GitLab

The state-id field in the power-state parameter of a CPU_SUSPEND call can be
used to describe composite power states specific to a platform. The current PSCI
implementation does not interpret the state-id field. It relies on the target
power level and the state type fields in the power-state parameter to perform
state coordination and power management operations. The framework introduced
in this patch allows the PSCI implementation to intepret generic global states
like RUN, RETENTION or OFF from the State-ID to make global state coordination
decisions and reduce the complexity of platform ports. It adds support to
involve the platform in state coordination which facilitates the use of
composite power states and improves the support for entering standby states
at multiple power domains.

The patch also includes support for extended state-id format for the power
state parameter as specified by PSCIv1.0.

The PSCI implementation now defines a generic representation of the power-state
parameter. It depends on the platform port to convert the power-state parameter
(possibly encoding a composite power state) passed in a CPU_SUSPEND call to this
representation via the `validate_power_state()` plat_psci_ops handler. It is an
array where each index corresponds to a power level. Each entry contains the
local power state the power domain at that power level could enter.

The meaning of the local power state values is platform defined, and may vary
between levels in a single platform. The PSCI implementation constrains the
values only so that it can classify the state as RUN, RETENTION or OFF as
required by the specification:
   * zero means RUN
   * all OFF state values at all levels must be higher than all RETENTION
     state values at all levels
   * the platform provides PLAT_MAX_RET_STATE and PLAT_MAX_OFF_STATE values
     to the framework

The platform also must define the macros PLAT_MAX_RET_STATE and
PLAT_MAX_OFF_STATE which lets the PSCI implementation find out which power
domains have been requested to enter a retention or power down state. The PSCI
implementation does not interpret the local power states defined by the
platform. The only constraint is that the PLAT_MAX_RET_STATE <
PLAT_MAX_OFF_STATE.

For a power domain tree, the generic implementation maintains an array of local
power states. These are the states requested for each power domain by all the
cores contained within the domain. During a request to place multiple power
domains in a low power state, the platform is passed an array of requested
power-states for each power domain through the plat_get_target_pwr_state()
API. It coordinates amongst these states to determine a target local power
state for the power domain. A default weak implementation of this API is
provided in the platform layer which returns the minimum of the requested
power-states back to the PSCI state coordination.

Finally, the plat_psci_ops power management handlers are passed the target
local power states for each affected power domain using the generic
representation described above. The platform executes operations specific to
these target states.

The platform power management handler for placing a power domain in a standby
state (plat_pm_ops_t.pwr_domain_standby()) is now only used as a fast path for
placing a core power domain into a standby or retention state should now be
used to only place the core power domain in a standby or retention state.

The extended state-id power state format can be enabled by setting the
build flag PSCI_EXTENDED_STATE_ID=1 and it is disabled by default.

Change-Id: I9d4123d97e179529802c1f589baaa4101759d80c

This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.

A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.

The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.

The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.

On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.

REMOVED BUILD OPTIONS:

  * 'AUTH_MOD'

Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867

This patch extends the 'cert_create' tool to support ECDSA keys
to sign the certificates. The '--key-alg' command line option
can be used to specify the key algorithm when invoking the tool.
Available options are:

    * 'rsa': create RSA-2048 keys (default option)
    * 'ecdsa': create ECDSA-SECP256R1 keys

The TF Makefile has been updated to allow the platform to specify
the key algorithm by declaring the 'KEY_ALG' variable in the
platform makefile.

The behaviour regarding key management has changed. After applying
this patch, the tool will try first to open the keys from disk. If
one key does not exist or no key is specified, and the command line
option to create keys has been specified, new keys will be created.
Otherwise an error will be generated and the tool will exit. This
way, the user may specify certain keys while the tool will create
the remaining ones. This feature is useful for testing purposes
and CI infrastructures.

The OpenSSL directory may be specified using the build option
'OPENSSL_DIR' when building the certificate generation tool.
Default is '/usr'.

Change-Id: I98bcc2bfab28dd7179f17f1177ea7a65698df4e7

This patch adds a boolean build option 'SAVE_KEYS' to indicate the
certificate generation tool that it must save the private keys used
to establish the chain of trust. This option depends on 'CREATE_KEYS'
to be enabled. Default is '0' (do not save).

Because the same filenames are used as outputs to save the keys,
they are no longer a dependency to the cert_tool. This dependency
has been removed from the Makefile.

Documentation updated accordingly.

Change-Id: I67ab1c2b1f8a25793f0de95e8620ce7596a6bc3b

This patch introduces a new platform build option, called
PROGRAMMABLE_RESET_ADDRESS, which tells whether the platform has
a programmable or fixed reset vector address.

