1. 18 Jan, 2018 3 commits
    • Dimitris Papastamos's avatar
      sp_min: Implement workaround for CVE-2017-5715 · 7343505d
      Dimitris Papastamos authored
      
      
      This patch introduces two workarounds for ARMv7 systems.  The
      workarounds need to be applied prior to any `branch` instruction in
      secure world.  This is achieved using a custom vector table where each
      entry is an `add sp, sp, #1` instruction.
      
      On entry to monitor mode, once the sequence of `ADD` instructions is
      executed, the branch target buffer (BTB) is invalidated.  The bottom
      bits of `SP` are then used to decode the exception entry type.
      
      A side effect of this change is that the exception vectors are
      installed before the CPU specific reset function.  This is now
      consistent with how it is done on AArch64.
      
      Note, on AArch32 systems, the exception vectors are typically tightly
      integrated with the secure payload (e.g. the Trusted OS).  This
      workaround will need porting to each secure payload that requires it.
      
      The patch to modify the AArch32 per-cpu vbar to the corresponding
      workaround vector table according to the CPU type will be done in a
      later patch.
      
      Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      7343505d
    • Roberto Vargas's avatar
      Mark functions defined in assembly files · d1f7292e
      Roberto Vargas authored
      
      
      This patch change the name of the section containing the functions
      defined in assembly files from text.* to text.asm.*. This change
      makes possible to select in the linker script the functions
      defined in those files.
      
      Change-Id: If35e44ef1b43ffd951dfac5e052db75d7198e2e0
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      d1f7292e
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored
      
      
      This patch enables BL2 to execute at the highest exception level
      without any dependancy on TF BL1. This enables platforms which already
      have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
      stages without need for BL1.  This is not currently possible because
      BL2 executes at S-EL1 and cannot jump straight to EL3.
      
      Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  2. 11 Jan, 2018 1 commit
    • Dimitris Papastamos's avatar
      Workaround for CVE-2017-5715 on Cortex A57 and A72 · f62ad322
      Dimitris Papastamos authored
      
      
      Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
      and enabling the MMU.  To achieve this without performing any branch
      instruction, a per-cpu vbar is installed which executes the workaround
      and then branches off to the corresponding vector entry in the main
      vector table.  A side effect of this change is that the main vbar is
      configured before any reset handling.  This is to allow the per-cpu
      reset function to override the vbar setting.
      
      This workaround is enabled by default on the affected CPUs.
      
      Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      f62ad322
  3. 12 Dec, 2017 1 commit
    • Julius Werner's avatar
      Add new function-pointer-based console API · 9536bae6
      Julius Werner authored
      
      
      This patch overhauls the console API to allow for multiple console
      instances of different drivers that are active at the same time. Instead
      of binding to well-known function names (like console_core_init),
      consoles now provide a register function (e.g. console_16550_register())
      that will hook them into the list of active consoles. All console
      operations will be dispatched to all consoles currently in the list.
      
      The new API will be selected by the build-time option MULTI_CONSOLE_API,
      which defaults to ${ERROR_DEPRECATED} for now. The old console API code
      will be retained to stay backwards-compatible to older platforms, but
      should no longer be used for any newly added platforms and can hopefully
      be removed at some point in the future.
      
      The new console API is intended to be used for both normal (bootup) and
      crash use cases, freeing platforms of the need to set up the crash
      console separately. Consoles can be individually configured to be active
      active at boot (until first handoff to EL2), at runtime (after first
      handoff to EL2), and/or after a crash. Console drivers should set a sane
      default upon registration that can be overridden with the
      console_set_scope() call. Code to hook up the crash reporting mechanism
      to this framework will be added with a later patch.
      
      This patch only affects AArch64, but the new API could easily be ported
      to AArch32 as well if desired.
      
