- 21 Sep, 2018 1 commit
-
-
Daniel Boulby authored
Ensure case clauses: * Terminate with an unconditional break, return or goto statement. * Use conditional break, return or goto statements as long as the end of the case clause is unreachable; such case clauses must terminate with assert(0) /* Unreachable */ or an unconditional __dead2 function call * Only fallthough when doing otherwise would result in less readable/maintainable code; such case clauses must terminate with a /* Fallthrough */ comment to make it clear this is the case and indicate that a fallthrough is intended. This reduces the chance of bugs appearing due to unintended flow through a switch statement Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 22 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
The codebase was using non-standard headers. It is needed to replace them by the correct ones so that we can use the new libc headers. Change-Id: I530f71d9510cb036e69fe79823c8230afe890b9d Acked-by: Sumit Garg <sumit.garg@linaro.org> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 17 Aug, 2018 1 commit
-
-
John Tsichritzis authored
If the system is in near idle conditions, this erratum could cause a deadlock or data corruption. This patch applies the workaround that prevents this. This DSU erratum affects only the DSUs that contain the ACP interface and it was fixed in r2p0. The workaround is applied only to the DSUs that are actually affected. Link to respective Arm documentation: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9 Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 10 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
The translation library is useful elsewhere. Even though this repository doesn't exercise the EL2 support of the library, it is better to have it here as well to make it easier to maintain. enable_mmu_secure() and enable_mmu_direct() have been deprecated. The functions are still present, but they are behind ERROR_DEPRECATED and they call the new functions enable_mmu_svc_mon() and enable_mmu_direct_svc_mon(). Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 03 Aug, 2018 1 commit
-
-
Roberto Vargas authored
TF Makefile was linking all the objects files generated for the Mbed TLS library instead of creating a static library that could be used in the linking stage. Change-Id: I8e4cd843ef56033c9d3faeee71601d110b7e4c12 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 11 Jul, 2018 4 commits
-
-
Sandrine Bailleux authored
Wherever we use 'struct foo' and 'foo_t' interchangeably in a function's declaration and definition, use 'struct foo' consistently for both, as per the TF-A coding guidelines [1]. [1] https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Coding-Guidelines#avoid-anonymous-typedefs-of-structsenums-in-header-files Change-Id: I7998eb24a26746e87e9b6425529926406745b721 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
These sections are required by clang when the code is compiled for aarch32. These sections are related to the unwind of the stack in exceptions, but in the way that clang defines and uses them, the garbage collector cannot get rid of them. Change-Id: I085efc0cf77eae961d522472f72c4b5bad2237ab Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Clang linker doesn't support NEXT. As we are not using the MEMORY command to define discontinuous memory for the output file in any of the linker scripts, ALIGN and NEXT are equivalent. Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 14 Jun, 2018 1 commit
-
-
Roberto Vargas authored
RFC4122 defines that fields are stored in network order (big endian), but TF-A stores them in machine order (little endian by default in TF-A). We cannot change the future UUIDs that are already generated, but we can store all the bytes using arrays and modify fiptool to generate the UUIDs with the correct byte order. Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 13 Apr, 2018 2 commits
-
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined Fixed for: make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \ GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \ ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all Change-Id: Ie4cd6011b3e4fdcdd94ccb97a7e941f3b5b7aeb8 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers Fixed for: make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \ GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \ ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 27 Mar, 2018 1 commit
-
-
Joel Hutton authored
Void pointers have been used to access linker symbols, by declaring an extern pointer, then taking the address of it. This limits symbols values to aligned pointer values. To remove this restriction an IMPORT_SYM macro has been introduced, which declares it as a char pointer and casts it to the required type. Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0 Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
-
- 26 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensure (where possible) that switch statements in bl1 comply with MISRA rules 16.1 - 16.7 Return statements inside switch clauses mean that we do not comply with rule 16.3. Change-Id: I8342389ba525dfc68b88e67dbb3690a529abfeb1 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 21 Mar, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the source code says 'SMCC' it is talking about the SMC Calling Convention. The correct acronym is SMCCC. This affects a few definitions and file names. Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S) but the old files have been kept for compatibility, they include the new ones with an ERROR_DEPRECATED guard. Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 28 Feb, 2018 1 commit
-
-
Roberto Vargas authored
