1. 25 Feb, 2021 1 commit
  2. 11 Dec, 2020 1 commit
    • Javier Almansa Sobrino's avatar
      Add support for FEAT_MTPMU for Armv8.6 · 0063dd17
      Javier Almansa Sobrino authored
      
      
      If FEAT_PMUv3 is implemented and PMEVTYPER<n>(_EL0).MT bit is implemented
      as well, it is possible to control whether PMU counters take into account
      events happening on other threads.
      
      If FEAT_MTPMU is implemented, EL3 (or EL2) can override the MT bit
      leaving it to effective state of 0 regardless of any write to it.
      
      This patch introduces the DISABLE_MTPMU flag, which allows to diable
      multithread event count from EL3 (or EL2). The flag is disabled
      by default so the behavior is consistent with those architectures
      that do not implement FEAT_MTPMU.
      Signed-off-by: default avatarJavier Almansa Sobrino <javier.almansasobrino@arm.com>
      Change-Id: Iee3a8470ae8ba13316af1bd40c8d4aa86e0cb85e
      0063dd17
  3. 12 Oct, 2020 1 commit
    • Jimmy Brisson's avatar
      Increase type widths to satisfy width requirements · d7b5f408
      Jimmy Brisson authored
      
      
      Usually, C has no problem up-converting types to larger bit sizes. MISRA
      rule 10.7 requires that you not do this, or be very explicit about this.
      This resolves the following required rule:
      
          bl1/aarch64/bl1_context_mgmt.c:81:[MISRA C-2012 Rule 10.7 (required)]<None>
          The width of the composite expression "0U | ((mode & 3U) << 2U) | 1U |
          0x3c0U" (32 bits) is less that the right hand operand
          "18446744073709547519ULL" (64 bits).
      
      This also resolves MISRA defects such as:
      
          bl2/aarch64/bl2arch_setup.c:18:[MISRA C-2012 Rule 12.2 (required)]
          In the expression "3U << 20", shifting more than 7 bits, the number
          of bits in the essential type of the left expression, "3U", is
          not allowed.
      
      Further, MISRA requires that all shifts don't overflow. The definition of
      PAGE_SIZE was (1U << 12), and 1U is 8 bits. This caused about 50 issues.
      This fixes the violation by changing the definition to 1UL << 12. Since
      this uses 32bits, it should not create any issues for aarch32.
      
      This patch also contains a fix for a build failure in the sun50i_a64
      platform. Specifically, these misra fixes removed a single and
      instruction,
      
          92407e73        and     x19, x19, #0xffffffff
      
      from the cm_setup_context function caused a relocation in
      psci_cpus_on_start to require a linker-generated stub. This increased the
      size of the .text section and caused an alignment later on to go over a
      page boundary and round up to the end of RAM before placing the .data
      section. This sectionn is of non-zero size and therefore causes a link
      error.
      
      The fix included in this reorders the functions during link time
      without changing their ording with respect to alignment.
      
      Change-Id: I76b4b662c3d262296728a8b9aab7a33b02087f16
      Signed-off-by: default avatarJimmy Brisson <jimmy.brisson@arm.com>
      d7b5f408
  4. 10 Aug, 2020 1 commit
    • Alexei Fedorov's avatar
      TF-A AMU extension: fix detection of group 1 counters. · f3ccf036
      Alexei Fedorov authored
      
      
      This patch fixes the bug when AMUv1 group1 counters was
      always assumed being implemented without checking for its
      presence which was causing exception otherwise.
      The AMU extension code was also modified as listed below:
      - Added detection of AMUv1 for ARMv8.6
      - 'PLAT_AMU_GROUP1_NR_COUNTERS' build option is removed and
      number of group1 counters 'AMU_GROUP1_NR_COUNTERS' is now
      calculated based on 'AMU_GROUP1_COUNTERS_MASK' value
      - Added bit fields definitions and access functions for
      AMCFGR_EL0/AMCFGR and AMCGCR_EL0/AMCGCR registers
      - Unification of amu.c Aarch64 and Aarch32 source files
      - Bug fixes and TF-A coding style compliant changes.
      
      Change-Id: I14e407be62c3026ebc674ec7045e240ccb71e1fb
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      f3ccf036
  5. 15 Apr, 2020 1 commit
  6. 03 Apr, 2020 1 commit
    • John Powell's avatar
      Fix MISRA C issues in BL1/BL2/BL31 · 3443a702
      John Powell authored
      
      
      Attempts to address MISRA compliance issues in BL1, BL2, and BL31 code.
      Mainly issues like not using boolean expressions in conditionals,
      conflicting variable names, ignoring return values without (void), adding
      explicit casts, etc.
      
