- 01 Nov, 2018 1 commit
-
-
Antonio Nino Diaz authored
The macro EL_IMPLEMENTED() has been deprecated in favour of the new function el_implemented(). Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9 Signed-off-by:Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 29 Oct, 2018 1 commit
-
-
Soby Mathew authored
This patch introduces Position Independant Executable(PIE) support in TF-A. As a initial prototype, only BL31 can support PIE. A trivial dynamic linker is implemented which supports fixing up Global Offset Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc() helper function implements this linker and this needs to be called early in the boot sequence prior to invoking C functions. The GOT is placed in the RO section of BL31 binary for improved security and the BL31 linker script is modified to export the appropriate symbols required for the dynamic linker. The C compiler always generates PC relative addresses to linker symbols and hence referencing symbols exporting constants are a problem when relocating the binary. Hence the reference to the `__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated at runtime based on start and end addresses. Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d Signed-off-by:Soby Mathew <soby.mathew@arm.com>
-
- 16 Oct, 2018 1 commit
-
-
Roberto Vargas authored
When HW_ASSISTED_COHERENCY is enabled we can use spinlocks instead of using the more complex and slower bakery algorithm. Change-Id: I9d791a70050d599241169b9160a67e57d5506564 Signed-off-by:Roberto Vargas <roberto.vargas@arm.com>
-
- 04 Oct, 2018 1 commit
-
-
Antonio Nino Diaz authored
No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by:
-
- 03 Oct, 2018 1 commit
-
-
Daniel Boulby authored
Mark the initialization functions in BL31, such as context management, EHF, RAS and PSCI as __init so that they can be reclaimed by the platform when no longer needed Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130 Signed-off-by:Daniel Boulby <daniel.boulby@arm.com>
-
- 28 Sep, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: I2d4a21a80a768bc422e9707e6d7e98d20a716275 Signed-off-by:
-
- 18 Sep, 2018 1 commit
-
-
Antonio Nino Diaz authored
The expected value for failure is 0, so the warning only has to be shown in that case. This is the way the TSPD has done it since it was introduced, and the way SPM and OP-TEE do it. Trusty wrongly returns 0 on success. In the case of TLK, the return value of tlkd_init() is passed from the secure world in register X1 when calling the SMC TLK_ENTRY_DONE. Change-Id: I39106d67631ee57f109619f8830bf4b9d96155e6 Signed-off-by:
-
- 06 Sep, 2018 1 commit
-
-
Antonio Nino Diaz authored
If BL32 isn't present or it fails to initialize the current code prints an error message in both debug and release builds. This is too verbose for release builds, so it has been converted into a warning. Also, it was missing a newline at the end of the message. Change-Id: I91e18d5d5864dbb19d47ecd54f174d2d8c06296c Signed-off-by:
-
- 30 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: I5993b425445ee794e6d2a792c244c0af53640655 Signed-off-by:
-
- 20 Aug, 2018 2 commits
-
-
Jeenu Viswambharan authored
These changes address most of the required MISRA rules. In the process, some from generic code are also fixed. No functional changes. Change-Id: I19786070af7bc5e1f6d15bdba93e22a4451d8fe9 Signed-off-by:Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
Jeenu Viswambharan authored
Memory Partitioning And Monitoring is an Armv8.4 feature that enables various memory system components and resources to define partitions. Software running at various ELs can then assign themselves to the desired partition to control their performance aspects. With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows lower ELs to access their own MPAM registers without trapping to EL3. This patch however doesn't make use of partitioning in EL3; platform initialisation code should configure and use partitions in EL3 if required. Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd Co-authored-by:
James Morse <james.morse@arm.com> Signed-off-by:
-
- 17 Aug, 2018 1 commit
-
-
John Tsichritzis authored
If the system is in near idle conditions, this erratum could cause a deadlock or data corruption. This patch applies the workaround that prevents this. This DSU erratum affects only the DSUs that contain the ACP interface and it was fixed in r2p0. The workaround is applied only to the DSUs that are actually affected. Link to respective Arm documentation: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm138168/index.html Change-Id: I033213b3077685130fc1e3f4f79c4d15d7483ec9 Signed-off-by:
John Tsichritzis <john.tsichritzis@arm.com>
-
- 19 Jul, 2018 3 commits
-
-
Jeenu Viswambharan authored
External Aborts while executing in EL3 is fatal in nature. This patch allows for the platform to define a handler for External Aborts received while executing in EL3. A default implementation is added which falls back to platform unhandled exception. Change-Id: I466f2c8113a33870f2c7d2d8f2bf20437d9fd354 Signed-off-by: -
Jeenu Viswambharan authored
Double fault is when the PE receives another error whilst one is being handled. To detect double fault condition, a per-CPU flag is introduced to track the status of error handling. The flag is checked/modified while temporarily masking external aborts on the PE. This patch routes double faults to a separate platform-defined handler. Change-Id: I70e9b7ba4c817273c55a0af978d9755ff32cc702 Signed-off-by: -
Jeenu Viswambharan authored
Uncontainable errors are the most severe form of errors, which typically mean that the system state can't be trusted any more. This further means that normal error recovery process can't be followed, and an orderly shutdown of the system is often desirable. This patch allows for the platform to define a handler for Uncontainable errors received. Due to the nature of Uncontainable error, the handler is expected to initiate an orderly shutdown of the system, and therefore is not expected to return. A default implementation is added which falls back to platform unhandled exception. Also fix ras_arch.h header guards. Change-Id: I072e336a391a0b382e77e627eb9e40729d488b55 Signed-off-by:
-
- 17 Jul, 2018 2 commits
-
-
Jeenu Viswambharan authored
