- 15 Feb, 2017 1 commit
-
-
dp-arm authored
Trusted Firmware currently has no support for secure self-hosted debug. To avoid unexpected exceptions, disable software debug exceptions, other than software breakpoint instruction exceptions, from all exception levels in secure state. This applies to both AArch32 and AArch64 EL3 initialization. Change-Id: Id097e54a6bbcd0ca6a2be930df5d860d8d09e777 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 02 Feb, 2017 1 commit
-
-
dp-arm authored
`PMF_ARM_TIF_IMPL_ID` should be set to 0x41. The code already left shifts it by 24 bit positions so this was overflowing. This fixes a build error with GCC 6.2 when `ENABLE_RUNTIME_INSTRUMENTATION` is set. Change-Id: I4c99d48ea7ce3d76e9edd1325b1979994db2c0fb Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 30 Jan, 2017 2 commits
-
-
Jeenu Viswambharan authored
The errata reporting policy is as follows: - If an errata workaround is enabled: - If it applies (i.e. the CPU is affected by the errata), an INFO message is printed, confirming that the errata workaround has been applied. - If it does not apply, a VERBOSE message is printed, confirming that the errata workaround has been skipped. - If an errata workaround is not enabled, but would have applied had it been, a WARN message is printed, alerting that errata workaround is missing. The CPU errata messages are printed by both BL1 (primary CPU only) and runtime firmware on debug builds, once for each CPU/errata combination. Relevant output from Juno r1 console when ARM Trusted Firmware is built with PLAT=juno LOG_LEVEL=50 DEBUG=1: VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied INFO: BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied WARNING: BL1: cortex_a57: errata workaround for 826974 was missing! WARNING: BL1: cortex_a57: errata workaround for 826977 was missing! WARNING: BL1: cortex_a57: errata workaround for 828024 was missing! WARNING: BL1: cortex_a57: errata workaround for 829520 was missing! WARNING: BL1: cortex_a57: errata workaround for 833471 was missing! ... VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied INFO: BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied WARNING: BL31: cortex_a57: errata workaround for 826974 was missing! WARNING: BL31: cortex_a57: errata workaround for 826977 was missing! WARNING: BL31: cortex_a57: errata workaround for 828024 was missing! WARNING: BL31: cortex_a57: errata workaround for 829520 was missing! WARNING: BL31: cortex_a57: errata workaround for 833471 was missing! ... VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied INFO: BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied Also update documentation. Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
At present, spin locks can only defined from C files. Add some macros such that they can be defined from assembly files too. Change-Id: I64f0c214062f5c15b3c8b412c7f25c908e87d970 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 26 Jan, 2017 1 commit
-
-
David Cunado authored
With GCC 6.2 compiler, more C undefined behaviour is being flagged as warnings, which result in build errors in ARM TF build. The specific issue that this patch resolves is the use of (1 << 31), which is predominantly used in case statements, where 1 is represented as a signed int. When shifted to msb the behaviour is undefined. The resolution is to specify 1 as an unsigned int using a convenience macro ULL(). A duplicate macro MAKE_ULL() is replaced. Fixes ARM-software/tf-issues#438 Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 24 Jan, 2017 2 commits
-
-
Antonio Nino Diaz authored
Some side-channel attacks involve an attacker inferring something from the time taken for a memory compare operation to complete, for example when comparing hashes during image authentication. To mitigate this, timingsafe_bcmp() must be used for such operations instead of the standard memcmp(). This function executes in constant time and so doesn't leak any timing information to the caller. Change-Id: I470a723dc3626a0ee6d5e3f7fd48d0a57b8aa5fd Signed-off-by: dp-arm <dimitris.papastamos@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Sandrine Bailleux authored
This code has been imported and slightly adapted from FreeBSD: https://github.com/freebsd/freebsd/blob/6253393ad8df55730481bf2aafd76bdd6182e2f5/lib/libc/string/strnlen.c Change-Id: Ie5ef5f92e6e904adb88f8628077fdf1d27470eb3 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 23 Jan, 2017 2 commits
-
-
Masahiro Yamada authored
