1. 21 Sep, 2018 1 commit
    • Daniel Boulby's avatar
      Ensure the flow through switch statements is clear · a08a2014
      Daniel Boulby authored
      
      
      Ensure case clauses:
      *   Terminate with an unconditional break, return or goto statement.
      *   Use conditional break, return or goto statements as long as the end
          of the case clause is unreachable; such case clauses must terminate
          with assert(0) /* Unreachable */ or an unconditional  __dead2 function
          call
      *   Only fallthough when doing otherwise would result in less
          readable/maintainable code; such case clauses must terminate with a
          /* Fallthrough */ comment to make it clear this is the case and
          indicate that a fallthrough is intended.
      
      This reduces the chance of bugs appearing due to unintended flow through a
      switch statement
      
      Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      a08a2014
  2. 22 Aug, 2018 1 commit
  3. 17 Aug, 2018 1 commit
  4. 10 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Support the EL2 translation regime · 1a92a0e0
      Antonio Nino Diaz authored
      
      
      The translation library is useful elsewhere. Even though this repository
      doesn't exercise the EL2 support of the library, it is better to have it
      here as well to make it easier to maintain.
      
      enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
      functions are still present, but they are behind ERROR_DEPRECATED and
      they call the new functions enable_mmu_svc_mon() and
      enable_mmu_direct_svc_mon().
      
      Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      1a92a0e0
  5. 03 Aug, 2018 1 commit
  6. 11 Jul, 2018 4 commits
  7. 14 Jun, 2018 1 commit
    • Roberto Vargas's avatar
      Make TF UUID RFC 4122 compliant · 03364865
      Roberto Vargas authored
      
      
      RFC4122 defines that fields are stored in network order (big endian),
      but TF-A stores them in machine order (little endian by default in TF-A).
      We cannot change the future UUIDs that are already generated, but we can store
      all the bytes using arrays and modify fiptool to generate the UUIDs with
      the correct byte order.
      
      Change-Id: I97be2d3168d91f4dee7ccfafc533ea55ff33e46f
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      03364865
  8. 13 Apr, 2018 2 commits
    • Roberto Vargas's avatar
      Fix MISRA rule 8.4 Part 4 · 3b94189a
      Roberto Vargas authored
      
      
      Rule 8.4: A compatible declaration shall be visible when
                an object or function with external linkage is defined
      
      Fixed for:
      	make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
      	     GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
      	     ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
      
      Change-Id: Ie4cd6011b3e4fdcdd94ccb97a7e941f3b5b7aeb8
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      3b94189a
    • Roberto Vargas's avatar
      Fix MISRA rule 8.3 Part 4 · 735181b6
      Roberto Vargas authored
      
      
      Rule 8.3: All declarations of an object or function shall
                use the same names and type qualifiers
      
      Fixed for:
      	make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \
      	     GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
      	     ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all
      
      Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      735181b6
  9. 27 Mar, 2018 1 commit
    • Joel Hutton's avatar
      Clean usage of void pointers to access symbols · 9f85f9e3
      Joel Hutton authored
      
      
      Void pointers have been used to access linker symbols, by declaring an
      extern pointer, then taking the address of it. This limits symbols
      values to aligned pointer values. To remove this restriction an
      IMPORT_SYM macro has been introduced, which declares it as a char
      pointer and casts it to the required type.
      
      Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0
      Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9f85f9e3
  10. 26 Mar, 2018 1 commit
  11. 21 Mar, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Rename 'smcc' to 'smccc' · 085e80ec
      Antonio Nino Diaz authored
      
      
      When the source code says 'SMCC' it is talking about the SMC Calling
      Convention. The correct acronym is SMCCC. This affects a few definitions
      and file names.
      
      Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S)
      but the old files have been kept for compatibility, they include the
      new ones with an ERROR_DEPRECATED guard.
      
      Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      085e80ec
  12. 28 Feb, 2018 1 commit
  13. 27 Feb, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Add comments about mismatched TCR_ELx and xlat tables · 883d1b5d
      Antonio Nino Diaz authored
      
      
      When the MMU is enabled and the translation tables are mapped, data
      read/writes to the translation tables are made using the attributes
      specified in the translation tables themselves. However, the MMU
      performs table walks with the attributes specified in TCR_ELx. They are
      completely independent, so special care has to be taken to make sure
      that they are the same.
      
      This has to be done manually because it is not practical to have a test
      in the code. Such a test would need to know the virtual memory region
      that contains the translation tables and check that for all of the
      tables the attributes match the ones in TCR_ELx. As the tables may not
      even be mapped at all, this isn't a test that can be made generic.
      
      The flags used by enable_mmu_xxx() have been moved to the same header
      where the functions are.
      
      Also, some comments in the linker scripts related to the translation
      tables have been fixed.
      
      Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      883d1b5d
  14. 26 Feb, 2018 2 commits
    • Soby Mathew's avatar
      BL1: Deprecate the `bl1_init_bl2_mem_layout()` API · 101d01e2
      Soby Mathew authored
      
      
      The `bl1_init_bl2_mem_layout()` API is now deprecated. The default weak
      implementation of `bl1_plat_handle_post_image_load()` calculates the
      BL2 memory layout and populates the same in x1(r1). This ensures
      compatibility for the deprecated API.
      
      Change-Id: Id44bdc1f572dc42ee6ceef4036b3a46803689315
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      101d01e2
    • Soby Mathew's avatar
      Add image_id to bl1_plat_handle_post/pre_image_load() · 566034fc
      Soby Mathew authored
      
      
      This patch adds an argument to bl1_plat_post/pre_image_load() APIs
      to make it more future proof. The default implementation of
      these are moved to `plat_bl1_common.c` file.
      
      These APIs are now invoked appropriately in the FWU code path prior
      to or post image loading by BL1 and are not restricted
      to LOAD_IMAGE_V2.
      
      The patch also reorganizes some common platform files. The previous
      `plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
      merged into a new `plat_bl_common.c` file.
      
      NOTE: The addition of an argument to the above mentioned platform APIs
      is not expected to have a great impact because these APIs were only
      recently added and are unlikely to be used.
      
      Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      566034fc
  15. 21 Feb, 2018 1 commit
  16. 02 Feb, 2018 1 commit
  17. 01 Feb, 2018 1 commit
  18. 18 Jan, 2018 1 commit
  19. 29 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Replace magic numbers in linkerscripts by PAGE_SIZE · a2aedac2
      Antonio Nino Diaz authored
      
      
      When defining different sections in linker scripts it is needed to align
      them to multiples of the page size. In most linker scripts this is done
      by aligning to the hardcoded value 4096 instead of PAGE_SIZE.
      
      This may be confusing when taking a look at all the codebase, as 4096
      is used in some parts that aren't meant to be a multiple of the page
      size.
      
      Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a2aedac2
  20. 12 Jul, 2017 1 commit
    • Isla Mitchell's avatar
      Fix order of #includes · 2a4b4b71
      Isla Mitchell authored
      
      
      This fix modifies the order of system includes to meet the ARM TF coding
      standard. There are some exceptions in order to retain header groupings,
      minimise changes to imported headers, and where there are headers within
      the #if and #ifndef statements.
      
      Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
      Signed-off-by: default avatarIsla Mitchell <isla.mitchell@arm.com>
      2a4b4b71
  21. 23 Jun, 2017 3 commits
  22. 21 Jun, 2017 2 commits
    • David Cunado's avatar
      Fully initialise essential control registers · 18f2efd6
      David Cunado authored
      
      
      This patch updates the el3_arch_init_common macro so that it fully
      initialises essential control registers rather then relying on hardware
      to set the reset values.
      
      The context management functions are also updated to fully initialise
      the appropriate control registers when initialising the non-secure and
      secure context structures and when preparing to leave EL3 for a lower
      EL.
      
      This gives better alignement with the ARM ARM which states that software
      must initialise RES0 and RES1 fields with 0 / 1.
      
      This patch also corrects the following typos:
      
      "NASCR definitions" -> "NSACR definitions"
      
      Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      18f2efd6
    • Soby Mathew's avatar
      Fix issues in FWU code · ee05ae16
      Soby Mathew authored
      
      
      This patch fixes the following issues in Firmware Update (FWU) code:
      
      1. The FWU layer maintains a list of loaded image ids and
         while checking for image overlaps, INVALID_IMAGE_IDs were not
         skipped. The patch now adds code to skip INVALID_IMAGE_IDs.
      
      2. While resetting the state corresponding to an image, the code
         now resets the memory used by the image only if the image were
         copied previously via IMAGE_COPY smc. This prevents the invalid
         zeroing of image memory which are not copied but are directly
         authenticated via IMAGE_AUTH smc.
      
      Change-Id: Idf18e69bcba7259411c88807bd0347d59d9afb8f
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      ee05ae16
  23. 01 Jun, 2017 2 commits
    • Antonio Nino Diaz's avatar
      FWU: Introduce FWU_SMC_IMAGE_RESET · 9d6fc3c3
      Antonio Nino Diaz authored
      
      
      This SMC is as a means for the image loading state machine to go from
      COPYING, COPIED or AUTHENTICATED states to RESET state. Previously, this
      was only done when the authentication of an image failed or when the
      execution of the image finished.
      
      Documentation updated.
      
      Change-Id: Ida6d4c65017f83ae5e27465ec36f54499c6534d9
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      9d6fc3c3
    • Antonio Nino Diaz's avatar
      FWU: Check for overlaps when loading images · 128daee2
      Antonio Nino Diaz authored
      
      
      Added checks to FWU_SMC_IMAGE_COPY to prevent loading data into a
      memory region where another image data is already loaded.
      
