GitLab

This patch adds some verbose traces in the arm_setup_page_tables()
function to print the extents of the different memory regions it maps.

Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4

The arm_setup_page_tables() function used to expect a single set of
addresses defining the extents of the whole read-only section, code
and read-only data mixed up, which was mapped as executable.

This patch changes this behaviour. arm_setup_page_tables() now
expects 2 separate sets of addresses:

 - the extents of the code section;
 - the extents of the read-only data section.

The code is mapped as executable, whereas the data is mapped as
execute-never. New #defines have been introduced to identify the
extents of the code and the read-only data section. Given that
all BL images except BL1 share the same memory layout and linker
script structure, these #defines are common across these images.
The slight memory layout differences in BL1 have been handled by
providing values specific to BL1.

Note that this patch also affects the Xilinx platform port, which
uses the arm_setup_page_tables() function. It has been updated
accordingly, such that the memory mappings on this platform are
unchanged. This is achieved by passing null values as the extents
of the read-only data section so that it is ignored. As a result,
the whole read-only section is still mapped as executable.

Fixes ARM-software/tf-issues#85

Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5

This patch changes the base address of the "total" Trusted SRAM region
seen by the BL2U image. It used to start just after BL2U's read-only
section (i.e. at address BL2U_RO_LIMIT), it now starts from the base
address of the BL2U image (i.e. at address BL2U_BASE). In other words,
the "total" memory region now includes BL2U's own read-only section.

This does not change BL2U's resulting memory mappings because the
read-only section was already mapped in BL2U, it just wasn't part of
this total memory region.

Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671

At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE
to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is
the maximum address in Trusted ROM that BL1's actual content _can_
occupy. The actual portion of ROM occupied by BL1 can be less than
that, which means that BL1 might map more Trusted ROM than it actually
needs to.

This patch changes BL1's memory mappings on ARM platforms to restrict
the region of Trusted ROM it maps. It uses the symbols exported by
the linker to figure out the actual extents of BL1's ROM footprint.

This change increases the number of page tables used on FVP by 1.
On FVP, we used to map the whole Trusted ROM. As it is 64MB large,
we used to map it as blocks of 2MB using level-2 translation table
entries. We now need a finer-grained mapping, which requires an
additional level-3 translation table.

On ARM CSS platforms, the number of translation tables is unchanged.
The BL1 image resides in flash at address 0x0BEC0000. This address is
not aligned on a 2MB-boundary so a level-3 translation table was
already required to map this memory.

Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb

This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.

For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.

bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.

Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9

This patch introduces the arm_setup_page_tables() function to
set up page tables on ARM platforms. It replaces the
arm_configure_mmu_elx() functions and does the same thing except
that it doesn't enable the MMU at the end. The idea is to reduce
the amount of per-EL code that is generated by the C preprocessor
by splitting the memory regions definitions and page tables creation
(which is generic) from the MMU enablement (which is the only per-EL
configuration).

As a consequence, the call to the enable_mmu_elx() function has been
moved up into the plat_arch_setup() hook. Any other ARM standard
platforms that use the functions `arm_configure_mmu_elx()` must be
updated.

Change-Id: I6f12a20ce4e5187b3849a8574aac841a136de83d

This patch enables optional PSCI functions `PSCI_STAT_COUNT` and
`PSCI_STAT_RESIDENCY` for ARM standard platforms. The optional platform
API 'translate_power_state_by_mpidr()' is implemented for the Juno
platform. 'validate_power_state()' on Juno downgrades PSCI CPU_SUSPEND
requests for the system power level to the cluster power level.
Hence, it is not suitable for validating the 'power_state' parameter
passed in a PSCI_STAT_COUNT/RESIDENCY call.

Change-Id: I9548322676fa468d22912392f2325c2a9f96e4d2

In GICv3 mode, the non secure group1 interrupts are signalled via the
FIQ line in EL3. To support waking up from CPU_SUSPEND to standby on
these systems, EL3 should route FIQ to EL3 temporarily before wfi and
restore the original setting after resume. This patch makes this change
for the CSS platforms in the `css_cpu_standby` psci pm ops hook.