If the reset vector address is fixed then the code relies on the
platform_get_entrypoint() mailbox mechanism to figure out where
it is supposed to jump. On the other hand, if it is programmable
then it is assumed that the platform code will program directly
the right address into the RVBAR register (instead of using the
mailbox redirection) so the mailbox is ignored in this case.

Change-Id: If59c3b11fb1f692976e1d8b96c7e2da0ebfba308

This patch adds driver for the 16550 UART interface. The driver is exposed
as a console, which platforms can use to dump their boot/crash logs.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

Update the top level makefile to allow platform ports to exist in
subdirectories at any level instead of one level under `plat/`. The
makefile recursively searches for all files called `platform.mk` in
all subdirectories of `plat/`. The directory containing
`platform.mk` is the platform name. Platform names must be unique
across the codebase.

Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since
these are both used to report the same information back to the user.

Update the TSP and cert_create tool makefiles in a similar way
to support a deeper platform port directory structure.

Also add PLAT_<plat_name> as a define passed through the top level
makefile to the source files, to allow build time variation in common
platform code.

Change-Id: I213420164808c5ddb99a26144e8e3f141a7417b7

The ARCH variable, which defaults to 'aarch64', gives the wrong
impression that the Trusted Firmware can be built for other
architectures. This patch removes it. This doesn't have any
consequence on the rest of the build system because the variable
was unused.

Change-Id: I97130f11f7733a3cbdfc89989587f2ebecaf3294

The shell command used to list all files but the libc's ones
introduced in commit 95d5353c was incorrect. It was listing
subdirectories without referencing their parent directories.
This patch fixes it.

Also, the command used to invoke the checkpatch.pl script is now
printed when V=1.

Change-Id: Ie2f1e74f60d77e38c25e717cffa44ca03baec7b2

Even though both CCI-400 and CCI-500 IPs have different configurations
with respect to the number and types of supported interfaces, their
register offsets and programming sequences are similar. This patch
creates a common driver for enabling and disabling snoop transactions
and DVMs with both the IPs.

New platform ports which implement one of these IPs should use this
common driver. Existing platform ports which implement CCI-400 should
migrate to the common driver as the standalone CCI-400 will be
deprecated in the future.

Change-Id: I3ccd0eb7b062922d2e4a374ff8c21e79fa357556

By default, the checkpatch script requires that commit references
included in commit messages follow a predefined format. Github
merge commits do not follow this convention, causing the code
style test to fail when a new pull request is created.

This patch adds the ignore GIT_COMMIT_ID option to the checkpatch
parameters. This flag indicates the tool to ignore the commit
message format.

Change-Id: I37133cc5cf803f664b8ff00f62d458b39f06918c

The message printed by 'make help' is incomplete. It doesn't
mention all relevant supported targets. This patch updates it.

The format of the first line of the help message has been changed
so that it no longer lists all supported targets. This eases the
maintenance as we don't need to update the list in 2 places
anymore whenever a new target is added.

Also add a reference to the user guide to get the list of
supported options.

Change-Id: I79d8b815b0ffc0c43b4c05124378fce0e938365c

Build target 'all' fails when GENERATE_COT=1 and no BL3-3 or
BL3-0 (if required) images are specified. The reason is that,
when GENERATE_COT=1, a dependency on the certificates is added
to the target 'all', and the certificates depend on the BL3-3
and BL3-0 images, causing the build process to fail if the
images are not specified.

This patch moves the dependency on the certificates from 'all' to
'fip'. Target 'all' may be used to build the individual images.
The certificates will be created by calling the target 'fip', where
BL3-3 and BL3-0 (if required) must be specified.

Change-Id: I870beb4e8f9f1bfad1d35b09c850a7ce3c9f4ec6

The C library source files embedded into the Trusted Firmware
tree are not required to comply to the Linux Coding Style.
Unfortunately, 'make checkpatch' does take them into account.

This patch modifies the Makefile so that the C library source
and header files are now ignored by 'make checkpatch'.

It also instructs the checkpatch.pl script to not treat the
presence of a 'Change-Id' line in the commit message as an error.

Change-Id: I38196202efe518bae3a57c2affe2ed7758c9f69c

Final updates to readme.md and change-log.md for ARM Trusted Firmware version
1.1. Also increment the version in the Makefile.

Change-Id: Ib001a6ec9a9c570985841d06f0ff80ed76c2996b

This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.

To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.

To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.

If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.

Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd

This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.

PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).

To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.

Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:

Changes on FVP:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - BL2 memory region has been increased to 112 KB

Changes on Juno:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - Trusted ROM region in Flash has been increased to 128 KB.
  - BL2 memory region has been increased to 116 KB

Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80

This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.