RAS handling flows might involve using setjmp/longjump calls introduced in earlier patches; therefore, it'd be good to make sure the stack has been unwound completely after the handling. This patch inserts ASM assertions on the RAS handling path to validate stack. Change-Id: I59d40d3122010c977cdeab3cce3160f3909e7e69 Signed-off-by: -
Jeenu Viswambharan authored
A new file ea_delegate.S is introduced, and all EA-related functions are moved into it. This makes runtime_exceptions.S less crowded and reads better. No functional changes. Change-Id: I64b653b3931984cffd420563f8e8d1ba263f329f Signed-off-by:
-
- 11 Jul, 2018 2 commits
-
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: -
Roberto Vargas authored
Clang linker doesn't support NEXT. As we are not using the MEMORY command to define discontinuous memory for the output file in any of the linker scripts, ALIGN and NEXT are equivalent. Change-Id: I867ffb9c9a76d4e81c9ca7998280b2edf10efea0 Signed-off-by:
-
- 27 Jun, 2018 1 commit
-
-
Jeenu Viswambharan authored
Having an active stack while enabling MMU has shown coherency problems. This patch builds on top of translation library changes that introduces MMU-enabling without using stacks. Previously, with HW_ASSISTED_COHERENCY, data caches were disabled while enabling MMU only because of active stack. Now that we can enable MMU without using stack, we can enable both MMU and data caches at the same time. NOTE: Since this feature depends on using translation table library v2, disallow using translation table library v1 with HW_ASSISTED_COHERENCY. Fixes ARM-software/tf-issues#566 Change-Id: Ie55aba0c23ee9c5109eb3454cb8fa45d74f8bbb2 Signed-off-by:
-
- 21 Jun, 2018 2 commits
-
-
Jeenu Viswambharan authored
SDEI event dispatches currently only sets up the Non-secure context before returning to the caller. The actual dispatch only happens upon exiting EL3 next time. However, for various error handling scenarios, it's beneficial to have the dispatch happen synchronously. I.e. when receiving SDEI interrupt, or for a successful sdei_dispatch_event() call, the event handler is executed; and upon the event completion, dispatcher execution resumes after the point of dispatch. The jump primitives introduced in the earlier patch facilitates this feature. With this patch: - SDEI interrupts and calls to sdei_dispatch_event prepares the NS context for event dispatch, then sets a jump point, and immediately exits EL3. This results in the client handler executing in Non-secure. - When the SDEI client completes the dispatched event, the SDEI dispatcher does a longjmp to the jump pointer created earlier. For the caller of the sdei_dispatch_event() in particular, this would appear as if call returned successfully. The dynamic workaround for CVE_2018_3639 is slightly shifted around as part of related minor refactoring. It doesn't affect the workaround functionality. Documentation updated. NOTE: This breaks the semantics of the explicit dispatch API, and any exiting usages should be carefully reviewed. Change-Id: Ib9c876d27ea2af7fb22de49832e55a0da83da3f9 Signed-off-by: -
Jeenu Viswambharan authored
This patch introduces setjmp() and ongjmp() primitives to enable standard setjmp/longjmp style execution. Both APIs parameters take a pointer to struct jmpbuf type, which hosts CPU registers saved/restored during jump. As per the standard usage: - setjmp() return 0 when a jump is setup; and a non-zero value when returning from jump. - The caller of setjmp() must not return, or otherwise update stack pointer since. Change-Id: I4af1d32e490cfa547979631b762b4cba188d0551 Signed-off-by:
-
- 13 Jun, 2018 1 commit
-
-
Sandrine Bailleux authored
The translation tables allocated for the Secure Partition do not need to be treated as a special case. They can be put amongst the other tables mapping BL31's general purpose memory. They will be mapped with the same attributes as them, which is fine. The explicit alignment constraint in BL31's linker script to pad the last page of memory allocated to the Secure Partition's translation tables is useless too, as page tables are per se pages, thus their end address is naturally aligned on a page-boundary. In fact, this patch does not change the existing behaviour. Since patch 22282bb6 ("SPM: Move all SP-related info to SP context struct"), the secure_partition.c file has been renamed into sp_xlat.c but the linker script has not been properly updated. As a result, the SP translation tables are not specifically put at the start of the xlat_table linker section, the __SP_IMAGE_XLAT_TABLES_START__/_END__ symbols have the same value, the size of the resulting mmap_region covering these xlat tables is 0 and so it is ignored. Change-Id: I4cf0a4cc090298811cca53fc9cee74df0f2b1512 Signed-off-by:
Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 23 May, 2018 1 commit
-
-
Dimitris Papastamos authored
This patch renames symbols and files relating to CVE-2017-5715 to make it easier to introduce new symbols and files for new CVE mitigations. Change-Id: I24c23822862ca73648c772885f1690bed043dbc7 Signed-off-by:Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 04 May, 2018 3 commits
-
-
Jeenu Viswambharan authored
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional extensions to base ARMv8.0 architecture. This patch adds build system support to enable RAS features in ARM Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for this. With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is inserted at all EL3 vector entry and exit. ESBs will synchronize pending external aborts before entering EL3, and therefore will contain and attribute errors to lower EL execution. Any errors thus synchronized are detected via. DISR_EL1 register. When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1. Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a Signed-off-by: -
Jeenu Viswambharan authored
At present, any External Abort routed to EL3 is reported as an unhandled exception and cause a panic. This patch enables ARM Trusted Firmware to handle External Aborts routed to EL3. With this patch, when an External Abort is received at EL3, its handling is delegated to plat_ea_handler() function. Platforms can provide their own implementation of this function. This patch adds a weak definition of the said function that prints out a message and just panics. In order to support handling External Aborts at EL3, the build option HANDLE_EA_EL3_FIRST must be set to 1. