Skip to content

GitLab

Switch branch/tag
  1. 04 May, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Introduce External Abort handling · 76454abf
      Jeenu Viswambharan authored 
      

At present, any External Abort routed to EL3 is reported as an unhandled
exception and cause a panic. This patch enables ARM Trusted Firmware to
handle External Aborts routed to EL3.

With this patch, when an External Abort is received at EL3, its handling
is delegated to plat_ea_handler() function. Platforms can provide their
own implementation of this function. This patch adds a weak definition
of the said function that prints out a message and just panics.

In order to support handling External Aborts at EL3, the build option
HANDLE_EA_EL3_FIRST must be set to 1.

Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
compilation; this patch fixes that too.

Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      76454abf
  3. 28 Feb, 2018 2 commits
  5. 26 Feb, 2018 3 commits
    • Soby Mathew's avatar
      BL1: Deprecate the `bl1_init_bl2_mem_layout()` API · 101d01e2
      Soby Mathew authored 
      

The `bl1_init_bl2_mem_layout()` API is now deprecated. The default weak
implementation of `bl1_plat_handle_post_image_load()` calculates the
BL2 memory layout and populates the same in x1(r1). This ensures
compatibility for the deprecated API.

Change-Id: Id44bdc1f572dc42ee6ceef4036b3a46803689315
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      101d01e2
    • Soby Mathew's avatar
      Introduce the new BL handover interface · a6f340fe
      Soby Mathew authored 
      

This patch introduces a new BL handover interface. It essentially allows
passing 4 arguments between the different BL stages. Effort has been made
so as to be compatible with the previous handover interface. The previous
blx_early_platform_setup() platform API is now deprecated and the new
blx_early_platform_setup2() variant is introduced. The weak compatiblity
implementation for the new API is done in the `plat_bl_common.c` file.
Some of the new arguments in the new API will be reserved for generic
code use when dynamic configuration support is implemented. Otherwise
the other registers are available for platform use.

Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      a6f340fe
    • Soby Mathew's avatar
      Add image_id to bl1_plat_handle_post/pre_image_load() · 566034fc
      Soby Mathew authored 
      

This patch adds an argument to bl1_plat_post/pre_image_load() APIs
to make it more future proof. The default implementation of
these are moved to `plat_bl1_common.c` file.

These APIs are now invoked appropriately in the FWU code path prior
to or post image loading by BL1 and are not restricted
to LOAD_IMAGE_V2.

The patch also reorganizes some common platform files. The previous
`plat_bl2_el3_common.c` and `platform_helpers_default.c` files are
merged into a new `plat_bl_common.c` file.

NOTE: The addition of an argument to the above mentioned platform APIs
is not expected to have a great impact because these APIs were only
recently added and are unlikely to be used.

Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      566034fc
  7. 01 Feb, 2018 2 commits
  9. 18 Jan, 2018 1 commit
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored 
      

This patch enables BL2 to execute at the highest exception level
without any dependancy on TF BL1. This enables platforms which already
have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
stages without need for BL1.  This is not currently possible because
BL2 executes at S-EL1 and cannot jump straight to EL3.

Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  11. 13 Nov, 2017 2 commits
  13. 08 Nov, 2017 1 commit
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored 
      

A Secure Partition is a software execution environment instantiated in
S-EL0 that can be used to implement simple management and security
services. Since S-EL0 is an unprivileged exception level, a Secure
Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
granted access to system and processor resources. Essentially, it is a
software sandbox that runs under the control of privileged software in
the Secure World and accesses the following system resources:

- Memory and device regions in the system address map.
- PE system registers.
- A range of asynchronous exceptions e.g. interrupts.
- A range of synchronous exceptions e.g. SMC function identifiers.

A Secure Partition enables privileged firmware to implement only the
absolutely essential secure services in EL3 and instantiate the rest in
a partition. Since the partition executes in S-EL0, its implementation
cannot be overly complex.