The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).

TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.

For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.

Documentation updated accordingly.

Change-Id: I74ff12bc2b041556c48533375527d9e8c035b8c3

This patch extends the FIP tool to include the certificates
generated by the 'cert_create' tool.

If GENERATE_COT build option is enabled, the Makefile adds the
certificates as dependencies to create the FIP file. Thus, make
target 'fip' will also build the certificates as part of the
Trusted Firmware build process.

Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074

This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.

The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.

Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.

Change-Id: I2734d6808b964a2107ab3a4805110698066a04be

This patch allows the secure payload (BL3-2) to be loaded in the
DRAM region secured by the TrustZone controller (top 16 MB of DRAM1).

The location of BL3-2 can be selected at build time by setting the
build flag FVP_TSP_RAM_LOCATION to one of the following options:

  - 'tsram' : Trusted SRAM (this is the default option)
  - 'tdram' : Trusted DRAM
  - 'dram'  : Secure region in DRAM1 (top 16MB configured by the
              TrustZone controller)

The number of MMU tables in BL3-2 depends on its location in
memory: 3 in case it is loaded in DRAM, 2 otherwise.

Documentation updated accordingly.

Fixes ARM-software/tf-issues#212

Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a

This patch moves the bakery locks out of coherent memory to normal memory.
This implies that the lock information needs to be placed on a separate cache
line for each cpu. Hence the bakery_lock_info_t structure is allocated in the
per-cpu data so as to minimize memory wastage. A similar platform per-cpu
data is introduced for the platform locks.

As a result of the above changes, the bakery lock api is completely changed.
Earlier, a reference to the lock structure was passed to the lock implementation.
Now a unique-id (essentially an index into the per-cpu data array) and an offset
into the per-cpu data for bakery_info_t needs to be passed to the lock
implementation.

Change-Id: I1e76216277448713c6c98b4c2de4fb54198b39e0

This patch allows to define the name of the FIP at build time by
defining the FIP_NAME variable. If FIP_NAME is not defined, default
name 'fip.bin' is used.

Documentation updated accordingly.

Change-Id: Ic41f42aac379b0c958b3dfd02863ba8ba7108710

The 'fiptool' target doesn't depend on fip_create's source files,
neither directly nor indirectly. As a result, the FIP tool is not
rebuilt whenever its source files change.

This patch makes the ${FIPTOOL} target into a phony target so that the
FIP tool's sub-makefile is always called. The sub-makefile correctly
handles the dependencies. It also moves the completion message into
the sub-makefile so that it is only displayed when the tool is
actually recompiled.

Fixes ARM-software/tf-issues#278

Change-Id: Ia027519fe51d3c42be30665d1ad20a7b89fa350f

This patch optimizes the Cortex-A57 cluster power down sequence by not
flushing the Level1 data cache. The L1 data cache and the L2 unified
cache are inclusive. A flush of the L2 by set/way flushes any dirty
lines from the L1 as well. This is a known safe deviation from the
Cortex-A57 TRM defined power down sequence. This optimization can be
enabled by the platform through the 'SKIP_A57_L1_FLUSH_PWR_DWN' build
flag. Each Cortex-A57 based platform must make its own decision on
whether to use the optimization.

This patch also renames the cpu-errata-workarounds.md to
cpu-specific-build-macros.md as this facilitates documentation
of both CPU Specific errata and CPU Specific Optimization
build macros.

Change-Id: I299b9fe79e9a7e08e8a0dffb7d345f9a00a71480

This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.

This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.

Fixes ARM-software/tf-issues#244
Fixes ARM-software/tf-issues#245

Change-Id: I3ebe1d4901f8b857e8bb51372290978a3323bfe7

Final updates to readme.md and change-log.md for ARM Trusted
Firmware version 1.0. Also increment the version in the Makefile.

Change-Id: I00fe1016c8b936834bbf7bbba7aab07f51261bbb

This patch adds workarounds for selected errata which affect the Cortex-A57 r0p0
part. Each workaround has a build time flag which should be used by the platform
port to enable or disable the corresponding workaround. The workarounds are
disabled by default. An assertion is raised if the platform enables a workaround
which does not match the CPU revision at runtime.

Change-Id: I9ae96b01c6ff733d04dc733bd4e67dbf77b29fb0

This patch adds CPU core and cluster power down sequences to the CPU specific
operations framework introduced in a earlier patch. Cortex-A53, Cortex-A57 and
generic AEM sequences have been added. The latter is suitable for the
Foundation and Base AEM FVPs. A pointer to each CPU's operations structure is
saved in the per-cpu data so that it can be easily accessed during power down
seqeunces.

