GitLab

Provide a strong definition for plat_sdei_validate_sdei_entrypoint()
which translates client address to Physical Address, and then validating
the address to be present in DRAM.

Change-Id: Ib93eb66b413d638aa5524d1b3de36aa16d38ea11
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

EHF is a framework that allows dispatching of EL3 interrupts to their
respective handlers in EL3.

This framework facilitates the firmware-first error handling policy in
which asynchronous exceptions may be routed to EL3. Such exceptions may
be handed over to respective exception handlers. Individual handlers
might further delegate exception handling to lower ELs.

The framework associates the delegated execution to lower ELs with a
priority value. For interrupts, this corresponds to the priorities
programmed in GIC; for other types of exceptions, viz. SErrors or
Synchronous External Aborts, individual dispatchers shall explicitly
associate delegation to a secure priority. In order to prevent lower
priority interrupts from preempting higher priority execution, the
framework provides helpers to control preemption by virtue of
programming Priority Mask register in the interrupt controller.

This commit allows for handling interrupts targeted at EL3. Exception
handlers own interrupts by assigning them a range of secure priorities,
and registering handlers for each priority range it owns.

Support for exception handling in BL31 image is enabled by setting the
build option EL3_EXCEPTION_HANDLING=1.

Documentation to follow.

NOTE: The framework assumes the priority scheme supported by platform
interrupt controller is compliant with that of ARM GIC architecture (v2
or later).

Change-Id: I7224337e4cea47c6ca7d7a4ca22a3716939f7e42
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:

- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.

A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.

The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:

- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
  Secure Partition.
- Implementing a well defined interface that is used by the normal world
  and other secure services for accessing the services exported by a
  Secure Partition.
- Implementing a well defined interface that is used by a Secure
  Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
  Partition to fulfil a service request.

Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This function can be useful to setup TCR_ELx by callers that don't use
the translation tables library to setup the system registers related
to them. By making it common, it can be reused whenever it is needed
without duplicating code.

Change-Id: Ibfada9e846d2a6cd113b1925ac911bb27327d375
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

These macros are only defined for corresponding image,
and they are undefined for other images. It means that we have
to use ifdef or defined() instead of relying on being 0 by default.

Change-Id: Iad11efab9830ddf471599b46286e1c56581ef5a7
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Change sizeof call so it references a static type instead of return of
a function in order to be MISRA compliant.

Change-Id: I6f1adb206073d6cd200156e281b8d76249e3af0e
Signed-off-by: Joel Hutton <joel.hutton@arm.com>

Add events that trigger before entry to normal/secure world.  The
events trigger after the normal/secure context has been restored.

Similarly add events that trigger after leaving normal/secure world.
The events trigger after the normal/secure context has been saved.

Change-Id: I1b48a7ea005d56b1f25e2b5313d77e67d2f02bc5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

This allows other EL3 components to subscribe to CPU on events.

Update Firmware Design guide to list psci_cpu_on_finish as an available
event.

Change-Id: Ida774afe0f9cdce4021933fcc33a9527ba7aaae2
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This light-weight framework enables some EL3 components to publish
events which other EL3 components can subscribe to. Publisher can
optionally pass opaque data for subscribers. The order in which
subscribers are called is not defined.

Firmware design updated.

Change-Id: I24a3a70b2b1dedcb1f73cf48313818aebf75ebb6
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The implementation is the same as those used to disable it in EL3.

Change-Id: Ibfe7e69034a691fbf57477c5a76a8cdca28f6b26
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces a new API in the translation tables library
(v2), that allows to change the memory attributes of a memory
region. It may be used to change its execution permissions and
data access permissions.

As a prerequisite, the memory must be already mapped. Moreover, it
must be mapped at the finest granularity (currently 4 KB).

Change-Id: I242a8c6f0f3ef2b0a81a61e28706540462faca3c
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces a new API in the translation tables library
(v2), that allows to query the memory attributes of a memory block
or a memory page.

Change-Id: I45a8b39a53da39e7617cbac4bff5658dc1b20a11
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Previously, in AArch32, `IMAGE_XLAT_DEFAULT_REGIME` wasn't defined. The
translation regime is only used in the AArch64 port of the translation
tables library v2, so this is not a problem for now, but future patches
will use it.

