1. 03 Jun, 2016 1 commit
    • Soby Mathew's avatar
      Build option to include AArch32 registers in cpu context · 8cd16e6b
      Soby Mathew authored
      The system registers that are saved and restored in CPU context include
      AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
      DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
      AArch64-only (i.e. on hardware that does not implement AArch32, or at
      least not at EL1 and higher ELs) platform leads to an exception. This patch
      introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
      include these AArch32 systems registers in the cpu context or not. By default
      this build option is set to 1 to ensure compatibility. AArch64-only platforms
      must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
      verify this.
      
      Fixes ARM-software/tf-issues#386
      
      Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
      8cd16e6b
  2. 14 Apr, 2016 1 commit
    • Sandrine Bailleux's avatar
      Give user's compiler flags precedence over default ones · 403973c9
      Sandrine Bailleux authored
      The user can provide additional CFLAGS to use when building TF.
      However, these custom CFLAGS are currently prepended to the
      standard CFLAGS that are hardcoded in the TF build system. This
      is an issue because when providing conflicting compiler flags
      (e.g. different optimisations levels like -O1 and -O0), the last
      one on the command line usually takes precedence. This means that
      the user flags get overriden.
      
      To address this problem, this patch separates the TF CFLAGS from
      the user CFLAGS. The former are now stored in the TF_CFLAGS make
      variable, whereas the CFLAGS make variable is untouched and reserved
      for the user. The order of the 2 sets of flags is enforced when
      invoking the compiler.
      
      Fixes ARM-Software/tf-issues#350
      
      Change-Id: Ib189f44555b885f1dffbec6015092f381600e560
      403973c9
  3. 08 Apr, 2016 4 commits
    • Antonio Nino Diaz's avatar
      Remove markdown files from coding style check · 8f524c22
      Antonio Nino Diaz authored
      All markdown (.md) files in the root directory of the repository and
      all the files inside the 'docs' directory have been removed from
      ROOT_DIRS_TO_CHECK in the Makefile in order not to perform the coding
      style check on them.
      
      Change-Id: Iac397b44f95cbcdb9a52cc20bf69998c394ac00a
      8f524c22
    • Antonio Nino Diaz's avatar
      Fix list of paths to perform coding style check on · 3323fe1d
      Antonio Nino Diaz authored
      Removed an extra parentheses that produced an invalid list of files
      and directories to check by checkpatch.pl.
      
      Change-Id: Iefe2c1f8be6e7b7b58f6ffe3e16fe6336b9a8689
      3323fe1d
    • Antonio Nino Diaz's avatar
      Rename BL33_BASE option to PRELOADED_BL33_BASE · 68450a6d
      Antonio Nino Diaz authored
      To avoid confusion the build option BL33_BASE has been renamed to
      PRELOADED_BL33_BASE, which is more descriptive of what it does and
      doesn't get mistaken by similar names like BL32_BASE that work in a
      completely different way.
      
      NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
      BUILD OPTION `PRELOADED_BL33_BASE`.
      
      Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b
      68450a6d
    • Antonio Nino Diaz's avatar
      Remove BL32_BASE when building without SPD for FVP · 81d139d5
      Antonio Nino Diaz authored
      Previously, when building TF without SPD support, BL2 tried to load a
      BL32 image from the FIP and fails to find one, which resulted on
      warning messages on the console. Even if there is a BL32 image in the
      FIP it shouldn't be loaded because there is no way to transfer
      control to the Secure Payload without SPD support.
      
      The Makefile has been modified to pass a define of the form
      SPD_${SPD} to the source code the same way it's done for PLAT. The
      define SPD_none is then used to undefine BL32_BASE when BL32 is not
      used to prevent BL2 from trying to load a BL32 image and failing,
      thus removing the warning messages mentioned above.
      
      Fixes ARM-software/tf-issues#287
      
      Change-Id: Ifeb6f1c26935efb76afd353fea88e87ba09e9658
      81d139d5
  4. 01 Apr, 2016 5 commits
    • Evan Lloyd's avatar
      Make:Allow for extension in tool names. · 42a45b51
      Evan Lloyd authored
      In some build environments executable programs have a specific file
      extension.  The value of BIN_EXT is appended to the relevant tool file
      names to allow for this.
      The value of BIN_EXT is set, where appropriate, by the build environment
      specific make helper (to .exe for Windows build environments).
      