      Change-Id: I35c5aa2cb3f719cfddd15565eb13c7cde4162549
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      9536bae6
  4. 05 Dec, 2017 1 commit
    • Soby Mathew's avatar
      Unify cache flush code path after image load · 76163b3a
      Soby Mathew authored
      
      
      Previously the cache flush happened in 2 different places in code
      depending on whether TRUSTED_BOARD_BOOT is enabled or not. This
      patch unifies this code path for both the cases. The `load_image()`
      function is now made an internal static function.
      
      Change-Id: I96a1da29d29236bbc34b1c95053e6a9a7fc98a54
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      76163b3a
  5. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  6. 20 Nov, 2017 1 commit
    • Dimitris Papastamos's avatar
      Refactor Statistical Profiling Extensions implementation · 281a08cc
      Dimitris Papastamos authored
      
      
      Factor out SPE operations in a separate file.  Use the publish
      subscribe framework to drain the SPE buffers before entering secure
      world.  Additionally, enable SPE before entering normal world.
      
      A side effect of this change is that the profiling buffers are now
      only drained when a transition from normal world to secure world
      happens.  Previously they were drained also on return from secure
      world, which is unnecessary as SPE is not supported in S-EL1.
      
      Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      281a08cc
  7. 08 Nov, 2017 4 commits
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored
      
      
      A Secure Partition is a software execution environment instantiated in
      S-EL0 that can be used to implement simple management and security
      services. Since S-EL0 is an unprivileged exception level, a Secure
      Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
      granted access to system and processor resources. Essentially, it is a
      software sandbox that runs under the control of privileged software in
      the Secure World and accesses the following system resources:
      
      - Memory and device regions in the system address map.
      - PE system registers.
      - A range of asynchronous exceptions e.g. interrupts.
      - A range of synchronous exceptions e.g. SMC function identifiers.
      
      A Secure Partition enables privileged firmware to implement only the
      absolutely essential secure services in EL3 and instantiate the rest in
      a partition. Since the partition executes in S-EL0, its implementation
      cannot be overly complex.
      
      The component in ARM Trusted Firmware responsible for managing a Secure
      Partition is called the Secure Partition Manager (SPM). The SPM is
      responsible for the following:
      
      - Validating and allocating resources requested by a Secure Partition.
      - Implementing a well defined interface that is used for initialising a
        Secure Partition.
      - Implementing a well defined interface that is used by the normal world
        and other secure services for accessing the services exported by a
        Secure Partition.
      - Implementing a well defined interface that is used by a Secure
        Partition to fulfil service requests.
      - Instantiating the software execution environment required by a Secure
        Partition to fulfil a service request.
      
      Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228
    • Etienne Carriere's avatar
      ARMv7 may not support Virtualization Extensions · 64cc6e91
      Etienne Carriere authored
      
      
      ARMv7-A Virtualization extensions brings new instructions and resources
      that were supported by later architectures. Reference ARM ARM Issue C.c
      [DDI0406C_C].
      
      ERET and extended MSR/MRS instructions, as specified in [DDI0406C_C] in
      ID_PFR1 description of bits[15:12] (Virtualization Extensions):
       A value of 0b0001 implies implementation of the HVC, ERET, MRS
       (Banked register), and MSR (Banked register) instructions. The ID_ISARs
       do not identify whether these instructions are implemented.
      
      UDIV/SDIV were introduced with the Virtualization extensions, even if
      not strictly related to the virtualization extensions.
      
      If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
      shall define ARMV7_SUPPORTS_VIRTUALIZATION to enable virtualization
      extension related resources.
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      64cc6e91
    • Etienne Carriere's avatar
      908cf705
    • Etienne Carriere's avatar
      ARMv7 does not support STL instruction · 0147bef5
      Etienne Carriere authored
      
      
      Also need to add a SEV instruction in ARMv7 spin_unlock which
      is implicit in ARMv8.
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      0147bef5
  8. 16 Oct, 2017 1 commit
    • Jeenu Viswambharan's avatar
      GIC: Allow specifying interrupt properties · c639e8eb
      Jeenu Viswambharan authored
      
      
      The GIC driver initialization currently allows an array of interrupts to
      be configured as secure. Future use cases would require more interrupt
      configuration other than just security, such as priority.
      
