1. 01 Sep, 2020 1 commit
  2. 28 Aug, 2020 1 commit
  3. 12 Aug, 2020 1 commit
    • Manish Pandey's avatar
      dualroot: add chain of trust for Platform owned SPs · 2947412d
      Manish Pandey authored
      
      
      For dualroot CoT there are two sets of SP certificates, one owned by
      Silicon Provider(SiP) and other owned by Platform. Each certificate can
      have a maximum of 4 SPs.
      
      This patch reduces the number of SiP owned SPs from 8 to 4 and adds
      the remaining 4 to Plat owned SP.
      Plat owned SP certificate is signed using Platform RoT key and
      protected against anti-rollback using the Non-trusted Non-volatile
      counter.
      
      Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      2947412d
  4. 31 Jul, 2020 1 commit
    • Manish Pandey's avatar
      tbbr/dualroot: rename SP package certificate file · 03a5225c
      Manish Pandey authored
      
      
      Currently only single signing domain is supported for SP packages but
      there is plan to support dual signing domains if CoT is dualroot.
      
      SP_CONTENT_CERT_ID is the certificate file which is currently generated
      and signed with trusted world key which in-turn is derived from Silicon
      provider RoT key.
      To allow dual signing domain for SP packages, other certificate file
      will be derived from Platform owned RoT key.
      
      This patch renames "SP_CONTENT_CERT_ID" to "SIP_SP_CONTENT_CERT_ID" and
      does other related changes.
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: I0bc445a3ab257e2dac03faa64f46e36a9fed5e93
      03a5225c
  5. 17 Jul, 2020 1 commit
  6. 10 Jul, 2020 1 commit
  7. 29 Jun, 2020 1 commit
    • Masahiro Yamada's avatar
      linker_script: move .rela.dyn section to bl_common.ld.h · e8ad6168
      Masahiro Yamada authored
      
      
      The .rela.dyn section is the same for BL2-AT-EL3, BL31, TSP.
      
      Move it to the common header file.
      
      I slightly changed the definition so that we can do "RELA_SECTION >RAM".
      It still produced equivalent elf images.
      
      Please note I got rid of '.' from the VMA field. Otherwise, if the end
      of previous .data section is not 8-byte aligned, it fails to link.
      
      aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
      aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
      aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
      make: *** [Makefile:1071: build/qemu/release/bl31/bl31.elf] Error 1
      
      Change-Id: Iba7422d99c0374d4d9e97e6fd47bae129dba5cc9
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      e8ad6168
  8. 09 Jun, 2020 1 commit
    • Manish Pandey's avatar
      dualroot: add chain of trust for secure partitions · 44f1aa8e
      Manish Pandey authored
      
      
      A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
      owned Secure Partitions(SP). A similar support for Platform owned SP can
      be added in future. The certificate is also protected against anti-
      rollback using the trusted Non-Volatile counter.
      
      To avoid deviating from TBBR spec, support for SP CoT is only provided
      in dualroot.
      Secure Partition content certificate is assigned image ID 31 and SP
      images follows after it.
      
      The CoT for secure partition look like below.
      +------------------+       +-------------------+
      | ROTPK/ROTPK Hash |------>| Trusted Key       |
      +------------------+       | Certificate       |
                                 | (Auth Image)      |
                                /+-------------------+
                               /                   |
                              /                    |
                             /                     |
                            /                      |
                           L                       v
      +------------------+       +-------------------+
      | Trusted World    |------>| SiP owned SPs     |
      | Public Key       |       | Content Cert      |
      +------------------+       | (Auth Image)      |
                              /   +-------------------+
                             /                      |
                            /                      v|
      +------------------+ L     +-------------------+
      | SP_PKG1 Hash     |------>| SP_PKG1           |
      |                  |       | (Data Image)      |
      +------------------+       +-------------------+
              .                           .
              .                           .
              .                           .
      +------------------+       +-------------------+
      | SP_PKG8 Hash     |------>| SP_PKG8           |
      |                  |       | (Data Image)      |
      +------------------+       +-------------------+
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f
      44f1aa8e
  9. 31 May, 2020 1 commit
    • Alexei Fedorov's avatar
      TF-A: Fix BL31 linker script error · 34dd1e96
      Alexei Fedorov authored
      