Change-Id: Ibf3295d16e2f08da490847c1457bc839e1bac144

Building TF with ERROR_DEPRECATED=1 fails because of a missing
semi-column. This patch fixes this syntax error.

Change-Id: I98515840ce74245b0a0215805f85c8e399094f68

Replaced placeholder implementation of plat_set_nv_ctr for FVP
platforms by a working one.

On FVP, the mapping of region DEVICE2 has been changed from RO to RW
to prevent exceptions when writing to the NV counter, which is
contained in this region.

Change-Id: I56a49631432ce13905572378cbdf106f69c82f57

This patch adds ARM Cortex-A73 MPCore Processor support
in the CPU specific operations framework. It also includes
this support for the Base FVP port.

Change-Id: I0e26b594f2ec1d28eb815db9810c682e3885716d

This patch adds support to select CCN driver for FVP during build.
A new build option `FVP_INTERCONNECT_DRIVER` is added to allow
selection between the CCI and CCN driver. Currently only the CCN-502
variant is supported on FVP.

The common ARM CCN platform helper file now verifies the cluster
count declared by platform is equal to the number of root node
masters exported by the ARM Standard platform.

Change-Id: I71d7b4785f8925ed499c153b2e9b9925fcefd57a

Added a build flag to select the generic delay timer on FVP instead
of the SP804 timer. By default, the generic one will be selected. The
user guide has been updated.

Change-Id: Ica34425c6d4ed95a187b529c612f6d3b26b78bc6

Replaced plat_get_syscnt_freq by plat_get_syscnt_freq2 on all
upstream platforms.

Change-Id: I3248f3f65a16dc5e9720012a05c35b9e3ba6abbe

This patch changes the default driver for FVP platform from the deprecated
GICv3 legacy to the GICv3 only driver. This means that the default build of
Trusted Firmware will not be able boot Linux kernel with GICv2 FDT blob. The
user guide is also updated to reflect this change of default GIC driver for
FVP.

Change-Id: Id6fc8c1ac16ad633dabb3cd189b690415a047764

This patch removes support for legacy Versatile Express memory map for the
GIC peripheral in the FVP platform. The user guide is also updated for the
same.

Change-Id: Ib8cfb819083aca359e5b46b5757cb56cb0ea6533

This patch puts the definition of `plat_get_syscnt_freq()`
under `#ifdef ARM_SYS_CNTCTL_BASE` in arm_common.c file.
This is the fix for compilation error introduced by commit-id
`749ade45`, for platforms that use arm_common.c but do not
provide a memory mapped interface to the generic counter.

Fixes ARM-software/tf-issues#395

Change-Id: I2f2b10bd9500fa15308541ccb15829306a76a745

This patch moves the definition for `plat_get_syscnt_freq()`
from arm_bl31_setup.c to arm_common.c. This could be useful
in case a delay timer needs to be installed based on the
generic timer in other BLs.
This patch also modifies the return type for this function
from `uint64_t` to `unsigned long long` within ARM and other
platform files.

Change-Id: Iccdfa811948e660d4fdcaae60ad1d700e4eda80d

It is up to the platform to implement the new plat_crash_print_regs macro to
report all relevant platform registers helpful for troubleshooting.

plat_crash_print_regs merges or calls previously defined plat_print_gic_regs
and plat_print_interconnect_regs macros for each existing platforms.

NOTE: THIS COMMIT REQUIRES ALL PLATFORMS THAT ENABLE THE `CRASH_REPORTING`
BUILD FLAG TO MIGRATE TO USE THE NEW `plat_crash_print_regs()` MACRO. BY
DEFAULT, `CRASH_REPORTING` IS ENABLED IN DEBUG BUILDS FOR ALL PLATFORMS.

Fixes: arm-software/tf-issues#373
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>

This patch modifies the upstream platform port makefiles to use the new
xlat_tables library files. This patch also makes mmap region setup common
between AArch64 and AArch32 for FVP platform port. The file `fvp_common.c`
is moved from the `plat/arm/board/fvp/aarch64` folder to the parent folder
as it is not specific to AArch64.

Change-Id: Id2e9aac45e46227b6f83cccfd1e915404018ea0b

To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistaken by similar names like BL32_BASE that work in a
completely different way.

NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
BUILD OPTION `PRELOADED_BL33_BASE`.

Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b

The BL33 address is now set in arm_bl31_early_platform_setup() so
that the preloaded BL33 boot option is available when RESET_TO_BL31
is also used.

Change-Id: Iab93e3916f9199c3387886b055c7cd2315efed29

Previously, when building TF without SPD support, BL2 tried to load a
BL32 image from the FIP and fails to find one, which resulted on
warning messages on the console. Even if there is a BL32 image in the
FIP it shouldn't be loaded because there is no way to transfer
control to the Secure Payload without SPD support.

The Makefile has been modified to pass a define of the form
SPD_${SPD} to the source code the same way it's done for PLAT. The
define SPD_none is then used to undefine BL32_BASE when BL32 is not
used to prevent BL2 from trying to load a BL32 image and failing,
thus removing the warning messages mentioned above.

Fixes ARM-software/tf-issues#287

Change-Id: Ifeb6f1c26935efb76afd353fea88e87ba09e9658

Make the timer configuration conditional on the optional interface being
available.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

This patch modifies the return type of the platform API
`plat_get_ns_image_entrypoint()` from `unsigned long` to
`uintptr_t` in accordance with the coding guidelines.

Change-Id: Icb4510ca98b706aa4d535fe27e203394184fb4ca

This patch adds support to program TrustZone protection on ARM platforms that
implement a DMC-500. arm_dmc_500.c has been added which implements the
arm_dmc_tzc_setup() function. This function relies on constants related to TZC
programming that are exported by each platform to program TrustZone protection
using the DMC-500 TrustZone controller driver. This function should be called
from plat_arm_security_setup() which is implemented by each platform.

Change-Id: I5400bdee9e4b29155fd11296a40693d512312f29

This patch migrates ARM Standard platforms to the refactored TZC driver.

Change-Id: I2a2f60b645f73e14d8f416740c4551cec87cb1fb

This patch adds support for non-volatile counter authentication to
the Authentication Module. This method consists of matching the
counter values provided in the certificates with the ones stored
in the platform. If the value from the certificate is lower than
the platform, the boot process is aborted. This mechanism protects
the system against rollback.

The TBBR CoT has been updated to include this method as part of the
authentication process. Two counters are used: one for the trusted
world images and another for the non trusted world images.

** NEW PLATFORM APIs (mandatory when TBB is enabled) **

int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);

    This API returns the non-volatile counter value stored
    in the platform. The cookie in the first argument may be
    used to select the counter in case the platform provides
    more than one (i.e. TBSA compliant platforms must provide
    trusted and non-trusted counters). This cookie is specified
    in the CoT.

int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);

    This API sets a new counter value. The cookie may be
    used to select the counter to be updated.

An implementation of these new APIs for ARM platforms is also
provided. The values are obtained from the Trusted Non-Volatile
Counters peripheral. The cookie is used to pass the extension OID.
This OID may be interpreted by the platform to know which counter
must return. On Juno, The trusted and non-trusted counter values
have been tied to 31 and 223, respectively, and cannot be modified.

** IMPORTANT **

THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
ORDER TO SUCCESSFULLY BUILD TF.

Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a

This patch adds an option to the ARM common platforms to load BL31 in the
TZC secured DRAM instead of the default secure SRAM.

To enable this feature, set `ARM_BL31_IN_DRAM` to 1 in build options.
If TSP is present, then setting this option also sets the TSP location
to DRAM and ignores the `ARM_TSP_RAM_LOCATION` build flag.

To use this feature, BL2 platform code must map in the DRAM used by
BL31. The macro ARM_MAP_BL31_SEC_DRAM is provided for this purpose.
Currently, only the FVP BL2 platform code maps in this DRAM.

Change-Id: If5f7cc9deb569cfe68353a174d4caa48acd78d67

Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.

Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().

All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.

Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134

This patch fixes inconsistencies in bl1_tbbr_image_descs[]
and miscellaneous fixes in Firmware Update code.

