GitLab

This patch adds support to handle following TLK SMCs:
{TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}

These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.

Brief:
TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
set up secure storage buffers.

TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
pass NS memory ranges to TLK.

TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
Verified Boot parameters to TLK.

Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
Reviewed-on: https://git-master.nvidia.com/r/1643851

Signed-off-by: Mihir Joshi <mihirj@nvidia.com>

When an unknown Trusty image is found, there's no point of still trying
to register the BL32 init handler. Instead, we just should bail out of
the trusty_setup() and allow the system to continue to boot.
Signed-off-by: David Lin <dtwlin@google.com>

Main Fixes:

Use int32_t replace int [Rule 4.6]

Added explicit casts (e.g. 0U) to integers in order for them to be
  compatible with whatever operation they're used in [Rule 10.1]

Force operands of an operator to the same type category [Rule 10.4]

Fixed if statement conditional to be essentially boolean [Rule 14.4]

Voided non c-library functions whose return types are not used
[Rule 17.7]

Change-Id: I98caa330c371757eb2dfb9438448cb99115ed907
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.

The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.

The exceptions are files that are imported from other projects:

- CryptoCell driver
- dt-bindings folders
- zlib headers

Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Change-Id: Icd1cdd42afdc78895a9be6c46b414b0a155cfa63
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Ensure case clauses:
*   Terminate with an unconditional break, return or goto statement.
*   Use conditional break, return or goto statements as long as the end
    of the case clause is unreachable; such case clauses must terminate
    with assert(0) /* Unreachable */ or an unconditional  __dead2 function
    call
*   Only fallthough when doing otherwise would result in less
    readable/maintainable code; such case clauses must terminate with a
    /* Fallthrough */ comment to make it clear this is the case and
    indicate that a fallthrough is intended.

This reduces the chance of bugs appearing due to unintended flow through a
switch statement

Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

The value used to signal failure is 0. It is needed to return a different
value on success.

Change-Id: I2186aa7dfbfc825bfe7b3d5ae3c4de7af10ee44f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Some platforms might chose to take different actions depending on this
value; this is precisely the case for rcar-gen3.
Signed-off-by: Jorge Ramirez-Ortiz <jramirez@baylibre.com>

tf_printf and tf_snprintf are now called printf and snprintf, so the
code needs to be updated.

Change-Id: Iffeee97afcd6328c4c2d30830d4923b964682d71
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Functions provided by stdio.h such as printf and sprintf are available
in the codebase, but they add a lot of code to the final image if they
are used:

- AArch64: ~4KB
- AArch32: ~2KB in T32, ~3KB in A32

tf_printf and tf_snprintf are a lot more simple, but it is preferable
to use them when possible because they are also used in common code.

Change-Id: Id09fd2b486198fe3d79276e2c27931595b7ba60e
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Fix the types of the arguments of trusty_generic_platform_smc()
to match the expected prototype of a runtime service handler
(see rt_svc_handle_t type).

Change-Id: Ie839d116ca924b4b018ea2abbef72a1073da2a32
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Wherever we use 'struct foo' and 'foo_t' interchangeably in a
function's declaration and definition, use 'struct foo' consistently
for both, as per the TF-A coding guidelines [1].

[1] https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Coding-Guidelines#avoid-anonymous-typedefs-of-structsenums-in-header-files



Change-Id: I7998eb24a26746e87e9b6425529926406745b721
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

RFC4122 defines that fields are stored in network order (big endian),
but TF-A stores them in machine order (little endian by default in TF-A).
We cannot change the future UUIDs that are already generated, but we can store
all the bytes using arrays and modify fiptool to generate the UUIDs with
the correct byte order.

Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Rule 5.7: A tag name shall be a unique identifier

Follow convention of shorter names for smaller scope to fix
violations of MISRA rule 5.7

Fixed For:
    make ARM_TSP_RAM_LOCATION=tdram LOG_LEVEL=50 PLAT=fvp SPD=opteed

Change-Id: I5fbb5d6ebddf169550eddb07ed880f5c8076bb76
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

Use a _ prefix for macro arguments to prevent that argument from
hiding variables of the same name in the outer scope

Rule 5.3: An identifier declared in an inner scope shall not
          hide an identifier declared in an outer scope

Fixed For:
    make PLAT=fvp SPD=tspd

Change-Id: I2d711b9584c4cb9ba3814ecd2ca65a42b7e24179
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>

Since commit 031dbb12

 ("AArch32: Add essential Arch helpers"),
it is difficult to use consistent format strings for printf() family
between aarch32 and aarch64.

For example, uint64_t is defined as 'unsigned long long' for aarch32
and as 'unsigned long' for aarch64.  Likewise, uintptr_t is defined
as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.

A problem typically arises when you use printf() in common code.

One solution could be, to cast the arguments to a type long enough
for both architectures.  For example, if 'val' is uint64_t type,
like this:

  printf("val = %llx\n", (unsigned long long)val);

Or, somebody may suggest to use a macro provided by <inttypes.h>,
like this:

  printf("val = %" PRIx64 "\n", val);

But, both would make the code ugly.

The solution adopted in Linux kernel is to use the same typedefs for
all architectures.  The fixed integer types in the kernel-space have
been unified into int-ll64, like follows:

    typedef signed char           int8_t;
    typedef unsigned char         uint8_t;

    typedef signed short          int16_t;
    typedef unsigned short        uint16_t;

    typedef signed int            int32_t;
    typedef unsigned int          uint32_t;

    typedef signed long long      int64_t;
    typedef unsigned long long    uint64_t;

[ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]

This gets along with the codebase shared between 32 bit and 64 bit,
with the data model called ILP32, LP64, respectively.