      This patch introduces a new interrupt property array as part of both
      GICv2 and GICv3 driver data. The platform can populate the array with
      interrupt numbers and respective properties. The corresponding driver
      initialization iterates through the array, and applies interrupt
      configuration as required.
      
      This capability, and the current way of supplying array (or arrays, in
      case of GICv3) of secure interrupts, are however mutually exclusive.
      Henceforth, the platform should supply either:
      
        - A list of interrupts to be mapped as secure (the current way).
          Platforms that do this will continue working as they were. With this
          patch, this scheme is deprecated.
      
        - A list of interrupt properties (properties include interrupt group).
          Individual interrupt properties are specified via. descriptors of
          type 'interrupt_prop_desc_t', which can be populated with the macro
          INTR_PROP_DESC().
      
      A run time assert checks that the platform doesn't specify both.
      
      Henceforth the old scheme of providing list of secure interrupts is
      deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
      that the interrupt properties are supplied instead of an array of secure
      interrupts.
      
      Add a section to firmware design about configuring secure interrupts.
      
      Fixes ARM-software/tf-issues#262
      
      Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      c639e8eb
  9. 11 Sep, 2017 2 commits
    • Soby Mathew's avatar
      Implement log framework · 7f56e9a3
      Soby Mathew authored
      
      
      This patch gives users control over logging messages printed from the C
      code using the LOG macros defined in debug.h Users now have the ability
      to reduce the log_level at run time using the tf_log_set_max_level()
      function. The default prefix string can be defined by platform by
      overriding the `plat_log_get_prefix()` platform API which is also
      introduced in this patch.
      
      The new log framework results in saving of some RO data. For example,
      when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
      in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
      framework also adds about 108 bytes of code to the release build of FVP.
      
      Fixes ARM-software/tf-issues#462
      
      Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
      Co-authored-by: default avatarEleanor Bonnici <Eleanor.bonnici@arm.com>
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      7f56e9a3
    • Soby Mathew's avatar
      Introduce tf_vprintf() and tf_string_print() · 2d7e8282
      Soby Mathew authored
      
      
      This patch introduces tf_vprintf() and tf_string_print() APIs
      which is needed by the logging framework introduced in a later
      patch.
      
      Change-Id: Ie4240443d0e04e070502b51e371e546dd469fd33
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      2d7e8282
  10. 01 Sep, 2017 1 commit
    • Etienne Carriere's avatar
      cpu log buffer size depends on cache line size · 86606eb5
      Etienne Carriere authored
      
      
      Platform may use specific cache line sizes. Since CACHE_WRITEBACK_GRANULE
      defines the platform specific cache line size, it is used to define the
      size of the cpu data structure CPU_DATA_SIZE aligned on cache line size.
      
      Introduce assembly macro 'mov_imm' for AArch32 to simplify implementation
      of function '_cpu_data_by_index'.
      
      Change-Id: Ic2d49ffe0c3e51649425fd9c8c99559c582ac5a1
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      86606eb5
  11. 31 Aug, 2017 2 commits
    • Douglas Raillard's avatar
      Add CFI debug info to vector entries · 31823b69
      Douglas Raillard authored
      
      
      Add Call Frame Information assembler directives to vector entries so
      that debuggers display the backtrace of functions that triggered a
      synchronous exception. For example, a function triggering a data abort
      will be easier to debug if the backtrace can be displayed from a
      breakpoint at the beginning of the synchronous exception vector.
      
      DS-5 needs CFI otherwise it will not attempt to display the backtrace.
      Other debuggers might have other needs. These debug information are
      stored in the ELF file but not in the final binary.
      
