1. 20 Dec, 2019 2 commits
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  2. 17 Dec, 2019 2 commits
  3. 07 Nov, 2019 1 commit
  4. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  5. 28 Jun, 2019 1 commit
  6. 17 Apr, 2019 1 commit
    • Aditya Angadi's avatar
      plat/arm: introduce wrapper functions to setup secure watchdog · b0c97daf
      Aditya Angadi authored
      
      
      The BL1 stage setup code for ARM platforms sets up the SP805 watchdog
      controller as the secure watchdog. But not all ARM platforms use SP805
      as the secure watchdog controller.
      
      So introduce two new ARM platform code specific wrapper functions to
      start and stop the secure watchdog. These functions then replace the
      calls to SP805 driver in common BL1 setup code. All the ARM platforms
      implement these wrapper functions by either calling into SP805 driver
      or the SBSA watchdog driver.
      
      Change-Id: I1a9a11b124cf3fac2a84f22ca40acd440a441257
      Signed-off-by: default avatarAditya Angadi <aditya.angadi@arm.com>
      b0c97daf
  7. 27 Feb, 2019 1 commit
  8. 25 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      plat/arm: Sanitise includes · bd9344f6
      Antonio Nino Diaz authored
      
      
      Use full include paths like it is done for common includes.
      
      This cleanup was started in commit d40e0e08283a ("Sanitise includes
      across codebase"), but it only cleaned common files and drivers. This
      patch does the same to Arm platforms.
      
      Change-Id: If982e6450bbe84dceb56d464e282bcf5d6d9ab9b
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      bd9344f6
  9. 22 Jan, 2019 1 commit
  10. 07 Jan, 2019 1 commit
  11. 19 Dec, 2018 1 commit
  12. 11 Dec, 2018 1 commit
  13. 10 Dec, 2018 1 commit
  14. 05 Nov, 2018 1 commit
  15. 29 Oct, 2018 1 commit
    • Soby Mathew's avatar
      FVP: Enable PIE for RESET_TO_BL31=1 · fc922ca8
      Soby Mathew authored
      
      
      This patch enabled PIE for FVP when RESET_TO_BL31=1. The references
      to BL31_BASE are replaced by BL31_START as being a symbol exported by
      the linker, will create a dynamic relocation entry in .rela.dyn and
      hence will be fixed up by dynamic linker at runtime. Also, we disable
      RECLAIM_INIT_CODE when PIE is enabled as the init section overlay
      creates some static relocations which cannot be handled by the
      dynamic linker currently.
      
      Change-Id: I86df1b0a8b2a8bbbe7c3f3c0b9a08c86c2963ec0
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      fc922ca8
  16. 03 Oct, 2018 1 commit
    • Daniel Boulby's avatar
      FVP: Reclaim init code for the stack · cb4adb0d
      Daniel Boulby authored
      
      
      Map the initialization code for BL31 to overlap with the memory
      required for the secondary cores stack. Once BL31 has been
      initialized the memory can be remapped to RW data so that it can
      be used for secondary cores stacks. By moving code from .text to
      .text.init the size of the BL31 image is decreased by a page.
      
      Split arm_common.ld.S into two linker scripts, one for tzc_dram
      (arm_tzc_dram.ld.S) and one for reclaiming initialization code
      (arm_reclaim_init.ld.S) so that platforms can chose which memory
      regions they wish to include.
      
      Change-Id: I648e88f3eda1aa71765744cf34343ecda9320b32
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      cb4adb0d
  17. 28 Sep, 2018 1 commit
  18. 21 Sep, 2018 1 commit
  19. 18 Sep, 2018 1 commit
  20. 03 Aug, 2018 1 commit
  21. 12 Jul, 2018 1 commit
  22. 21 Jun, 2018 1 commit
  23. 19 Jun, 2018 1 commit
    • Antonio Nino Diaz's avatar
      plat/arm: Migrate AArch64 port to the multi console driver · 88a0523e
      Antonio Nino Diaz authored
      
      
      The old API is deprecated and will eventually be removed.
      
      Arm platforms now use the multi console driver for boot and runtime
      consoles. However, the crash console uses the direct console API because
      it doesn't need any memory access to work. This makes it more robust
      during crashes.
      
      The AArch32 port of the Trusted Firmware doesn't support this new API
      yet, so it is only enabled in AArch64 builds. Because of this, the
      common code must maintain compatibility with both systems. SP_MIN
      doesn't have to be updated because it's only used in AArch32 builds.
      The TSP is only used in AArch64, so it only needs to support the new
      API without keeping support for the old one.
      
      Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
      causes the UARTs to reset (except for the one used by the TSP). This
      means that they must be unregistered when suspending and re-registered
      when resuming. This wasn't a problem with the old driver because it just
      restarted the UART, and there were no problems associated with
      registering and unregistering consoles.
      
      The size reserved for BL2 has been increased.
      
      Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      88a0523e
  24. 18 May, 2018 1 commit
    • Soby Mathew's avatar
      FVP: Enable capability to disable auth via dynamic config · 6e79f9fd
      Soby Mathew authored
      
      
      This patch adds capability to FVP to disable authentication dynamically
      via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
      the TB_FW_CONFIG for the `disable_auth` property and invokes the
      `load_dyn_disable_auth()` API to disable authentication if the
      property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
      FVP as it is a development platform. Note that the TB_FW_CONFIG has to
      be authenticated by BL1 irrespective of these settings.
      
      The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
      rather than in bl2_platform_setup() as we need to get the value of
      `disable_auth` property prior to authentication of any image by BL2.
      
      Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      6e79f9fd
  25. 15 May, 2018 1 commit
  26. 11 May, 2018 2 commits
    • Antonio Nino Diaz's avatar
      plat/arm: Introduce ARM_LINUX_KERNEL_AS_BL33 build option · b726c169
      Antonio Nino Diaz authored
      
      
      Normally, BL33 needs to contain a boot loader like U-Boot or UEFI that
      eventually gives control to the OS. However, in some cases, this boot
      sequence may be too slow. For example, when doing tests in a
      cycle-accurate emulator, the user may only be interested in the
      interaction between the Trusted Firmware and the OS, not in the boot
      process itself.
      
      The new option ARM_LINUX_KERNEL_AS_BL33 allows BL33 to contain the Linux
      kernel image by changing the value of registers x0-x3 to the values
      expected by the kernel. This option requires the device tree blob (DTB)
      to be present in memory. Its address must be specified in the newly
      introduced ARM_PRELOADED_DTB_BASE build option. For now, it only supports
      AArch64 kernels.
      
      This option is only available when RESET_TO_BL31=1. For this reason
      the BL33 binary must be preloaded in memory and PRELOADED_BL33_BASE must
      be used.
      
      For example, if the kernel is loaded at 0x80080000 and the DTB is loaded
      at address 0x82000000, the firmware could be built like this:
      
          CROSS_COMPILE=aarch64-linux-gnu-  \
          make PLAT=fvp DEBUG=1             \
          RESET_TO_BL31=1                   \
          ARM_LINUX_KERNEL_AS_BL33=1        \
          PRELOADED_BL33_BASE=0x80080000    \
          ARM_PRELOADED_DTB_BASE=0x82000000 \
          all fip
      
      Change-Id: If9dc847c65ae2d0c27b51f0fd44fc06b28497db9
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b726c169
    • Antonio Nino Diaz's avatar
      plat/arm: Migrate AArch64 port to the multi console driver · 2f18aa1f
      Antonio Nino Diaz authored
      
      
      The old API is deprecated and will eventually be removed.
      
      Arm platforms now use the multi console driver for boot and runtime
      consoles. However, the crash console uses the direct console API because
      it doesn't need any memory access to work. This makes it more robust
      during crashes.
      
      The AArch32 port of the Trusted Firmware doesn't support this new API
      yet, so it is only enabled in AArch64 builds. Because of this, the
      common code must maintain compatibility with both systems. SP_MIN
      doesn't have to be updated because it's only used in AArch32 builds.
      The TSP is only used in AArch64, so it only needs to support the new
      API without keeping support for the old one.
      
      Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
      causes the UARTs to reset (except for the one used by the TSP). This
      means that they must be unregistered when suspending and re-registered
      when resuming. This wasn't a problem with the old driver because it just
      restarted the UART, and there were no problems associated with
      registering and unregistering consoles.
      
      The size of BL31 has been increased in builds with SPM.
      
      Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2f18aa1f
  27. 04 May, 2018 1 commit
  28. 08 Mar, 2018 1 commit
    • Soby Mathew's avatar
      Juno: Change the Firmware update detect mechanism · 7b56928a
      Soby Mathew authored
      
      
      Previously, Juno used to depend on the SSC_GPRETN register to inform
      about the reset syndrome. This method was removed when SCP migrated
      to the SDS framework. But even the SDS framework doesn't report the
      reset syndrome correctly and hence Juno failed to enter Firmware
      update mode if BL2 authentication failed.
      
      In addition to that, the error code populated in V2M_SYS_NVFLAGS register
      does not seem to be retained any more on Juno across resets. This could
      be down to the motherboard firmware not doing the necessary to preserve
      the value.
      
      Hence this patch modifies the Juno platform to use the same mechanism to
      trigger firmware update as FVP which is to corrupt the FIP TOC on
      authentication failure. The implementation in `fvp_err.c` is made common
      for ARM platforms and is moved to the new `arm_err.c` file in
      plat/arm/common folder. The BL1 and BL2 mmap table entries for Juno
      are modified to allow write to the Flash memory address.
      
