- 09 May, 2018 1 commit
-
-
Roberto Vargas authored
Using variables as format strings can generate security problems when the user can control those strings. Some compilers generate warnings in those cases, even when the variables are constants and are not controlled by the user. Change-Id: I65dee1d1b66feab38cbf298290a86fa56e6cca40 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 04 May, 2018 6 commits
-
-
Jeenu Viswambharan authored
The ARMv8.4 RAS extensions introduce architectural support for software to inject faults into the system in order to test fault-handling software. This patch introduces the build option FAULT_HANDLING_SUPPORT to allow for lower ELs to use registers in the Standard Error Record to inject faults. The build option RAS_EXTENSIONS must also be enabled along with fault injection. This feature is intended for testing purposes only, and it is advisable to keep it disabled for production images. Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
EHF currently allows for registering interrupt handlers for defined priority ranges. This is primarily targeted at various EL3 dispatchers to own ranges of secure interrupt priorities in order to delegate execution to lower ELs. The RAS support added by earlier patches necessitates registering handlers based on interrupt number so that error handling agents shall receive and handle specific Error Recovery or Fault Handling interrupts at EL3. This patch introduces a macro, RAS_INTERRUPTS() to declare an array of interrupt numbers and handlers. Error handling agents can use this macro to register handlers for individual RAS interrupts. The array is expected to be sorted in the increasing order of interrupt numbers. As part of RAS initialisation, the list of all RAS interrupts is sorted based on their ID so that, given an interrupt, its handler can be looked up with a simple binary search.
For an error handling agent that wants to handle a RAS interrupt, platform must:
  - Define PLAT_RAS_PRI to be the priority of all RAS exceptions.
  - Enumerate interrupts to have the GIC driver program individual EL3 interrupts to the required priority range. This is required by EHF even before this patch.
Documentation to follow.
Change-Id: I9471e4887ff541f8a7a63309e9cd8f771f76aeda Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Previous patches added frameworks for handling RAS errors. This patch introduces features that the platform can use to enumerate and iterate RAS nodes:
  - The REGISTER_RAS_NODES() can be used to expose an array of ras_node_info_t structures. Each ras_node_info_t describes a RAS node, along with handlers for probing the node for error, and, if it did record an error, another handler to handle it.
  - The macro for_each_ras_node() can be used to iterate over the registered RAS nodes, probe for, and handle any errors.
The common platform EA handler has been amended using error handling primitives introduced by both this and previous patches.
Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
The ARMv8 RAS Extensions introduced Standard Error Records which are a set of standard registers through which:
  - Platform can configure RAS node policy; e.g., notification mechanism;
  - RAS nodes can record and expose error information for error handling agents.
Standard Error Records can either be accessed via memory-mapped or System registers. This patch adds helper functions to access registers and fields within an error record.
Change-Id: I6594ba799f4a1789d7b1e45b3e17fd40e7e0ba5c Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
At present, the function that restores general purpose registers also does ERET. Refactor the restore code to restore general purpose registers without ERET to complement the save function. The macro save_x18_to_x29_sp_el0 was used only once, and is therefore removed, and its contents expanded inline for readability. No functional changes, but with this patch:
  - The SMC return path will incur a branch-return and an additional register load.
  - The unknown SMC path restores registers x0 to x3.
Change-Id: I7a1a63e17f34f9cde810685d70a0ad13ca3b7c50 Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 02 May, 2018 1 commit
-
-
Antonio Nino Diaz authored
In AArch64, the field ID_AA64MMFR0_EL1.PARange has a different set of allowed values depending on the architecture version. Previously, we only compiled the Trusted Firmware with the values that were allowed by the architecture. However, given that this field is read-only, it is easier to compile the code with all values regardless of the target architecture. Change-Id: I57597ed103dd0189b1fb738a9ec5497391c10dd1 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 01 May, 2018 1 commit
-
-
Roberto Vargas authored
Previously mem_protect used to be only supported from BL2. This is not helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates mem_protect from el3_runtime firmware on ARM Platforms specifically when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap tables temporarily and the protected regions are then cleared. This avoids the need to map the non secure DRAM permanently to BL31/sp_min. The stack size is also increased, because DYNAMIC_XLAT_TABLES requires a bigger stack. Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 26 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
According to the ARMv8 ARM issue C.a: AP[1] is valid only for stage 1 of a translation regime that can support two VA ranges. It is RES 1 when stage 1 translations can support only one VA range. This means that, even though this bit is ignored, it should be set to 1 in the EL3 and EL2 translation regimes. For translation regimes consisting of EL0 and a higher regime this bit selects between control at EL0 or at the higher Exception level. The regimes that support two VA ranges are EL1&0 and EL2&0 (the latter one is only available since ARMv8.1). This fix has to be applied to both versions of the translation tables library. Change-Id: If19aaf588551bac7aeb6e9a686cf0c2068e7c181 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 17 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: I989c1f4aef8e3cb20d5d19e6347575e6449bb60b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Apr, 2018 2 commits
-
-
Jonathan Wright authored
A fix for errata 835769 may be available in revisions r0p2, r0p3 or r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 7 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ib75b008e755e9ac648554ca9398024fdbea4a91a Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
Jonathan Wright authored
A fix for errata 843419 may be available in revision r0p4 of the Cortex-A53 processor. The presence of the fix is determined by checking bit 8 in the REVIDR register. If the fix is present we report ERRATA_NOT_APPLIES which silences the erroneous 'missing workaround' warning. Change-Id: Ibd2a478df3e2a6325442a6a48a0bb0259dcfc1d7 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 09 Apr, 2018 1 commit
-
-
Varun Wadekar authored
The last entry in the mapping table is not necessarily the same as the end of the table. This patch loops through the table to find the last entry marker, on every new mmap addition. The memmove operation then has to only move the memory between current entry and the last entry. For platforms that arrange their MMIO map properly, this operation turns out to be a NOP. The previous implementation added significant overhead per mmap addition as the memmove operation always moved the difference between the current mmap entry and the end of the table. Tested on Tegra platforms and this new approach improves the memory mapping time by ~75%, thus significantly reducing boot time on some platforms. Change-Id: Ie3478fa5942379282ef58bee2085da799137e2ca Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 27 Mar, 2018 2 commits
-
-
Jonathan Wright authored
Initializes each element of the last_cpu_in_non_cpu_pd array in PSCI stat implementation to -1, the reset value. This satisfies MISRA rule 9.3. Previously, only the first element of the array was initialized to -1. Change-Id: I666c71e6c073710c67c6d24c07a219b1feb5b773 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
Joel Hutton authored
Void pointers have been used to access linker symbols, by declaring an extern pointer, then taking the address of it. This limits symbol values to aligned pointer values. To remove this restriction an IMPORT_SYM macro has been introduced, which declares it as a char pointer and casts it to the required type. Change-Id: I89877fc3b13ed311817bb8ba79d4872b89bfd3b0 Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>
-
- 26 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensure (where possible) that switch statements in lib comply with MISRA rules 16.1 - 16.7. Change-Id: I52bc896fb7094d2b7569285686ee89f39f1ddd84 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 21 Mar, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the source code says 'SMCC' it is talking about the SMC Calling Convention. The correct acronym is SMCCC. This affects a few definitions and file names. Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S) but the old files have been kept for compatibility, they include the new ones with an ERROR_DEPRECATED guard. Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensures compliance with MISRA C-2012 Rule 22.7 Change-Id: Ifbe0926a24ba0dca18174e1aa87313a63bba50fb Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 14 Mar, 2018 2 commits
-
-
Dimitris Papastamos authored
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`, return either:
  * -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called requires firmware mitigation for CVE-2017-5715 but the mitigation is not compiled in.
  * 0 to indicate that firmware mitigation is required, or
  * 1 to indicate that no firmware mitigation is required.
This patch complies with v1.2 of the firmware interfaces specification (ARM DEN 0070A).
Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
If the CSV2 field reads as 1 then branch targets trained in one context cannot affect speculative execution in a different context. In that case skip the workaround on Cortex A72 and A73. Change-Id: Ide24fb6efc77c548e4296295adc38dca87d042ee Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 28 Feb, 2018 3 commits
-
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined.
Fixed for: make DEBUG=1 PLAT=fvp LOG_LEVEL=50 all
Change-Id: I7c2ad3f5c015411c202605851240d5347e4cc8c7 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined. Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers. Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 27 Feb, 2018 9 commits
-
-
David Cunado authored
MISRA C-2012 Rule 7.3 violation: lowercase l shall not be used as literal suffixes. This patch resolves this for the ULL() macro by using ULL suffix instead of the ull suffix. Change-Id: Ia8183c399e74677e676956e8653e82375d0e0a01 Signed-off-by: David Cunado <david.cunado@arm.com>
-
Antonio Nino Diaz authored
During the warm boot sequence:
  1. The MMU is enabled with the data cache disabled. The MMU table walker is set up to access the translation tables as in cacheable memory, but its accesses are non-cacheable because SCTLR_EL3.C controls them as well.
  2. The interconnect is set up and the CPU enters coherency with the rest of the system.
  3. The data cache is enabled.
If the support for dynamic translation tables is enabled and another CPU makes changes to a region, the changes may only be present in the data cache, not in RAM. The CPU that is booting isn't in coherency with the rest of the system, so the table walker of that CPU isn't either. This means that it may read old entries from RAM and it may have invalid TLB entries corresponding to the dynamic mappings. This is not a problem for the boot code because the mapping is 1:1 and the regions are static. However, the code that runs after the boot sequence may need to access the dynamically mapped regions. This patch invalidates all TLBs during warm boot when the dynamic translation tables support is enabled to prevent this problem.
