1. 03 Feb, 2020 1 commit
    • Sandrine Bailleux's avatar
      BL2: Print ID of images we fail loading · a416325b
      Sandrine Bailleux authored
      
      
      When Trusted Boot is enabled, images are loaded and authenticated
      following up the root of trust. This means that between the initial
      console message saying that an image is being loaded, and the final one
      where it says that it failed to load it, BL2 may print several messages
      about other images on the chain of trust being loaded, thus it is not
      always clear which image we failed loading at the end of the day.
      
      Change-Id: I3b189ec9d12c2a6203d16c8dbbb4fc117639c3c1
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      a416325b
  2. 24 Jan, 2020 1 commit
  3. 22 Jan, 2020 1 commit
  4. 12 Dec, 2019 1 commit
    • Manish Pandey's avatar
      PIE: make call to GDT relocation fixup generalized · da90359b
      Manish Pandey authored
      When a Firmware is complied as Position Independent Executable it needs
      to request GDT fixup by passing size of the memory region to
      el3_entrypoint_common macro.
      The Global descriptor table fixup will be done early on during cold boot
      process of primary core.
      
      Currently only BL31 supports PIE, but in future when BL2_AT_EL3 will be
      compiled as PIE, it can simply pass fixup size to the common el3
      entrypoint macro to fixup GDT.
      
      The reason for this patch was to overcome the bug introduced by SHA
      330ead80
      
       which called fixup routine for each core causing
      re-initializing of global pointers thus overwriting any changes
      done by the previous core.
      
      Change-Id: I55c792cc3ea9e7eef34c2e4653afd04572c4f055
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      da90359b
  5. 04 Dec, 2019 1 commit
    • Samuel Holland's avatar
      Reduce space lost to object alignment · ebd6efae
      Samuel Holland authored
      
      
      Currently, sections within .text/.rodata/.data/.bss are emitted in the
      order they are seen by the linker. This leads to wasted space, when a
      section with a larger alignment follows one with a smaller alignment.
      We can avoid this wasted space by sorting the sections.
      
      To take full advantage of this, we must disable generation of common
      symbols, so "common" data can be sorted along with the rest of .bss.
      
      An example of the improvement, from `make DEBUG=1 PLAT=sun50i_a64 bl31`:
        .text   => no change
        .rodata => 16 bytes saved
        .data   => 11 bytes saved
        .bss    => 576 bytes saved
      
      As a side effect, the addition of `-fno-common` in TF_CFLAGS makes it
      easier to spot bugs in header files.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: I073630a9b0b84e7302a7a500d4bb4b547be01d51
      ebd6efae
  6. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  7. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
  8. 14 Jun, 2019 1 commit
  9. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  10. 13 Mar, 2019 1 commit
    • Bryan O'Donoghue's avatar
      bl2-el3: Fix exit to bl32 by ensuring a more complete write to SPSR · eb20f04e
      Bryan O'Donoghue authored
      Prior to entry into BL32 we set the SPSR by way of msr spsr, r1.
      This unfortunately only writes the bits f->[31:24] and c->[7:0].
      
      This patch updates the bl2 exit path to write the x->[15:8] and c->[7:0]
      fields of the SPSR. For the purposes of initial setup of the SPSR the x and
      c fields should be sufficient and importantly will capture the necessary
      lower-order control bits that f:c alone do not.
      
      This is important to do to ensure the SPSR is set to the mode the platform
      intends prior to performing an eret.
      
      Fixes: b1d27b48
      
       ("bl2-el3: Add BL2_EL3 image")
      Signed-off-by: default avatarBryan O'Donoghue <bryan.odonoghue@linaro.org>
      eb20f04e
  11. 12 Mar, 2019 1 commit
    • John Tsichritzis's avatar
      Apply stricter speculative load restriction · 02b57943
      John Tsichritzis authored
      
      
      The SCTLR.DSSBS bit is zero by default thus disabling speculative loads.
      However, we also explicitly set it to zero for BL2 and TSP images when
      each image initialises its context. This is done to ensure that the
      image environment is initialised in a safe state, regardless of the
      reset value of the bit.
      
