being currupted when Trusty OS uses VFP in its applications. It should be noted that the macro *CTX_INCLUDE_FPREGS* must be defined in trusty.mk if Trusty OS uses VFP Signed-off-by: Aijun Sun <aijun.sun@spreadtrum.com>
-
- 24 Aug, 2017 1 commit
-
-
Jens Wiklander authored
Pass device tree pointer to OP-TEE in x2. bl2 is expected to fill in the device tree pointer in args.arg3. Passing 0 means that device tree is unavailable. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
-
- 09 Aug, 2017 1 commit
-
-
Edison Ai authored
ARM TF need transfer information about pageable image load address and memory limit to OPTEE. OPTEE will relocate the pageable image to where it's needed. The legacy OP-TEE images that do not include header information are not affected. Change-Id: Id057efbbc894de7c36b2209b391febea4729c455 Signed-off-by: Edison Ai <edison.ai@arm.com>
-
- 12 Jul, 2017 1 commit
-
-
Isla Mitchell authored
This fix modifies the order of system includes to meet the ARM TF coding standard. There are some exceptions in order to retain header groupings, minimise changes to imported headers, and where there are headers within the #if and #ifndef statements. Change-Id: I65085a142ba6a83792b26efb47df1329153f1624 Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
-
- 14 Jun, 2017 1 commit
-
-
Varun Wadekar authored
This patch enables the 'sign-compare' flag, to enable warning/errors for comparisons between signed/unsigned variables. The warning has been enabled for all the Tegra platforms, to start with. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 04 May, 2017 1 commit
-
-
David Cunado authored
Since Issue B (November 2016) of the SMC Calling Convention document standard SMC calls are renamed to yielding SMC calls to help avoid confusion with the standard service SMC range, which remains unchanged. http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd A previous patch introduced a new define for yielding SMC call type. This patch updates the secure payload dispatchers (except the TSPD) to use this new define and also migrates the code to use the new terminology. Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 26 Apr, 2017 1 commit
-
-
David Cunado authored
Since Issue B (November 2016) of the SMC Calling Convention document standard SMC calls are renamed to yielding SMC calls to help avoid confusion with the standard service SMC range, which remains unchanged. http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf This patch adds a new define for yielding SMC call type and deprecates the current standard SMC call type. The tsp is migrated to use this new terminology and, additionally, the documentation and code comments are updated to use this new terminology. Change-Id: I0d7cc0224667ee6c050af976745f18c55906a793 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 20 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
SMC_RET0 should only be used when the SMC code works as a function that returns void. If the code of the SMC uses SMC_RET1 to return a value to signify success and doesn't return anything in case of an error (or the other way around) SMC_RET1 should always be used to return clearly identifiable values. This patch fixes two cases in which the code used SMC_RET0 instead of SMC_RET1. It also introduces the define SMC_OK to use when an SMC must return a value to tell that it succeeded, the same way as SMC_UNK is used in case of failure. Change-Id: Ie4278b51559e4262aced13bbde4e844023270582 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Mar, 2017 7 commits
-
-
Varun Wadekar authored
This patch removes support for running Trusty in the AARCH32 mode as all platforms use it in only AARCH64 mode. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
This patch uses the stack end to start saving the CPU context during world switch. The previous logic, used the stack start to save the context, thus overwriting the other members of the context. Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
If Trusty is not running on the device, then Verified Boot is not supported and the NS layer will fail gracefully later during boot. This patch just returns success for the case when Trusty is not running on the device and the bootloader issues SET_ROT_PARAMS call during boot, so that we can at least boot non-Android images. Change-Id: I40fc249983df80fb8cc5be5e4ce94c99d5b5f17d Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Varun Wadekar authored
This patch checks if standard SMC calls, meant for TLK, are issued only on the boot CPU. TLK is UP Trusted OS stack and so we need this check to avoid the NS world calling into TLK from any other CPU. The previous check tied TLK to CPU0, but the boot CPU can be other than CPU0 in some scenarios. Change-Id: I75eaafa32471ce19e9920433c2f97b6b5fc02d86 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Wayne Lin authored