      Change-Id: Ica7d49a3e8a46a90efd4cf340f19fda3b549e945
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      7b56928a
  29. 26 Feb, 2018 2 commits
    • Soby Mathew's avatar
      ARM Platforms: Load HW_CONFIG in BL2 · cab0b5b0
      Soby Mathew authored
      
      
      The patch adds the necessary changes to load HW_CONFIG in BL2 for
      ARM Platforms :
      
      1. The load address of HW_CONFIG is specified via the `hw_config_addr`
      property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size`
      property defines the maximum size to be expected for the HW_CONFIG.
      The `arm_dyn_cfg_helpers.c` and corresponding header implements
      utility functions to parse these DT properties defined.
      The `arm_dyn_cfg.c` implements wrappers to these helpers to enable
      them to be invoked from ARM platform layer.
      
      2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is
      the list of images to be loaded by BL2.
      
      3. The `libfdt` sources are now included when BL2 is built
      
      4. A new helper `populate_next_bl_params_config()` is introduced in
      desc_image_load.c to populate the subsequent executable BL images
      with the `hw_config` and the corresponding `fw_config` if available.
      The `plat_get_next_bl_params()` API for ARM platforms is modified to
      invoke this new helper.
      
      5. The implementation of `bl2_early_platform_setup2()` is modified to
      consider `arg0` as well in addition to `arg1` passed from BL1.
      
      6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt.
      
      Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      cab0b5b0
    • Soby Mathew's avatar
      ARM Platorms: Load TB_FW_CONFIG in BL1 · c228956a
      Soby Mathew authored
      
      
      This patch modifies the bl1_platform_setup() API to load and authenticate
      TB_FW_CONFIG in BL1. The load address of the same is passed on to BL2 in
      `arg0` of entrypoint info. The fvp_io_storage.c and arm_io_storage.c also
      adds entries corresponding to TB_FW_CONFIG. A helper function
      `arm_load_tb_fw_config()` is added to load and authenticate TB_FW_CONFIG
      if present.
      
      Change-Id: Ie7bce667b3fad2b1a083bbcbc0a773f9f04254b1
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      c228956a
  30. 01 Feb, 2018 3 commits
    • Masahiro Yamada's avatar
      Build: change the first parameter of TOOL_ADD_IMG to lowercase · 33950dd8
      Masahiro Yamada authored
      
      
      In the next commit, I need the image name in lowercase because
      output files are generally named in lowercase.
      
      Unfortunately, TOOL_ADD_IMG takes the first argument in uppercase
      since we generally use uppercase Make variables.
      
      make_helpers/build_macros.mk provides 'uppercase' macro to convert
      a string into uppercase, but 'lowercase' does not exist.  We can
      implement it if we like, but it would be more straightforward to
      change the argument of TOOL_ADD_IMG.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      33950dd8
    • Masahiro Yamada's avatar
      Build: rename FIP_ADD_IMG to TOOL_ADD_IMG · c939d13a
      Masahiro Yamada authored
      
      
      Now FIP_ADD_IMG takes care of both fiptool and cert_create
      symmetrically.  Rename it so that it matches the behavior.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      c939d13a
    • Masahiro Yamada's avatar
      Build: merge build macros between FIP_ and FWU_FIP_ · 1dc0714f
      Masahiro Yamada authored
      
      
      The build system supports generating two FIP images, fip and fwu_fip.
      Accordingly, we have similar build macros.
      
         FIP_ADD_PAYLOAD   <-->  FWU_FIP_ADD_PAYLOAD
         CERT_ADD_CMD_OPT  <-->  FWU_CERT_ADD_CMD_OPT
         FIP_ADD_IMG       <-->  FWU_FIP_ADD_IMG
      
      The duplicated code increases the maintenance burden.  Also, the build
      rule of BL2U looks clumsy - we want to call MAKE_BL to compile it from
      source files, but we want to put it in fwu_fip.  We can not do it in a
      single macro call since the current MAKE_BL does not support fwu_fip.
      
      To refactor those in a clean way is to support one more argument to
      specify the FIP prefix.  If it is empty, the images are targeted to
      fip, whereas if the argument is "FWU_", targeted to fwu_fip.
      
      The build macros prefixed with FWU_ go away.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      1dc0714f
  31. 18 Jan, 2018 1 commit
    • Roberto Vargas's avatar
      bl2-el3: Add BL2 at EL3 support in FVP · 81528dbc
      Roberto Vargas authored
      
      
      This patch add supports for the new API added for BL2 at EL3 for
      FVP. We don't have a non-TF Boot ROM for FVP, but this option can be
      tested setting specific parameters in the model.
      
      The bl2 image is loaded directly in memory instead of being loaded
      by a non-TF Boot ROM and the reset address is changed:
      
      	--data cluster0.cpu0=bl2.bin@0x4001000
      	-C cluster0.cpu0.RVBAR=0x4001000
      
      These parameters mean that in the cold boot path the processor will
      jump to BL2 again. For this reason, BL2 is loaded in dram in this
      case, to avoid other images reclaiming BL2 memory.
      
      Change-Id: Ieb2ff8535a9e67ccebcd8c2212cad366e7776422
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      81528dbc
  32. 03 Jan, 2018 1 commit
  33. 13 Nov, 2017 2 commits