1. 22 Aug, 2018 3 commits
  2. 20 Aug, 2018 1 commit
  3. 03 Aug, 2018 1 commit
    • Roberto Vargas's avatar
      Add support for romlib in the build system · 5accce5b
      Roberto Vargas authored
      
      
      Romlib is a new image that is stored in ROM and contains the code of
      several libraries that can be shared between different images. All
      the functions within in the library are accessed using a jump table
      which allows to update the romlib image whithout changing the binary
      compatibility. This jump table can be also stored in RAM and it can
      allow to patch a romlib with potential bugs fixes..
      
      Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      5accce5b
  4. 13 Jul, 2018 1 commit
    • Sandrine Bailleux's avatar
      Run compiler on debug macros for type checking · cf24229e
      Sandrine Bailleux authored
      
      
      Even if the log output is too low for a message to be printed out on
      the console by the debug macros, it should still be evaluated by the
      compiler to get some type checking and validation of the format
      specifiers. To do so, introduce the no_tf_log() macro that encloses
      the call to tf_log() in an always-false condition.
      
      This avoids the problem of discovering build issues only when we build
      the firmware with the right LOG_LEVEL value.
      
      Change-Id: Ic0fd252ab691d0187fd925756a4837aca1cbfd7b
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      cf24229e
  5. 11 Jul, 2018 2 commits
    • Roberto Vargas's avatar
      Add end_vector_entry assembler macro · a9203eda
      Roberto Vargas authored
      
      
      Check_vector_size checks if the size of the vector fits
      in the size reserved for it. This check creates problems in
      the Clang assembler. A new macro, end_vector_entry, is added
      and check_vector_size is deprecated.
      
      This new macro fills the current exception vector until the next
      exception vector. If the size of the current vector is bigger
      than 32 instructions then it gives an error.
      
      Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      a9203eda
    • Roberto Vargas's avatar
      Remove .func and .endfunc assembler directives · b2805dab
      Roberto Vargas authored
      
      
      These directives are only used when stabs debugging information
      is used, but we use ELF which uses DWARF debugging information.
      Clang assembler doesn't support these directives, and removing
      them makes the code more compatible with clang.
      
      Change-Id: I2803f22ebd24c0fe248e04ef1b17de9cec5f89c4
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b2805dab
  6. 27 Jun, 2018 1 commit
    • Jeenu Viswambharan's avatar
      xlat v2: Split MMU setup and enable · 0cc7aa89
      Jeenu Viswambharan authored
      
      
      At present, the function provided by the translation library to enable
      MMU constructs appropriate values for translation library, and programs
      them to the right registers. The construction of initial values,
      however, is only required once as both the primary and secondaries
      program the same values.
      
      Additionally, the MMU-enabling function is written in C, which means
      there's an active stack at the time of enabling MMU. On some systems,
      like Arm DynamIQ, having active stack while enabling MMU during warm
      boot might lead to coherency problems.
      
      This patch addresses both the above problems by:
      
        - Splitting the MMU-enabling function into two: one that sets up
          values to be programmed into the registers, and another one that
          takes the pre-computed values and writes to the appropriate
          registers. With this, the primary effectively calls both functions
          to have the MMU enabled, but secondaries only need to call the
          latter.
      
        - Rewriting the function that enables MMU in assembly so that it
          doesn't use stack.
      
      This patch fixes a bunch of MISRA issues on the way.
      
      Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      0cc7aa89
  7. 26 Jun, 2018 1 commit
  8. 12 Jun, 2018 1 commit
    • Daniel Boulby's avatar
      Fix MISRA Rule 5.3 Part 1 · d3775d46
      Daniel Boulby authored
      
      
      Conflict with function name and variable name within that function.
      Change the name of the function from image_size to get_image_size
      to remove conflict and make the function fit the normal project
      naming convention.
      
      Rule 5.3:  An identifier declared in an inner scope shall not
                 hide an identifier declared in an outer scope
      
      Fixed For:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      d3775d46
  9. 22 May, 2018 1 commit
  10. 18 May, 2018 1 commit
  11. 04 May, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Introduce RAS handling · 14c6016a
      Jeenu Viswambharan authored
      
      
      RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
      extensions to base ARMv8.0 architecture.
      