One nasty part of ATF is some of boolean macros are always defined as 1 or 0, and the rest of them are only defined under certain conditions. For the former group, "#if FOO" or "#if !FOO" must be used because "#ifdef FOO" is always true. (Options passed by $(call add_define,) are the cases.) For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because checking the value of an undefined macro is strange. Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like follows: $(eval IMAGE := IMAGE_BL$(call uppercase,$(3))) $(OBJ): $(2) @echo " CC $$<" $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@ This means, IMAGE_BL* is defined when building the corresponding image, but *undefined* for the other images. So, IMAGE_BL* belongs to the latter group where we should use #ifdef or #ifndef. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Haojian Zhuang authored
Support Designware eMMC driver. It's based on both IO block and eMMC driver. Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
-
- 19 Jan, 2017 1 commit
-
-
Antonio Nino Diaz authored
Fix the parameter type of the maintenance functions of data cache. Add missing declarations for AArch32 versions of dcsw_op_louis and dcsw_op_all to match the AAch64 ones. Change-Id: I4226e8ea4f8b2b5bc2972992c83de659ee0da52c
-
- 18 Jan, 2017 2 commits
-
-
Masahiro Yamada authored
We have lots of duplicated defines (and comment blocks too). Move them to include/plat/common/common_def.h. While we are here, suffix the end address with _END instead of _LIMIT. The _END is a better fit to indicate the linker-derived real end address. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
The usage of _LIMIT seems odd here, so rename as follows: BL_CODE_LIMIT --> BL_CODE_END BL_RO_DATA_LIMIT --> BL_RO_DATA_END BL1_CODE_LIMIT --> BL1_CODE_END BL1_RO_DATA_LIMIT --> BL1_RO_DATA_END Basically, we want to use _LIMIT and _END properly as follows: *_SIZE + *_MAX_SIZE = *_LIMIT *_SIZE + *_SIZE = *_END The _LIMIT is generally defined by platform_def.h to indicate the platform-dependent memory constraint. So, its typical usage is ASSERT(. <= BL31_LIMIT, "BL31 image has exceeded its limit.") in a linker script. On the other hand, _END is used to indicate the end address of the compiled image, i.e. we do not know it until the image is linked. Here, all of these macros belong to the latter, so should be suffixed with _END. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 16 Jan, 2017 1 commit
-
-
Antonio Nino Diaz authored
Delete old version of libfdt at lib/libfdt. Move new libfdt API headers to include/lib/libfdt and all other files to lib/libfdt. Change-Id: I32b7888f1f20d62205310e363accbef169ad7b1b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Jan, 2017 1 commit
-
-
Masahiro Yamada authored
We are duplicating this macro define, and it is useful enough to be placed in the common place. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 10 Jan, 2017 1 commit
-
-
Nishanth Menon authored
tbz check for RDR status is to check for a bit being zero. Unfortunately, we are using a mask rather than the bit position. Further as per http://www.ti.com/lit/ds/symlink/pc16550d.pdf (page 17), LSR register bit 0 is Data ready status (RDR), not bit position 2. Update the same to match the specification. Reported-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: Nishanth Menon <nm@ti.com>
-
- 30 Dec, 2016 1 commit
-
-
dp-arm authored
Previously, fiptool only understood a fixed set of images as specified in tbbr_config.c. It preserved unknown images during the update, unpack and remove operations but it was not possible to explicitly refer to one of those unknown images. Add a new --blob option to create/update/unpack/remove images that are not known at compile time. This is accomplished by specifying the UUID and filename pair as shown below: $ ./fiptool create --blob uuid=01234567-89ab-cdef-0123-456789abcdef,file=foo.bin fip.bin $ ./fiptool info fip.bin 01234567-89ab-cdef-0123-456789abcdef: offset=0x60, size=0x1AA68 Fixes ARM-software/tf-issues#420 Change-Id: Iaac2504b9a4252289c09e73d29645cbe240f3a82 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 23 Dec, 2016 1 commit
-
-
Douglas Raillard authored
