1. 22 Mar, 2020 1 commit
    • Mustafa Yigit Bilgen's avatar
      spd: tlkd: support new TLK SMCs for RPMB service · bd0c2f8d
      Mustafa Yigit Bilgen authored
      
      
      This patch adds support to handle following TLK SMCs:
      {TLK_SET_BL_VERSION, TLK_LOCK_BL_INTERFACE, TLK_BL_RPMB_SERVICE}
      
      These SMCs need to be supported in ATF in order to forward them to
      TLK. Otherwise, these functionalities won't work.
      
      Brief:
      TLK_SET_BL_VERSION: This SMC is issued by the bootloader to supply its
      version to TLK. TLK can use this to prevent rollback attacks.
      
      TLK_LOCK_BL_INTERFACE: This SMC is issued by bootloader before handing off
      execution to the OS. This allows preventing sensitive SMCs being used
      by the OS.
      
      TLK_BL_RPMB_SERVICE: bootloader issues this SMC to sign or verify RPMB
      frames.
      
      Tested by: Tests TLK can receive the new SMCs issued by bootloader
      
      Change-Id: I57c2d189a5f7a77cea26c3f8921866f2a6f0f944
      Signed-off-by: default avatarMustafa Yigit Bilgen <mbilgen@nvidia.com>
      bd0c2f8d
  2. 19 Mar, 2020 1 commit
  3. 11 Mar, 2020 1 commit
    • Varun Wadekar's avatar
      spd: tlkd: secure timer interrupt handler · d205cda6
      Varun Wadekar authored
      
      
      This patch adds an interrupt handler for TLK. On receiving an
      interrupt, the source of the interrupt is determined and the
      interrupt is marked complete. The IRQ number is passed to
      TLK along with a special SMC function ID. TLK issues an SMC
      to notify completion of the interrupt handler in the S-EL1
      world.
      
      Change-Id: I76f28cee6537245c5e448d2078f86312219cea1a
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      d205cda6
  4. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define it's own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d5dfdeb6
  5. 25 Apr, 2019 1 commit
  6. 27 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      TSP: Enable pointer authentication support · 67b6ff9f
      Antonio Nino Diaz authored
      
      
      The size increase after enabling options related to ARMv8.3-PAuth is:
      
      +----------------------------+-------+-------+-------+--------+
      |                            |  text |  bss  |  data | rodata |
      +----------------------------+-------+-------+-------+--------+
      | CTX_INCLUDE_PAUTH_REGS = 1 |   +40 |   +0  |   +0  |   +0   |
      |                            |  0.4% |       |       |        |
      +----------------------------+-------+-------+-------+--------+
      | ENABLE_PAUTH = 1           |  +352 |    +0 |  +16  |   +0   |
      |                            |  3.1% |       | 15.8% |        |
      +----------------------------+-------+-------+-------+--------+
      
      Results calculated with the following build configuration:
      
          make PLAT=fvp SPD=tspd DEBUG=1 \
          SDEI_SUPPORT=1                 \
          EL3_EXCEPTION_HANDLING=1       \
          TSP_NS_INTR_ASYNC_PREEMPT=1    \
          CTX_INCLUDE_PAUTH_REGS=1       \
          ENABLE_PAUTH=1
      
      Change-Id: I6cc1fe0b2345c547dcef66f98758c4eb55fe5ee4
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      67b6ff9f
  7. 31 Jan, 2019 1 commit
    • Mihir Joshi's avatar
      tlkd: support new TLK SMCs · 7bc05f52
      Mihir Joshi authored
      This patch adds support to handle following TLK SMCs:
      {TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}
      
      These SMCs need to be supported in ATF in order to forward them to
      TLK. Otherwise, these functionalities won't work.
      
      Brief:
      TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
      set up secure storage buffers.
      
      TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
      pass NS memory ranges to TLK.
      
      TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
      Verified Boot parameters to TLK.
      
      Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
      Reviewed-on: https://git-master.nvidia.com/r/1643851
      
      Signed-off-by: default avatarMihir Joshi <mihirj@nvidia.com>
      7bc05f52
  8. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  9. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  10. 28 Sep, 2018 1 commit
  11. 26 Feb, 2018 1 commit
    • Soby Mathew's avatar
      Introduce the new BL handover interface · a6f340fe
      Soby Mathew authored
      
      
      This patch introduces a new BL handover interface. It essentially allows
      passing 4 arguments between the different BL stages. Effort has been made
      so as to be compatible with the previous handover interface. The previous
      blx_early_platform_setup() platform API is now deprecated and the new
      blx_early_platform_setup2() variant is introduced. The weak compatiblity
      implementation for the new API is done in the `plat_bl_common.c` file.
      Some of the new arguments in the new API will be reserved for generic
      code use when dynamic configuration support is implemented. Otherwise
      the other registers are available for platform use.
      
      Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      a6f340fe
  12. 09 Jan, 2018 1 commit
  13. 09 Aug, 2017 1 commit
    • Etienne Carriere's avatar
      bl32: add secure interrupt handling in AArch32 sp_min · 71816096
      Etienne Carriere authored
      
      
      Add support for a minimal secure interrupt service in sp_min for
      the AArch32 implementation. Hard code that only FIQs are handled.
      
      Introduce bolean build directive SP_MIN_WITH_SECURE_FIQ to enable
      FIQ handling from SP_MIN.
      
      Configure SCR[FIQ] and SCR[FW] from generic code for both cold and
      warm boots to handle FIQ in secure state from monitor.
      
      Since SP_MIN architecture, FIQ are always trapped when system executes
      in non secure state. Hence discard relay of the secure/non-secure
      state in the FIQ handler.
      
      Change-Id: I1f7d1dc7b21f6f90011b7f3fcd921e455592f5e7
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@st.com>
      71816096
  14. 20 Jun, 2017 1 commit
  15. 04 May, 2017 1 commit
  16. 03 May, 2017 1 commit
  17. 29 Apr, 2017 1 commit
    • Scott Branden's avatar
      Move defines in utils.h to utils_def.h to fix shared header compile issues · 53d9c9c8
      Scott Branden authored
      
      
      utils.h is included in various header files for the defines in it.
      Some of the other header files only contain defines.  This allows the
      header files to be shared between host and target builds for shared defines.
      
      Recently types.h has been included in utils.h as well as some function
      prototypes.
      
      Because of the inclusion of types.h conflicts exist building host tools
      abd these header files now.  To solve this problem,
      move the defines to utils_def.h and have this included by utils.h and
      change header files to only include utils_def.h and not pick up the new
      types.h being introduced.
      
      Fixes ARM-software/tf-issues#461
      Signed-off-by: default avatarScott Branden <scott.branden@broadcom.com>
      
      Remove utils_def.h from utils.h
      
      This patch removes utils_def.h from utils.h as it is not required.
      And also makes a minor change to ensure Juno platform compiles.
      
      Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
      53d9c9c8
  18. 26 Apr, 2017 1 commit
  19. 26 Jan, 2017 1 commit
    • David Cunado's avatar
      Resolve build errors flagged by GCC 6.2 · 9edac047
      David Cunado authored
      
      
      With GCC 6.2 compiler, more C undefined behaviour is being flagged as
      warnings, which result in build errors in ARM TF build.
      
      The specific issue that this patch resolves is the use of (1 << 31),
      which is predominantly used in case statements, where 1 is represented
      as a signed int. When shifted to msb the behaviour is undefined.
      
      The resolution is to specify 1 as an unsigned int using a convenience
      macro ULL(). A duplicate macro MAKE_ULL() is replaced.
      
      Fixes ARM-software/tf-issues#438
      
      Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      9edac047
  20. 23 Dec, 2016 1 commit
    • Douglas Raillard's avatar
      Abort preempted TSP STD SMC after PSCI CPU suspend · 3df6012a
      Douglas Raillard authored
      
      
      Standard SMC requests that are handled in the secure-world by the Secure
      Payload can be preempted by interrupts that must be handled in the
      normal world. When the TSP is preempted the secure context is stored and
      control is passed to the normal world to handle the non-secure
      interrupt. Once completed the preempted secure context is restored. When
      restoring the preempted context, the dispatcher assumes that the TSP
      preempted context is still stored as the SECURE context by the context
      management library.
      
      However, PSCI power management operations causes synchronous entry into
      TSP. This overwrites the preempted SECURE context in the context
      management library. When restoring back the SECURE context, the Secure
      Payload crashes because this context is not the preempted context
      anymore.
      
      This patch avoids corruption of the preempted SECURE context by aborting
      any preempted SMC during PSCI power management calls. The
      abort_std_smc_entry hook of the TSP is called when aborting the SMC
      request.
      
      It also exposes this feature as a FAST SMC callable from normal world to
      abort preempted SMC with FID TSP_FID_ABORT.
      
      Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      3df6012a
  21. 20 Dec, 2016 1 commit
  22. 21 Sep, 2016 1 commit
    • Yatharth Kochar's avatar
      AArch32: Support in SP_MIN to receive arguments from BL2 · d9915518
      Yatharth Kochar authored
      This patch adds support in SP_MIN to receive generic and
      platform specific arguments from BL2.
      
      The new signature is as following:
          void sp_min_early_platform_setup(void *from_bl2,
               void *plat_params_from_bl2);
      
      ARM platforms have been modified to use this support.
      
      Note: Platforms may break if using old signature.
            Default value for RESET_TO_SP_MIN is changed to 0.
      
      Change-Id: I008d4b09fd3803c7b6231587ebf02a047bdba8d0
      d9915518
  23. 10 Aug, 2016 1 commit
    • Soby Mathew's avatar
      AArch32: add a minimal secure payload (SP_MIN) · c11ba852
      Soby Mathew authored
      This patch adds a minimal AArch32 secure payload SP_MIN. It relies on PSCI
      library to initialize the normal world context. It runs in Monitor mode
      and uses the runtime service framework to handle SMCs. It is added as
      a BL32 component in the Trusted Firmware source tree.
      
      Change-Id: Icc04fa6b242025a769c1f6c7022fde19459c43e9
      c11ba852
  24. 04 Dec, 2015 2 commits
    • Soby Mathew's avatar
      Enable use of FIQs and IRQs as TSP interrupts · 02446137
      Soby Mathew authored
      On a GICv2 system, interrupts that should be handled in the secure world are
      typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
      as IRQs instead. The mechanism for handling both types of interrupts is the same
      in both cases. This patch enables the TSP to run on a GICv3 system by:
      
      1. adding support for handling IRQs in the exception handling code.
      2. removing use of "fiq" in the names of data structures, macros and functions.
      
      The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
      new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
      former build flag is defined, it will be used to define the value for the
      new build flag. The documentation is also updated accordingly.
      
      Change-Id: I1807d371f41c3656322dd259340a57649833065e
      02446137
    • Soby Mathew's avatar
      Unify interrupt return paths from TSP into the TSPD · 404dba53
      Soby Mathew authored
      The TSP is expected to pass control back to EL3 if it gets preempted due to
      an interrupt while handling a Standard SMC in the following scenarios:
      
      1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
         timer interrupt or is preempted by a higher priority interrupt by the time
         the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
         as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
         the TSP Secure Timer is expected to generate FIQ.
      
      2. An IRQ preempts Standard SMC execution and in this case the TSP issues
         an SMC with the ID as `TSP_PREEMPTED`.
      
      In both the cases, the TSPD hands control back to the normal world and returns
      returns an error code to the normal world to indicate that the standard SMC it
      had issued has been preempted but not completed.
      
      This patch unifies the handling of these two cases in the TSPD and ensures that
      the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
      separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
      returned as error code back to the normal world.
      
      Background information: On a GICv3 system, when the secure world has affinity
      routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
      FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both case, the
      TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
      SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
      will be handled. This allows for unified interrupt handling in TSP for both
      GICv3 and GICv2 systems.
      
      Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4
      404dba53
  25. 30 Sep, 2015 1 commit
    • Varun Wadekar's avatar
      Send power management events to the Trusted OS (TLK) · cb790c5e
      Varun Wadekar authored
      
      
      This patch adds PM handlers to TLKD for the system suspend/resume and
      system poweroff/reset cases. TLK expects all SMCs through a single
      handler, which then fork out into multiple handlers depending on the
      SMC. We tap into the same single entrypoint by restoring the S-EL1
      context before passing the PM event via register 'x0'. On completion
      of the PM event, TLK sends a completion SMC and TLKD then moves on
      with the PM process.
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      cb790c5e
  26. 13 Apr, 2015 1 commit
  27. 31 Mar, 2015 5 commits
  28. 19 Aug, 2014 2 commits
    • Juan Castillo's avatar
      Add support for PSCI SYSTEM_OFF and SYSTEM_RESET APIs · d5f13093
      Juan Castillo authored
      This patch adds support for SYSTEM_OFF and SYSTEM_RESET PSCI
      operations. A platform should export handlers to complete the
      requested operation. The FVP port exports fvp_system_off() and
      fvp_system_reset() as an example.
      
      If the SPD provides a power management hook for system off and
      system reset, then the SPD is notified about the corresponding
      operation so it can do some bookkeeping. The TSPD exports
      tspd_system_off() and tspd_system_reset() for that purpose.
      