      
      The patch fixes BL31 linker script error
      "Init code ends past the end of the stacks"
      for platforms with number of CPUs less than 4,
      which is caused by __STACKS_END__ address being
      lower than __INIT_CODE_END__.
      The modified BL31 linker script detects such cases
      and increases the total amount of stack memory,
      setting __STACKS_END__ = __INIT_CODE_END__, and
      CPUs' stacks are calculated by BL31 'plat_get_my_stack'
      function accordingly. For platforms with more than 4 CPUs
      and __INIT_CODE_END__ < __STACKS_END__ stack memory does not
      increase and allocated CPUs' stacks match the existing
      implementation.
      The patch removes exclusion of PSCI initialization
      functions from the reclaimed .init section in
      'arm_reclaim_init.ld.S' script, which increases the
      size of reclaimed memory region.
      
      Change-Id: I927773e00dd84e1ffe72f9ee534f4f2fc7b6153c
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      34dd1e96
  10. 21 May, 2020 1 commit
  11. 19 May, 2020 1 commit
  12. 05 May, 2020 2 commits
    • Andre Przywara's avatar
      fdt/wrappers: Introduce code to find UART DT node · 60e2e27d
      Andre Przywara authored
      
      
      The stdout-path property in the /chosen node of a DTB points to a device
      node, which is used for boot console output.
      On most (if not all) ARM based platforms this is the debug UART.
      The ST platform code contains a function to parse this property and
      chase down eventual aliases to learn the node offset of this UART node.
      
      Introduce a slightly more generalised version of this ST platform function
      in the generic fdt_wrappers code. This will be useful for other platforms
      as well.
      
      Change-Id: Ie6da47ace7833861b5e35fe8cba49835db3659a5
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      60e2e27d
    • Andre Przywara's avatar
      plat/stm32: Use generic fdt_get_reg_props_by_name() · 7ad6d362
      Andre Przywara authored
      
      
      The STM32 platform port parse DT nodes to find base address to
      peripherals. It does this by using its own implementation, even though
      this functionality is generic and actually widely useful outside of the
      STM32 code.
      
      Re-implement fdt_get_reg_props_by_name() on top of the newly introduced
      fdt_get_reg_props_by_index() function, and move it to fdt_wrapper.c.
      This is removes the assumption that #address-cells and #size-cells are
      always one.
      
      Change-Id: I6d584930262c732b6e0356d98aea50b2654f789d
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      7ad6d362
  13. 30 Apr, 2020 1 commit
    • Andre Przywara's avatar
      arm: fconf: Fix GICv3 dynamic configuration · 364ad245
      Andre Przywara authored
      
      
      At the moment the fconf_populate_gicv3_config() implementation is
      somewhat incomplete: First it actually fails to store the retrieved
      information (the local addr[] array is going nowhere), but also it makes
      quite some assumptions about the device tree passed to it: it needs to
      use two address-cells and two size-cells, and also requires all five
      register regions to be specified, where actually only the first two
      are mandatory according to the binding (and needed by our code).
      
      Fix this by introducing a proper generic function to retrieve "reg"
      property information from a DT node:
      We retrieve the #address-cells and #size-cells properties from the
      parent node, then use those to extract the right values from the "reg"
      property. The function takes an index to select one region of a reg
      property.
      
      This is loosely based on the STM32 implementation using "reg-names",
      which we will subsume in a follow-up patch.
      
      Change-Id: Ia59bfdf80aea4e36876c7b6ed4d153e303f482e8
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      364ad245
  14. 29 Apr, 2020 2 commits
    • Andre Przywara's avatar
      plat/stm32: Implement fdt_read_uint32_default() as a wrapper · be858cff
      Andre Przywara authored
      
      
      The STM32 platform code uses its own set of FDT helper functions,
      although some of them are fairly generic.
      
      Remove the implementation of fdt_read_uint32_default() and implement it
      on top of the newly introduced fdt_read_uint32() function, then convert
      all users over.
      
      This also fixes two callers, which were slightly abusing the "default"
      semantic.
      