This patch passes the boot parameters, provided by the previous bootloader, to the Trusted OS via X0, X1 and X2. Original change by: Wayne Lin <wlin@nvidia.com> Change-Id: I2039612a8a8226158babfd505ce8c31c4212319c Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Anthony Zhou authored
In multi-guest trusty environment, all guest's SMCs will be forwarded to Trusty. This change only allows 1 guest's SMC to be forwarded at a time and returns 'busy' status to all other requests. Change-Id: I2144467d11e3680e28ec816adeec2766bca114d4 Signed-off-by: Anthony Zhou <anzhou@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Anthony Zhou authored
According to the ARM DEN0028A spec, hypervisor ID(VMID) should be stored in x7 (or w7). This patch gets this value from the context and passes it to Trusty. In order to do so, introduce new macros to pass five to eight parameters to the Trusted OS. Change-Id: I101cf45d0712e1e880466b2274f9a48af755c9fa Signed-off-by: Anthony Zhou <anzhou@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 23 Feb, 2017 2 commits
-
-
Amith authored
This patch uses the OEN_TAP_START aperture for all the standard calls being passed to Trusty. Change-Id: Id78d01c7f48e4f54855600d7c789ffbfb898c541 Signed-off-by: Amith <aramachan@nvidia.com> Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Douglas Raillard authored
ABORT SMC used to return to the previously executing world, which happened to be S-EL1 as it calls a TSP handler using synchronous entry into the TSP. Now properly save and restore the non-secure context (including system registers) and return to non-secure world as it should. fixes ARM-Software/tf-issues#453 Change-Id: Ie40c79ca2636ab8b6b2ab3106e8f49e0f9117f5f Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Replace all use of memset by zeromem when zeroing moderately-sized structure by applying the following transformation: memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x)) As the Trusted Firmware is compiled with -ffreestanding, it forbids the compiler from using __builtin_memset and forces it to generate calls to the slow memset implementation. Zeromem is a near drop in replacement for this use case, with a more efficient implementation on both AArch32 and AArch64. Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 26 Jan, 2017 1 commit
-
-
David Cunado authored
With GCC 6.2 compiler, more C undefined behaviour is being flagged as warnings, which result in build errors in ARM TF build. The specific issue that this patch resolves is the use of (1 << 31), which is predominantly used in case statements, where 1 is represented as a signed int. When shifted to msb the behaviour is undefined. The resolution is to specify 1 as an unsigned int using a convenience macro ULL(). A duplicate macro MAKE_ULL() is replaced. Fixes ARM-software/tf-issues#438 Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 23 Dec, 2016 1 commit
-
-
Douglas Raillard authored
Standard SMC requests that are handled in the secure-world by the Secure Payload can be preempted by interrupts that must be handled in the normal world. When the TSP is preempted the secure context is stored and control is passed to the normal world to handle the non-secure interrupt. Once completed the preempted secure context is restored. When restoring the preempted context, the dispatcher assumes that the TSP preempted context is still stored as the SECURE context by the context management library. However, PSCI power management operations causes synchronous entry into TSP. This overwrites the preempted SECURE context in the context management library. When restoring back the SECURE context, the Secure Payload crashes because this context is not the preempted context anymore. This patch avoids corruption of the preempted SECURE context by aborting any preempted SMC during PSCI power management calls. The abort_std_smc_entry hook of the TSP is called when aborting the SMC request. It also exposes this feature as a FAST SMC callable from normal world to abort preempted SMC with FID TSP_FID_ABORT. Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 30 Nov, 2016 1 commit
-
-
Sandrine Bailleux authored
Add a debug assertion in the initialization function of Trusty's SPD to check for the presence of Trusty. If Trusty is absent then the SPD's setup function already detects it and returns an error code so the init function will never been called. Therefore, a debug assertion is enough to catch this improbable error case. Change-Id: Id20013e9291cdeef7827b919de2a22455f6cd9f9 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-