      Change-Id: If25a8396641edb640f7f298b8d3309d5cba3cd79
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      02b57943
  12. 27 Feb, 2019 2 commits
    • Antonio Nino Diaz's avatar
      BL2_AT_EL3: Enable pointer authentication support · dcbfa11b
      Antonio Nino Diaz authored
      
      
      The size increase after enabling options related to ARMv8.3-PAuth is:
      
      +----------------------------+-------+-------+-------+--------+
      |                            |  text |  bss  |  data | rodata |
      +----------------------------+-------+-------+-------+--------+
      | CTX_INCLUDE_PAUTH_REGS = 1 |   +44 |   +0  |   +0  |   +0   |
      |                            |  0.2% |       |       |        |
      +----------------------------+-------+-------+-------+--------+
      | ENABLE_PAUTH = 1           |  +712 |   +0  |  +16  |   +0   |
      |                            |  3.1% |       |  0.9% |        |
      +----------------------------+-------+-------+-------+--------+
      
      The results are valid for the following build configuration:
      
          make PLAT=fvp SPD=tspd DEBUG=1 \
          BL2_AT_EL3=1                   \
          CTX_INCLUDE_PAUTH_REGS=1       \
          ENABLE_PAUTH=1
      
      Change-Id: I1c0616e7dea30962a92b4fd113428bc30a018320
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      dcbfa11b
    • Antonio Nino Diaz's avatar
      BL2: Enable pointer authentication support · 9d93fc2f
      Antonio Nino Diaz authored
      
      
      The size increase after enabling options related to ARMv8.3-PAuth is:
      
      +----------------------------+-------+-------+-------+--------+
      |                            |  text |  bss  |  data | rodata |
      +----------------------------+-------+-------+-------+--------+
      | CTX_INCLUDE_PAUTH_REGS = 1 |   +40 |   +0  |   +0  |   +0   |
      |                            |  0.2% |       |       |        |
      +----------------------------+-------+-------+-------+--------+
      | ENABLE_PAUTH = 1           |  +664 |   +0  |  +16  |   +0   |
      |                            |  3.1% |       |  0.9% |        |
      +----------------------------+-------+-------+-------+--------+
      
      Results calculated with the following build configuration:
      
          make PLAT=fvp SPD=tspd DEBUG=1 \
          SDEI_SUPPORT=1                 \
          EL3_EXCEPTION_HANDLING=1       \
          TSP_NS_INTR_ASYNC_PREEMPT=1    \
          CTX_INCLUDE_PAUTH_REGS=1       \
          ENABLE_PAUTH=1
      
      The changes for BL2_AT_EL3 aren't done in this commit.
      
      Change-Id: I8c803b40c7160525a06173bc6cdca21c4505837d
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      9d93fc2f
  13. 15 Jan, 2019 1 commit
  14. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339
      
       ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  15. 10 Dec, 2018 1 commit
  16. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  17. 29 Oct, 2018 1 commit
    • Soby Mathew's avatar
      PIE: Use PC relative adrp/adr for symbol reference · f1722b69
      Soby Mathew authored
      
      
      This patch fixes up the AArch64 assembly code to use
      adrp/adr instructions instead of ldr instruction for
      reference to symbols. This allows these assembly
      sequences to be Position Independant. Note that the
      the reference to sizes have been replaced with
      calculation of size at runtime. This is because size
      is a constant value and does not depend on execution
      address and using PC relative instructions for loading
      them makes them relative to execution address. Also
      we cannot use `ldr` instruction to load size as it
      generates a dynamic relocation entry which must *not*
      be fixed up and it is difficult for a dynamic loader
      to differentiate which entries need to be skipped.
      
      Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      f1722b69
  18. 28 Sep, 2018 1 commit
  19. 17 Aug, 2018 1 commit
  20. 03 Aug, 2018 1 commit
  21. 11 Jul, 2018 3 commits
    • Roberto Vargas's avatar
      Add end_vector_entry assembler macro · a9203eda
      Roberto Vargas authored
      
      
      Check_vector_size checks if the size of the vector fits
      in the size reserved for it. This check creates problems in
      the Clang assembler. A new macro, end_vector_entry, is added
      and check_vector_size is deprecated.
      
      This new macro fills the current exception vector until the next
      exception vector. If the size of the current vector is bigger
      than 32 instructions then it gives an error.
      
      Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      a9203eda
    • Roberto Vargas's avatar
      Add .extab and .exidx sections · ad925094
      Roberto Vargas authored
      
      
      These sections are required by clang when the code is compiled for
      aarch32. These sections are related to the unwind of the stack in
      exceptions, but in the way that clang defines and uses them, the
      garbage collector cannot get rid of them.
      
      Change-Id: I085efc0cf77eae961d522472f72c4b5bad2237ab
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      ad925094
    • Roberto Vargas's avatar
      Use ALIGN instead of NEXT in linker scripts · 5629b2b1
      Roberto Vargas authored
      
      
      Clang linker doesn't support NEXT. As we are not using the MEMORY command
      to define discontinuous memory for the output file in any of the linker
      scripts, ALIGN and NEXT are equivalent.
      
      Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      5629b2b1
  22. 26 Apr, 2018 1 commit
  23. 13 Apr, 2018 1 commit
  24. 07 Apr, 2018 1 commit
    • Jiafei Pan's avatar
      Add support for BL2 in XIP memory · 7d173fc5
      Jiafei Pan authored
      
      
      In some use-cases BL2 will be stored in eXecute In Place (XIP) memory,
      like BL1. In these use-cases, it is necessary to initialize the RW sections
      in RAM, while leaving the RO sections in place. This patch enable this
      use-case with a new build option, BL2_IN_XIP_MEM. For now, this option
      is only supported when BL2_AT_EL3 is 1.
      Signed-off-by: default avatarJiafei Pan <Jiafei.Pan@nxp.com>
      7d173fc5
  25. 05 Mar, 2018 1 commit
  26. 28 Feb, 2018 2 commits
  27. 27 Feb, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Add comments about mismatched TCR_ELx and xlat tables · 883d1b5d
      Antonio Nino Diaz authored
      
      
      When the MMU is enabled and the translation tables are mapped, data
      read/writes to the translation tables are made using the attributes
      specified in the translation tables themselves. However, the MMU
      performs table walks with the attributes specified in TCR_ELx. They are
      completely independent, so special care has to be taken to make sure
      that they are the same.
      
      This has to be done manually because it is not practical to have a test
      in the code. Such a test would need to know the virtual memory region
      that contains the translation tables and check that for all of the
      tables the attributes match the ones in TCR_ELx. As the tables may not
      even be mapped at all, this isn't a test that can be made generic.
      
      The flags used by enable_mmu_xxx() have been moved to the same header
      where the functions are.
      
      Also, some comments in the linker scripts related to the translation
      tables have been fixed.
      
      Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      883d1b5d
  28. 26 Feb, 2018 2 commits
    • Soby Mathew's avatar
      Introduce the new BL handover interface · a6f340fe
      Soby Mathew authored
      
      
      This patch introduces a new BL handover interface. It essentially allows
      passing 4 arguments between the different BL stages. Effort has been made
      so as to be compatible with the previous handover interface. The previous
      blx_early_platform_setup() platform API is now deprecated and the new
      blx_early_platform_setup2() variant is introduced. The weak compatiblity
      implementation for the new API is done in the `plat_bl_common.c` file.
      Some of the new arguments in the new API will be reserved for generic
      code use when dynamic configuration support is implemented. Otherwise
      the other registers are available for platform use.
      
      Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      a6f340fe
    • Soby Mathew's avatar
      Add image_id to bl1_plat_handle_post/pre_image_load() · 566034fc
      Soby Mathew authored
      
      
      This patch adds an argument to bl1_plat_post/pre_image_load() APIs
      to make it more future proof. The default implementation of
      these are moved to `plat_bl1_common.c` file.
      
      These APIs are now invoked appropriately in the FWU code path prior
      to or post image loading by BL1 and are not restricted
      to LOAD_IMAGE_V2.
      
      The patch also reorganizes some common platform files. The previous
      `plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
      merged into a new `plat_bl_common.c` file.
      
      NOTE: The addition of an argument to the above mentioned platform APIs
      is not expected to have a great impact because these APIs were only
      recently added and are unlikely to be used.
      
      Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      566034fc
  29. 06 Feb, 2018 1 commit
  30. 05 Feb, 2018 1 commit
    • Etienne Carriere's avatar
      aarch32: optee: define the OP-TEE secure payload · 10c66958
      Etienne Carriere authored
      
      
      AArch32 only platforms can boot the OP-TEE secure firmware as
      a BL32 secure payload. Such configuration can be defined through
      AARCH32_SP=optee.
      
      The source files can rely on AARCH32_SP_OPTEE to condition
      OP-TEE boot specific instruction sequences.
      
      OP-TEE does not expect ARM Trusted Firmware formatted structure
      as boot argument. Load sequence is expected to have already loaded
      to OP-TEE boot arguments into the bl32 entrypoint info structure.
      
      Last, AArch32 platform can only boot AArch32 OP-TEE images.
      
      Change-Id: Ic28eec5004315fc9111051add6bb1a1d607fc815
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      10c66958
  31. 01 Feb, 2018 1 commit
  32. 18 Jan, 2018 3 commits
    • Roberto Vargas's avatar
      bl2-el3: Don't compile BL1 when BL2_AT_EL3 is defined in FVP · 76d26733
      Roberto Vargas authored
      
      
      This patch modifies the makefiles to avoid the definition
      of BL1_SOURCES and BL2_SOURCES in the tbbr makefiles, and
      it lets to the platform makefiles to define them if they
      actually need these images. In the case of BL2_AT_EL3
      BL1 will not be needed usually because the Boot ROM will
      jump directly to BL2.
      
      Change-Id: Ib6845a260633a22a646088629bcd7387fe35dcf9
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      76d26733
    • Roberto Vargas's avatar
      bl2-el3: Mark all the assembly functions in bl2 at el3 · 487d3bf2
      Roberto Vargas authored
      
      
      When BL2_AT_EL3 option is enabled some platforms are going to
      need a resident part in BL2 because the boot rom may jump to it
      after a reset. This patch introduces __TEXT_RESIDENT_START__ and
      __TEXT_RESIDENT_END__ linker symbols that mark the resident region.
      
      Change-Id: Ib20c1b8ee257831bcc0ca7d3df98d0cb617a04f8
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      487d3bf2
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored
      
      
      This patch enables BL2 to execute at the highest exception level
      without any dependancy on TF BL1. This enables platforms which already
      have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
      stages without need for BL1.  This is not currently possible because
      BL2 executes at S-EL1 and cannot jump straight to EL3.
      
      Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  33. 29 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Replace magic numbers in linkerscripts by PAGE_SIZE · a2aedac2
      Antonio Nino Diaz authored
      
      
      When defining different sections in linker scripts it is needed to align
      them to multiples of the page size. In most linker scripts this is done
      by aligning to the hardcoded value 4096 instead of PAGE_SIZE.
      
      This may be confusing when taking a look at all the codebase, as 4096
      is used in some parts that aren't meant to be a multiple of the page
      size.
      
      Change-Id: I36c6f461c7782437a58d13d37ec8b822a1663ec1
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a2aedac2