`IMAGE_EL` isn't used in AArch32, so it isn't needed to define it.

Change-Id: I4acdb01a58658956ab94bd82ed5b7fee1aa6ba90
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

API documentation updated.

Change-Id: I40feec1fe67a960d035061b54dd55610bc34ce1d
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

API documentation updated.

Change-Id: I129725059299af6cc612bafa8d74817f779d7c4f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Document the API in separate platform interrupt controller API document.

Change-Id: If18f208e10a8a243f5c59d226fcf48e985941949
Co-authored-by: Yousuf A <yousuf.sait@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The macro DEFINE_SYSREG_WRITE_CONST_FUNC defines an inline function
to an assembly statement that uses the MSR (immediate) instruction
to access the PSTATE.  The "i" (immediate) assembly constraint on
the operand was only satisfied when compiling with optimizations
enabled which resulted in the function being optimized out - the
"const uint64_t v" parameter was optimized out and replaced by a
literal value.

When compiling without optimizations, the function call remained and
therefore the parameter is not optimized out - compilation fails as
the constraint is impossible to satisfy by the compiler.

This patch replaces the function encapsulating the use of
the MSR (immediate) with a macro that allows the literal value to be
directly fed to the inline assembly statement

Change-Id: Ib379a7acc48ef3cb83090a680cd8a6ce1a94a9d9
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Updated the PSCI version conforming to the PSCI v1.1
specification (ARM DEN022D).

Change-Id: I1f34772ef6de37ec1ade719a1ab3aa062152d995
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Currently TF does not initialise the PMCR_EL0 register in
the secure context or save/restore the register.

In particular, the DP field may not be set to one to prohibit
cycle counting in the secure state, even though event counting
generally is prohibited via the default setting of MDCR_EL3.SMPE
to 0.

This patch initialises PMCR_EL0.DP to one in the secure state
to prohibit cycle counting and also initialises other fields
that have an architectually UNKNOWN reset value.

Additionally, PMCR_EL0 is added to the list of registers that are
saved and restored during a world switch.

Similar changes are made for PMCR for the AArch32 execution state.

NOTE: secure world code at lower ELs that assume other values in PMCR_EL0
will be impacted.

Change-Id: Iae40e8c0a196d74053accf97063ebc257b4d2f3a
Signed-off-by: David Cunado <david.cunado@arm.com>

This patch implements PSCI_SYSTEM_RESET2 API as defined in PSCI
v1.1 specification. The specification allows architectural and
vendor-specific resets via this API. In the current specification,
there is only one architectural reset, the warm reset. This reset is
intended to provide a fast reboot path that guarantees not to reset
system main memory.

Change-Id: I057bb81a60cd0fe56465dbb5791d8e1cca025bd3
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

During system suspend, the GICv3 Distributor and Redistributor context
can be lost due to power gating of the system power domain. This means
that the GICv3 context needs to be saved prior to system suspend and
restored on wakeup. Currently the consensus is that the Firmware should
be in charge of this. See tf-issues#464 for more details.

This patch introduces helper APIs in the GICv3 driver to save and
restore the Distributor and Redistributor contexts. The GICv3 ITS
context is not considered in this patch because the specification says
that the details of ITS power management is implementation-defined.
These APIs are expected to be appropriately invoked by the platform
layer during system suspend.

Fixes ARM-software/tf-issues#464

Change-Id: Iebb9c6770ab8c4d522546f161fa402d2fe02ec00
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

This patch introduces the ability of the xlat tables library to manage
EL0 and EL1 mappings from a higher exception level.

Attributes MT_USER and MT_PRIVILEGED have been added to allow the user
specify the target EL in the translation regime EL1&0.

REGISTER_XLAT_CONTEXT2 macro is introduced to allow creating a
xlat_ctx_t that targets a given translation regime (EL1&0 or EL3).

A new member is added to xlat_ctx_t to represent the translation regime
the xlat_ctx_t manages. The execute_never mask member is removed as it
is computed from existing information.

Change-Id: I95e14abc3371d7a6d6a358cc54c688aa9975c110
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Introduce a variant of the TLB invalidation helper function that
allows the targeted translation regime to be specified, rather than
defaulting to the current one.