      Change-Id: I570533362b4846e58dd797a92347de3e0e5abb75
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      be858cff
    • Andre Przywara's avatar
      fdt/wrappers: Replace fdtw_read_cells() implementation · ff4e6c35
      Andre Przywara authored
      Our fdtw_read_cells() implementation goes to great lengths to
      sanity-check every parameter and result, but leaves a big hole open:
      The size of the storage the value pointer points at needs to match the
      number of cells given. This can't be easily checked at compile time,
      since we lose the size information by using a void pointer.
      Regardless the current usage of this function is somewhat wrong anyways,
      since we use it on single-element, fixed-length properties only, for
      which the DT binding specifies the size.
      Typically we use those functions dealing with a number of cells in DT
      context to deal with *dynamically* sized properties, which depend on
      other properties (#size-cells, #clock-cells, ...), to specify the number
      of cells needed.
      
      Another problem with the current implementation is the use of
      ambiguously sized types (uintptr_t, size_t) together with a certain
      expectation about their size. In general there is no relation between
      the length of a DT property and the bitness of the code that parses the
      DTB: AArch64 code could encounter 32-bit addresses (where the physical
      address space is limited to 4GB [1]), while AArch32 code could read
      64-bit sized properties (/memory nodes on LPAE systems, [2]).
      
      To make this more clear, fix the potential issues and also align more
      with other DT users (Linux and U-Boot), introduce functions to explicitly
      read uint32 and uint64 properties. As the other DT consumers, we do this
      based on the generic "read array" function.
      Convert all users to use either of those two new functions, and make
      sure we never use a pointer to anything other than uint32_t or uint64_t
      variables directly.
      
      This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
      4 bytes into a uint16_t variable (passed via a void pointer).
      
      Also we change the implementation of the function to better align with
      other libfdt users, by using the right types (fdt32_t) and common
      variable names (*prop, prop_names).
      
      [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
      [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts
      
      
      
      Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      ff4e6c35
  15. 28 Apr, 2020 1 commit
    • Andre Przywara's avatar
      fdt/wrappers: Generalise fdtw_read_array() · 6e3a89f4
      Andre Przywara authored
      
      
      Currently our fdtw_read_array() implementation requires the length of
      the property to exactly match the requested size, which makes it less
      flexible for parsing generic device trees.
      Also the name is slightly misleading, since we treat the cells of the
      array as 32 bit unsigned integers, performing the endianess conversion.
      
      To fix those issues and align the code more with other DT users (Linux
      kernel or U-Boot), rename the function to "fdt_read_uint32_array", and
      relax the length check to only check if the property covers at least the
      number of cells we request.
      This also changes the variable names to be more in-line with other DT
      users, and switches to the proper data types.
      
      This makes this function more useful in later patches.
      
      Change-Id: Id86f4f588ffcb5106d4476763ecdfe35a735fa6c
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      6e3a89f4
  16. 25 Apr, 2020 1 commit
    • Masahiro Yamada's avatar
      linker_script: move .data section to bl_common.ld.h · caa3e7e0
      Masahiro Yamada authored
      Move the data section to the common header.
      
      I slightly tweaked some scripts as follows:
      
      [1] bl1.ld.S has ALIGN(16). I added DATA_ALIGN macro, which is 1
          by default, but overridden by bl1.ld.S. Currently, ALIGN(16)
          of the .data section is redundant because commit 41286590
      
      
          ("Fix boot failures on some builds linked with ld.lld.") padded
          out the previous section to work around the issue of LLD version
          <= 10.0. This will be fixed in the future release of LLVM, so
          I am keeping the proper way to align LMA.
      
      [2] bl1.ld.S and bl2_el3.ld.S define __DATA_RAM_{START,END}__ instead
          of __DATA_{START,END}__. I put them out of the .data section.
      
      [3] SORT_BY_ALIGNMENT() is missing tsp.ld.S, sp_min.ld.S, and
          mediatek/mt6795/bl31.ld.S. This commit adds SORT_BY_ALIGNMENT()
          for all images, so the symbol order in those three will change,
          but I do not think it is a big deal.
      