Standard SMC requests that are handled in the secure-world by the Secure Payload can be preempted by interrupts that must be handled in the normal world. When the TSP is preempted the secure context is stored and control is passed to the normal world to handle the non-secure interrupt. Once completed the preempted secure context is restored. When restoring the preempted context, the dispatcher assumes that the TSP preempted context is still stored as the SECURE context by the context management library. However, PSCI power management operations causes synchronous entry into TSP. This overwrites the preempted SECURE context in the context management library. When restoring back the SECURE context, the Secure Payload crashes because this context is not the preempted context anymore. This patch avoids corruption of the preempted SECURE context by aborting any preempted SMC during PSCI power management calls. The abort_std_smc_entry hook of the TSP is called when aborting the SMC request. It also exposes this feature as a FAST SMC callable from normal world to abort preempted SMC with FID TSP_FID_ABORT. Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 20 Dec, 2016 2 commits
-
-
Douglas Raillard authored
Enforce valid FID input in TSP_STD_FID and TSP_FAST_FID macros. Also remove an undefined behavior by using unsigned literals. Change-Id: Id37e908da861980a4eaa3a70b37a729f416ce272 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
Sandrine Bailleux authored
The is_mem_free() function used to be local to bl_common.c. This patch exports it so that it can be used outside of bl_common.c. Change-Id: I01dcb4229f3a36f56a4724b567c5e6c416dc5e98 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 19 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
ASM_ASSERT failure and panic messages are suppressed at present. This patch enables printing the PC location for panic messages, and file name and line number upon assembly assert failure. Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 15 Dec, 2016 4 commits
-
-
Jeenu Viswambharan authored
Various CPU drivers in ARM Trusted Firmware register functions to handle power-down operations. At present, separate functions are registered to power down individual cores and clusters. This scheme operates on the basis of core and cluster, and doesn't cater for extending the hierarchy for power-down operations. For example, future CPUs might support multiple threads which might need powering down individually. This patch therefore reworks the CPU operations framework to allow for registering power down handlers on specific level basis. Henceforth: - Generic code invokes CPU power down operations by the level required. - CPU drivers explicitly mention CPU_NO_RESET_FUNC when the CPU has no reset function. - CPU drivers register power down handlers as a list: a mandatory handler for level 0, and optional handlers for higher levels. All existing CPU drivers are adapted to the new CPU operations framework without needing any functional changes within. Also update firmware design guide. Change-Id: I1826842d37a9e60a9e85fdcee7b4b8f6bc1ad043 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
dp-arm authored
The previous code required that a certificate be signed with the ROT key before the platform's NV counter could be updated with the value in the certificate. This implies that the Non-Trusted NV counter was not being updated for Non-Trusted content certificates, as they cannot be signed with the ROT key in the TBBR CoT scheme. The code is reworked to only allow updating the platform's Trusted NV counter when a certificate protected by the Trusted NV counter is signed with the ROT key. Content certificates protected by the Non-Trusted NV counter are allowed to update the platform's Non-Trusted NV counter, assuming that the certificate value is higher than the platform's value. A new optional platform API has been introduced, named plat_set_nv_ctr2(). Platforms may choose to implement it and perform additional checks based on the authentication image descriptor before modifying the NV counters. A default weak implementation is available that just calls into plat_set_nv_ctr(). Fixes ARM-software/tf-issues#426 Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
Jeenu Viswambharan authored
As with other ARM platform GIC APIs, these directly invoke the GICv3 driver APIs for Redistributor power management. For the sake of uniform GIC API, empty stubs are placed for those GIC drivers that lack Redistributor component. Change-Id: Iad0d760d4dbca790998f7768cda621ff3b15a864 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Some GICv3 implementations have provision for power management operations at Redistributor level. This patch introduces and provides place-holders for Redistributor power management. The default implementations are empty stubs, but are weakly bound so as to enable implementation-specific drivers to override them. Change-Id: I4fec1358693d3603ca5dce242a2f7f0e730516d8 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 14 Dec, 2016 3 commits
-
-
Yatharth Kochar authored