      Change-Id: I32dc4e4b7af02546c93c1a45c71a1f6d710d36b1
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      31823b69
    • Masahiro Yamada's avatar
      asm_macros: set the default assembly code alignment to 4 byte · fed18b3a
      Masahiro Yamada authored
      Assembly routines are usually defined by using "func" and "endfunc":
      
          func foo
            ...
          endfunc foo
      
      Currently, the "func" macro does not specify ".align" directive
      by default.  It causes unaligned instruction under some circumstances.
      
      As far as I tested, this problem happens for GCC 5 or older.  It did
      not happen for GCC 6 or newer.  Taking into account that GCC 4.x / 5.x
      is still used, make sure that assembly code is at least 4 byte aligned.
      
      [ How to reproduce the problem ]
      
      For example, use GCC 5.3 downloaded from Linaro:
      http://releases.linaro.org/components/toolchain/binaries/5.3-2016.05/
      aarch64-linux-gnu/gcc-linaro-5.3.1-2016.05-x86_64_aarch64-linux-gnu.tar.xz
      
      Expand mbedtls-2.4.2 to the current directory.
      
      Try the following:
      
        $ git log --oneline -1
        77544efb
      
       Merge pull request #1071 from jeenu-arm/syntax-fix
        $ aarch64-linux-gnu-gcc --version | head -1
        aarch64-linux-gnu-gcc (Linaro GCC 5.3-2016.05) 5.3.1 20160412
        $ make CROSS_COMPILE=aarch64-linux-gnu- PLAT=uniphier \
          TRUSTED_BOARD_BOOT=1 MBEDTLS_DIR=mbedtls-2.4.2
          ( snip build log )
        $ aarch64-linux-gnu-nm build/uniphier/release/bl1/bl1.elf | grep handler
        00000000800088f4 T bl1_fwu_smc_handler
        00000000800084c8 T bl1_smc_handler
        000000008000a6e0 t _panic_handler
        000000008000a8e0 W plat_error_handler
        000000008000a8e8 W plat_panic_handler
        000000008000a8d8 W plat_reset_handler
        000000008000a39f T reset_handler
        000000008000a367 t smc_handler
        000000008000a2ef t smc_handler64
      
      You will notice "smc_handler64", "reset_handler", etc. are not properly
      aligned.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      fed18b3a
  12. 15 Aug, 2017 1 commit
    • Julius Werner's avatar
      Add new alignment parameter to func assembler macro · 64726e6d
      Julius Werner authored
      
      
      Assembler programmers are used to being able to define functions with a
      specific aligment with a pattern like this:
      
          .align X
        myfunction:
      
      However, this pattern is subtly broken when instead of a direct label
      like 'myfunction:', you use the 'func myfunction' macro that's standard
      in Trusted Firmware. Since the func macro declares a new section for the
      function, the .align directive written above it actually applies to the
      *previous* section in the assembly file, and the function it was
      supposed to apply to is linked with default alignment.
      
      An extreme case can be seen in Rockchip's plat_helpers.S which contains
      this code:
      
        [...]
        endfunc plat_crash_console_putc
      
        .align 16
        func platform_cpu_warmboot
        [...]
      
      This assembles into the following plat_helpers.o:
      
        Sections:
        Idx Name                             Size  [...]  Algn
         9 .text.plat_crash_console_putc 00010000  [...]  2**16
        10 .text.platform_cpu_warmboot   00000080  [...]  2**3
      
      As can be seen, the *previous* function actually got the alignment
      constraint, and it is also 64KB big even though it contains only two
      instructions, because the .align directive at the end of its section
      forces the assembler to insert a giant sled of NOPs. The function we
      actually wanted to align has the default constraint. This code only
      works at all because the linker just happens to put the two functions
      right behind each other when linking the final image, and since the end
      of plat_crash_console_putc is aligned the start of platform_cpu_warmboot
      will also be. But it still wastes almost 64KB of image space
      unnecessarily, and it will break under certain circumstances (e.g. if
      the plat_crash_console_putc function becomes unused and its section gets
      garbage-collected out).
      