Change-Id: I80264802dc0aa1cb3edd77d0b66b91db6961af3d Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Dimitris Papastamos authored
Change-Id: I61c9fdfda0c0b3c3ec6249519db23602cf4c2100 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
This patch also fixes the assumption that the counters are disabled on the resume path. This is incorrect as the AMU counters are enabled early in the CPU reset function before `cpuamu_context_restore()` runs. Change-Id: I38a94eb166a523f00de18e86860434ffccff2131 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
This patch also fixes `cpuamu_write_cpuamcntenclr_el0()` to use an MSR instruction instead of an MRS instruction. Change-Id: Ia6531f64b5ebc60ba432124eaa8d8eaccba40ed0 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Change-Id: I38470528111410cf12b187eb1397d87b812c9416 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
AArch32 uses odd-even pairs when passing 64-bit arguments to functions. For example in `amu_group0_cnt_write_internal()` the second argument is a uint64_t which is passed in r2 and r3. In `amu_group1_set_evtype_internal()` the value that needs to be written to the system register is in r1 not in r0. Change-Id: I20196268fdb1dc9ef6c4ebe61e761fba9623b3f2 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Before suspend the AMU counters should be enabled and after resume they should be disabled. Assert that to be consistent with the AArch64 implementation of `amu_context_{save,restore}()`. Change-Id: Ia46f77e4062b93afb93721a2890a9b9d2a7f300e Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
Dimitris Papastamos authored
Implement helpers to test if the core supports SPE/SVE. We have a similar helper for AMU and this patch makes all extensions consistent in their implementation. Change-Id: I3e6f7522535ca358259ad142550b19fcb883ca67 Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 22 Feb, 2018 1 commit
-
-
Soby Mathew authored
The AArch32 assembly implementation of `print_errata_status` did not save a register which was getting clobbered by a `get_cpu_ops_ptr`. This patch fixes that. Change-Id: Id0711e46b7c685a18a10328d4b513e952a5d860b Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 08 Feb, 2018 1 commit
-
-
Sandrine Bailleux authored
When enabling VERBOSE() traces, the zlib library fails to compile because of an incompatible format specifier string. Fix that. Change-Id: I74ff1c8dc2e6157ee982f7754bce4504599e3013 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 07 Feb, 2018 1 commit
-
-
Victor Chong authored
Currently optee header info is only printed after it is validated, but this does not help with debugging in case of error, so print it before. Signed-off-by: Victor Chong <victor.chong@linaro.org>
-
- 05 Feb, 2018 1 commit
-
-
Etienne Carriere authored
AArch32 only platforms can boot the OP-TEE secure firmware as a BL32 secure payload. Such configuration can be defined through AARCH32_SP=optee. The source files can rely on AARCH32_SP_OPTEE to condition OP-TEE boot specific instruction sequences. OP-TEE does not expect ARM Trusted Firmware formatted structure as boot argument. Load sequence is expected to have already loaded to OP-TEE boot arguments into the bl32 entrypoint info structure. Last, AArch32 platform can only boot AArch32 OP-TEE images. Change-Id: Ic28eec5004315fc9111051add6bb1a1d607fc815 Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
-
- 01 Feb, 2018 3 commits
-
-
Masahiro Yamada authored
This commit adds some more files to use zlib from TF. To use zlib, ->zalloc and ->zfree hooks are needed. The implementation depends on the system. For user-space, the libc provides malloc() and friends. Unfortunately, ARM Trusted Firmware does not provide malloc() or any concept of dynamic memory allocation. I implemented very simple calloc() and free() for this. Stupidly, zfree() never frees memory, but it works enough for this. The purpose of using zlib is to implement gunzip() - this function takes compressed data from in_buf, then dumps the decompressed data to out_buf. The work_buf is used for memory allocation during the decompress. Upon exit, it updates in_buf and out_buf. If successful, in_buf points to the end of input data, out_buf to the end of the decompressed data.
To use this feature, you need to do:
  - include lib/zlib/zlib.mk from your platform.mk
  - add $(ZLIB_SOURCES) to your BL*_SOURCES
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
Import the following files from zlib 1.2.11: adler32.c crc32.c crc32.h inffast.c inffast.h inffixed.h inflate.c inflate.h inftrees.c inftrees.h zconf.h zlib.h zutil.c zutil.h The original tarball is available from http://zlib.net/ The zlib is free software, distributed under the zlib license. The license text is included in the "zlib.h" file. It should be compatible with BSD-3-Clause. The zlib license is included in the SPDX license list available at https://spdx.org/licenses/ , but I did not add the SPDX license tag to the imported files above, to keep them as they are in the upstream project. This seems the general policy for ARM Trusted Firmware, as SPDX License Identifier was not added to files imported from FreeBSD. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
The assertion in zero_normalmem() fails for BL2_AT_EL3. This mode is executed in EL3, so it should check sctlr_el3 instead of sctlr_el1. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>