      .gitignore is updated to hide the new (.exe) files.
      
      Change-Id: Icc32f64b750e425265075ad4e0dea18129640b86
      42a45b51
    • Evan Lloyd's avatar
      Make:Use "simply expanded" make variables. · b169f6a9
      Evan Lloyd authored
      Replace some "recursively expanded" make variables with "simply
      expanded" variables (i.e. replace = with :=). This has no functional
      impact but is more consistent and theoretically more efficient.
      
      Change-Id: Iaf33d7c8ad48464ae0d39923515d1e7f230c95c1
      b169f6a9
    • Evan Lloyd's avatar
      Make:Use environment variables for OS detection. · e7f54dbd
      Evan Lloyd authored
      Add make helper files to select the appropriate settings for the build
      environment. Selection is made in make_helpers/build_env.mk, which
      selects other files to include using generic build environment settings.
      The Trusted Firmware Makefile and supporting tool Makefiles are updated
      to include build_env.mk instead of unix.mk.
      
      NOTE: This change does not fully enable builds in other build
            environments. It facilitates this without compromising the
            existing build environments.
      
      Change-Id: Ic4064ffe6ce158bbd16d7cc9f27dd4655a3580f6
      e7f54dbd
    • Evan Lloyd's avatar
      Make:Make shell commands more portable · f1477d4a
      Evan Lloyd authored
      Macros are inserted to replace direct invocations of commands that are
      problematic on some build environments. (e.g. Some environments expect
      \ in paths instead of /.)
      The changes take into account mismatched command mappings across
      environments.
      The new helper file unix.mk retains existing makefile behaviour on unix
      like build environments by providing the following macro definitions:
        SHELL_COPY        cp -f
        SHELL_COPY_TREE   cp -rf
        SHELL_DELETE      rm -f
        SHELL_DELETE_ALL  rm -rf
        MAKE_PREREQ_DIR   mkdir -p  (As make target)
        SHELL_REMOVE_DIR  rm -rf
      
      Change-Id: I1b5ca5e1208e78230b15284c4af00c1c006cffcb
      f1477d4a
    • Evan Lloyd's avatar
      Make:Remove calls to shell from makefiles. · 231c1470
      Evan Lloyd authored
      As an initial stage of making Trusted Firmware build environment more
      portable, we remove most uses of the $(shell ) function and replace them
      with more portable make function based solutions.
      
      Note that the setting of BUILD_STRING still uses $(shell ) since it's
      not possible to reimplement this as a make function. Avoiding invocation
      of this on incompatible host platforms will be implemented separately.
      
      Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
      231c1470
  5. 31 Mar, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Remove xlat_helpers.c · f33fbb2f
      Antonio Nino Diaz authored
      lib/aarch64/xlat_helpers.c defines helper functions to build
      translation descriptors, but no common code or upstream platform
      port uses them. As the rest of the xlat_tables code evolves, there
      may be conflicts with these helpers, therefore this code should be
      removed.
      
      Change-Id: I9f5be99720f929264818af33db8dada785368711
      f33fbb2f
  6. 02 Mar, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Enable preloaded BL33 alternative boot flow · cf2c8a33
      Antonio Nino Diaz authored
      Enable alternative boot flow where BL2 does not load BL33 from
      non-volatile storage, and BL31 hands execution over to a preloaded
      BL33.
      
      The flag used to enable this bootflow is BL33_BASE, which must hold
      the entrypoint address of the BL33 image. The User Guide has been
      updated with an example of how to use this option with a bootwrapped
      kernel.
      
      Change-Id: I48087421a7b0636ac40dca7d457d745129da474f
      cf2c8a33
  7. 26 Feb, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Compile stdlib C files individually · 191a0088
      Antonio Nino Diaz authored
      All C files of stdlib were included into std.c, which was the file
      that the Makefile actually compiled. This is a poor way of compiling
      all the files and, while it may work fine most times, it's
      discouraged.
      
      In this particular case, each C file included its own headers, which
      were later included into std.c. For example, this caused problems
      because a duplicated typedef of u_short in both subr_prf.c and
      types.h. While that may require an issue on its own, this kind of
      problems are avoided if all C files are as independent as possible.
      
