GitLab

This patch provides support for measured boot by adding calculation
of BL2 image hash in BL1 and writing these data in TB_FW_CONFIG DTB.

Change-Id: Ic074a7ed19b14956719c271c805b35d147b7cec1
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

When SPD=spmd and SPMD_SPM_AT_SEL2=0, that is SPMC sits at S-EL1
then there is no need for TF-A to load secure partitions individually.
In this configuration, SPMC handles secure partition loading at
S-EL1/EL0 levels.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I06a0d88a4811274a8c347ce57b56bb5f64e345df

To demonstrate communication between SP's two instances of Cactus at
S-EL1 has been used.
This patch replaces Ivy SP with cactus-secondary SP which aligns with
changes in tf-a-tests repository.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iee84f1f7f023b7c4f23fbc13682a42614a7f3707

When using the SPM Dispatcher, the SPMC sits as a BL32 component
(BL32_IMAGE_ID). The SPMC manifest is passed as the TOS fw config
component (TOS_FW_CONFIG_ID). It defines platform specific attributes
(memory range and physical CPU layout) as well as the attributes for
each secure partition (mostly load address). This manifest is passed
to the SPMC on boot up. An SP package contains the SP dtb in the SPCI
defined partition manifest format. As the SPMC manifest was enriched
it needs an increase of tos_fw-config max-size in fvp_fw_config dts.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia1dce00c6c4cbaa118fa56617980d32e2956a94e

Rather than creating entry in plat_arm_mmap array to map the
entire DRAM region in BL31/SP_MIN, only map a smaller region holding
HW_CONFIG DTB. Consequently, an increase in number of sub-translation
tables(level-2 and level-3) i.e., MAX_XLAT_TABLES is necessary to map
the new region in memory.

In order to accommodate the increased code size in BL31 i.e.,
PROGBITS, the max size of BL31 image is increased by 0x1000(4K).

Change-Id: I540b8ee550588e22a3a9fb218183d2ab8061c851
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Implemented SMCCC_ARCH_SOC_ID call in order to get below
SOC information:

1. SOC revision
2. SOC version

Implementation done using below SMCCC specification document:
https://developer.arm.com/docs/den0028/c

Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ie0595f1c345a6429a6fb4a7f05534a0ca9c9a48b

Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
removes the duplicate io_policies and functions definition.

This patch:
- replace arm_io_storage.c with the content of arm_fconf_io_storage.c
- rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
- use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
- propagate DEFINES when parsing dts.
- use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
- set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
  of fvp stays the same as it was before the introduction of fconf.

Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Increase bl1 RW limit to allow future development.

Change-Id: I3159b36dbaca798b4c4374c1415cd033d6586388
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

This patch introduces the `SPCI_ID_GET` interface which will return the
ID of the calling SPCI component. Returns 0 for requests from the
non-secure world and the SPCI component ID as specified in the manifest
for secure world requests.

Change-Id: Icf81eb1d0e1d7d5c521571e04972b6e2d356e0d1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>

To accommodate the increasing size of the SCP_BL2 binary, the base
address of the memory region allocated to SCP_BL2 has been moved
downwards from its current (mostly) arbitrary address to the beginning
of the non-shared trusted SRAM.

Change-Id: I086a3765bf3ea88f45525223d765dc0dbad6b434
Signed-off-by: Chris Kay <chris.kay@arm.com>

Add CLCD, HDLCD, PCI and VIRTIO devices as source interfaces for TZC
filter unit to enable DMA for these devices.

Change-Id: Ifad2e56b18605311936e03cfcccda573cac7e60a
Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>

The motivation behind this patch and following patches is to extract
information about the platform in runtime rather than depending on
compile time macros such as FVP_CLUSTER_COUNT. This partially enables
us to use a single binary for a family of platforms which all have
similar hardware capabilities but differ in configurations.

we populate the data structure describing the power domain hierarchy
of the platform dynamically by querying the number of clusters and cpus
using fconf getter APIs. Compile time macro such as FVP_CLUSTER_COUNT
is still needed as it determines the size of related data structures.

Note that the cpu-map node in HW_CONFIG dts represents a logical
hierarchy of power domains of CPU. However, in reality, the power
domains may not have been physically built in such hierarchy.

Change-Id: Ibcbb5ca7b2c969f8ad03ab2eab289725245af7a9
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Create, register( and implicitly invoke) fconf_populate_topology()
function which extracts the topology related properties from dtb into
the newly created fconf based configuration structure 'soc_topology'.
Appropriate libfdt APIs are added to jmptbl.i file for use with USE_ROMLIB
build feature.