This new function is useful in the context of EL3 software managing
translation tables for the S-EL1&0 translation regime, as then it
might need to invalidate S-EL1&0 TLB entries rather than EL3 ones.

Define a new enumeration to be able to represent translation regimes in
the xlat tables library.

Change-Id: Ibe4438dbea2d7a6e7470bfb68ff805d8bf6b07e5
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The current implementation of the memory mapping API favours mapping
memory regions using the biggest possible block size in order to
reduce the number of translation tables needed.

In some cases, this behaviour might not be desirable. When translation
tables are edited at run-time, coarse-grain mappings like that might
need splitting into finer-grain tables. This operation has a
performance cost.

The MAP_REGION2() macro allows to specify the granularity of
translation tables used for the initial mapping of a memory region.
This might increase performance for memory regions that are likely to
be edited in the future, at the expense of a potentially increased
memory footprint.

The Translation Tables Library Design Guide has been updated to
explain the use case for this macro. Also added a few intermediate
titles to make the guide easier to digest.

Change-Id: I04de9302e0ee3d326b8877043a9f638766b81b7b
Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Since commit 769d65da ("xlat: Use MAP_REGION macro as compatibility
layer"), building with GCC 4.9 fails.

  CC      plat/arm/board/fvp/fvp_common.c
plat/arm/board/fvp/fvp_common.c:60:2: error: initializer element is not constant
  ARM_MAP_SHARED_RAM,
  ^
plat/arm/board/fvp/fvp_common.c:60:2: error: (near initialization for 'plat_arm_mmap[0]')
make: *** [Makefile:535: build/fvp/release/bl1/fvp_common.o] Error 1

Taking into account that MAP_REGION(_FLAT) is widely used in array
initializers, do not use cast.

Fixes: 769d65da

 ("xlat: Use MAP_REGION macro as compatibility layer")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This commit introduces a new type (mem_region_t) used to describe
memory regions and it adds two utility functions:

	- clear_mem_regions: This function clears (write 0) to a set
		of regions described with an array of mem_region_t.

	- mem_region_in_array_chk This function checks if a
		region is covered by some of the regions described
		with an array of mem_region_t.

Change-Id: I12ce549f5e81dd15ac0981645f6e08ee7c120811
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

This patch adds the generic code that links the psci smc handler
with the platform function that implements the mem_protect and
mem_check_range functionalities. These functions are  optional
APIs added in PSCI v1.1 (ARM DEN022D).

Change-Id: I3bac1307a5ce2c7a196ace76db8317e8d8c8bb3f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

The type `unsigned long` is 32 bit wide in AArch32, but 64 bit wide in
AArch64. This is inconsistent and that's why we avoid using it as per
the Coding Guidelines. This patch changes all `UL` occurrences to `U`
or `ULL` depending on the context so that the size of the constant is
clear.

This problem affected the macro `BIT(nr)`. As long as this macro is used
to fill fields of registers, that's not a problem, since all registers
are 32 bit wide in AArch32 and 64 bit wide in AArch64. However, if the
macro is used to fill the fields of a 64-bit integer, it won't be able
to set the upper 32 bits in AArch32.

By changing the type of this macro to `unsigned long long` the behaviour
is always the same regardless of the architecture, as this type is
64-bit wide in both cases.

Some Tegra platform files have been modified by this patch.

Change-Id: I918264c03e7d691a931f0d1018df25a2796cc221
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

In the S-EL1&0 translation regime we aren't using the higher VA range,
whose translation table base address is held in TTBR1_EL1. The bit
TCR_EL1.EPD1 can be used to disable translations using TTBR1_EL1, but
the code wasn't setting it to 1. Additionally, other fields in TCR1_EL1
associated with the higher VA range (TBI1, TG1, SH1, ORGN1, IRGN1 and
A1) weren't set correctly as they were left as 0. In particular, 0 is a
reserved value for TG1. Also, TBBR1_EL1 was not explicitly set and its
reset value is UNKNOWN.

Therefore memory accesses to the higher VA range would result in
unpredictable behaviour as a translation table walk would be attempted
using an UNKNOWN value in TTBR1_EL1.

On the FVP and Juno platforms accessing the higher VA range resulted in
a translation fault, but this may not always be the case on all
platforms.