      There's no real way to fix this with the existing func macro. Code like
      
       func myfunc
       .align X
      
      happens to do the right thing, but is still not really correct code
      (because the function label is inserted before the .align directive, so
      the assembler is technically allowed to insert padding at the beginning
      of the function which would then get executed as instructions if the
      function was called). Therefore, this patch adds a new parameter with a
      default value to the func macro that allows overriding its alignment.
      
      Also fix up all existing instances of this dangerous antipattern.
      
      Change-Id: I5696a07e2fde896f21e0e83644c95b7b6ac79a10
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      64726e6d
  13. 09 Aug, 2017 1 commit
  14. 22 Jun, 2017 1 commit
    • dp-arm's avatar
      aarch64: Enable Statistical Profiling Extensions for lower ELs · d832aee9
      dp-arm authored
      
      
      SPE is only supported in non-secure state.  Accesses to SPE specific
      registers from SEL1 will trap to EL3.  During a world switch, before
      `TTBR` is modified the SPE profiling buffers are drained.  This is to
      avoid a potential invalid memory access in SEL1.
      
      SPE is architecturally specified only for AArch64.
      
      Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d832aee9
  15. 21 Jun, 2017 1 commit
    • David Cunado's avatar
      Fully initialise essential control registers · 18f2efd6
      David Cunado authored
      
      
      This patch updates the el3_arch_init_common macro so that it fully
      initialises essential control registers rather then relying on hardware
      to set the reset values.
      
      The context management functions are also updated to fully initialise
      the appropriate control registers when initialising the non-secure and
      secure context structures and when preparing to leave EL3 for a lower
      EL.
      
      This gives better alignement with the ARM ARM which states that software
      must initialise RES0 and RES1 fields with 0 / 1.
      
      This patch also corrects the following typos:
      
      "NASCR definitions" -> "NSACR definitions"
      
      Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      18f2efd6
  16. 15 Jun, 2017 1 commit
  17. 24 May, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Introduce `tf_snprintf` · da5241cb
      Antonio Nino Diaz authored
      
      
      This is a reduced version of `snprintf` that only supports formats '%d',
      '%i' and '%u'. It can be used when the full `snprintf` is not needed in
      order to save memory. If it finds an unknown format specifier, it
      prints an error message and panics.
      
      Change-Id: I2cb06fcdf74cda2c43caf73ae0762a91499fc04e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      da5241cb
  18. 23 May, 2017 1 commit
    • Masahiro Yamada's avatar
      fip: move headers shared between TF and fiptool to include/tools_share · 2a6c1a8f
      Masahiro Yamada authored
      
      
      Some header files need to be shared between TF and host programs.
      For fiptool, two headers are copied to the tools/fiptool directory,
      but it looks clumsy.
      
      This commit introduces a new directory, include/tools_share, which
      collects headers that should be shared between TF and host programs.
      
      This will clarify the interface exposed to host tools.  We should
      add new headers to this directory only when we really need to do so.
      
      For clarification, I inserted a blank line between headers from the
      include/ directory (#include <...>) and ones from a local directory
      (#include "..." ).
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2a6c1a8f
  19. 03 May, 2017 1 commit
  20. 29 Apr, 2017 1 commit
    • Scott Branden's avatar
      Move defines in utils.h to utils_def.h to fix shared header compile issues · 53d9c9c8
      Scott Branden authored
      
      
      utils.h is included in various header files for the defines in it.
      Some of the other header files only contain defines.  This allows the
      header files to be shared between host and target builds for shared defines.
      
      Recently types.h has been included in utils.h as well as some function
      prototypes.
      