      Change-Id: I215bb23c319f045cd88e6f4e8ee2518c67f03692
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      caa3e7e0
  17. 02 Apr, 2020 4 commits
    • Masahiro Yamada's avatar
      xlat_tables_v2: fix assembler warning of PLAT_RO_XLAT_TABLES · 268131c2
      Masahiro Yamada authored
      
      
      If PLAT_RO_XLAT_TABLES is defined, the base xlat table goes to the
      .rodata section instead of .bss section.
      
      This causes a warning like:
      
      /tmp/ccswitLr.s: Assembler messages:
      /tmp/ccswitLr.s:297: Warning: setting incorrect section attributes for .rodata
      
      It is practically no problem, but I want to keep the build log clean.
      
      Put the base table into the "base_xlat_table" section to suppress the
      assembler warnings.
      
      The linker script determines its final destination; rodata section if
      PLAT_RO_XLAT_TABLES=1, or bss section otherwise. So, the result is the
      same.
      
      Change-Id: Ic85d1d2dddd9b5339289fc2378cbcb21dd7db02e
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      268131c2
    • Masahiro Yamada's avatar
      linker_script: move bss section to bl_common.ld.h · a7739bc7
      Masahiro Yamada authored
      
      
      Move the bss section to the common header. This adds BAKERY_LOCK_NORMAL
      and PMF_TIMESTAMP, which previously existed only in BL31. This is not
      a big deal because unused data should not be compiled in the first
      place. I believe this should be controlled by BL*_SOURCES in Makefiles,
      not by linker scripts.
      
      I investigated BL1, BL2, BL2U, BL31 for plat=fvp, and BL2-AT-EL3,
      BL31, BL31 for plat=uniphier. I did not see any more  unexpected
      code addition.
      
      The bss section has bigger alignment. I added BSS_ALIGN for this.
      
      Currently, SORT_BY_ALIGNMENT() is missing in sp_min.ld.S, and with this
      change, the BSS symbols in SP_MIN will be sorted by the alignment.
      This is not a big deal (or, even better in terms of the image size).
      
      Change-Id: I680ee61f84067a559bac0757f9d03e73119beb33
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      a7739bc7
    • Masahiro Yamada's avatar
      linker_script: replace common read-only data with RODATA_COMMON · 0a0a7a9a
      Masahiro Yamada authored
      The common section data are repeated in many linker scripts (often
      twice in each script to support SEPARATE_CODE_AND_RODATA). When you
      add a new read-only data section, you end up with touching lots of
      places.
      
      After this commit, you will only need to touch bl_common.ld.h when
      you add a new section to RODATA_COMMON.
      
      Replace a series of RO section with RODATA_COMMON, which contains
      6 sections, some of which did not exist before.
      
      This is not a big deal because unneeded data should not be compiled
      in the first place. I believe this should be controlled by BL*_SOURCES
      in Makefiles, not by linker scripts.
      
      When I was working on this commit, the BL1 image size increased
      due to the fconf_populator. Commit c452ba15
      
       ("fconf: exclude
      fconf_dyn_cfg_getter.c from BL1_SOURCES") fixed this issue.
      
      I investigated BL1, BL2, BL2U, BL31 for plat=fvp, and BL2-AT-EL3,
      BL31, BL31 for plat=uniphier. I did not see any more  unexpected
      code addition.
      
      Change-Id: I5d14d60dbe3c821765bce3ae538968ef266f1460
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      0a0a7a9a
    • Masahiro Yamada's avatar
      linker_script: move more common code to bl_common.ld.h · 9fb288a0
      Masahiro Yamada authored
      
      
      These are mostly used to collect data from special structure,
      and repeated in many linker scripts.
      
      To differentiate the alignment size between aarch32/aarch64, I added
      a new macro STRUCT_ALIGN.
      
      While I moved the PMF_SVC_DESCS, I dropped #if ENABLE_PMF conditional.
      As you can see in include/lib/pmf/pmf_helpers.h, PMF_REGISTER_SERVICE*
      are no-op when ENABLE_PMF=0. So, pmf_svc_descs and pmf_timestamp_array
      data are not populated.
      