This patch enables TRUSTED_BOARD_BOOT (Authentication and FWU) support, for AArch64, when LOAD_IMAGE_V2 is enabled. This patch also enables LOAD_IMAGE_V2 for ARM platforms. Change-Id: I294a2eebce7a30b6784c80c9d4ac7752808ee3ad Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
-
Antonio Nino Diaz authored
Some files have incorrect copyright notices, this patch fixes all files with deviations from the standard notice. Change-Id: I66b73e78a50a235acb55f1e2ec2052a42c0570d2 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
dp-arm authored
Testing showed that the time spent in a cluster power down operation is dominated by cache flushes. Add two more timestamps in runtime instrumentation to keep track of the time spent flushing the L1/L2 caches. Change-Id: I4c5a04e7663543225a85d3c6b271d7b706deffc4 Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 13 Dec, 2016 3 commits
-
-
Antonio Nino Diaz authored
The now deprecated ADDR_SPACE_SIZE has been replaced by the two defines PLAT_PHY_ADDR_SPACE_SIZE and PLAT_VIRT_ADDR_SPACE_SIZE. Change-Id: I027a2f02f47ab2f679b8979a6dbfb0f08270a1a4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Added the definitions `PLAT_PHY_ADDR_SPACE_SIZE` and `PLAT_VIRT_ADDR_SPACE_SIZE` which specify respectively the physical and virtual address space size a platform can use. `ADDR_SPACE_SIZE` is now deprecated. To maintain compatibility, if any of the previous defines aren't present, the value of `ADDR_SPACE_SIZE` will be used instead. For AArch64, register ID_AA64MMFR0_EL1 is checked to calculate the max PA supported by the hardware and to verify that the previously mentioned definition is valid. For AArch32, a 40 bit physical address space is considered. Added asserts to check for overflows. Porting guide updated. Change-Id: Ie8ce1da5967993f0c94dbd4eb9841fc03d5ef8d6 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Each translation table level entry can only map a given virtual address onto physical addresses of the same granularity. For example, with the current configuration, a level 2 entry maps blocks of 2 MB, so the physical address must be aligned to 2 MB. If the address is not aligned, the MMU will just ignore the lower bits. This patch adds an assertion to make sure that physical addresses are always aligned to the correct boundary. Change-Id: I0ab43df71829d45cdbe323301b3053e08ca99c2c Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Dec, 2016 1 commit
-
-
Soby Mathew authored
The AArch32 Procedure call Standard mandates that the stack must be aligned to 8 byte boundary at external interfaces. This patch does the required changes. This problem was detected when a crash was encountered in `psci_print_power_domain_map()` while printing 64 bit values. Aligning the stack to 8 byte boundary resolved the problem. Fixes ARM-Software/tf-issues#437 Change-Id: I517bd8203601bb88e9311bd36d477fb7b3efb292 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 07 Dec, 2016 2 commits
-
-
Soby Mathew authored
The capabilities exposed by the PSCI generic layer depends on the hooks populated by the platform in `plat_arm_psci_pm_ops`. Currently ARM Standard platforms statically define this structure. However, some platforms may want to modify the hooks at runtime before registering them with the generic layer. This patch introduces a new ARM platform layer API `plat_arm_psci_override_pm_ops` which allows the platform to probe the power controller and modify `plat_arm_psci_pm_ops` if required. Consequently, 'plat_arm_psci_pm_ops' is no longer qualified as `const` on ARM Standard platforms. Change-Id: I7dbb44b7bd36c20ec14ded5ee45a96816ca2ab9d Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
Soby Mathew authored
This patch introduces an additional layer of abstraction between CSS power management hooks and the SCPI driver. A new set of APIs are introduced in order to abstract out power management operations from underlying communication mechanism with the SCP. The SCPI and the associated MHU drivers are moved into a `drivers` folder in CSS. The new SCP communication abstraction layer is added in the `drivers/scp` folder. The existing CSS power management uses the new APIs to reflect this abstraction. Change-Id: I7d775129fc0558e9703c2724523fb8f0a916838c Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 05 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