Following are the changes:
* As part of the original FWU changes, a `copied_size`
  field was added to `image_info_t`. This was a subtle binary
  compatibility break because it changed the size of the
  `bl31_params_t` struct, which could cause problems if
  somebody used different versions of BL2 or BL31, one with
  the old `image_info_t` and one with the new version.
  This patch put the `copied_size` within the `image_desc_t`.
* EXECUTABLE flag is now stored in `ep_info.h.attr` in place
  of `image_info.h.attr`, associating it to an entrypoint.
* The `image_info.image_base` is only relevant for secure
  images that are copied from non-secure memory into secure
  memory. This patch removes initializing `image_base` for
  non secure images in the bl1_tbbr_image_descs[].
* A new macro `SET_STATIC_PARAM_HEAD` is added for populating
  bl1_tbbr_image_descs[].ep_info/image_info.h members statically.
  The version, image_type and image attributes are now
  populated using this new macro.
* Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct
  usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c.
* Refactoring of code/macros related to SECURE and EXECUTABLE flags.

NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t`
      OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr`
      OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE
      BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY.

Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d

`board_arm_def.h` contains multiple definitions of
`PLAT_ARM_MMAP_ENTRIES` and `MAX_XLAT_TABLES` that are optimised for
memory usage depending upon the chosen build configuration. To ease
maintenance of these constants, this patch replaces their multiple
definitions with a single set of definitions that will work on all ARM
platforms.

Platforms can override the defaults with optimal values by enabling the
`ARM_BOARD_OPTIMISE_MMAP` build option. An example has been provided in
the Juno ADP port.

Additionally, `PLAT_ARM_MMAP_ENTRIES` is increased by one to accomodate
future ARM platforms.

Change-Id: I5ba6490fdd1e118cc9cc2d988ad7e9c38492b6f0

The common topology description helper funtions and macros for
ARM Standard platforms assumed a dual cluster system. This is not
flexible enough to scale to multi cluster platforms. This patch does
the following changes for more flexibility in defining topology:

1. The `plat_get_power_domain_tree_desc()` definition is moved from
   `arm_topology.c` to platform specific files, that is `fvp_topology.c`
   and `juno_topology.c`. Similarly the common definition of the porting
   macro `PLATFORM_CORE_COUNT` in `arm_def.h` is moved to platform
   specific `platform_def.h` header.

2. The ARM common layer porting macros which were dual cluster specific
   are now removed and a new macro PLAT_ARM_CLUSTER_COUNT is introduced
   which must be defined by each ARM standard platform.

3. A new mandatory ARM common layer porting API
   `plat_arm_get_cluster_core_count()` is introduced to enable the common
   implementation of `arm_check_mpidr()` to validate MPIDR.

4. For the FVP platforms, a new build option `FVP_NUM_CLUSTERS` has been
   introduced which allows the user to specify the cluster count to be
   used to build the topology tree within Trusted Firmare. This enables
   Trusted Firmware to be built for multi cluster FVP models.

Change-Id: Ie7a2e38e5661fe2fdb2c8fdf5641d2b2614c2b6b

The shared memory region on ARM platforms contains the mailboxes and,
on Juno, the payload area for communication with the SCP. This shared
memory may be configured as normal memory or device memory at build
time by setting the platform flag 'PLAT_ARM_SHARED_RAM_CACHED' (on
Juno, the value of this flag is defined by 'MHU_PAYLOAD_CACHED').
When set as normal memory, the platform port performs the corresponding
cache maintenance operations. From a functional point of view, this is
the equivalent of setting the shared memory as device memory, so there
is no need to maintain both options.

This patch removes the option to specify the shared memory as normal
memory on ARM platforms. Shared memory is always treated as device
memory. Cache maintenance operations are no longer needed and have
been replaced by data memory barriers to guarantee that payload and
MHU are accessed in the right order.

Change-Id: I7f958621d6a536dd4f0fa8768385eedc4295e79f

ARM Trusted Firmware supports 2 different interconnect peripheral
drivers: CCI and CCN. ARM platforms are implemented using either of the
interconnect peripherals.

This patch adds a layer of abstraction to help ARM platform ports to
choose the right interconnect driver and corresponding platform support.
This is as described below:

1. A set of ARM common functions have been implemented to initialise an
interconnect and for entering/exiting a cluster from coherency. These
functions are prefixed as "plat_arm_interconnect_". Weak definitions of
these functions have been provided for each type of driver.