      Change-Id: I3f4ab7fa18f76339f1789103407ba76bda7e56d0
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      9fb288a0
  18. 11 Mar, 2020 1 commit
    • Masahiro Yamada's avatar
      Factor xlat_table sections in linker scripts out into a header file · 665e71b8
      Masahiro Yamada authored
      
      
      TF-A has so many linker scripts, at least one linker script for each BL
      image, and some platforms have their own ones. They duplicate quite
      similar code (and comments).
      
      When we add some changes to linker scripts, we end up with touching
      so many files. This is not nice in the maintainability perspective.
      
      When you look at Linux kernel, the common code is macrofied in
      include/asm-generic/vmlinux.lds.h, which is included from each arch
      linker script, arch/*/kernel/vmlinux.lds.S
      
      TF-A can follow this approach. Let's factor out the common code into
      include/common/bl_common.ld.h
      
      As a start point, this commit factors out the xlat_table section.
      
      Change-Id: Ifa369e9b48e8e12702535d721cc2a16d12397895
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      665e71b8
  19. 06 Mar, 2020 1 commit
  20. 03 Feb, 2020 1 commit
  21. 24 Jan, 2020 1 commit
    • Masahiro Yamada's avatar
      bl_common: add BL_END macro · 2c74a29d
      Masahiro Yamada authored
      
      
      Currently, the end address macros are defined per BL, like BL2_END,
      BL31_END, BL32_END. They are not handy in the common code shared
      between multiple BL stages.
      
      This commit introduces BL_END, which is equivalent to BL{2,31,32}_END,
      and will be useful for the BL-common code.
      
      Change-Id: I3c39bf6096d99ce920a5b9fa21c0f65456fbfe8a
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2c74a29d
  22. 13 Sep, 2019 2 commits
    • Andre Przywara's avatar
      Add fdt_add_reserved_memory() helper function · 3ef45dda
      Andre Przywara authored
      
      
      If a firmware component like TF-A reserves special memory regions for
      its own or secure payload services, it should announce the location and
      size of those regions to the non-secure world. This will avoid
      disappointment when some rich OS tries to acccess this memory, which
      will likely end in a crash.
      
      The traditional way of advertising reserved memory using device tree is
      using the special memreserve feature of the device tree blob (DTB).
      However by definition those regions mentioned there do not prevent the
      rich OS to map this memory, which may lead to speculative accesses to
      this memory and hence spurious bus errors.
      
      A safer way of carving out memory is to use the /reserved-memory node as
      part of the normal DT structure. Besides being easier to setup, this
      also defines an explicit "no-map" property to signify the secure-only
      nature of certain memory regions, which avoids the rich OS to
      accidentally step on it.
      
      Add a helper function to allow platform ports to easily add a region.
      
      Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      3ef45dda
    • Andre Przywara's avatar
      qemu: Move and generalise FDT PSCI fixup · f240728b
      Andre Przywara authored
      
      
      The QEMU platform port scans its device tree to advertise PSCI as the
      CPU enable method. It does this by scanning *every* node in the DT and
      check whether its compatible string starts with "arm,cortex-a". Then it
      sets the enable-method to PSCI, if it doesn't already have one.
      
      Other platforms might want to use this functionality as well, so let's
      move it out of the QEMU platform directory and make it more robust by
      fixing some shortcomings:
      - A compatible string starting with a certain prefix is not a good way
      to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will
      match as well and is in turn favoured with an enable-method.
      - If the DT already has an enable-method, we won't change this to PSCI.
      
      Those two issues will for instance fail on the Raspberry Pi 4 DT.
      To fix those problems, we adjust the scanning method:
      The DT spec says that all CPU nodes are subnodes of the mandatory
      /cpus node, which is a subnode of the root node. Also each CPU node has
      to have a device_type = "cpu" property. So we find the /cpus node, then
      scan for a subnode with the proper device_type, forcing the
      enable-method to "psci".
      We have to restart this search after a property has been patched, as the
      node offsets might have changed meanwhile.
      
      This allows this routine to be reused for the Raspberry Pi 4 later.
      
      Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      f240728b
  23. 01 Aug, 2019 2 commits
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
    • Julius Werner's avatar
      Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define it's own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d5dfdeb6
  24. 24 Jul, 2019 3 commits
    • Julius Werner's avatar
      Add helper to parse BL31 parameters (both versions) · d9af1f7b
      Julius Werner authored
      BL31 used to take a single bl31_params_t parameter structure with entry
      point information in arg0. In commit 72600226
      
       (Add new version of image
      loading.) this API was changed to a more flexible linked list approach,
      and the old parameter structure was copied into all platforms that still
      used the old format. This duplicated code unnecessarily among all these
      platforms.
      
      This patch adds a helper function that platforms can optionally link to
      outsource the task of interpreting arg0. Many platforms are just
      interested in the BL32 and BL33 entry point information anyway. Since
      some platforms still need to support the old version 1 parameters, the
      helper will support both formats when ERROR_DEPRECATED == 0. This allows
      those platforms to drop a bunch of boilerplate code and asynchronously
      update their BL2 implementation to the newer format.
      
      Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d9af1f7b
    • Julius Werner's avatar
      Factor out cross-BL API into export headers suitable for 3rd party code · 57bf6057
      Julius Werner authored
      
      
      This patch adds a new include/export/ directory meant for inclusion in
      third-party code. This is useful for cases where third-party code needs
      to interact with TF-A interfaces and data structures (such as a custom
      BL2-implementation like coreboot handing off to BL31). Directly
      including headers from the TF-A repository avoids having to duplicate
      all these definitions (and risk them going stale), but with the current
      header structure this is not possible because handoff API definitions
      are too deeply intertwined with other TF code/headers and chain-include
      other headers that will not be available in the other environment.
      
      The new approach aims to solve this by separating only the parts that
      are really needed into these special headers that are self-contained and
      will not chain-include other (non-export) headers. TF-A code should
      never include them directly but should instead always include the
      respective wrapper header, which will include the required prerequisites
      (like <stdint.h>) before including the export header. Third-party code
      can include the export headers via its own wrappers that make sure the
      necessary definitions are available in whatever way that environment can
      provide them.
      
      Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      57bf6057
    • Julius Werner's avatar
      Use explicit-width data types in AAPCS parameter structs · 9352be88
      Julius Werner authored
      
      
      It's not a good idea to use u_register_t for the members of
      aapcs64_params_t and aapcs32_params_t, since the width of that type
      always depends on the current execution environment. This would cause
      problems if e.g. we used this structure to set up the entry point of an
      AArch32 program from within an AArch64 program. (It doesn't seem like
      any code is doing that today, but it's probably still a good idea to
      write this defensively. Also, it helps with my next patch.)
      
      Change-Id: I12c04a85611f2b6702589f3362bea3e6a7c9f776
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9352be88
  25. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  26. 27 Feb, 2019 2 commits
    • Varun Wadekar's avatar
      Tegra: Support for scatterfile for the BL31 image · c2ad38ce
      Varun Wadekar authored
      
      
      This patch provides support for using the scatterfile format as
      the linker script with the 'armlink' linker for Tegra platforms.
      
      In order to enable the scatterfile usage the following changes
      have been made:
      
      * provide mapping for ld.S symbols in bl_common.h
      * include bl_common.h from all the affected files
      * update the makefile rules to use the scatterfile and armlink
        to compile BL31
      * update pubsub.h to add sections to the scatterfile
      
      NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.
      
      Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      c2ad38ce
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
  27. 01 Feb, 2019 1 commit
  28. 31 Jan, 2019 1 commit
  29. 30 Jan, 2019 1 commit
  30. 23 Jan, 2019 1 commit
    • Sathees Balya's avatar
      plat/arm: Save BL2 descriptors to reserved memory. · 5b8d50e4
      Sathees Balya authored
      
      
      On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
      descriptors describing the list of executable images are created in BL2
      R/W memory, which could be possibly corrupted later on by BL31/BL32 due
      to overlay. This patch creates a reserved location in SRAM for these
      descriptors and are copied over by BL2 before handing over to next BL
      image.
      
      Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
      is enabled.
      
      Fixes ARM-Software/tf-issues#626
      
      Change-Id: I755735706fa702024b4032f51ed4895b3687377f
      Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      5b8d50e4