      Change-Id: I9a7833fd2933003f19a5d7db921ed8542ea2d04a
      191a0088
  8. 08 Feb, 2016 1 commit
    • Sandrine Bailleux's avatar
      Disable non-temporal hint on Cortex-A53/57 · 54035fc4
      Sandrine Bailleux authored
      The LDNP/STNP instructions as implemented on Cortex-A53 and
      Cortex-A57 do not behave in a way most programmers expect, and will
      most probably result in a significant speed degradation to any code
      that employs them. The ARMv8-A architecture (see Document ARM DDI
      0487A.h, section D3.4.3) allows cores to ignore the non-temporal hint
      and treat LDNP/STNP as LDP/STP instead.
      
      This patch introduces 2 new build flags:
      A53_DISABLE_NON_TEMPORAL_HINT and A57_DISABLE_NON_TEMPORAL_HINT
      to enforce this behaviour on Cortex-A53 and Cortex-A57. They are
      enabled by default.
      
      The string printed in debug builds when a specific CPU errata
      workaround is compiled in but skipped at runtime has been
      generalised, so that it can be reused for the non-temporal hint use
      case as well.
      
      Change-Id: I3e354f4797fd5d3959872a678e160322b13867a1
      54035fc4
  9. 05 Jan, 2016 1 commit
    • Juan Castillo's avatar
      Apply TBBR naming convention to the fip_create options · 8f0617ef
      Juan Castillo authored
      The fip_create tool specifies images in the command line using the
      ARM TF naming convention (--bl2, --bl31, etc), while the cert_create
      tool uses the TBBR convention (--tb-fw, --soc-fw, etc). This double
      convention is confusing and should be aligned.
      
      This patch updates the fip_create command line options to follow the
      TBBR naming convention. Usage examples in the User Guide have been
      also updated.
      
      NOTE: users that build the FIP by calling the fip_create tool directly
      from the command line must update the command line options in their
      scripts. Users that build the FIP by invoking the main ARM TF Makefile
      should not notice any difference.
      
      Change-Id: I84d602630a2585e558d927b50dfde4dd2112496f
      8f0617ef
  10. 22 Dec, 2015 1 commit
  11. 21 Dec, 2015 1 commit
  12. 14 Dec, 2015 1 commit
  13. 10 Dec, 2015 1 commit
    • Juan Castillo's avatar
      De-feature PL011 UART driver to match generic UART spec · 12f654b6
      Juan Castillo authored
      The Server Base System Architecture document (ARM-DEN-0029)
      specifies a generic UART device. The programmer's view of this
      generic UART is a subset of the ARM PL011 UART. However, the
      current PL011 driver in Trusted Firmware uses some features
      that are outside the generic UART specification.
      
      This patch modifies the PL011 driver to exclude features outside
      the SBSA generic UART specification by setting the boolean build
      option 'PL011_GENERIC_UART=1'. Default value is 0 (use full
      PL011 features).
      
      User guide updated.
      
      Fixes ARM-software/tf-issues#216
      
      Change-Id: I6e0eb86f9d69569bc3980fb57e70d6da5d91a737
      12f654b6
  14. 09 Dec, 2015 3 commits
    • Yatharth Kochar's avatar
      FWU: Add support for `fwu_fip` target · 0191262d
      Yatharth Kochar authored
      Firmware update feature needs a new FIP called `fwu_fip.bin` that
      includes Secure(SCP_BL2U, BL2U) and Normal world(NS_BL2U) images
      along with the FWU_CERT certificate in order for NS_BL1U to load
      the images and help the Firmware update process to complete.
      
      This patch adds the capability to support the new target `fwu_fip`
      which includes above mentioned FWU images in the make files.
      
      The new target of `fwu_fip` and its dependencies are included for
      compilation only when `TRUSTED_BOARD_BOOT` is defined.
      
      Change-Id: Ie780e3aac6cbd0edfaff3f9af96a2332bd69edbc
      0191262d
    • Yatharth Kochar's avatar
      FWU: Add Generic BL2U FWU image support in BL2 · 9003fa0b
      Yatharth Kochar authored
      The Firmware Update (FWU) feature needs support for an optional
      secure world image, BL2U, to allow additional secure world
      initialization required by FWU, for example DDR initialization.
      
      This patch adds generic framework support to create BL2U.
      
      NOTE: A platform makefile must supply additional `BL2U_SOURCES`
            to build the bl2u target. A subsequent patch adds bl2u
            support for ARM platforms.
      
      Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413
      9003fa0b
    • Yatharth Kochar's avatar
      FWU: Add Generic Firmware Update framework support in BL1 · 48bfb88e
      Yatharth Kochar authored
      Firmware update(a.k.a FWU) feature is part of the TBB architecture.
      BL1 is responsible for carrying out the FWU process if platform
      specific code detects that it is needed.
      
      This patch adds support for FWU feature support in BL1 which is
      included by enabling `TRUSTED_BOARD_BOOT` compile time flag.
      
      This patch adds bl1_fwu.c which contains all the core operations
      of FWU, which are; SMC handler, image copy, authentication, execution
      and resumption. It also adds bl1.h introducing #defines for all
      BL1 SMCs.
      
      Following platform porting functions are introduced:
      
      int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
      unsigned int flags);
      	This function can be used to add platform specific memory checks
      	for the provided base/size for the given security state.
      	The weak definition will invoke `assert()` and return -ENOMEM.
      
      __dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
      	This function can be used to initiate platform specific procedure
      	to mark completion of the FWU process.
      	The weak definition waits forever calling `wfi()`.
      
      plat_bl1_common.c contains weak definitions for above functions.
      
      FWU process starts when platform detects it and return the image_id
      other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
      `bl1_main()`.
      
      NOTE: User MUST provide platform specific real definition for
      bl1_plat_mem_check() in order to use it for Firmware update.
      
      Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
      48bfb88e
  15. 26 Nov, 2015 3 commits
    • Sandrine Bailleux's avatar
      Introduce COLD_BOOT_SINGLE_CPU build option · a9bec67d
      Sandrine Bailleux authored
      This patch introduces a new build option named COLD_BOOT_SINGLE_CPU,
      which allows platforms that only release a single CPU out of reset to
      slightly optimise their cold boot code, both in terms of code size
      and performance.
      
      COLD_BOOT_SINGLE_CPU defaults to 0, which assumes that the platform
      may release several CPUs out of reset. In this case, the cold reset
      code needs to coordinate all CPUs via the usual primary/secondary
      CPU distinction.
      
      If a platform guarantees that only a single CPU will ever be released
      out of reset, there is no need to arbitrate execution ; the notion of
      primary and secondary CPUs itself no longer exists. Such platforms
      may set COLD_BOOT_SINGLE_CPU to 1 in order to compile out the
      primary/secondary CPU identification in the cold reset code.
      
      All ARM standard platforms can release several CPUs out of reset
      so they use COLD_BOOT_SINGLE_CPU=0. However, on CSS platforms like
      Juno, bringing up more than one CPU at reset should only be attempted
      when booting an EL3 payload, as it is not fully supported in the
      normal boot flow.
      
      For platforms using COLD_BOOT_SINGLE_CPU=1, the following 2 platform
      APIs become optional:
        - plat_secondary_cold_boot_setup();
        - plat_is_my_cpu_primary().
      The Porting Guide has been updated to reflect that.
      
      User Guide updated as well.
      
      Change-Id: Ic5b474e61b7aec1377d1e0b6925d17dfc376c46b
      a9bec67d
    • Sandrine Bailleux's avatar
      CSS: Enable booting of EL3 payloads · 4c117f6c
      Sandrine Bailleux authored
      This patch adds support for booting EL3 payloads on CSS platforms,
      for example Juno. In this scenario, the Trusted Firmware follows
      its normal boot flow up to the point where it would normally pass
      control to the BL31 image. At this point, it jumps to the EL3
      payload entry point address instead.
      
      Before handing over to the EL3 payload, the data SCP writes for AP
      at the beginning of the Trusted SRAM is restored, i.e. we zero the
      first 128 bytes and restore the SCP Boot configuration. The latter
      is saved before transferring the BL30 image to SCP and is restored
      just after the transfer (in BL2). The goal is to make it appear that
      the EL3 payload is the first piece of software to run on the target.
      
      The BL31 entrypoint info structure is updated to make the primary
      CPU jump to the EL3 payload instead of the BL31 image.
      
      The mailbox is populated with the EL3 payload entrypoint address,
      which releases the secondary CPUs out of their holding pen (if the
      SCP has powered them on). The arm_program_trusted_mailbox() function
      has been exported for this purpose.
      