      Change-Id: If1fa18ab621b9c374db73fa6eaa6f6e5e55c146a
      Signed-off-by: default avatarJohn Powell <john.powell@arm.com>
      3443a702
  7. 26 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      AArch32: Disable Secure Cycle Counter · c3e8b0be
      Alexei Fedorov authored
      
      
      This patch changes implementation for disabling Secure Cycle
      Counter. For ARMv8.5 the counter gets disabled by setting
      SDCR.SCCD bit on CPU cold/warm boot. For the earlier
      architectures PMCR register is saved/restored on secure
      world entry/exit from/to Non-secure state, and cycle counting
      gets disabled by setting PMCR.DP bit.
      In 'include\aarch32\arch.h' header file new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: Ia8845db2ebe8de940d66dff479225a5b879316f8
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      c3e8b0be
  8. 24 Jul, 2019 1 commit
    • John Tsichritzis's avatar
      SSBS: init SPSR register with default SSBS value · c250cc3b
      John Tsichritzis authored
      
      
      This patch introduces an additional precautionary step to further
      enhance protection against variant 4. During the context initialisation
      before we enter the various BL stages, the SPSR.SSBS bit is explicitly
      set to zero. As such, speculative loads/stores are by default disabled
      for all BL stages when they start executing. Subsequently, each BL
      stage, can choose to enable speculative loads/stores or keep them
      disabled.
      
      This change doesn't affect the initial execution context of BL33 which
      is totally platform dependent and, thus, it is intentionally left up to
      each platform to initialise.
      
      For Arm platforms, SPSR.SSBS is set to zero for BL33 too. This means
      that, for Arm platforms, all BL stages start with speculative
      loads/stores disabled.
      
      Change-Id: Ie47d39c391d3f20fc2852fc59dbd336f8cacdd6c
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      c250cc3b
  9. 17 Jun, 2019 1 commit
  10. 28 Feb, 2019 1 commit
  11. 18 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Disable processor Cycle Counting in Secure state · ed4fc6f0
      Antonio Nino Diaz authored
      
      
      In a system with ARMv8.5-PMU implemented:
      
      - If EL3 is using AArch32, setting MDCR_EL3.SCCD to 1 disables counting
        in Secure state in PMCCNTR.
      
      - If EL3 is using AArch64, setting SDCR.SCCD to 1 disables counting in
        Secure state in PMCCNTR_EL0.
      
      So far this effect has been achieved by setting PMCR_EL0.DP (in AArch64)
      or PMCR.DP (in AArch32) to 1 instead, but this isn't considered secure
      as any EL can change that value.
      
      Change-Id: I82cbb3e48f2e5a55c44d9c4445683c5881ef1f6f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ed4fc6f0
  12. 06 Feb, 2019 1 commit
  13. 11 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Dynamically detect need for CnP bit · 2559b2c8
      Antonio Nino Diaz authored
      
      
      ARMv8.2-TTCNP is mandatory from ARMv8.2 onwards, but it can be implemented
      in CPUs that don't implement all mandatory 8.2 features (and so have to
      claim to be a lower version).
      
      This patch removes usage of the ARM_ARCH_AT_LEAST() macro and uses system
      ID registers to detect whether it is needed to set the bit or not.
      
      Change-Id: I7bcbf0c7c937590dfc2ca668cfd9267c50f7d52c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2559b2c8
  14. 04 Jan, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
    • Antonio Nino Diaz's avatar
      Reorganize architecture-dependent header files · f5478ded
      Antonio Nino Diaz authored
      
      
      The architecture dependant header files in include/lib/${ARCH} and
      include/common/${ARCH} have been moved to /include/arch/${ARCH}.
      
      Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      f5478ded
  15. 03 Jan, 2019 1 commit
  16. 10 Dec, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Use SSBS for CVE_2018_3639 mitigation · 48e1d350
      Jeenu Viswambharan authored
      
      
      The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
      Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
      Armv8.5 feature, this can be implemented by CPUs implementing earlier
      version of the architecture.
      
      With this patch, when both PSTATE.SSBS is implemented and
      DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
      SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
      indicate that mitigation on the PE is either permanently enabled or not
      required.
      
      When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
      of every BL stage. This means that EL3 always executes with mitigation
      applied.
      
      For Cortex A76, if the PE implements SSBS, the existing mitigation (by
      using a different vector table, and tweaking CPU ACTLR2) is not used.
      
      Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      48e1d350
  17. 26 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Synchronise arch.h and arch_helpers.h with TF-A-Tests · 932b3ae2
      Antonio Nino Diaz authored
      
      
      The headers forked at some point in the past and have diverged a lot. In
      order to make it easier to share code between TF-A-Tests and TF-A, this
      patch synchronises most of the definitions in the mentioned headers.
      
      This is not a complete sync, it has to be followed by more cleanup.
      