An optional platform API has been introduced to allow a platform to disable the
Accelerator Coherency Port (ACP) during a cluster power down sequence. The weak
definition of this function (plat_disable_acp()) does not take any action. It
should be overriden with a strong definition if the ACP is present on a
platform.

Change-Id: I8d09bd40d2f528a28d2d3f19b77101178778685d

* Move TSP platform porting functions to new file:
  include/bl32/tsp/platform_tsp.h.

* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
  TSP interrupt handling code, instead of depending on the FVP
  specific definition IRQ_SEC_PHY_TIMER.

* Rename TSP platform porting functions from bl32_* to tsp_*, and
  definitions from BL32_* to TSP_*.

* Update generic TSP code to use new platform porting function names
  and definitions.

* Update FVP port accordingly and move all TSP source files to:
  plat/fvp/tsp/.

* Update porting guide with above changes.

Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
      BE UPDATED

Fixes ARM-software/tf-issues#167

Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f

Move the remaining IO storage source file (io_storage.c) from the
lib to the drivers directory. This requires that platform ports
explicitly add this file to the list of source files.

Also move the IO header files to a new sub-directory, include/io.

Change-Id: I862b1252a796b3bcac0d93e50b11e7fb2ded93d6

Create new LOG_LEVEL build option, which controls the amount of
console output compiled into the build. This should be one of the
following:

    0  (LOG_LEVEL_NONE)
    10 (LOG_LEVEL_NOTICE)
    20 (LOG_LEVEL_ERROR)
    30 (LOG_LEVEL_WARNING)
    40 (LOG_LEVEL_INFO)
    50 (LOG_LEVEL_VERBOSE)

All log output up to and including the log level is compiled into the
build. The default value is 40 in debug builds and 20 in release
builds.

Complement the existing INFO, WARN and ERROR console output macros
with NOTICE and VERBOSE macros, which are conditionally compiled in
depending on the value of LOG_LEVEL.

Fixes ARM-software/tf-issues#232

Change-Id: I951e2f333e7b90fc4b1060741d9a6db699d5aa72

This patch defines a compile time macro for each boot loader stage
which allows compilation of code only for a specific stage.

Change-Id: I3a4068404cd3dc26d652556ca9ca7afea8dd28ef

This patch reworks the crash reporting mechanism to further
optimise the stack and code size. The reporting makes use
of assembly console functions to avoid calling C Runtime
to report the CPU state. The crash buffer requirement is
reduced to 64 bytes with this implementation. The crash
buffer is now part of per-cpu data which makes retrieving
the crash buffer trivial.

Also now panic() will use crash reporting if
invoked from BL3-1.

Fixes ARM-software/tf-issues#199

Change-Id: I79d27a4524583d723483165dc40801f45e627da5

The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.

Fixes ARM-software/tf-issues#95

Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86

Print out Trusted Firmware version at runtime at each BL stage.
Message consists of TF version as defined statically in the Makefile
(e.g. v0.4), build mode (debug|release) and a customizable build
string:

  1. By defining BUILD_STRING in command line when building TF
  2. Default string is git commit ID
  3. Empty if git meta-data is not available

Fixes ARM-software/tf-issues#203

Change-Id: I5c5ba438f66ab68810427d76b49c5b9177a957d6

This patch implements a "tf_printf" which supports only the commonly
used format specifiers in Trusted Firmware, which uses a lot less
stack space than the stdlib printf function.

Fixes ARM-software/tf-issues#116

Change-Id: I7dfa1944f4c1e634b3e2d571f49afe02d109a351

The ARM_GIC_ARCH build option was supposed to default to 2 on all
platforms. However, the default value was set in the FVP makefile
so for all other platforms it wasn't even defined.

This patch moves the default value to the main Makefile. The platform
port can then override it if needed.

Change-Id: I8e2da1cce7ffa3ed18814bbdcbcf2578101f18a6

 - Add support for loading a BL3-0 image in BL2. Information about
   memory extents is populated by platform-specific code. Subsequent
   handling of BL3-0 is also platform specific.
   The BL2 main function has been broken down to improve readability.
   The BL3-2 image is now loaded before the BL3-3 image to align with
   the boot flow.

 - Build system: Add support for specifying a BL3-0 image that will be
   included into the FIP image.

 - IO FIP driver: Add support for identifying a BL3-0 image inside a
   FIP image.

 - Update the documentation to reflect the above changes.

Change-Id: I067c184afd52ccaa86569f13664757570c86fc48

CTX_INCLUDE_FPREGS make variable allows us to include or exclude FP
registers from context structure, in case FP is not used by TSPD.

Fixes ARM-software/tf-issues#194

Change-Id: Iee41af382d691340c7ae21830ad1bbf95dad1f4b