A new property which describes the power domain levels is added to the
HW_CONFIG device tree source files.

This patch also fixes a minor bug in the common device tree file
fvp-base-gicv3-psci-dynamiq-common.dtsi
As this file includes fvp-base-gicv3-psci-common.dtsi, it is necessary
to delete all previous cluster node definitons because DynamIQ based
models have upto 8 CPUs in each cluster. If not deleted, the final dts
would have an inaccurate description of SoC topology, i.e., cluster0
with 8 or more core nodes and cluster1 with 4 core nodes.

Change-Id: I9eb406da3ba4732008a66c01afec7c9fa8ef59bf
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN.
Created few populator() functions which parse HW_CONFIG device tree
and registered them with fconf framework. Many of the changes are
only applicable for fvp platform.

This patch:
1. Adds necessary symbols and sections in BL31, SP_MIN linker script
2. Adds necessary memory map entry for translation in BL31, SP_MIN
3. Creates an abstraction layer for hardware configuration based on
   fconf framework
4. Adds necessary changes to build flow (makefiles)
5. Minimal callback to read hw_config dtb for capturing properties
   related to GIC(interrupt-controller node)
6. updates the fconf documentation

Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

A populate() function essentially captures the value of a property,
defined by a platform, into a fconf related c structure. Such a
callback is usually platform specific and is associated to a specific
configuration source.
For example, a populate() function which captures the hardware topology
of the platform can only parse HW_CONFIG DTB. Hence each populator
function must be registered with a specific 'config_type' identifier.
It broadly represents a logical grouping of configuration properties
which is usually a device tree source file.

Example:
> TB_FW: properties related to trusted firmware such as IO policies,
	 base address of other DTBs, mbedtls heap info etc.
> HW_CONFIG: properties related to hardware configuration of the SoC
	 such as topology, GIC controller, PSCI hooks, CPU ID etc.

This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
to register and invoke the appropriate callbacks selectively based on
configuration type.

Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Shared RAM region in the remote chip's memory is used as one of the
mailbox region (SCMI payload area) through which the AP core on the
local chip and SCP core on the remote chip exchange SCMI protocol
message during the initialization. Mark this region as non-cacheable in
the MMAP entry to prevent local AP core from reading stale data from the
cache.

Change-Id: I7e9dc5fbcc3b40e9bcff5499f15abd2aadaed385
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>

Since N1SDP has a system level cache which is an
external LLC enable the NEOVERSE_N1_EXTERNAL_LLC flag.

Change-Id: Idb34274e61e7fd9db5485862a0caa497f3e290c7
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>

This patch provides separation of GICD, GICR accessor
functions and adds new macros for GICv3 registers access
as a preparation for GICv3.1 and GICv4 support.
NOTE: Platforms need to modify to include both
'gicdv3_helpers.c' and 'gicrv3_helpers.c' instead of the
single helper file previously.

Change-Id: I1641bd6d217d6eb7d1228be3c4177b2d556da60a
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

This patch implements loading of Secure Partition packages using
existing framework of loading other bl images.

The current framework uses a statically defined array to store all the
possible image types and at run time generates a link list and traverse
through it to load different images.

To load SPs, a new array of fixed size is introduced which will be
dynamically populated based on number of SPs available in the system
and it will be appended to the loadable images list.

Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Added SPMD_SPM_AT_SEL2 build command line parameter.
Set to 1 to run SPM at S-EL2.
Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled).
Removed runtime EL from SPM core manifest.

Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Add load address and UUID in fw config dts for Cactus and Ivy which are
example SP's in tf-test repository.

For prototype purpose these information is added manually but later on
it will be updated at compile time from SP layout file and SP manifests
provided by platform.

Change-Id: I41f485e0245d882c7b514bad41fae34036597ce4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Use the firmware configuration framework to retrieve information about
Secure Partitions to facilitate loading them into memory.

To load a SP image we need UUID look-up into FIP and the load address
where it needs to be loaded in memory.

This patch introduces a SP populator function which gets UUID and load
address from firmware config device tree and updates its C data
structure.

Change-Id: I17faec41803df9a76712dcc8b67cadb1c9daf8cd
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

MISRA C-2012 Rule 20.7:
Macro parameter expands into an expression without being wrapped by parentheses.

MISRA C-2012 Rule 12.1:
Missing explicit parentheses on sub-expression.

MISRA C-2012 Rule 18.4:
Essential type of the left hand operand is not the same as that of the right
operand.

Include does not provide any needed symbols.

Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

This patch fixes incorrect setting for DEVICE1_SIZE
for FVP platforms with more than 8 PEs.
The current value of 0x200000 supports only 8 PEs
and causes exception for FVP platforms with the greater
number of PEs, e.g. FVP_Base_Cortex_A65AEx8 with 16 PEs
in one cluster.

Change-Id: Ie6391509fe6eeafb8ba779303636cd762e7d21b2
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.

Change-Id: I7a23327394d142af4b293ea7ccd90b843c54587c
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466

The dualroot chain of trust involves 2 root-of-trust public keys:
- The classic ROTPK.
- The platform ROTPK (a.k.a. PROTPK).

Use the cookie argument as a key ID for plat_get_rotpk_info() to return the
appropriate one. This only applies if we are using the dualroot CoT ; if using
the TBBR one, the behaviour is unchanged.

Change-Id: I400707a87ec01afd5922b68db31d652d787f79bd
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

The cookie will be leveraged in the next commit.

Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

- Use the development PROTPK if using the dualroot CoT.

  Note that unlike the ROTPK, the PROTPK key hash file is not generated
  from the key file, instead it has to be provided. This might be
  enhanced in the future.

- Define a CoT build flag for the platform code to provide different
  implementations where needed.

Change-Id: Iaaf25183b94e77a99a5d8d875831d90c102a97ea
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

When using the new dualroot chain of trust, a new root of trust key is
needed to authenticate the images belonging to the platform owner.
Provide a development one to deploy this on Arm platforms.

Change-Id: I481145e09aa564822d474cb47d38ec211dd24efd
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

A TZC400 controller is placed inline on DRAM channels and regulates
the secure and non-secure accesses to both secure and non-secure
regions of the DRAM memory. Configure each of the TZC controllers
accordingly.

Change-Id: I75f6d13591a7fe9e50ce15c793e35a8018041815
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>

For platforms that have two or more TZC400 controllers instantiated,
allow the TZC400 driver to be usable with all those instances.
This is achieved by allowing 'arm_tzc400_setup' function to accept
the base address of the TZC400 controller.

Change-Id: I4add470e6ddb58432cd066145e644112400ab924
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>

The base address for second DRAM varies across different platforms.
So allow platforms to define second DRAM by moving Juno/SGM-775 specific
definition of second DRAM base address to Juno/SGM-775 board definition
respectively, SGI/RD specific definition of DRAM 2 base address to SGI
board definition.

Change-Id: I0ecd3a2bd600b6c7019c7f06f8c452952bd07cae
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>

A TZC400 can have upto 4 filters and the number of filters instantiated
within a TZC400 is platform dependent. So allow platforms to define the
value of PLAT_ARM_TZC_FILTERS by moving the existing Juno specific
definition of PLAT_ARM_TZC_FILTERS to Juno board definitions.

Change-Id: I67a63d7336595bbfdce3163f9a9473e15e266f40
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>

Use CREATE_SEQ helper macro to create sequence of valid chip counts
instead of manually creating the sequence. This allows a scalable
approach to increase the valid chip count sequence in the future.

Change-Id: I5ca7a00460325c156b9e9e52b2bf656a2e43f82d
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>

Also update copyright statements

Change-Id: Iba0305522ac0f2ddc4da99127fd773f340e67300
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

Change-Id: I686fd623b8264c85434853a2a26ecd71e9eeac01
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

When TF-A is built with RESET_TO_BL31=1 option, BL31 is the
first image to be run and should have all the memory allocated
to it except for the memory reserved for Shared RAM at the start
of Trusted SRAM.
This patch fixes FVP BL31 load address and its image size for
RESET_TO_BL31=1 option. BL31 startup address should be set to
0x400_1000 and its maximum image size to the size of Trusted SRAM
minus the first 4KB of shared memory.
Loading BL31 at 0x0402_0000 as it is currently stated in
'\docs\plat\arm\fvp\index.rst' causes EL3 exception when the
image size gets increased (i.e. building with LOG_LEVEL=50)
but doesn't exceed 0x3B000 not causing build error.

Change-Id: Ie450baaf247f1577112f8d143b24e76c39d33e91
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Adding support for 32MHz UART clock and selecting it as the
default UART clock

Change-Id: I9541eaff70424e85a3b5ee4820ca0e7efb040d2c
Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>

Running checkpatch.pl on the codebase and making required changes

Change-Id: I7d3f8764cef632ab2a6d3c355c68f590440b85b8
Signed-off-by: Avinash Mehta <avinash.mehta@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>