      The TZC-400 configuration in BL2 is simplified: it grants secure
      access only to the whole DRAM. Other security initialization is
      unchanged.
      
      This alternative boot flow is disabled by default. A new build option
      EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
      payload's entry point address. The build system has been modified
      such that BL31 and BL33 are not compiled and/or not put in the FIP in
      this case, as those images are not used in this boot flow.
      
      Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077
      4c117f6c
    • Sandrine Bailleux's avatar
      Introduce SPIN_ON_BL1_EXIT build flag · 35e8c766
      Sandrine Bailleux authored
      This patch introduces a new build flag, SPIN_ON_BL1_EXIT, which
      puts an infinite loop in BL1. It is intended to help debugging
      the post-BL2 phase of the Trusted Firmware by stopping execution
      in BL1 just before handing over to BL31. At this point, the
      developer may take control of the target using a debugger.
      
      This feature is disabled by default and can be enabled by
      rebuilding BL1 with SPIN_ON_BL1_EXIT=1.
      
      User Guide updated accordingly.
      
      Change-Id: I6b6779d5949c9e5571dd371255520ef1ac39685c
      35e8c766
  16. 24 Nov, 2015 1 commit
    • Soby Mathew's avatar
      Replace build macro WARN_DEPRECATED with ERROR_DEPRECATED · 7a24cba5
      Soby Mathew authored
      This patch changes the build time behaviour when using deprecated API within
      Trusted Firmware. Previously the use of deprecated APIs would only trigger a
      build warning (which was always treated as a build error), when
      WARN_DEPRECATED = 1. Now, the use of deprecated C declarations will always
      trigger a build time warning. Whether this warning is treated as error or not
      is determined by the build flag ERROR_DEPRECATED which is disabled by default.
      When the build flag ERROR_DEPRECATED=1, the invocation of deprecated API or
      inclusion of deprecated headers will result in a build error.
      
      Also the deprecated context management helpers in context_mgmt.c are now
      conditionally compiled depending on the value of ERROR_DEPRECATED flag
      so that the APIs themselves do not result in a build error when the
      ERROR_DEPRECATED flag is set.
      
      NOTE: Build systems that use the macro WARN_DEPRECATED must migrate to
      using ERROR_DEPRECATED, otherwise deprecated API usage will no longer
      trigger a build error.
      
      Change-Id: I843bceef6bde979af7e9b51dddf861035ec7965a
      7a24cba5
  17. 17 Nov, 2015 1 commit
    • Juan Castillo's avatar
      Fix build error when `BL32` is not defined · 70d1fc53
      Juan Castillo authored
      If an SPD wants to use a prebuilt binary as BL32 image (for example,
      the OPTEE Dispatcher), it must point the `BL32` variable to the
      image file. This dependency should apply only to the `fip` target.
      However, it also applies to the `all` target at the moment. If the
      user tries to build all individual TF images using `make all`
      without setting BL32, the build fails. The following command will
      throw the error:
      
          make CROSS_COMPILE=aarch64-linux-gnu- SPD=opteed all
          ...
          ...
          aarch64-linux-gnu-gcc: fatal error: no input files
          compilation terminated.
          make: *** [build/fvp/release/bl32/bl32.ld] Error 1
      
      The reason is that the build system checks if BL32 is defined, and
      if it is not, it will try to build BL32 from source. If the SPD
      makefile does not provide support for that (as is the case of the
      OPTEE Dispatcher, since OPTEE is provided as an external binary),
      the build will fail.
      
      This patch fixes the issue by checking if `BL32_SOURCES` has been
      defined by the SPD before attempting to build BL32 from source.
      If neither `BL32` nor `BL32_SOURCES` is defined when building the
      FIP, a warning message will be printed and the process aborted.
      
      Fixes ARM-software/tf-issues#333
      
      Change-Id: I5e801ad333103ed9b042e5c4757424c8df2ff6e4
      70d1fc53
  18. 10 Nov, 2015 1 commit
    • Juan Castillo's avatar
      Add -mstrict-align to the gcc options · fa1d3712
      Juan Castillo authored
      ARMv8 architecture allows unaligned memory accesses. However,
      Trusted Firmware disables such feature by setting the SCTLR_A_BIT
      and SCTLR_SA_BIT in the SCTLR_EL3 register (it enables alignment
      checks).
      