      This patch adds build system support to enable RAS features in ARM
      Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
      this.
      
      With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
      inserted at all EL3 vector entry and exit. ESBs will synchronize pending
      external aborts before entering EL3, and therefore will contain and
      attribute errors to lower EL execution. Any errors thus synchronized are
      detected via. DISR_EL1 register.
      
      When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
      
      Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      14c6016a
  12. 23 Apr, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Add support for the SMC Calling Convention 2.0 · 2f370465
      Antonio Nino Diaz authored
      
      
      Due to differences in the bitfields of the SMC IDs, it is not possible
      to support SMCCC 1.X and 2.0 at the same time.
      
      The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
      option that specifies the major version of the SMCCC that the Trusted
      Firmware supports. The only two allowed values are 1 and 2, and it
      defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
      
      Note: Support for SMCCC v2.0 is an experimental feature to enable
      prototyping of secure partition specifications. Support for this
      convention is disabled by default and could be removed without notice.
      
      Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2f370465
  13. 17 Apr, 2018 1 commit
  14. 13 Apr, 2018 1 commit
    • Roberto Vargas's avatar
      Fix MISRA rule 8.3 Part 4 · 735181b6
      Roberto Vargas authored
      
      
      Rule 8.3: All declarations of an object or function shall
                use the same names and type qualifiers
      
      Fixed for:
      	make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
      	     GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
      	     ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
      
      Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      735181b6
  15. 07 Apr, 2018 2 commits
    • Jiafei Pan's avatar
      fix instruction address range limitation · b4ad9768
      Jiafei Pan authored
      
      
      For the adr instruction, it require the label's offset from the
      address of this instruction must be in the range +/-1MB. If the
      option "BL2_IN_XIP_MEM" is set to '1', in some cases, BL2's RW
      memory will not in the range of +/-1MB from BL2's RO memory region.
      so we need to use ldr instruction to cover this case.
      Signed-off-by: default avatarJiafei Pan <Jiafei.Pan@nxp.com>
      b4ad9768
    • Jiafei Pan's avatar
      Add support for BL2 in XIP memory · 7d173fc5
      Jiafei Pan authored
      
      
      In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
      like BL1. In these use-cases, it is necessary to initialize the RW sections
      in RAM, while leaving the RO sections in place. This patch enable this
      use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
      is only supported when BL2_AT_EL3 is 1.
      Signed-off-by: default avatarJiafei Pan <Jiafei.Pan@nxp.com>
      7d173fc5
  16. 27 Mar, 2018 1 commit
    • Joel Hutton's avatar
      Clean usage of void pointers to access symbols · 9f85f9e3
      Joel Hutton authored
      
      
      Void pointers have been used to access linker symbols, by declaring an
      extern pointer, then taking the address of it. This limits symbols
      values to aligned pointer values. To remove this restriction an
      IMPORT_SYM macro has been introduced, which declares it as a char
      pointer and casts it to the required type.
      
      Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
      Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9f85f9e3
  17. 21 Mar, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Rename 'smcc' to 'smccc' · 085e80ec
      Antonio Nino Diaz authored
      
      
      When the source code says 'SMCC' it is talking about the SMC Calling
      Convention. The correct acronym is SMCCC. This affects a few definitions
      and file names.
      
      Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
      but the old files have been kept for compatibility, they include the
      new ones with an ERROR_DEPRECATED guard.
      
      Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      085e80ec
  18. 28 Feb, 2018 3 commits
  19. 26 Feb, 2018 5 commits
    • Soby Mathew's avatar
      Dynamic cfg: MISRA fixes · da5f2745
      Soby Mathew authored
      
      
      Change-Id: I1d85b76af002b8b672fcaeca94939b7420bc8243
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      da5f2745
    • Soby Mathew's avatar
      ARM Platforms: Load HW_CONFIG in BL2 · cab0b5b0
      Soby Mathew authored
      
      
      The patch adds the necessary changes to load HW_CONFIG in BL2 for
      ARM Platforms :
      
      1. The load address of HW_CONFIG is specified via the `hw_config_addr`
      property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size`
      property defines the maximum size to be expected for the HW_CONFIG.
      The `arm_dyn_cfg_helpers.c` and corresponding header implements
      utility functions to parse these DT properties defined.
      The `arm_dyn_cfg.c` implements wrappers to these helpers to enable
      them to be invoked from ARM platform layer.
      
