1. 23 Feb, 2017 6 commits
  2. 22 Feb, 2017 9 commits
  3. 15 Feb, 2017 1 commit
    • dp-arm's avatar
      Juno: Disable SPIDEN in release builds · 09fad498
      dp-arm authored
      
      
      On Juno, the secure privileged invasive debug authentication signal
      (SPIDEN) is controlled by board SCC registers, which by default enable
      SPIDEN.  Disable secure privileged external debug in release builds by
      programming the appropriate Juno SoC registers.
      
      Change-Id: I61045f09a47dc647bbe95e1b7a60e768f5499f49
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      09fad498
  4. 13 Feb, 2017 1 commit
    • dp-arm's avatar
      PSCI: Decouple PSCI stat residency calculation from PMF · 04c1db1e
      dp-arm authored
      
      
      This patch introduces the following three platform interfaces:
      
      * void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting before entering a low power state.  This
        typically involves capturing a timestamp.
      
      * void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)
      
        This is an optional hook that platforms can implement in order
        to perform accounting after exiting from a low power state.  This
        typically involves capturing a timestamp.
      
      * u_register_t plat_psci_stat_get_residency(unsigned int lvl,
      	const psci_power_state_t *state_info,
      	unsigned int last_cpu_index)
      
        This is an optional hook that platforms can implement in order
        to calculate the PSCI stat residency.
      
      If any of these interfaces are overridden by the platform, it is
      recommended that all of them are.
      
      By default `ENABLE_PSCI_STAT` is disabled.  If `ENABLE_PSCI_STAT`
      is set but `ENABLE_PMF` is not set then an alternative PSCI stat
      collection backend must be provided.  If both are set, then default
      weak definitions of these functions are provided, using PMF to
      calculate the residency.
      
      NOTE: Previously, platforms did not have to explicitly set
      `ENABLE_PMF` since this was automatically done by the top-level
      Makefile.
      
      Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      04c1db1e
  5. 06 Feb, 2017 2 commits
    • Douglas Raillard's avatar
      Replace some memset call by zeromem · 32f0d3c6
      Douglas Raillard authored
      
      
      Replace all use of memset by zeromem when zeroing moderately-sized
      structure by applying the following transformation:
      memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
      
      As the Trusted Firmware is compiled with -ffreestanding, it forbids the
      compiler from using __builtin_memset and forces it to generate calls to
      the slow memset implementation. Zeromem is a near drop in replacement
      for this use case, with a more efficient implementation on both AArch32
      and AArch64.
      
      Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      32f0d3c6
    • Douglas Raillard's avatar
      Introduce unified API to zero memory · 308d359b
      Douglas Raillard authored
      
      
      Introduce zeromem_dczva function on AArch64 that can handle unaligned
      addresses and make use of DC ZVA instruction to zero a whole block at a
      time. This zeroing takes place directly in the cache to speed it up
      without doing external memory access.
      
      Remove the zeromem16 function on AArch64 and replace it with an alias to
      zeromem. This zeromem16 function is now deprecated.
      
      Remove the 16-bytes alignment constraint on __BSS_START__ in
      firmware-design.md as it is now not mandatory anymore (it used to comply
      with zeromem16 requirements).
      
      Change the 16-bytes alignment constraints in SP min's linker script to a
      8-bytes alignment constraint as the AArch32 zeromem implementation is now
      more efficient on 8-bytes aligned addresses.
      
      Introduce zero_normalmem and zeromem helpers in platform agnostic header
      that are implemented this way:
      * AArch32:
      	* zero_normalmem: zero using usual data access
      	* zeromem: alias for zero_normalmem
      * AArch64:
      	* zero_normalmem: zero normal memory  using DC ZVA instruction
      	                  (needs MMU enabled)
      	* zeromem: zero using usual data access
      
      Usage guidelines: in most cases, zero_normalmem should be preferred.
      
      There are 2 scenarios where zeromem (or memset) must be used instead:
      * Code that must run with MMU disabled (which means all memory is
        considered device memory for data accesses).
      * Code that fills device memory with null bytes.
      
      Optionally, the following rule can be applied if performance is
      important:
      * Code zeroing small areas (few bytes) that are not secrets should use
        memset to take advantage of compiler optimizations.
      
        Note: Code zeroing security-related critical information should use
        zero_normalmem/zeromem instead of memset to avoid removal by
        compilers' optimizations in some cases or misbehaving versions of GCC.
      
      Fixes ARM-software/tf-issues#408
      
      Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      308d359b
  6. 31 Jan, 2017 1 commit
  7. 26 Jan, 2017 1 commit
    • David Cunado's avatar
      Resolve build errors flagged by GCC 6.2 · 9edac047
      David Cunado authored
      
      
      With GCC 6.2 compiler, more C undefined behaviour is being flagged as
      warnings, which result in build errors in ARM TF build.
      
      The specific issue that this patch resolves is the use of (1 << 31),
      which is predominantly used in case statements, where 1 is represented
      as a signed int. When shifted to msb the behaviour is undefined.
      
      The resolution is to specify 1 as an unsigned int using a convenience
      macro ULL(). A duplicate macro MAKE_ULL() is replaced.
      