      This patch adds -mstrict-align to the gcc build options. Although
      there are not explicit unaligned memory accesses in Trusted Firmware,
      this flag will tell the compiler not to use them.
      
      Fixes ARM-software/tf-issues#294
      
      Change-Id: I69748c6cf28504be9ca3dc975a331d14459c9ef1
      fa1d3712
  19. 07 Nov, 2015 1 commit
    • Achin Gupta's avatar
      Re-introduce evaluation of ENABLE_PLAT_COMPAT build flag · 93271a1e
      Achin Gupta authored
      Commit #73c99d4e had refactored the top level
      Makefile. This commit also broke platform ports that still rely on an enabled
      ENABLE_PLAT_COMPAT build option since the evaluation of this option was also
      accidentally removed from the Makefile.
      
      This patch fixes this break by re-introducing the necessary support to ensure
      that this build option is enabled by default if a platform port does not disable
      it explicitly.
      
      Fixes ARM-software/tf-issues#332
      
      Change-Id: I2217595d2e0bccae7de98cc6c0ea448b5bf3dae2
      93271a1e
  20. 27 Oct, 2015 2 commits
    • Juan Castillo's avatar
      Make: fix dependency files generation · 88154678
      Juan Castillo authored
      Currently, if no make goal is specified in the command line, 'all'
      is assumed by default, but the dependency files are not generated.
      This might lead to a successful but inconsistent build. This patch
      provides a fix to the problem.
      
      Change-Id: I0148719e114dbdbe46f8a57c7d05da7cbc212c92
      88154678
    • Juan Castillo's avatar
      Rework Makefile · 73c99d4e
      Juan Castillo authored
      This patch is a complete rework of the main Makefile. Functionality
      remains the same but the code has been reorganized in sections in
      order to improve readability and facilitate adding future extensions.
      
      A new file 'build_macros.mk' has been created and will contain common
      definitions (variables, macros, etc) that may be used from the main
      Makefile and other platform specific makefiles.
      
      A new macro 'FIP_ADD_IMG' has been introduced and it will allow the
      platform to specify binary images and the necessary checks for a
      successful build. Platforms that require a BL30 image no longer need
      to specify the NEED_BL30 option. The main Makefile is now completely
      unaware of additional images not built as part of Trusted Firmware,
      like BL30. It is the platform responsibility to specify images using
      the macro 'FIP_ADD_IMG'. Juno uses this macro to include the BL30
      image in the build.
      
      BL33 image is specified in the main Makefile to preserve backward
      compatibility with the NEED_BL33 option. Otherwise, platform ports
      that rely on the definition of NEED_BL33 might break.
      
      All Trusted Board Boot related definitions have been moved to a
      separate file 'tbbr_tools.mk'. The main Makefile will include this
      file unless the platform indicates otherwise by setting the variable
      'INCLUDE_TBBR_MK := 0' in the corresponding platform.mk file. This
      will keep backward compatibility but ideally each platform should
      include the corresponding TBB .mk file in platform.mk.
      
      Change-Id: I35e7bc9930d38132412e950e20aa2a01e2b26801
      73c99d4e
  21. 13 Aug, 2015 4 commits
    • Soby Mathew's avatar
      PSCI: Add deprecated API for SPD when compatibility is disabled · 5c8babcd
      Soby Mathew authored
      This patch defines deprecated platform APIs to enable Trusted
      Firmware components like Secure Payload and their dispatchers(SPD)
      to continue to build and run when platform compatibility is disabled.
      This decouples the migration of platform ports to the new platform API
      from SPD and enables them to be migrated independently. The deprecated
      platform APIs defined in this patch are : platform_get_core_pos(),
      platform_get_stack() and platform_set_stack().
      
      The patch also deprecates MPIDR based context management helpers like
      cm_get_context_by_mpidr(), cm_set_context_by_mpidr() and cm_init_context().
      A mechanism to deprecate APIs and identify callers of these APIs during
      build is introduced, which is controlled by the build flag WARN_DEPRECATED.
      If WARN_DEPRECATED is defined to 1, the users of the deprecated APIs will be
      flagged either as a link error for assembly files or compile time warning
      for C files during build.
      