      2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is
      the list of images to be loaded by BL2.
      
      3. The `libfdt` sources are now included when BL2 is built
      
      4. A new helper `populate_next_bl_params_config()` is introduced in
      desc_image_load.c to populate the subsequent executable BL images
      with the `hw_config` and the corresponding `fw_config` if available.
      The `plat_get_next_bl_params()` API for ARM platforms is modified to
      invoke this new helper.
      
      5. The implementation of `bl2_early_platform_setup2()` is modified to
      consider `arg0` as well in addition to `arg1` passed from BL1.
      
      6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt.
      
      Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      cab0b5b0
    • Soby Mathew's avatar
      Dynamic cfg: Introduce fdt wrappers · e5674e1f
      Soby Mathew authored
      
      
      Change-Id: I9b1cdaf2430a1998a69aa366ea1461224a3d43dc
      Co-Authoured-by: default avatarJeenu Viswambharan <Jeenu.Viswambharan@arm.com>
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      e5674e1f
    • Soby Mathew's avatar
      Add dynamic config image IDs · bf9ce61b
      Soby Mathew authored
      
      
      Change-Id: I147031dea9487dc1976e31ad40c89b221e44edbc
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      bf9ce61b
    • Soby Mathew's avatar
      Dynamic cfg: Add HW and TB_FW configs to CoT · 6d31020e
      Soby Mathew authored
      
      
      This patch adds image IDs to `hw_config` and `tb_fw_config` and
      includes them in the default Chain Of Trust (CoT).
      
      Change-Id: If7bb3e9be8a5e48be76614b35bf43d58fc7fed12
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      6d31020e
  20. 02 Feb, 2018 1 commit
  21. 01 Feb, 2018 1 commit
    • Masahiro Yamada's avatar
      image_decompress: add APIs for decompressing images · 2e379d2f
      Masahiro Yamada authored
      
      
      These APIs are used by platforms that need to decompress images.
      
      image_decompress_init():
        This registers a temporary buffer and a decompressor callback.
        This should be called from platform init code.
      
      image_decompress_prepare():
        This should be called before each compressed image is loaded.  The
        best location to call this will be bl*_plat_handle_pre_image_load().
      
      image_decompress():
        This should be called after each compressed image is loaded.  The
        best location to call this will be bl*_plat_handle_post_image_load().
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2e379d2f
  22. 18 Jan, 2018 3 commits
    • Dimitris Papastamos's avatar
      sp_min: Implement workaround for CVE-2017-5715 · 7343505d
      Dimitris Papastamos authored
      
      
      This patch introduces two workarounds for ARMv7 systems.  The
      workarounds need to be applied prior to any `branch` instruction in
      secure world.  This is achieved using a custom vector table where each
      entry is an `add sp, sp, #1` instruction.
      
      On entry to monitor mode, once the sequence of `ADD` instructions is
      executed, the branch target buffer (BTB) is invalidated.  The bottom
      bits of `SP` are then used to decode the exception entry type.
      
      A side effect of this change is that the exception vectors are
      installed before the CPU specific reset function.  This is now
      consistent with how it is done on AArch64.
      
      Note, on AArch32 systems, the exception vectors are typically tightly
      integrated with the secure payload (e.g. the Trusted OS).  This
      workaround will need porting to each secure payload that requires it.
      
      The patch to modify the AArch32 per-cpu vbar to the corresponding
      workaround vector table according to the CPU type will be done in a
      later patch.
      
      Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7343505d
    • Roberto Vargas's avatar
      Mark functions defined in assembly files · d1f7292e
      Roberto Vargas authored
      
      
      This patch change the name of the section containing the functions
      defined in assembly files from text.* to text.asm.*. This change
      makes possible to select in the linker script the functions
      defined in those files.
      