The width for primitive types is defined as follows:

                   ILP32           LP64
    int            32              32
    long           32              64
    long long      64              64
    pointer        32              64

'long long' is 64 bit for both, so it is used for defining uint64_t.
'long' has the same width as pointer, so for uintptr_t.

We still need an ifdef conditional for (s)size_t.

All 64 bit architectures use "unsigned long" size_t, and most 32 bit
architectures use "unsigned int" size_t.  H8/300, S/390 are known as
exceptions; they use "unsigned long" size_t despite their architecture
is 32 bit.

One idea for simplification might be to define size_t as 'unsigned long'
across architectures, then forbid the use of "%z" string format.
However, this would cause a distortion between size_t and sizeof()
operator.  We have unknowledge about the native type of sizeof(), so
we need a guess of it anyway.  I want the following formula to always
return 1:

  __builtin_types_compatible_p(size_t, typeof(sizeof(int)))

Fortunately, ARM is probably a majority case.  As far as I know, all
32 bit ARM compilers use "unsigned int" size_t.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Commit 4c0d0390

 ("Rework type usage in Trusted Firmware") changed
the type usage in struct declarations, but did not touch the definition
side.  Fix the type mismatch.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

These are used locally in a file.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Rule 8.4: A compatible declaration shall be visible when
          an object or function with external linkage is defined

Fixed for:
	make DEBUG=1 PLAT=fvp SPD=tspd all

Change-Id: I0a16cf68fef29cf00ec0a52e47786f61d02ca4ae
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Rule 8.3: All declarations of an object or function shall
          use the same names and type qualifiers

Fixed for:
	make DEBUG=1 PLAT=fvp SPD=tspd all

Change-Id: I4e31c93d502d433806dfc521479d5d428468b37c
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Ensure (where possible) that switch statements in services comply with
MISRA rules 16.1 - 16.7.

Change-Id: I47bf6ed4a026201e6fe125ce51842482e99e8bb0
Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>

This patch fixes the sanity check on the non-secure entrypoint value
returned by bl31_plat_get_next_image_ep_info(). This issue has been
reported by Coverity Scan Online:

  CID 264893 (#1 of 1): Dereference null return value (NULL_RETURNS)
  Dereferencing a null pointer ns_ep_info.

Change-Id: Ia0f64d8c8b005f042608f1422ecbd42bc90b2fb4
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Change-Id: I822ccf5852dce4c01f98382cc393331f29e1e256

memset does not return a useful result here, so explitcitly ignore it

Change-Id: I33cd2228cadc280ee8e5ce3a4f8682dde9a7c16c

Change-Id: I9f9a8a159b41be1c865a20801d03a1b2934c3cac

Change-Id: Ie4f937808d24c9b45066c6582c4eee61699ef6df

An earlier patch extended ehf_allow_ns_preemption() API to also register
an error code to offer to Non-secure when a Yielding SMC is preempted by
SDEI interrupt. In TSPD's case, register the error code TSP_PREEMPTED.

Change-Id: I31992b6651f80694e83bc5092b044ef7a3eda690
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Fixes tegra build with SPD=trusty. Not tested.

Change-Id: I851a2b00b8b1cc65112b6088980a811d8eda1a99

At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
Non-secure interrupt affects TSPs execution. When TSP is executing:

  1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
     at the TSP's exception vector, and TSP voluntarily preempts itself.

  2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
     trap to EL3, which preempts TSP execution.

When EL3 exception handling is in place (i.e.,
EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
with GICv3, pending NS interrupts while TSP is executing will be
signalled as FIQ (which traps to EL3). This situation necessitates the
same treatment applied to case (2) above.

Therefore, when EL3 exception handling is in place, additionally
require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.

Strictly speaking, this is not required on a system with GICv2, but the
same model is uniformly followed regardless, for simplicity.

Relevant documentation updated.

Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

When EL3 exception handling is in effect (i.e.,
EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure
execution. However, for yielding SMCs, preemption by Non-secure
interupts is intended.

This patch therefore adds a call to ehf_allow_ns_preemption() before
dispatching a Yielding SMC to TSP.

Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Signed-off-by: Arve Hjønnevåg <arve@android.com>

Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass
1 when called from the cpu on/off hooks.

Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093
Signed-off-by: Arve Hjønnevåg <arve@android.com>

The secure physical timer is inacessible from 32-bit S-EL1 (when EL3
is 64-bit) so trusty will use the non-secure physical timer in this
case. Linux will use the virtual timer instead of the physical timer
when started in EL1.

Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f
Signed-off-by: Arve Hjønnevåg <arve@android.com>

The original patch has been partly merged. This adds the missing
pieces.

Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701
Signed-off-by: Arve Hjønnevåg <arve@android.com>

Add smc calls to return gic base address and print to the debug
console. Allows running a generic trusty binary.

Change-Id: I4b6540f140f11432cdff43c3f5a2097df09dc9d1
Signed-off-by: Arve Hjønnevåg <arve@android.com>

Change-Id: I081901e7df22f78dd9c4fc4c6bfad2aceb870a2d
Signed-off-by: Arve Hjønnevåg <arve@android.com>

This patch adds support to receive function ID with NS world's
memory ranges to provide the memory snapshot to TLK.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

A line in the upstream SPDs is only compiled in in `DEBUG` builds. This
line is used to help with assertions and so assertion failures can
happen in release builds with assertions enabled. Use
`ENABLE_ASSERTIONS` instead of `DEBUG`.

This bug was introduced in commit aa61368e

, which introduced the build
option `ENABLE_ASSERTIONS`.

Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>