GitLab

    - fixed compile error when KEY_ALG=ecdsa
    - add new option ecdsa for TF_MBEDTLS_KEY_ALG
    - add new option devel_ecdsa for ARM_ROTPK_LOCATION
    - add ecdsa key at plat/arm/board/common/rotpk/
    - reduce the mbedtls heap memory size to 13k

Change-Id: I3f7a6170af93fdbaaa7bf2fffb4680a9f6113c13
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

For Trusted Board Boot, BL1 RW section and BL2 need more space to
support the ECDSA algorithm. Specifically, PLAT_ARM_MAX_BL1_RW_SIZE
is increased on ARM platforms.

And on the Juno platform:
    - BL2 size, PLAT_ARM_MAX_BL2_SIZE is increased.
    - SCP_BL2 is loaded into the space defined by BL31_BASE ->
      BL31_RW_BASE. In order to maintain the same size space for
      SCP_BL2,PLAT_ARM_MAX_BL31_SIZE is increased.

Change-Id: I379083f918b40ab1c765da4e71780d89f0058040
Co-Authored-By: David Cunado <david.cunado@arm.com>
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

Earlier patches added errata workarounds 859972 for Cortex-A72, and
859972 for Cortex-A57 CPUs. Explicitly disable the workaround for Juno.

Also reorganize errata workaround flags.

No functional changes.

Change-Id: I3fe3745de57d77e5bf52012826d3969fe5d4844e
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch does the required changes to enable CSS platforms
to build and use the SDS framework. Since SDS is always coupled with
SCMI protocol, the preexisting SCMI build flag is now renamed to
`CSS_USE_SCMI_SDS_DRIVER` which will enable both SCMI and SDS on
CSS platforms. Also some of the workarounds applied for SCMI are
now removed with SDS in place.

Change-Id: I94e8b93f05e3fe95e475c5501c25bec052588a9c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch introduces the driver for Shared-Data-Structure (SDS)
framework which will be used for communication between SCP and AP
CPU. The SDS framework is intended to replace the Boot-Over-MHU
(BOM) protocol used currently for the communication

Change-Id: Ic174291121f4e581b174cce3389d22d6435f7269
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch factors out common files required for sp_min for all CSS
platforms from the JUNO specific makefile to a the new `css_sp_min.mk`
makefile. This also allows the common build options that affect CSS
platforms to be configured in a central makefile for sp_min.

Change-Id: Ida952d8833b1aa5eda77ae0a6664a4632aeab24c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

plat_get_my_entrypoint was branching to juno_do_reset_to_aarch_32_state,
which is not supposed to return, and in case of returning it implemented
an infinite loop. The problem was that plat_get_my_entrypoint was using
"b" instead of "bl", so juno_do_reset_to_aarch_32_state was returning to
the caller of plat_get_my_entrypoint instead of stop the system with a
panic.

To avoid this problem juno_do_reset_to_aarch_32_state was modified to
call directly to plat_panic_handler if it tries to return.

Change-Id: I591cf2dd78d27d8568fb15b91366e4b3dce027b5
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

The commit 3eb2d672

 optimizes the memory map for BL2 when TSP
is not present. But this also broke OP-TEE as it was reusing
the TSP mapping. This patch fixes this problem by adding a
separate mapping for OP-TEE in the BL2 memory map table.

Change-Id: I130a2ea552b7b62d8478081feb1f4ddf5292a118
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The `KEY_ALG` variable is used to select the algorithm for key
generation by `cert_create` tool for signing the certificates. This
variable was previously undocumented and did not have a global default
value. This patch corrects this and also adds changes to derive the
value of `TF_MBEDTLS_KEY_ALG` based on `KEY_ALG` if it not set by the
platform. The corresponding assignment of these variables are also now
removed from the `arm_common.mk` makefile.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I78e2d6f4fc04ed5ad35ce2266118afb63127a5a4

This patch ensures that the ARM_MAP_TSP_SEC_MEM memory region is mapped
in BL2 only if the TSPD has been included in the build. This saves one
entry in the plat_arm_mmap[] array and avoids to map extra memory when
it's not needed.