Rule 8.8: The static storage class specifier shall be used in all declarations of objects and functions that have internal linkage. Change-Id: I1e94371caaadebb2cec38d0ae0fa5c59e43369e0 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 27 Feb, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the MMU is enabled and the translation tables are mapped, data read/writes to the translation tables are made using the attributes specified in the translation tables themselves. However, the MMU performs table walks with the attributes specified in TCR_ELx. They are completely independent, so special care has to be taken to make sure that they are the same. This has to be done manually because it is not practical to have a test in the code. Such a test would need to know the virtual memory region that contains the translation tables and check that for all of the tables the attributes match the ones in TCR_ELx. As the tables may not even be mapped at all, this isn't a test that can be made generic. The flags used by enable_mmu_xxx() have been moved to the same header where the functions are. Also, some comments in the linker scripts related to the translation tables have been fixed. Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 26 Feb, 2018 2 commits
-
-
Soby Mathew authored
The `bl1_init_bl2_mem_layout()` API is now deprecated. The default weak implementation of `bl1_plat_handle_post_image_load()` calculates the BL2 memory layout and populates the same in x1(r1). This ensures compatibility for the deprecated API. Change-Id: Id44bdc1f572dc42ee6ceef4036b3a46803689315 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
Soby Mathew authored
This patch adds an argument to bl1_plat_post/pre_image_load() APIs to make it more future proof. The default implementation of these are moved to `plat_bl1_common.c` file. These APIs are now invoked appropriately in the FWU code path prior to or post image loading by BL1 and are not restricted to LOAD_IMAGE_V2. The patch also reorganizes some common platform files. The previous `plat_bl2_el3_common.c` and `platform_helpers_default.c` files are merged into a new `plat_bl_common.c` file. NOTE: The addition of an argument to the above mentioned platform APIs is not expected to have a great impact because these APIs were only recently added and are unlikely to be used. Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 21 Feb, 2018 1 commit
-
-
Antonio Nino Diaz authored
After executing a TLBI a DSB is needed to ensure completion of the TLBI. rk3328: The MMU is allowed to load TLB entries for as long as it is enabled. Because of this, the correct place to execute a TLBI is right after disabling the MMU. Change-Id: I8280f248d10b49a8c354a4ccbdc8f8345ac4c170 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 02 Feb, 2018 1 commit
-
-
Etienne Carriere authored
Add 'lr_svc' as a boot parameter in AArch32 bl1. This is used by Optee and Trusty to get the non-secure entry point on AArch32 platforms. This change is not ported in AArch64 mode where the BL31, not BL32, is in charge of booting the non secure image (BL33). Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
-
- 01 Feb, 2018 1 commit
-
-
Masahiro Yamada authored
Just like bl2_, add pre/post image load handlers for BL1. No argument is needed since BL2 is the only image loaded by BL1. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 18 Jan, 2018 1 commit
-
-
Roberto Vargas authored
This patch modifies the makefiles to avoid the definition of BL1_SOURCES and BL2_SOURCES in the tbbr makefiles, and it lets to the platform makefiles to define them if they actually need these images. In the case of BL2_AT_EL3 BL1 will not be needed usually because the Boot ROM will jump directly to BL2. Change-Id: Ib6845a260633a22a646088629bcd7387fe35dcf9 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 29 Nov, 2017 1 commit
-
-
Antonio Nino Diaz authored
When defining different sections in linker scripts it is needed to align them to multiples of the page size. In most linker scripts this is done by aligning to the hardcoded value 4096 instead of PAGE_SIZE. This may be confusing when taking a look at all the codebase, as 4096 is used in some parts that aren't meant to be a multiple of the page size. Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Jul, 2017 1 commit
-
-
Isla Mitchell authored
This fix modifies the order of system includes to meet the ARM TF coding standard. There are some exceptions in order to retain header groupings, minimise changes to imported headers, and where there are headers within the #if and #ifndef statements. Change-Id: I65085a142ba6a83792b26efb47df1329153f1624 Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
-
- 23 Jun, 2017 3 commits
-
-
Etienne Carriere authored
This change avoids warnings when setting -Wmissing-prototypes or when using sparse tool. Signed-off-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
-
Etienne Carriere authored
This change avoids warning when setting -Wmissing-prototypes to compile bl1_context_mgmt.c. Reported-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
-
Etienne Carriere authored
security_state is either 0 or 1. Prevent sign conversion potential error (setting -Werror=sign-conversion results in a build error). Signed-off-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
-
- 21 Jun, 2017 2 commits
-
-
David Cunado authored
This patch updates the el3_arch_init_common macro so that it fully initialises essential control registers rather then relying on hardware to set the reset values. The context management functions are also updated to fully initialise the appropriate control registers when initialising the non-secure and secure context structures and when preparing to leave EL3 for a lower EL. This gives better alignement with the ARM ARM which states that software must initialise RES0 and RES1 fields with 0 / 1. This patch also corrects the following typos: "NASCR definitions" -> "NSACR definitions" Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc Signed-off-by: David Cunado <david.cunado@arm.com>
-
Soby Mathew authored