      Change-Id: If35e44ef1b43ffd951dfac5e052db75d7198e2e0
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      d1f7292e
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored
      
      
      This patch enables BL2 to execute at the highest exception level
      without any dependancy on TF BL1. This enables platforms which already
      have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
      stages without need for BL1.  This is not currently possible because
      BL2 executes at S-EL1 and cannot jump straight to EL3.
      
      Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  23. 11 Jan, 2018 1 commit
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  24. 12 Dec, 2017 1 commit
    • Julius Werner's avatar
      Add new function-pointer-based console API · 9536bae6
      Julius Werner authored
      
      
      This patch overhauls the console API to allow for multiple console
      instances of different drivers that are active at the same time. Instead
      of binding to well-known function names (like console_core_init),
      consoles now provide a register function (e.g. console_16550_register())
      that will hook them into the list of active consoles. All console
      operations will be dispatched to all consoles currently in the list.
      
      The new API will be selected by the build-time option MULTI_CONSOLE_API,
      which defaults to ${ERROR_DEPRECATED} for now. The old console API code
      will be retained to stay backwards-compatible to older platforms, but
      should no longer be used for any newly added platforms and can hopefully
      be removed at some point in the future.
      
      The new console API is intended to be used for both normal (bootup) and
      crash use cases, freeing platforms of the need to set up the crash
      console separately. Consoles can be individually configured to be active
      active at boot (until first handoff to EL2), at runtime (after first
      handoff to EL2), and/or after a crash. Console drivers should set a sane
      default upon registration that can be overridden with the
      console_set_scope() call. Code to hook up the crash reporting mechanism
      to this framework will be added with a later patch.
      
      This patch only affects AArch64, but the new API could easily be ported
      to AArch32 as well if desired.
      
      Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9536bae6
  25. 05 Dec, 2017 1 commit
    • Soby Mathew's avatar
      Unify cache flush code path after image load · 76163b3a
      Soby Mathew authored
      
      
      Previously the cache flush happened in 2 different places in code
      depending on whether TRUSTED_BOARD_BOOT is enabled or not. This
      patch unifies this code path for both the cases. The `load_image()`
      function is now made an internal static function.
      
      Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      76163b3a
  26. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  27. 20 Nov, 2017 1 commit
    • Dimitris Papastamos's avatar
      Refactor Statistical Profiling Extensions implementation · 281a08cc
      Dimitris Papastamos authored
      
      
      Factor out SPE operations in a separate file.  Use the publish
      subscribe framework to drain the SPE buffers before entering secure
      world.  Additionally, enable SPE before entering normal world.
      
      A side effect of this change is that the profiling buffers are now
      only drained when a transition from normal world to secure world
      happens.  Previously they were drained also on return from secure
      world, which is unnecessary as SPE is not supported in S-EL1.
      
      Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      281a08cc
  28. 08 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored
      
      
      A Secure Partition is a software execution environment instantiated in
      S-EL0 that can be used to implement simple management and security
      services. Since S-EL0 is an unprivileged exception level, a Secure
      Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
      granted access to system and processor resources. Essentially, it is a
      software sandbox that runs under the control of privileged software in
      the Secure World and accesses the following system resources:
      
      - Memory and device regions in the system address map.
      - PE system registers.
      - A range of asynchronous exceptions e.g. interrupts.
      - A range of synchronous exceptions e.g. SMC function identifiers.
      
      A Secure Partition enables privileged firmware to implement only the
      absolutely essential secure services in EL3 and instantiate the rest in
      a partition. Since the partition executes in S-EL0, its implementation
      cannot be overly complex.
      
      The component in ARM Trusted Firmware responsible for managing a Secure
      Partition is called the Secure Partition Manager (SPM). The SPM is
      responsible for the following:
      
      - Validating and allocating resources requested by a Secure Partition.
      - Implementing a well defined interface that is used for initialising a
        Secure Partition.
      - Implementing a well defined interface that is used by the normal world
        and other secure services for accessing the services exported by a
        Secure Partition.
      - Implementing a well defined interface that is used by a Secure
        Partition to fulfil service requests.
      - Instantiating the software execution environment required by a Secure
        Partition to fulfil a service request.
      
      Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228