Change-Id: I6ae60822ff8f0de198145925b0b0d45355179a94
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This patch fixes the PLAT_LOG_LEVEL_ASSERT to 40 which corresponds
to LOG_LEVEL_INFO. Having this level of log for assertions means that the
`assert()` will not generate the strings implied in the expression taken
as parameter. This allows to save some memory when Juno is built for
LOG_LEVEL = LOG_LEVEL_VERBOSE and DEBUG = 1.

Fixes ARM-software/tf-issues#511

Change-Id: Id84a40f803ab07a5a8f6e587167af96694a07d04
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

zero_normalmem only can zero memory when caches are enabled
and the target memory is a normal memory, otherwise an abort is
generated. In the case of EL3_PAYLOAD_BASE bl2_platform_setup was
calling zero_normalmem with device memory and it generated an abort.

Change-Id: If013603f209a12af488a9c54481f97a8f395b26a
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

The current definition of ARM_INSTANTIATE_LOCK macro includes a
semicolon, which means it's omitted where it's used. This is anomalous
for a C statement in global scope.

Fix this by removing semicolon from the definition; and where it's a
NOP, declare a file-scoped variable explicitly tagged as unused to avoid
compiler warning.

No functional changes.

Change-Id: I2c1d92ece4777e272a025011e03b8003f3543335
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

If SPD_opteed is defined map ARM_OPTEE_PAGEABLE_LOAD_MEM in bl2 to
allow loading of OP-TEE paged part.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

At present, the MPIDR validation on FVP relies on MT bit set along
with shifted affinities. This currently is additionally dependent
on the FVP model being of variant C. This however should be based
on the presence of MT bit alone.

This patch makes the change to always assume that the affinities
are shifted in the FVP model when MT bit is present.

Change-Id: I09fcb0126e1b38d29124bdeaf3450a60b95d485d
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

The nor_XXXXX functions may fail due to different reasons, and it
is convenient to do a full check to detect any failure. It is also
a good idea to have a specific function to do a full status check,
because new checks can be added to this function and they will be
incorporated automatically to any function calling it.

Change-Id: I54fed913e37ef574c1608e94139a519426348d12
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

NOR memory only supports setting bits to 1. To clear a bit, set to zero,
the NOR memory needs to be erased.

Change-Id: Ia82eb15a5af9a6d4fc7e5ea2b58e6db87226b351
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

The status register bits remain until explicitly cleared, which means
that a command can be incorrectly considered to have generated an error -
for example, after reset the status register contents may be unknown or
if a previous command had failed.

This patch clears the status register before beginning any command to
be sure that the status register only represents information about the
current operation.

Change-Id: I9e98110ee24179937215461c00b6543a3467b350
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

lock/unlock operation must wait until WSM bit
is set. Since we do not allow to loop forever then these functions
must return an error if WSM bit isn't enabled after a number of tries.

Change-Id: I21c9e292b514b28786ff4a225128bcd8c1bfa999
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

- Add comments to all the functions
- Simplify nor_poll_dws
- Simplify nor_word_program

Change-Id: I29c0199d2908a4fceb1ac3430fcfdd699be22bb3
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Trusted OS may have extra images to be loaded. Load them one by one
and do the parsing. In this patch, ARM TF need to load up to 3 images
for optee os: header, pager and paged images. Header image is the info
about optee os and images. Pager image include pager code and data.
Paged image include the paging parts using virtual memory.

Change-Id: Ia3bcfa6d8a3ed7850deb5729654daca7b00be394
Signed-off-by: Summer Qin <summer.qin@arm.com>

Since Trusted OS firmware may have extra images, need to
assign new uuid and image id for them.
The TBBR chain of trust has been extended to add support
for the new images within the existing Trusted OS firmware
content certificate.