2.`plat_print_interconnect_regs` macro used for printing CCI registers is
moved from a common arm_macros.S to cci_macros.S.

3. The `ARM_CONFIG_HAS_CCI` flag used in `arm_config_flags` structure
is renamed to `ARM_CONFIG_HAS_INTERCONNECT`.

Change-Id: I02f31184fbf79b784175892d5ce1161b65a0066c

Current code mandates loading of SCP_BL2/SCP_BL2U images for all
CSS platforms. On future ARM CSS platforms, the Application
Processor (AP) might not need to load these images. So, these
items can be removed from the FIP on those platforms.

BL2 tries to load  SCP_BL2/SCP_BL2U images if their base
addresses are defined causing boot error if the images are not
found in FIP.

This change adds a make flag `CSS_LOAD_SCP_IMAGES` which if set
to `1` does:
1. Adds SCP_BL2, SCP_BL2U images to FIP.
2. Defines the base addresses of these images so that AP loads
   them.

And vice-versa if it is set to `0`. The default value is set to
`1`.

Change-Id: I5abfe22d5dc1e9d80d7809acefc87b42a462204a

Prior to this patch, it was assumed that on all ARM platforms the bare
minimal security setup required is to program TrustZone protection. This
would always be done by programming the TZC-400 which was assumed to be
present in all ARM platforms. The weak definition of
platform_arm_security_setup() in plat/arm/common/arm_security.c
reflected these assumptions.

In reality, each ARM platform either decides at runtime whether
TrustZone protection needs to be programmed (e.g. FVPs) or performs
some security setup in addition to programming TrustZone protection
(e.g. NIC setup on Juno). As a result, the weak definition of
plat_arm_security_setup() is always overridden.

When a platform needs to program TrustZone protection and implements the
TZC-400 peripheral, it uses the arm_tzc_setup() function to do so. It is
also possible to program TrustZone protection through other peripherals
that include a TrustZone controller e.g. DMC-500. The programmer's
interface is slightly different across these various peripherals.

In order to satisfy the above requirements, this patch makes the
following changes to the way security setup is done on ARM platforms.

1. arm_security.c retains the definition of arm_tzc_setup() and has been
   renamed to arm_tzc400.c. This is to reflect the reliance on the
   TZC-400 peripheral to perform TrustZone programming. The new file is
   not automatically included in all platform ports through
   arm_common.mk. Each platform must include it explicitly in a platform
   specific makefile if needed.

   This approach enables introduction of similar library code to program
   TrustZone protection using a different peripheral. This code would be
   used by the subset of ARM platforms that implement this peripheral.

2. Due to #1 above, existing platforms which implements the TZC-400 have been
   updated to include the necessary files for both BL2, BL2U and BL31
   images.

Change-Id: I513c58f7a19fff2e9e9c3b95721592095bcb2735

Current code assumes `SCP_COM_SHARED_MEM_BASE` as the base address
for BOM/SCPI protocol between AP<->SCP on all CSS platforms. To
cater for future ARM platforms this is made platform specific.
Similarly, the bit shifts of `SCP_BOOT_CONFIG_ADDR` are also made
platform specific.

Change-Id: Ie8866c167abf0229a37b3c72576917f085c142e8

Functions to configure the MMU in S-EL1 and EL3 on ARM platforms
expect each platform to export its memory map in the `plat_arm_mmap`
data structure. This approach does not scale well in case the memory
map cannot be determined until runtime. To cater for this possibility,
this patch introduces the plat_arm_get_mmap() API. It returns a
reference to the `plat_arm_mmap` by default but can be overridden
by a platform if required.

Change-Id: Idae6ad8fdf40cdddcd8b992abc188455fa047c74

Each ARM Compute Subsystem based platform implements a System Security
Control (SSC) Registers Unit. The SSC_VERSION register inside it carries
information to identify the platform. This enables ARM Trusted Firmware
to compile in support for multiple ARM platforms and choose one at
runtime. This patch adds macros to enable access to this register.
Each platform is expected to export its PART_NUMBER separately.

Additionally, it also adds juno part number.

Change-Id: I2b1d5f5b65a9c7b76c6f64480cc7cf0aef019422