      This patch also removes the read helpers for the AArch32 instructions
      ats1cpr and ats1hr (they are write-only).
      
      Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      932b3ae2
  18. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  19. 28 Sep, 2018 1 commit
  20. 20 Sep, 2018 1 commit
  21. 30 Aug, 2018 1 commit
    • Douglas Raillard's avatar
      backtrace: Introduce backtrace function · 0c62883f
      Douglas Raillard authored
      
      
      This function diplays the backtrace, the current EL and security state
      to allow a post-processing tool to choose the right binary to interpret
      the dump.
      
      The output can be fed to GNU addr2line to resolve function names given
      an ELF binary compiled with debug information. The "-i" flag is
      recommended to improve display in case of inlined functions. The *.dump
      files generated during the build process can also be used.
      
      The function works in AArch64 and AArch32. In AArch32 it only works in
      A32 mode (without T32 interworking), which is enforced in the Makefile.
      
      Sample output of a backtrace at EL3:
      
          BACKTRACE: START: function_name
          0: EL3: 0x798
          1: EL3: 0x538
          2: EL3: 0x550
          3: EL3: 0x55c
          4: EL3: 0x568
          5: EL3: 0x5a8
          6: EL3: 0xf4
          BACKTRACE: END: function_name
      
      In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
      This option is set to 1 by default only in AArch64 debug builds. As
      usual, it can be overridden by the platform makefile and in the build
      command line.
      
      Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      0c62883f
  22. 10 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Support the EL2 translation regime · 1a92a0e0
      Antonio Nino Diaz authored
      
      
      The translation library is useful elsewhere. Even though this repository
      doesn't exercise the EL2 support of the library, it is better to have it
      here as well to make it easier to maintain.
      
      enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
      functions are still present, but they are behind ERROR_DEPRECATED and
      they call the new functions enable_mmu_svc_mon() and
      enable_mmu_direct_svc_mon().
      
      Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      1a92a0e0
  23. 18 Jul, 2018 2 commits
    • Sandrine Bailleux's avatar
      Fix HCPTR.TCP11 bit definition · e62ea09b
      Sandrine Bailleux authored
      
      
      Change-Id: I98f23f6cebcf984b57efc5449b75ff702e1984a0
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      e62ea09b
    • Antonio Nino Diaz's avatar
      Fix types of arch.h definitions · 30399885
      Antonio Nino Diaz authored
      
      
      Define the values as unsigned int or unsigned long long based on the
      actual size of the register. This prevents subtle issues caused by
      having a type that is too small. For example:
      
          #define OPTION_ENABLE 0x3
          #define OPTION_SHIFT  32
      
          uint64_t mask = OPTION_ENABLE << OPTION_SHIFT;
      
      Because OPTION_ENABLE fits in an int, the value is considered an int.
      This means that, after shifting it 32 places to the left, the final
      result is 0. The correct way to define the values is:
      
          #define OPTION_ENABLE ULL(0x3)
          #define OPTION_SHIFT  U(32)
      
      In this case, the compiler is forced to use a 64 bit value from the
      start, so shifting it 32 places to the left results in the expected
      value.
      
      Change-Id: Ieaf2ffc2d8caa48c622db011f2aef549e713e019
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      30399885
  24. 27 Jun, 2018 1 commit
    • Jeenu Viswambharan's avatar
      xlat v2: Split MMU setup and enable · 0cc7aa89
      Jeenu Viswambharan authored
      
      
      At present, the function provided by the translation library to enable
      MMU constructs appropriate values for translation library, and programs
      them to the right registers. The construction of initial values,
      however, is only required once as both the primary and secondaries
      program the same values.
      
      Additionally, the MMU-enabling function is written in C, which means
      there's an active stack at the time of enabling MMU. On some systems,
      like Arm DynamIQ, having active stack while enabling MMU during warm
      boot might lead to coherency problems.
      
      This patch addresses both the above problems by:
      
        - Splitting the MMU-enabling function into two: one that sets up
          values to be programmed into the registers, and another one that
          takes the pre-computed values and writes to the appropriate
          registers. With this, the primary effectively calls both functions
          to have the MMU enabled, but secondaries only need to call the
          latter.
      
        - Rewriting the function that enables MMU in assembly so that it
          doesn't use stack.
      
      This patch fixes a bunch of MISRA issues on the way.
      
      Change-Id: I0faca97263a970ffe765f0e731a1417e43fbfc45
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      0cc7aa89
  25. 20 Jun, 2018 1 commit
    • Soby Mathew's avatar
      ARM Platforms: Update CNTFRQ register in CNTCTLBase frame · 342d6220
      Soby Mathew authored
      
      
      Currently TF-A doesn't initialise CNTFRQ register in CNTCTLBase
      frame of the system timer. ARM ARM states that "The instance of
      the register in the CNTCTLBase frame must be programmed with this
      value as part of system initialization."
      