      Versatile Express shutdown and reset methods have been removed
      from the FDT as new PSCI sys_poweroff and sys_reset services
      have been added. For those kernels that do not support yet these
      PSCI services (i.e. GICv3 kernel), the original dtsi files have
      been renamed to *-no_psci.dtsi.
      
      Fixes ARM-software/tf-issues#218
      
      Change-Id: Ic8a3bf801db979099ab7029162af041c4e8330c8
      d5f13093
    • Dan Handley's avatar
      Clarify platform porting interface to TSP · 5a06bb7e
      Dan Handley authored
      * Move TSP platform porting functions to new file:
        include/bl32/tsp/platform_tsp.h.
      
      * Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
        TSP interrupt handling code, instead of depending on the FVP
        specific definition IRQ_SEC_PHY_TIMER.
      
      * Rename TSP platform porting functions from bl32_* to tsp_*, and
        definitions from BL32_* to TSP_*.
      
      * Update generic TSP code to use new platform porting function names
        and definitions.
      
      * Update FVP port accordingly and move all TSP source files to:
        plat/fvp/tsp/.
      
      * Update porting guide with above changes.
      
      Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
            BE UPDATED
      
      Fixes ARM-software/tf-issues#167
      
      Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f
      5a06bb7e
  29. 14 Aug, 2014 1 commit
  30. 23 May, 2014 5 commits
    • Dan Handley's avatar
      Move BL porting functions into platform.h · dec5e0d1
      Dan Handley authored
      Some platform porting functions were in BL specific header files.
      These have been moved to platform.h so that all porting functions
      are in the same place. The functions are now grouped by BL.
      Obsolete BL headers files have been removed.
      
      Also, the weak declaration of the init_bl2_mem_layout() function
      has been moved out the header file and into the source file
      (bl_common.c) using the more succinct #pragma syntax. This
      mitigates the risk of 2 weak definitions being created and the
      wrong one being picked up by the compiler.
      
      Change-Id: Ib19934939fd755f3e5a5a5bceec88da684308a83
      dec5e0d1
    • Dan Handley's avatar
      Split platform.h into separate headers · 5f0cdb05
      Dan Handley authored
      Previously, platform.h contained many declarations and definitions
      used for different purposes. This file has been split so that:
      
      * Platform definitions used by common code that must be defined
        by the platform are now in platform_def.h. The exact include
        path is exported through $PLAT_INCLUDES in the platform makefile.
      
      * Platform definitions specific to the FVP platform are now in
        /plat/fvp/fvp_def.h.
      
      * Platform API declarations specific to the FVP platform are now
        in /plat/fvp/fvp_private.h.
      
      * The remaining platform API declarations that must be ported by
        each platform are still in platform.h but this file has been
        moved to /include/plat/common since this can be shared by all
        platforms.
      
      Change-Id: Ieb3bb22fbab3ee8027413c6b39a783534aee474a
      5f0cdb05
    • Dan Handley's avatar
      Remove extern keyword from function declarations · c6bc0710
      Dan Handley authored
      Function declarations implicitly have external linkage so do not
      need the extern keyword.
      
      Change-Id: Ia0549786796d8bf5956487e8996450a0b3d79f32
      c6bc0710
    • Andrew Thoelke's avatar
      Use a vector table for TSP entrypoints · 399fb08f
      Andrew Thoelke authored
      The TSP has a number of entrypoints used by the TSP on different
      occasions. These were provided to the TSPD as a table of function
      pointers, and required the TSPD to read the entry in the table,
      which is in TSP memory, in order to program the exception return
      address.
      
      Ideally, the TSPD has no access to the TSP memory.
      
      This patch changes the table of function pointers into a vector
      table of single instruction entrypoints. This allows the TSPD to
      calculate the entrypoint address instead of read it.
      
      Fixes ARM-software/tf-issues#160
      
      Change-Id: Iec6e055d537ade78a45799fbc6f43765a4725ad3
      399fb08f
    • Soby Mathew's avatar
      Non-Secure Interrupt support during Standard SMC processing in TSP · 239b04fa
      Soby Mathew authored
      Implements support for Non Secure Interrupts preempting the
      Standard SMC call in EL1. Whenever an IRQ is trapped in the
      Secure world we securely handover to the Normal world
      to process the interrupt. The normal world then issues
      "resume" smc call to resume the previous interrupted SMC call.
      Fixes ARM-software/tf-issues#105
      
      Change-Id: I72b760617dee27438754cdfc9fe9bcf4cc024858
      239b04fa