      Without this check, if two images are configured to be loaded in
      overlapping memory regions, one of them can be loaded and
      authenticated and the copy function is still able to load data from
      the second image on top of the first one. Since the first image is
      still in authenticated state, it can be executed, which could lead to
      the execution of unauthenticated arbitrary code of the second image.
      
      Firmware update documentation updated.
      
      Change-Id: Ib6871e569794c8e610a5ea59fe162ff5dcec526c
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      128daee2
  24. 15 May, 2017 1 commit
  25. 12 May, 2017 1 commit
    • Soby Mathew's avatar
      AArch32: Rework SMC context save and restore mechanism · b6285d64
      Soby Mathew authored
      
      
      The current SMC context data structure `smc_ctx_t` and related helpers are
      optimized for case when SMC call does not result in world switch. This was
      the case for SP_MIN and BL1 cold boot flow. But the firmware update usecase
      requires world switch as a result of SMC and the current SMC context helpers
      were not helping very much in this regard. Therefore this patch does the
      following changes to improve this:
      
      1. Add monitor stack pointer, `spmon` to `smc_ctx_t`
      
      The C Runtime stack pointer in monitor mode, `sp_mon` is added to the
      SMC context, and the `smc_ctx_t` pointer is cached in `sp_mon` prior
      to exit from Monitor mode. This makes is easier to retrieve the
      context when the next SMC call happens. As a result of this change,
      the SMC context helpers no longer depend on the stack to save and
      restore the register.
      
      This aligns it with the context save and restore mechanism in AArch64.
      
      2. Add SCR in `smc_ctx_t`
      
      Adding the SCR register to `smc_ctx_t` makes it easier to manage this
      register state when switching between non secure and secure world as a
      result of an SMC call.
      
      Change-Id: I5e12a7056107c1701b457b8f7363fdbf892230bf
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      b6285d64
  26. 03 May, 2017 1 commit
  27. 02 May, 2017 1 commit
  28. 20 Apr, 2017 2 commits
    • Antonio Nino Diaz's avatar
      Control inclusion of helper code used for asserts · aa61368e
      Antonio Nino Diaz authored
      
      
      Many asserts depend on code that is conditionally compiled based on the
      DEBUG define. This patch modifies the conditional inclusion of such code
      so that it is based on the ENABLE_ASSERTIONS build option.
      
      Change-Id: I6406674788aa7e1ad7c23d86ce94482ad3c382bd
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      aa61368e
    • Antonio Nino Diaz's avatar
      tspd:FWU:Fix usage of SMC_RET0 · 7a317a70
      Antonio Nino Diaz authored
      
      
      SMC_RET0 should only be used when the SMC code works as a function that
      returns void. If the code of the SMC uses SMC_RET1 to return a value to
      signify success and doesn't return anything in case of an error (or the
      other way around) SMC_RET1 should always be used to return clearly
      identifiable values.
      
      This patch fixes two cases in which the code used SMC_RET0 instead of
      SMC_RET1.
      
      It also introduces the define SMC_OK to use when an SMC must return a
      value to tell that it succeeded, the same way as SMC_UNK is used in case
      of failure.
      
      Change-Id: Ie4278b51559e4262aced13bbde4e844023270582
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      7a317a70
  29. 31 Mar, 2017 2 commits
    • Douglas Raillard's avatar
      Add support for GCC stack protection · 51faada7
      Douglas Raillard authored
      
      
      Introduce new build option ENABLE_STACK_PROTECTOR. It enables
      compilation of all BL images with one of the GCC -fstack-protector-*
      options.
      
      A new platform function plat_get_stack_protector_canary() is introduced.
      It returns a value that is used to initialize the canary for stack
      corruption detection. Returning a random value will prevent an attacker
      from predicting the value and greatly increase the effectiveness of the
      protection.
      
      A message is printed at the ERROR level when a stack corruption is
      detected.
      
      To be effective, the global data must be stored at an address
      lower than the base of the stacks. Failure to do so would allow an
      attacker to overwrite the canary as part of an attack which would void
      the protection.
      
      FVP implementation of plat_get_stack_protector_canary is weak as
      there is no real source of entropy on the FVP. It therefore relies on a
      timer's value, which could be predictable.
      
      Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      51faada7
    • Antonio Nino Diaz's avatar
      Flush console where necessary · 0b32628e
      Antonio Nino Diaz authored
      
      
      Call console_flush() before execution either terminates or leaves an
      exception level.
      
      Fixes: ARM-software/tf-issues#123
      
      Change-Id: I64eeb92effb039f76937ce89f877b68e355588e3
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      0b32628e