The component in ARM Trusted Firmware responsible for managing a Secure
Partition is called the Secure Partition Manager (SPM). The SPM is
responsible for the following:

- Validating and allocating resources requested by a Secure Partition.
- Implementing a well defined interface that is used for initialising a
  Secure Partition.
- Implementing a well defined interface that is used by the normal world
  and other secure services for accessing the services exported by a
  Secure Partition.
- Implementing a well defined interface that is used by a Secure
  Partition to fulfil service requests.
- Instantiating the software execution environment required by a Secure
  Partition to fulfil a service request.

Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228
  15. 24 Oct, 2017 1 commit
  17. 16 Oct, 2017 10 commits
  19. 11 Sep, 2017 1 commit
    • Soby Mathew's avatar
      Implement log framework · 7f56e9a3
      Soby Mathew authored 
      

This patch gives users control over logging messages printed from the C
code using the LOG macros defined in debug.h Users now have the ability
to reduce the log_level at run time using the tf_log_set_max_level()
function. The default prefix string can be defined by platform by
overriding the `plat_log_get_prefix()` platform API which is also
introduced in this patch.

The new log framework results in saving of some RO data. For example,
when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
framework also adds about 108 bytes of code to the release build of FVP.

Fixes ARM-software/tf-issues#462

Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
Co-authored-by: default avatarEleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      7f56e9a3
  21. 03 May, 2017 1 commit
  23. 31 Mar, 2017 2 commits
    • Douglas Raillard's avatar
      Add support for GCC stack protection · 51faada7
      Douglas Raillard authored 
      

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      51faada7
    • Antonio Nino Diaz's avatar
      Add and use plat_crash_console_flush() API · 801cf93c
      Antonio Nino Diaz authored 
      

This API makes sure that all the characters sent to the crash console
are output before returning from it.

Porting guide updated.

Change-Id: I1785f970a40f6aacfbe592b6a911b1f249bb2735
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      801cf93c
  25. 13 Feb, 2017 1 commit
    • dp-arm's avatar
      PSCI: Decouple PSCI stat residency calculation from PMF · 04c1db1e
      dp-arm authored 
      

This patch introduces the following three platform interfaces:

* void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)

  This is an optional hook that platforms can implement in order
  to perform accounting before entering a low power state.  This
  typically involves capturing a timestamp.

* void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)

  This is an optional hook that platforms can implement in order
  to perform accounting after exiting from a low power state.  This
  typically involves capturing a timestamp.

* u_register_t plat_psci_stat_get_residency(unsigned int lvl,
	const psci_power_state_t *state_info,
	unsigned int last_cpu_index)

  This is an optional hook that platforms can implement in order
  to calculate the PSCI stat residency.

If any of these interfaces are overridden by the platform, it is
recommended that all of them are.

By default `ENABLE_PSCI_STAT` is disabled.  If `ENABLE_PSCI_STAT`
is set but `ENABLE_PMF` is not set then an alternative PSCI stat
collection backend must be provided.  If both are set, then default
weak definitions of these functions are provided, using PMF to
calculate the residency.

NOTE: Previously, platforms did not have to explicitly set
`ENABLE_PMF` since this was automatically done by the top-level
Makefile.

Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      04c1db1e
  27. 15 Dec, 2016 1 commit
    • dp-arm's avatar
      tbbr: Fix updating of Non-Trusted NV counter · d35dee23
      dp-arm authored 
      

The previous code required that a certificate be signed with the ROT
key before the platform's NV counter could be updated with the value
in the certificate.  This implies that the Non-Trusted NV counter was
not being updated for Non-Trusted content certificates, as they cannot
be signed with the ROT key in the TBBR CoT scheme.

The code is reworked to only allow updating the platform's Trusted NV
counter when a certificate protected by the Trusted NV counter is
signed with the ROT key.

Content certificates protected by the Non-Trusted NV counter are
allowed to update the platform's Non-Trusted NV counter, assuming
that the certificate value is higher than the platform's value.