There are many instances in ARM Trusted Firmware where control is transferred to functions from which return isn't expected. Such jumps are made using 'bl' instruction to provide the callee with the location from which it was jumped to. Additionally, debuggers infer the caller by examining where 'lr' register points to. If a 'bl' of the nature described above falls at the end of an assembly function, 'lr' will be left pointing to a location outside of the function range. This misleads the debugger back trace. This patch defines a 'no_ret' macro to be used when jumping to functions from which return isn't expected. The macro ensures to use 'bl' instruction for the jump, and also, for debug builds, places a 'nop' instruction immediately thereafter (unless instructed otherwise) so as to leave 'lr' pointing within the function range. Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0 Co-authored-by: Douglas Raillard <douglas.raillard@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 01 Dec, 2016 3 commits
-
-
David Cunado authored
This patch resets EL2 and EL3 registers that have architecturally UNKNOWN values on reset and that also provide EL2/EL3 configuration and trap controls. Specifically, the EL2 physical timer is disabled to prevent timer interrups into EL2 - CNTHP_CTL_EL2 and CNTHP_CTL for AArch64 and AArch32, respectively. Additionally, for AArch64, HSTR_EL2 is reset to avoid unexpected traps of non-secure access to certain system registers at EL1 or lower. For AArch32, the patch also reverts the reset to SDCR which was incorrectly added in a previous change. Change-Id: If00eaa23afa7dd36a922265194ccd6223187414f Signed-off-by: David Cunado <david.cunado@arm.com>
-
Qixiang.Xu authored
C99 restricts bitfields type is signed and unsigned integer or _Bool. See section 6.7.2.1 Structure and union specifiers. "A bit-field shall have a type that is a qualified or unqualified version of _Bool, signed int, unsigned int, or some other implementation-defined type." Since the compiler packs bitfields anyways, actual data layout in the structure is unaffected. Signed-off-by: Alex Nemirovsky <alex.nemirovsky@cortina-access.com>
-
Yatharth Kochar authored
This patch makes following miscellaneous fixes: * pl011_console.S: Fixed the bit mask used to check if the transmit FIFO is full or empty. * smcc_macros.S: Added `_fsxc` suffix while updating the SPSR. By default the assembler assumes `_fc` suffix which does not update all the fields in SPSR. By adding `_fsxc` suffix all the fields gets updated. * platform_helpers.S: Removed the weak definition for `plat_my_core_pos()` as this is a mandatory function which needs to be defined by all platforms. Change-Id: I8302292533c943686fff8d7c749a07132c052a3b Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
-
- 21 Nov, 2016 1 commit
-
-
Douglas Raillard authored
This allows the debugger to print the callstack when there is an assembly function in the callstack. It will work as long as the CFA pointer (frame pointer) location is not modified (i.e. x29 is not touched in AArch64 state). It is the case in almost all assembly functions, so this patch improves the average debugging experience. Call stacks from the debugger should still be interpreted with care. In more complex functions, one could use .cfi* directives to inform the debugger about the new location of the CFA pointer. Change-Id: I9dabfbc033b45e8528e67f4823c17de7bf02fa24 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 09 Nov, 2016 1 commit
-
-
David Cunado authored
In order to avoid unexpected traps into EL3/MON mode, this patch resets the debug registers, MDCR_EL3 and MDCR_EL2 for AArch64, and SDCR and HDCR for AArch32. MDCR_EL3/SDCR is zero'ed when EL3/MON mode is entered, at the start of BL1 and BL31/SMP_MIN. For MDCR_EL2/HDCR, this patch zero's the bits that are architecturally UNKNOWN values on reset. This is done when exiting from EL3/MON mode but only on platforms that support EL2/HYP mode but choose to exit to EL1/SVC mode. Fixes ARM-software/tf-issues#430 Change-Id: Idb992232163c072faa08892251b5626ae4c3a5b6 Signed-off-by: David Cunado <david.cunado@arm.com>
-
- 14 Oct, 2016 1 commit
-
-
Soby Mathew authored
The values of CP15BEN, nTWI & nTWE bits in SCTLR_EL1 are architecturally unknown if EL3 is AARCH64 whereas they reset to 1 if EL3 is AArch32. This might be a compatibility break for legacy AArch32 normal world software if these bits are not set to 1 when EL3 is AArch64. This patch enables the CP15BEN, nTWI and nTWE bits in the SCTLR_EL1 if the lower non-secure EL is AArch32. This unifies the SCTLR settings for lower non-secure EL in AArch32 mode for both AArch64 and AArch32 builds of Trusted Firmware. Fixes ARM-software/tf-issues#428 Change-Id: I3152d1580e4869c0ea745c5bd9da765f9c254947 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-