      Change-Id: Ib72c7d5dc956e1a74d2294a939205b200f055613
      5c8babcd
    • Soby Mathew's avatar
      PSCI: Switch to the new PSCI frameworks · 67487846
      Soby Mathew authored
      This commit does the switch to the new PSCI framework implementation replacing
      the existing files in PSCI folder with the ones in PSCI1.0 folder. The
      corresponding makefiles are modified as required for the new implementation.
      The platform.h header file is also is switched to the new one
      as required by the new frameworks. The build flag ENABLE_PLAT_COMPAT defaults
      to 1 to enable compatibility layer which let the existing platform ports to
      continue to build and run with minimal changes.
      
      The default weak implementation of platform_get_core_pos() is now removed from
      platform_helpers.S and is provided by the compatibility layer.
      
      Note: The Secure Payloads and their dispatchers still use the old platform
      and framework APIs and hence it is expected that the ENABLE_PLAT_COMPAT build
      flag will remain enabled in subsequent patch. The compatibility for SPDs using
      the older APIs on platforms migrated to the new APIs will be added in the
      following patch.
      
      Change-Id: I18c51b3a085b564aa05fdd98d11c9f3335712719
      67487846
    • Soby Mathew's avatar
      PSCI: Implement platform compatibility layer · 32bc85f2
      Soby Mathew authored
      The new PSCI topology framework and PSCI extended State framework introduces
      a breaking change in the platform port APIs. To ease the migration of the
      platform ports to the new porting interface, a compatibility layer is
      introduced which essentially defines the new platform API in terms of the
      old API. The old PSCI helpers to retrieve the power-state, its associated
      fields and the highest coordinated physical OFF affinity level of a core
      are also implemented for compatibility. This allows the existing
      platform ports to work with the new PSCI framework without significant
      rework. This layer will be enabled by default once the switch to the new
      PSCI framework is done and is controlled by the build flag ENABLE_PLAT_COMPAT.
      
      Change-Id: I4b17cac3a4f3375910a36dba6b03d8f1700d07e3
      32bc85f2
    • Soby Mathew's avatar
      PSCI: Add framework to handle composite power states · 8ee24980
      Soby Mathew authored
      The state-id field in the power-state parameter of a CPU_SUSPEND call can be
      used to describe composite power states specific to a platform. The current PSCI
      implementation does not interpret the state-id field. It relies on the target
      power level and the state type fields in the power-state parameter to perform
      state coordination and power management operations. The framework introduced
      in this patch allows the PSCI implementation to intepret generic global states
      like RUN, RETENTION or OFF from the State-ID to make global state coordination
      decisions and reduce the complexity of platform ports. It adds support to
      involve the platform in state coordination which facilitates the use of
      composite power states and improves the support for entering standby states
      at multiple power domains.
      
      The patch also includes support for extended state-id format for the power
      state parameter as specified by PSCIv1.0.
      
      The PSCI implementation now defines a generic representation of the power-state
      parameter. It depends on the platform port to convert the power-state parameter
      (possibly encoding a composite power state) passed in a CPU_SUSPEND call to this
      representation via the `validate_power_state()` plat_psci_ops handler. It is an
      array where each index corresponds to a power level. Each entry contains the
      local power state the power domain at that power level could enter.
      
      The meaning of the local power state values is platform defined, and may vary
      between levels in a single platform. The PSCI implementation constrains the
      values only so that it can classify the state as RUN, RETENTION or OFF as
      required by the specification:
         * zero means RUN
         * all OFF state values at all levels must be higher than all RETENTION
           state values at all levels
         * the platform provides PLAT_MAX_RET_STATE and PLAT_MAX_OFF_STATE values
           to the framework
      
      The platform also must define the macros PLAT_MAX_RET_STATE and
      PLAT_MAX_OFF_STATE which lets the PSCI implementation find out which power
      domains have been requested to enter a retention or power down state. The PSCI
      implementation does not interpret the local power states defined by the
      platform. The only constraint is that the PLAT_MAX_RET_STATE <
      PLAT_MAX_OFF_STATE.
      
      For a power domain tree, the generic implementation maintains an array of local
      power states. These are the states requested for each power domain by all the
      cores contained within the domain. During a request to place multiple power
      domains in a low power state, the platform is passed an array of requested
      power-states for each power domain through the plat_get_target_pwr_state()
      API. It coordinates amongst these states to determine a target local power
      state for the power domain. A default weak implementation of this API is
      provided in the platform layer which returns the minimum of the requested
      power-states back to the PSCI state coordination.
      