A new optional platform API has been introduced, named
plat_set_nv_ctr2().  Platforms may choose to implement it and perform
additional checks based on the authentication image descriptor before
modifying the NV counters.  A default weak implementation is available
that just calls into plat_set_nv_ctr().

Fixes ARM-software/tf-issues#426

Change-Id: I4fc978fd28a3007bc0cef972ff1f69ad0413b79c
Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d35dee23
  29. 21 Sep, 2016 1 commit
    • Yatharth Kochar's avatar
      AArch32: Common changes needed for BL1/BL2 · 1a0a3f06
      Yatharth Kochar authored 
      This patch adds common changes to support AArch32 state in
BL1 and BL2. Following are the changes:

* Added functions for disabling MMU from Secure state.
* Added AArch32 specific SMC function.
* Added semihosting support.
* Added reporting of unhandled exceptions.
* Added uniprocessor stack support.
* Added `el3_entrypoint_common` macro that can be
  shared by BL1 and BL32 (SP_MIN) BL stages. The
  `el3_entrypoint_common` is similar to the AArch64
  counterpart with the main difference in the assembly
  instructions and the registers that are relevant to
  AArch32 execution state.
* Enabled `LOAD_IMAGE_V2` flag in Makefile for
  `ARCH=aarch32` and added check to make sure that
  platform has not overridden to disable it.

Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
      1a0a3f06
  31. 20 Sep, 2016 1 commit
    • Yatharth Kochar's avatar
      Add new version of image loading. · 72600226
      Yatharth Kochar authored 
      This patch adds capability to load BL images based on image
descriptors instead of hard coded way of loading BL images.
This framework is designed such that it can be readily adapted
by any BL stage that needs to load images.

In order to provide the above capability the following new
platform functions are introduced:

  bl_load_info_t *plat_get_bl_image_load_info(void);
    This function returns pointer to the list of images that the
    platform has populated to load.

  bl_params_t *plat_get_next_bl_params(void);
    This function returns a pointer to the shared memory that the
    platform has kept aside to pass trusted firmware related
    information that next BL image needs.

  void plat_flush_next_bl_params(void);
    This function flushes to main memory all the params that
    are passed to next image.

  int bl2_plat_handle_post_image_load(unsigned int image_id)
    This function can be used by the platforms to update/use
    image information for given `image_id`.

`desc_image_load.c` contains utility functions which can be used
by the platforms to generate, load and executable, image list
based on the registered image descriptors.

This patch also adds new version of `load_image/load_auth_image`
functions in-order to achieve the above capability.

Following are the changes for the new version as compared to old:
  - Refactor the signature and only keep image_id and image_info_t
    arguments. Removed image_base argument as it is already passed
    through image_info_t. Given that the BL image base addresses and
    limit/size are already provided by the platforms, the meminfo_t
    and entry_point_info arguments are not needed to provide/reserve
    the extent of free memory for the given BL image.

  - Added check for the image size against the defined max size.
    This is needed because the image size could come from an
    unauthenticated source (e.g. the FIP header).
    To make this check, new member is added to the image_info_t
    struct for identifying the image maximum size.

New flag `LOAD_IMAGE_V2` is added in the Makefile.
Default value is 0.

NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when
      `LOAD_IMAGE_V2` is enabled.

Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
      72600226
  33. 18 Jul, 2016 1 commit
    • Soby Mathew's avatar
      Rework type usage in Trusted Firmware · 4c0d0390
      Soby Mathew authored 
      This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:

* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
  whether AArch64 or AArch32.
* Use generic C types where-ever possible.

In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.

Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
      4c0d0390
  35. 03 Jun, 2016 1 commit
    • Soby Mathew's avatar
      Allow dynamic overriding of ROTPK verification · 04943d33
      Soby Mathew authored 
      A production ROM with TBB enabled must have the ability to boot test software
before a real ROTPK is deployed (e.g. manufacturing mode). Previously the
function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed.
This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags`
parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK
in certificate is used without verifying against the platform value.