Change-Id: I678dac7ba1137e85c5779b05e0c4331134c10e06
Signed-off-by: Summer Qin <summer.qin@arm.com>

Revision C of the Base FVP has the same memory map as earlier revisions,
but has the following differences:

  - Implements CCI550 instead of CCI400,
  - Has a single instantiation of SMMUv3,
  - CPU MPIDs are shifted left by one level, and has MT bit set in them.

The correct interconnect to program is chosen at run time based on the
FVP revision. Therefore, this patch implements FVP functions for
interconnect programming, rather than depending on ARM generic ones. The
macros used have been renamed to reflect this change.

Additionally, this patch initializes SMMUv3 as part of FVP early
platform setup.

New ARM config flags are introduced for feature queries at run time.

Change-Id: Ic7b7f080953a51fceaf62ce7daa6de0573801f09
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The CCI crash dump macros assumes CCI base at build time. Since this
can't be the case for CCI on FVP, choose not to register dump CCI
registers for FVP.

Change-Id: I7374a037e7fd0a85b138e84b3cf0aa044262da97
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

ARM CPUs with multi-threading implementation has more than one
Processing Element in a single physical CPU. Such an implementation will
reflect the following changes in the MPIDR register:

  - The MT bit set;

  - Affinity levels pertaining to cluster and CPUs occupy one level
    higher than in a single-threaded implementation, and the lowest
    affinity level pertains to hardware threads. MPIDR affinity level
    fields essentially appear shifted to left than otherwise.

The FVP port henceforth assumes that both properties above to be
concomitant on a given FVP platform.

To accommodate for varied MPIDR formats at run time, this patch
re-implements the FVP platform-specific functions that translates MPIDR
values to a linear indices, along with required validation. The same
treatment is applied for GICv3 MPIDR hashing function as well.

An FVP-specific build option FVP_MAX_PE_PER_CPU is introduced which
specifies the maximum number of threads implemented per CPU. For
backwards compatibility, its value defaults to 1.

Change-Id: I729b00d3e121d16ce9a03de4f9db36dfac580e3f
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

The DEVICE2 memory range is needed to access the Root of Trust Public
Key registers. This is not needed when Trusted Board Boot is disabled
so it's safer to not map it in this case. This also saves one level-2
page table in each of BL1 and BL2 images.

Also add some comments.

Change-Id: I67456b44f3fd5e145f6510a8499b7fdf720a7273
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

On ARM CSS platforms, the SCP_BL2/2U image is loaded below
BL1 read-write data. This same memory is used to load BL31
later on. But sufficient checks were not done to ensure that the
SCP_BL2 would not overwrite BL1 rw data. This patch adds the
required CASSERT checks to prevent overwrite into BL1 or BL2
memory by load of SCP_BL2/2U. Also the size of BL31 is increased
and SCP_BL2/2U size is decreased to accomodate it within the
allocated region.

Change-Id: I23b28b5e1589e91150852a06452bd52b273216ee
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The SCP_BL2 is transferred to SCP during BL2 image load and authenticate
sequence. The Boot-Over-MHU (BOM) protocol is used as transport for this. After
the SCP boots using the transferred image, the AP CPU waits till the `READY`
message is received from SCP. This patch separates the API for transport of
image from the wait for `READY` message and also moves the related files to
the `css/drivers` folder. The previous API `scp_bootloader_transfer` is
renamed to `css_scp_boot_image_xfer` to reflect the css naming convention.
This reorganisation also allows easier switch to a different transport
(eg: Shared Data Structure based transfer) in future

Change-Id: I8a96f9c4616ffde6dbfdf7c18f6f6f8bfa40bbf0
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Recent patches to reduce the memory footprint of BL images have
resulted in saving several pages of memory. This patch reduces
the BL2 size limit by 20KB for Juno when ARM_BOARD_OPTIMISE_MEM=1
so that more free space can be freed up for Trusted OS (BL32). Also
SCP_BL2/SCP_BL2U size is now restricted to 80K.