      Finally, the plat_psci_ops power management handlers are passed the target
      local power states for each affected power domain using the generic
      representation described above. The platform executes operations specific to
      these target states.
      
      The platform power management handler for placing a power domain in a standby
      state (plat_pm_ops_t.pwr_domain_standby()) is now only used as a fast path for
      placing a core power domain into a standby or retention state should now be
      used to only place the core power domain in a standby or retention state.
      
      The extended state-id power state format can be enabled by setting the
      build flag PSCI_EXTENDED_STATE_ID=1 and it is disabled by default.
      
      Change-Id: I9d4123d97e179529802c1f589baaa4101759d80c
      8ee24980
  22. 25 Jun, 2015 3 commits
    • Juan Castillo's avatar
      TBB: switch to the new authentication framework · 1779ba6b
      Juan Castillo authored
      This patch modifies the Trusted Board Boot implementation to use
      the new authentication framework, making use of the authentication
      module, the cryto module and the image parser module to
      authenticate the images in the Chain of Trust.
      
      A new function 'load_auth_image()' has been implemented. When TBB
      is enabled, this function will call the authentication module to
      authenticate parent images following the CoT up to the root of
      trust to finally load and authenticate the requested image.
      
      The platform is responsible for picking up the right makefiles to
      build the corresponding cryptographic and image parser libraries.
      ARM platforms use the mbedTLS based libraries.
      
      The platform may also specify what key algorithm should be used
      to sign the certificates. This is done by declaring the 'KEY_ALG'
      variable in the platform makefile. FVP and Juno use ECDSA keys.
      
      On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
      each to accommodate the ECDSA code.
      
      REMOVED BUILD OPTIONS:
      
        * 'AUTH_MOD'
      
      Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
      1779ba6b
    • Juan Castillo's avatar
      TBB: add ECDSA support to the certificate generation tool · ccbf890e
      Juan Castillo authored
      This patch extends the 'cert_create' tool to support ECDSA keys
      to sign the certificates. The '--key-alg' command line option
      can be used to specify the key algorithm when invoking the tool.
      Available options are:
      
          * 'rsa': create RSA-2048 keys (default option)
          * 'ecdsa': create ECDSA-SECP256R1 keys
      
      The TF Makefile has been updated to allow the platform to specify
      the key algorithm by declaring the 'KEY_ALG' variable in the
      platform makefile.
      
      The behaviour regarding key management has changed. After applying
      this patch, the tool will try first to open the keys from disk. If
      one key does not exist or no key is specified, and the command line
      option to create keys has been specified, new keys will be created.
      Otherwise an error will be generated and the tool will exit. This
      way, the user may specify certain keys while the tool will create
      the remaining ones. This feature is useful for testing purposes
      and CI infrastructures.
      
      The OpenSSL directory may be specified using the build option
      'OPENSSL_DIR' when building the certificate generation tool.
      Default is '/usr'.
      
      Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7
      ccbf890e
    • Juan Castillo's avatar
      TBB: add build option to save private keys · fd34e7ba
      Juan Castillo authored
      This patch adds a boolean build option 'SAVE_KEYS' to indicate the
      certificate generation tool that it must save the private keys used
      to establish the chain of trust. This option depends on 'CREATE_KEYS'
      to be enabled. Default is '0' (do not save).
      
      Because the same filenames are used as outputs to save the keys,
      they are no longer a dependency to the cert_tool. This dependency
      has been removed from the Makefile.
      
      Documentation updated accordingly.
      
      Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b
      fd34e7ba
  23. 04 Jun, 2015 1 commit
    • Sandrine Bailleux's avatar
      Introduce PROGRAMMABLE_RESET_ADDRESS build option · bf031bba
      Sandrine Bailleux authored
      This patch introduces a new platform build option, called
      PROGRAMMABLE_RESET_ADDRESS, which tells whether the platform has
      a programmable or fixed reset vector address.
      
      If the reset vector address is fixed then the code relies on the
      platform_get_entrypoint() mailbox mechanism to figure out where
      it is supposed to jump. On the other hand, if it is programmable
      then it is assumed that the platform code will program directly
      the right address into the RVBAR register (instead of using the
      mailbox redirection) so the mailbox is ignored in this case.
      
      Change-Id: If59c3b11fb1f692976e1d8b96c7e2da0ebfba308
      bf031bba