Fixes ARM-software/tf-issues#381

Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb
      04943d33
  37. 20 May, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Add 32 bit version of plat_get_syscnt_freq · d4486391
      Antonio Nino Diaz authored 
      Added plat_get_syscnt_freq2, which is a 32 bit variant of the 64 bit
plat_get_syscnt_freq. The old one has been flagged as deprecated.
Common code has been updated to use this new version. Porting guide
has been updated.

Change-Id: I9e913544926c418970972bfe7d81ee88b4da837e
      d4486391
  39. 21 Apr, 2016 1 commit
    • Yatharth Kochar's avatar
      Move `plat_get_syscnt_freq()` to arm_common.c · c073fda1
      Yatharth Kochar authored 
      This patch moves the definition for `plat_get_syscnt_freq()`
from arm_bl31_setup.c to arm_common.c. This could be useful
in case a delay timer needs to be installed based on the
generic timer in other BLs.
This patch also modifies the return type for this function
from `uint64_t` to `unsigned long long` within ARM and other
platform files.

Change-Id: Iccdfa811948e660d4fdcaae60ad1d700e4eda80d
      c073fda1
  41. 01 Apr, 2016 1 commit
    • Soby Mathew's avatar
      Modify return type of plat_get_ns_image_entrypoint() · a0ad6019
      Soby Mathew authored 
      This patch modifies the return type of the platform API
`plat_get_ns_image_entrypoint()` from `unsigned long` to
`uintptr_t` in accordance with the coding guidelines.

Change-Id: Icb4510ca98b706aa4d535fe27e203394184fb4ca
      a0ad6019
  43. 31 Mar, 2016 1 commit
    • Juan Castillo's avatar
      TBB: add non-volatile counter support · 48279d52
      Juan Castillo authored 
      This patch adds support for non-volatile counter authentication to
the Authentication Module. This method consists of matching the
counter values provided in the certificates with the ones stored
in the platform. If the value from the certificate is lower than
the platform, the boot process is aborted. This mechanism protects
the system against rollback.

The TBBR CoT has been updated to include this method as part of the
authentication process. Two counters are used: one for the trusted
world images and another for the non trusted world images.

** NEW PLATFORM APIs (mandatory when TBB is enabled) **

int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);

    This API returns the non-volatile counter value stored
    in the platform. The cookie in the first argument may be
    used to select the counter in case the platform provides
    more than one (i.e. TBSA compliant platforms must provide
    trusted and non-trusted counters). This cookie is specified
    in the CoT.

int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);

    This API sets a new counter value. The cookie may be
    used to select the counter to be updated.

An implementation of these new APIs for ARM platforms is also
provided. The values are obtained from the Trusted Non-Volatile
Counters peripheral. The cookie is used to pass the extension OID.
This OID may be interpreted by the platform to know which counter
must return. On Juno, The trusted and non-trusted counter values
have been tied to 31 and 223, respectively, and cannot be modified.

** IMPORTANT **

THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
ORDER TO SUCCESSFULLY BUILD TF.

Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a
      48279d52
  45. 14 Mar, 2016 1 commit
    • Antonio Nino Diaz's avatar
      Remove all non-configurable dead loops · 1c3ea103
      Antonio Nino Diaz authored 
      Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.

Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().

All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.

Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
      1c3ea103
  47. 14 Jan, 2016 1 commit
  49. 15 Dec, 2015 1 commit
    • Dan Handley's avatar
      FWU: Pass client cookie to FWU_SMC_UPDATE_DONE · 1f37b944
      Dan Handley authored 
      The current FWU_SMC_UPDATE_DONE implementation incorrectly passes
an unused framework cookie through to the 1st argument in the
platform function `bl1_plat_fwu_done`. The intent is to allow
the SMC caller to pass a cookie through to this function.

This patch fixes FWU_SMC_UPDATE_DONE to pass x1 from the caller
through to `bl1_plat_fwu_done`. The argument names are updated
for clarity.

Upstream platforms currently do not use this argument so no
impact is expected.

Change-Id: I107f4b51eb03e7394f66d9a534ffab1cbc09a9b2
      1f37b944