Change-Id: I1573d7a34e24d15e4abce8a14da40dbb5dc81e37
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This fix modifies the order of #includes in ARM standard platforms
to meet the ARM TF coding standard.

Change-Id: Ide19aad6233babda4eea2d17d49e523645fed1b2
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

This patch implements the platform APIs plat_get_rotpk_info,
plat_get_nv_ctr, plat_set_nv_ctr to invoke CryptoCell SBROM
APIs when ARM_CRYPTOCELL_INT is set.

Change-Id: I693556b3c7f42eceddd527abbe6111e499f55c45
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:

* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
  the CryptoCell crypto driver for Trusted Board boot.

* The TrustZone filter settings for Non Secure DRAM is modified
  to allow CryptoCell to read this memory. This is required to
  authenticate BL33 which is loaded into the Non Secure DDR.

* The CSS platforms are modified to use coherent stacks in BL1 and BL2
  when CryptoCell crypto is selected. This is because CryptoCell makes
  use of DMA to transfer data and the CryptoCell SBROM library allocates
  buffers on the stack during signature/hash verification.

Change-Id: I1e6f6dcd1899784f1edeabfa2a9f279bbfb90e31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

On Juno AArch32, the L2 cache may contain garbage after the warm reset
from AArch64 to AArch32.  This is all fine until the MMU is configured
and the data caches enabled.  To avoid fetching stale data from the L2
unified cache, invalidate it before the warm reset to AArch32 state.

Change-Id: I7d27e810692c02c3e83c9f31de67f6bae59a960a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Before BL2 loads the SCP ram firmware, `SCP_BOOT_CFG_ADDR` specifies
the primary core.  After the SCP ram firmware has started executing,
`SCP_BOOT_CFG_ADDR` is modified.  This is not normally an issue but
the Juno AArch32 boot flow is a special case.  BL1 does a warm reset
into AArch32 and the core jumps to the `sp_min` entrypoint.  This is
effectively a `RESET_TO_SP_MIN` configuration.  `sp_min` has to be
able to determine the primary core and hence we need to restore
`SCP_BOOT_CFG_ADDR` to the cold boot value before `sp_min` runs.

This magically worked when booting on A53 because the core index was
zero and it just so happened to match with the new value in
`SCP_BOOT_CFG_ADDR`.

Change-Id: I105425c680cf6238948625c1d1017b01d3517c01
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html



Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.

Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769

Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419

The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.

Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.

Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

SPE is only supported in non-secure state.  Accesses to SPE specific
registers from SEL1 will trap to EL3.  During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained.  This is to
avoid a potential invalid memory access in SEL1.

SPE is architecturally specified only for AArch64.

Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Commit 6de8b24f

 broke Juno AArch32
build.

Change-Id: Ied70d9becb86e53ccb46a2e3245e2a551d1bf701
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

On ARM platforms before exiting from SP_MIN ensure that
the default console is switched to the runtime serial port.

Change-Id: I0ca0d42cc47e345d56179eac16aa3d6712767c9b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

The ARM_PLAT_MT bit enables the support for MT bit in
MPIDR format. This means that the level 0 affinity
represents the thread and CPU / Cluster levels are
at affinity level 1 and 2 respectively.
This was not catered for in the scpi 'css_scp_get_power_state, API.
Since the SCPI driver can only cater for single threaded CPUs,
this patch fixes the problem by catering for this shift by
effectively ignoring the Thread (level 0) affinity level.

Change-Id: If44f55c9fb2773c8d3f8a9bbcf5420a6f7409dfe
Signed-off-by: jagadeesh ujja <jagadeesh.ujja@arm.com>

This patch makes all the defines in the CPU libraries unique,
by prefixing them with the CPU name.

NOTE: PLATFORMS USING THESE MACROS WILL HAVE TO UPDATE THEIR CODE
TO START USING THE UPDATED NAMES
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>