This patch sets the bit TCR_EL1.EPD1 to 1 so that any kind of
unpredictable behaviour is prevented.

This bug only affects the AArch64 version of the code, the AArch32
version sets this bit to 1 as expected.

Change-Id: I481c000deda5bc33a475631301767b9e0474a303
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch provides helper macros for both Device and Normal memory MAIR
encodings as defined by the ARM Architecture Reference Manual for ARMv8-A
(ARM DDI0487B.A).

Change-Id: I5faae7f2cf366390ad4ba1d9253c6f3b60fd5e20
Signed-off-by: David Cunado <david.cunado@arm.com>

Use the MAP_REGION to build the mmap_region_t argument in wrappers like
mmap_add_region(). Evolution of the mmap_region_t might require adding
new members with a non-zero default value. Users of MAP_REGION are
protected against such evolution. This commit also protects users of
mmap_add_region() and mmap_add_dynamic_region() functions against these
evolutions.

Also make the MAP_REGION macro implementation more explicit and make it
a mmap_region_t compound literal to make it useable as a function
parameter on its own and to prevent using it in initialization of
variables of different type.

Change-Id: I7bfc4689f6dd4dd23c895b65f628d8ee991fc161
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Erratum 855971 applies to revision r0p3 or earlier Cortex-A72 CPUs. The
recommended workaround is to disable instruction prefetch.

Change-Id: I7fde74ee2a8a23b2a8a1891b260f0eb909fad4bf
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Erratum 855972 applies to revision r1p3 or earlier Cortex-A57 CPUs. The
recommended workaround is to disable instruction prefetch.

Change-Id: I56eeac0b753eb1432bd940083372ad6f7e93b16a
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Platform may use specific cache line sizes. Since CACHE_WRITEBACK_GRANULE
defines the platform specific cache line size, it is used to define the
size of the cpu data structure CPU_DATA_SIZE aligned on cache line size.

Introduce assembly macro 'mov_imm' for AArch32 to simplify implementation
of function '_cpu_data_by_index'.

Change-Id: Ic2d49ffe0c3e51649425fd9c8c99559c582ac5a1
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

At present, various CPU register macros that refer to CPUACTLR are named
ACTLR. This patch fixes that.

The previous register names are retained, but guarded by the
ERROR_DEPRECATED macro, so as not to break platforms that continue using
the old names.

Change-Id: Ia872196d81803f8f390b887d149e0fd054df519b
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>

In order to avoid Undefined behavior, left operand in left-shift
expressions needs to be unsigned, and of sufficient size. The safest and
most consistent approach is to use unsigned long long type.

Change-Id: I9612f16a6e6ea4c7df62a02497d862abf19b8e1b
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>

This patch enables the CnP (Common not Private) bit for secure page
tables so that multiple PEs in the same Inner Shareable domain can use
the same translation table entries for a given stage of translation in
a particular translation regime. This only takes effect when ARM
Trusted Firmware is built with ARM_ARCH_MINOR >= 2.

ARM Trusted Firmware Design has been updated to include a description
of this feature usage.

Change-Id: I698305f047400119aa1900d34c65368022e410b8
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

The macro concisely expresses and requires architecture version to be at
least as required by its arguments. This would be useful when extending
Trusted Firmware functionality for future architecture revisions.

Replace similar usage in the current code base with the new macro.

Change-Id: I9dcd0aa71a663eabd02ed9632b8ce87611fa5a57
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Trusted OS may have extra images to be loaded. Load them one by one
and do the parsing. In this patch, ARM TF need to load up to 3 images
for optee os: header, pager and paged images. Header image is the info
about optee os and images. Pager image include pager code and data.
Paged image include the paging parts using virtual memory.

Change-Id: Ia3bcfa6d8a3ed7850deb5729654daca7b00be394
Signed-off-by: Summer Qin <summer.qin@arm.com>

This patch adds an early suspend handler, that executes with
SMP and data cache enabled. This handler allows platforms to
perform any early actions during the CPU suspend entry sequence.

This handler is optional and platforms can choose to implement it
depending on their needs. The `pwr_domain_suspend` handler still
exists and platforms can keep on using it without any side effects.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>