      Fixes ARM-software/tf-issues#438
      
      Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      9edac047
  8. 24 Jan, 2017 4 commits
  9. 23 Jan, 2017 2 commits
    • Masahiro Yamada's avatar
      Use #ifdef for AARCH32 instead of #if · 6af03f9c
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      For AARCH32/AARCH64, these macros are defined in the top-level
      Makefile as follows:
      
      ifeq (${ARCH},aarch32)
              $(eval $(call add_define,AARCH32))
      else
              $(eval $(call add_define,AARCH64))
      endif
      
      This means only one of the two is defined.  So, AARCH32/AARCH64
      belongs to the latter group where we should use #ifdef or #ifndef.
      The conditionals are mostly coded correctly, but I see some mistakes.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      6af03f9c
    • Masahiro Yamada's avatar
      Use #ifdef for IMAGE_BL* instead of #if · 3d8256b2
      Masahiro Yamada authored
      
      
      One nasty part of ATF is some of boolean macros are always defined
      as 1 or 0, and the rest of them are only defined under certain
      conditions.
      
      For the former group, "#if FOO" or "#if !FOO" must be used because
      "#ifdef FOO" is always true.  (Options passed by $(call add_define,)
      are the cases.)
      
      For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
      checking the value of an undefined macro is strange.
      
      Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
      follows:
      
        $(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
      
        $(OBJ): $(2)
                @echo "  CC      $$<"
                $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
      
      This means, IMAGE_BL* is defined when building the corresponding
      image, but *undefined* for the other images.
      
      So, IMAGE_BL* belongs to the latter group where we should use #ifdef
      or #ifndef.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      3d8256b2
  10. 18 Jan, 2017 3 commits
  11. 14 Jan, 2017 1 commit
  12. 12 Jan, 2017 1 commit
  13. 06 Jan, 2017 1 commit
  14. 04 Jan, 2017 1 commit
  15. 20 Dec, 2016 2 commits
    • Masahiro Yamada's avatar
      zynqmp: add "override" directive to mandatory options · 34071d6a
      Masahiro Yamada authored
      
      
      The platform.mk sets build options required for ZynqMP, but users
      can still change them from the command line, like:
      
        make PLAT=zynqmp RESET_TO_BL31=0 CROSS_COMPILE=...
      
      Then, the makefile shows an error message in that case:
        Using BL31 as the reset vector is only one option supported on ZynqMP.
        Please set RESET_TO_BL31 to 1.
      
      If the option is not user-configurable, the makefile can specify
      "override" to prevent users from changing it.  We do not need the
      error message for the case that never happens.
      
      Likewise, ENABLE_PLAT_COMPAT := 0 and PROGRAMMABLE_RESET_ADDRESS := 1
      are mandatory to avoid build error.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: default avatarSoren Brinkmann <soren.brinkmann@xilinx.com>
      34071d6a
    • Sandrine Bailleux's avatar
      Fix integer overflows in BL1 FWU code · 949a52d2
      Sandrine Bailleux authored
      
      
      Before adding a base address and a size to compute the end
      address of an image to copy or authenticate, check this
      won't result in an integer overflow. If it does then consider
      the input arguments are invalid.
      
      As a result, bl1_plat_mem_check() can now safely assume the
      end address (computed as the sum of the base address and size
      of the memory region) doesn't overflow, as the validation is
      done upfront in bl1_fwu_image_copy/auth(). A debug assertion
      has been added nonetheless in the ARM implementation in order
      to help catching such problems, should bl1_plat_mem_check()
      be called in a different context in the future.
      
      Fixes TFV-1: Malformed Firmware Update SMC can result in copy
      of unexpectedly large data into secure memory
      
      Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Signed-off-by: default avatarDan Handley <dan.handley@arm.com>
      949a52d2
  16. 19 Dec, 2016 1 commit
  17. 15 Dec, 2016 3 commits
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored
      
      
      The previous code required that a certificate be signed with the ROT
      key before the platform's NV counter could be updated with the value
      in the certificate.  This implies that the Non-Trusted NV counter was
      not being updated for Non-Trusted content certificates, as they cannot
      be signed with the ROT key in the TBBR CoT scheme.
      
      The code is reworked to only allow updating the platform's Trusted NV
      counter when a certificate protected by the Trusted NV counter is
      signed with the ROT key.
      
      Content certificates protected by the Non-Trusted NV counter are
      allowed to update the platform's Non-Trusted NV counter, assuming
      that the certificate value is higher than the platform's value.
      
      A new optional platform API has been introduced, named
      plat_set_nv_ctr2().  Platforms may choose to implement it and perform
      additional checks based on the authentication image descriptor before
      modifying the NV counters.  A default weak implementation is available
      that just calls into plat_set_nv_ctr().
      
      Fixes ARM-software/tf-issues#426
      
      Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23
    • Jeenu Viswambharan's avatar
      FVP: Avail GIC Redistributor power management · 74a9578c
      Jeenu Viswambharan authored
      
      
      Earlier patches introduced GIC Redistributor power management for ARM
      platforms. This patch modifies FVP power management to power down
      Redistributor during CPU power on/off.
      
      Change-Id: I2adb9c50a7dd750019fe3b4e576b5d5fc364bffb
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      74a9578c
    • Jeenu Viswambharan's avatar
      Introduce ARM platform APIs for GICv3 Redistributor · d17b953a
      Jeenu Viswambharan authored
      
      
      As with other ARM platform GIC APIs, these directly invoke the GICv3
      driver APIs for Redistributor power management.
      
      For the sake of uniform GIC API, empty stubs are placed for those GIC
      drivers that lack Redistributor component.
      
      Change-Id: Iad0d760d4dbca790998f7768cda621ff3b15a864
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      d17b953a