This patch fixes the following issues in Firmware Update (FWU) code: 1. The FWU layer maintains a list of loaded image ids and while checking for image overlaps, INVALID_IMAGE_IDs were not skipped. The patch now adds code to skip INVALID_IMAGE_IDs. 2. While resetting the state corresponding to an image, the code now resets the memory used by the image only if the image were copied previously via IMAGE_COPY smc. This prevents the invalid zeroing of image memory which are not copied but are directly authenticated via IMAGE_AUTH smc. Change-Id: Idf18e69bcba7259411c88807bd0347d59d9afb8f Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 01 Jun, 2017 2 commits
-
-
Antonio Nino Diaz authored
This SMC is as a means for the image loading state machine to go from COPYING, COPIED or AUTHENTICATED states to RESET state. Previously, this was only done when the authentication of an image failed or when the execution of the image finished. Documentation updated. Change-Id: Ida6d4c65017f83ae5e27465ec36f54499c6534d9 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Added checks to FWU_SMC_IMAGE_COPY to prevent loading data into a memory region where another image data is already loaded. Without this check, if two images are configured to be loaded in overlapping memory regions, one of them can be loaded and authenticated and the copy function is still able to load data from the second image on top of the first one. Since the first image is still in authenticated state, it can be executed, which could lead to the execution of unauthenticated arbitrary code of the second image. Firmware update documentation updated. Change-Id: Ib6871e569794c8e610a5ea59fe162ff5dcec526c Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 May, 2017 1 commit
-
-
dp-arm authored
This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode. To build this patch the "mbedtls/include/mbedtls/bignum.h" needs to be modified to remove `#define MBEDTLS_HAVE_UDBL` when `MBEDTLS_HAVE_INT32` is defined. This is a workaround for "https://github.com/ARMmbed/mbedtls/issues/708 " NOTE: TBBR support on Juno AArch32 is not currently supported. Change-Id: I86d80e30b9139adc4d9663f112801ece42deafcf Signed-off-by: dp-arm <dimitris.papastamos@arm.com> Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>
-
- 12 May, 2017 1 commit
-
-
Soby Mathew authored
The current SMC context data structure `smc_ctx_t` and related helpers are optimized for case when SMC call does not result in world switch. This was the case for SP_MIN and BL1 cold boot flow. But the firmware update usecase requires world switch as a result of SMC and the current SMC context helpers were not helping very much in this regard. Therefore this patch does the following changes to improve this: 1. Add monitor stack pointer, `spmon` to `smc_ctx_t` The C Runtime stack pointer in monitor mode, `sp_mon` is added to the SMC context, and the `smc_ctx_t` pointer is cached in `sp_mon` prior to exit from Monitor mode. This makes is easier to retrieve the context when the next SMC call happens. As a result of this change, the SMC context helpers no longer depend on the stack to save and restore the register. This aligns it with the context save and restore mechanism in AArch64. 2. Add SCR in `smc_ctx_t` Adding the SCR register to `smc_ctx_t` makes it easier to manage this register state when switching between non secure and secure world as a result of an SMC call. Change-Id: I5e12a7056107c1701b457b8f7363fdbf892230bf Signed-off-by: Soby Mathew <soby.mathew@arm.com> Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 02 May, 2017 1 commit
-
-
Jeenu Viswambharan authored
Replace all instances of checks with the new macro. Change-Id: I0eec39b9376475a1a9707a3115de9d36f88f8a2a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 20 Apr, 2017 2 commits
-
-
Antonio Nino Diaz authored
Many asserts depend on code that is conditionally compiled based on the DEBUG define. This patch modifies the conditional inclusion of such code so that it is based on the ENABLE_ASSERTIONS build option. Change-Id: I6406674788aa7e1ad7c23d86ce94482ad3c382bd Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
SMC_RET0 should only be used when the SMC code works as a function that returns void. If the code of the SMC uses SMC_RET1 to return a value to signify success and doesn't return anything in case of an error (or the other way around) SMC_RET1 should always be used to return clearly identifiable values. This patch fixes two cases in which the code used SMC_RET0 instead of SMC_RET1. It also introduces the define SMC_OK to use when an SMC must return a value to tell that it succeeded, the same way as SMC_UNK is used in case of failure. Change-Id: Ie4278b51559e4262aced13bbde4e844023270582 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 31 Mar, 2017 2 commits
-
-
Douglas Raillard authored
Introduce new build option ENABLE_STACK_PROTECTOR. It enables compilation of all BL images with one of the GCC -fstack-protector-* options. A new platform function plat_get_stack_protector_canary() is introduced. It returns a value that is used to initialize the canary for stack corruption detection. Returning a random value will prevent an attacker from predicting the value and greatly increase the effectiveness of the protection. A message is printed at the ERROR level when a stack corruption is detected. To be effective, the global data must be stored at an address lower than the base of the stacks. Failure to do so would allow an attacker to overwrite the canary as part of an attack which would void the protection. FVP implementation of plat_get_stack_protector_canary is weak as there is no real source of entropy on the FVP. It therefore relies on a timer's value, which could be predictable. Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
Antonio Nino Diaz authored
Call console_flush() before execution either terminates or leaves an exception level. Fixes: ARM-software/tf-issues#123 Change-Id: I64eeb92effb039f76937ce89f877b68e355588e3 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-