      Because of the inclusion of types.h conflicts exist building host tools
      abd these header files now.  To solve this problem,
      move the defines to utils_def.h and have this included by utils.h and
      change header files to only include utils_def.h and not pick up the new
      types.h being introduced.
      
      Fixes ARM-software/tf-issues#461
      Signed-off-by: default avatarScott Branden <scott.branden@broadcom.com>
      
      Remove utils_def.h from utils.h
      
      This patch removes utils_def.h from utils.h as it is not required.
      And also makes a minor change to ensure Juno platform compiles.
      
      Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
      53d9c9c8
  21. 20 Apr, 2017 2 commits
  22. 31 Mar, 2017 1 commit
    • Douglas Raillard's avatar
      Add support for GCC stack protection · 51faada7
      Douglas Raillard authored
      
      
      Introduce new build option ENABLE_STACK_PROTECTOR. It enables
      compilation of all BL images with one of the GCC -fstack-protector-*
      options.
      
      A new platform function plat_get_stack_protector_canary() is introduced.
      It returns a value that is used to initialize the canary for stack
      corruption detection. Returning a random value will prevent an attacker
      from predicting the value and greatly increase the effectiveness of the
      protection.
      
      A message is printed at the ERROR level when a stack corruption is
      detected.
      
      To be effective, the global data must be stored at an address
      lower than the base of the stacks. Failure to do so would allow an
      attacker to overwrite the canary as part of an attack which would void
      the protection.
      
      FVP implementation of plat_get_stack_protector_canary is weak as
      there is no real source of entropy on the FVP. It therefore relies on a
      timer's value, which could be predictable.
      
      Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      51faada7
  23. 27 Mar, 2017 1 commit
    • Soby Mathew's avatar
      Re-factor header files for easier PSCI library integration · 5dffb46c
      Soby Mathew authored
      
      
      This patch re-factors the following headers to make it easier to
      integrate the PSCI library with an AArch32 Secure Payload :
      
        *  bl_common.h : The entry point information and the param
           header data structures are factored out into separate
           headers ep_info.h and param_headers.h
        *  psci.h : The PSCI library interfaces are factored out
           into the new header psci_lib.h
        *  context_mgmt.h : The header file is modified to not include
           arch.h when compiled for AArch32 mode.
      
      No functional changes are introduced by this patch.
      
      Change-Id: I5e21a843c0af2ba8e47dee4e577cf95929be8cd4
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      5dffb46c
  24. 15 Feb, 2017 1 commit
    • dp-arm's avatar
      Disable secure self-hosted debug via MDCR_EL3/SDCR · 85e93ba0
      dp-arm authored
      
      
      Trusted Firmware currently has no support for secure self-hosted
      debug.  To avoid unexpected exceptions, disable software debug
      exceptions, other than software breakpoint instruction exceptions,
      from all exception levels in secure state.  This applies to both
      AArch32 and AArch64 EL3 initialization.
      
      Change-Id: Id097e54a6bbcd0ca6a2be930df5d860d8d09e777
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      85e93ba0
  25. 06 Feb, 2017 1 commit
    • Douglas Raillard's avatar
      Introduce unified API to zero memory · 308d359b
      Douglas Raillard authored
      
      
      Introduce zeromem_dczva function on AArch64 that can handle unaligned
      addresses and make use of DC ZVA instruction to zero a whole block at a
      time. This zeroing takes place directly in the cache to speed it up
      without doing external memory access.
      
      Remove the zeromem16 function on AArch64 and replace it with an alias to
      zeromem. This zeromem16 function is now deprecated.
      
      Remove the 16-bytes alignment constraint on __BSS_START__ in
      firmware-design.md as it is now not mandatory anymore (it used to comply
      with zeromem16 requirements).
      
      Change the 16-bytes alignment constraints in SP min's linker script to a
      8-bytes alignment constraint as the AArch32 zeromem implementation is now
      more efficient on 8-bytes aligned addresses.
      