      The psci_arch_setup() updates the CNTFRQ system register but
      according to the ARM ARM, this instance of the register is
      independent of the memory mapped instance. This is only an issue
      for Normal world software which relies on the memory mapped
      instance rather than the system register one.
      
      This patch resolves the issue for ARM platforms.
      
      The patch also solves a related issue on Juno, wherein
      CNTBaseN.CNTFRQ can be written and does not reflect the value of
      the register in CNTCTLBase frame. Hence this patch additionally
      updates CNTFRQ register in the Non Secure frame of the CNTBaseN.
      
      Fixes ARM-Software/tf-issues#593
      
      Change-Id: I09cebb6633688b34d5b1bc349fbde4751025b350
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      342d6220
  26. 31 Jan, 2018 2 commits
  27. 18 Jan, 2018 1 commit
    • Dimitris Papastamos's avatar
      sp_min: Implement workaround for CVE-2017-5715 · 7343505d
      Dimitris Papastamos authored
      
      
      This patch introduces two workarounds for ARMv7 systems.  The
      workarounds need to be applied prior to any `branch` instruction in
      secure world.  This is achieved using a custom vector table where each
      entry is an `add sp, sp, #1` instruction.
      
      On entry to monitor mode, once the sequence of `ADD` instructions is
      executed, the branch target buffer (BTB) is invalidated.  The bottom
      bits of `SP` are then used to decode the exception entry type.
      
      A side effect of this change is that the exception vectors are
      installed before the CPU specific reset function.  This is now
      consistent with how it is done on AArch64.
      
      Note, on AArch32 systems, the exception vectors are typically tightly
      integrated with the secure payload (e.g. the Trusted OS).  This
      workaround will need porting to each secure payload that requires it.
      
      The patch to modify the AArch32 per-cpu vbar to the corresponding
      workaround vector table according to the CPU type will be done in a
      later patch.
      
      Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7343505d
  28. 29 Nov, 2017 1 commit
  29. 08 Nov, 2017 1 commit
  30. 16 Oct, 2017 1 commit
  31. 13 Oct, 2017 1 commit
    • David Cunado's avatar
      Init and save / restore of PMCR_EL0 / PMCR · 3e61b2b5
      David Cunado authored
      
      
      Currently TF does not initialise the PMCR_EL0 register in
      the secure context or save/restore the register.
      
      In particular, the DP field may not be set to one to prohibit
      cycle counting in the secure state, even though event counting
      generally is prohibited via the default setting of MDCR_EL3.SMPE
      to 0.
      
      This patch initialises PMCR_EL0.DP to one in the secure state
      to prohibit cycle counting and also initialises other fields
      that have an architectually UNKNOWN reset value.
      
      Additionally, PMCR_EL0 is added to the list of registers that are
      saved and restored during a world switch.
      
      Similar changes are made for PMCR for the AArch32 execution state.
      
      NOTE: secure world code at lower ELs that assume other values in PMCR_EL0
      will be impacted.
      
      Change-Id: Iae40e8c0a196d74053accf97063ebc257b4d2f3a
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      3e61b2b5
  32. 11 Sep, 2017 1 commit
  33. 24 Aug, 2017 1 commit
    • Isla Mitchell's avatar
      Enable CnP bit for ARMv8.2 CPUs · 9fce2725
      Isla Mitchell authored
      
      
      This patch enables the CnP (Common not Private) bit for secure page
      tables so that multiple PEs in the same Inner Shareable domain can use
      the same translation table entries for a given stage of translation in
      a particular translation regime. This only takes effect when ARM
      Trusted Firmware is built with ARM_ARCH_MINOR >= 2.
      
      ARM Trusted Firmware Design has been updated to include a description
      of this feature usage.
      
      Change-Id: I698305f047400119aa1900d34c65368022e410b8
      Signed-off-by: default avatarIsla Mitchell <isla.mitchell@arm.com>
      9fce2725
  34. 21 Jun, 2017 1 commit
    • David Cunado's avatar
      Fully initialise essential control registers · 18f2efd6
      David Cunado authored
      
      
      This patch updates the el3_arch_init_common macro so that it fully
      initialises essential control registers rather then relying on hardware
      to set the reset values.
      
      The context management functions are also updated to fully initialise
      the appropriate control registers when initialising the non-secure and
      secure context structures and when preparing to leave EL3 for a lower
      EL.
      
      This gives better alignement with the ARM ARM which states that software
      must initialise RES0 and RES1 fields with 0 / 1.
      
      This patch also corrects the following typos:
      
      "NASCR definitions" -> "NSACR definitions"
      
      Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      18f2efd6
  35. 03 May, 2017 1 commit
  36. 20 Apr, 2017 2 commits