      Introduce zero_normalmem and zeromem helpers in platform agnostic header
      that are implemented this way:
      * AArch32:
      	* zero_normalmem: zero using usual data access
      	* zeromem: alias for zero_normalmem
      * AArch64:
      	* zero_normalmem: zero normal memory  using DC ZVA instruction
      	                  (needs MMU enabled)
      	* zeromem: zero using usual data access
      
      Usage guidelines: in most cases, zero_normalmem should be preferred.
      
      There are 2 scenarios where zeromem (or memset) must be used instead:
      * Code that must run with MMU disabled (which means all memory is
        considered device memory for data accesses).
      * Code that fills device memory with null bytes.
      
      Optionally, the following rule can be applied if performance is
      important:
      * Code zeroing small areas (few bytes) that are not secrets should use
        memset to take advantage of compiler optimizations.
      
        Note: Code zeroing security-related critical information should use
        zero_normalmem/zeromem instead of memset to avoid removal by
        compilers' optimizations in some cases or misbehaving versions of GCC.
      
      Fixes ARM-software/tf-issues#408
      
      Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      308d359b
  26. 30 Jan, 2017 1 commit
  27. 23 Jan, 2017 1 commit
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
  28. 20 Dec, 2016 1 commit
  29. 19 Dec, 2016 1 commit
  30. 05 Dec, 2016 1 commit
    • Jeenu Viswambharan's avatar
      Define and use no_ret macro where no return is expected · a806dad5
      Jeenu Viswambharan authored
      
      
      There are many instances in ARM Trusted Firmware where control is
      transferred to functions from which return isn't expected. Such jumps
      are made using 'bl' instruction to provide the callee with the location
      from which it was jumped to. Additionally, debuggers infer the caller by
      examining where 'lr' register points to. If a 'bl' of the nature
      described above falls at the end of an assembly function, 'lr' will be
      left pointing to a location outside of the function range. This misleads
      the debugger back trace.
      
      This patch defines a 'no_ret' macro to be used when jumping to functions
      from which return isn't expected. The macro ensures to use 'bl'
      instruction for the jump, and also, for debug builds, places a 'nop'
      instruction immediately thereafter (unless instructed otherwise) so as
      to leave 'lr' pointing within the function range.
      
      Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      a806dad5
  31. 01 Dec, 2016 1 commit
    • David Cunado's avatar
      Reset EL2 and EL3 configurable controls · 939f66d6
      David Cunado authored
      
      
      This patch resets EL2 and EL3 registers that have architecturally
      UNKNOWN values on reset and that also provide EL2/EL3 configuration
      and trap controls.
      
      Specifically, the EL2 physical timer is disabled to prevent timer
      interrups into EL2 - CNTHP_CTL_EL2 and CNTHP_CTL for AArch64 and AArch32,
      respectively.
      
      Additionally, for AArch64, HSTR_EL2 is reset to avoid unexpected traps of
      non-secure access to certain system registers at EL1 or lower.
      
      For AArch32, the patch also reverts the reset to SDCR which was
      incorrectly added in a previous change.
      
      Change-Id: If00eaa23afa7dd36a922265194ccd6223187414f
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      939f66d6
  32. 21 Nov, 2016 1 commit
    • Douglas Raillard's avatar
      Add CFI debug frame information for ASM functions · b91d935f
      Douglas Raillard authored
      
      
      This allows the debugger to print the callstack when there is an
      assembly function in the callstack.
      
      It will work as long as the CFA pointer (frame pointer) location is not
      modified (i.e. x29 is not touched in AArch64 state). It is the case in
      almost all assembly functions, so this patch improves the average
      debugging experience. Call stacks from the debugger should still be
      interpreted with care. In more complex functions, one could use .cfi*
      directives to inform the debugger about the new location of the CFA
      pointer.
      
      Change-Id: I9dabfbc033b45e8528e67f4823c17de7bf02fa24
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      b91d935f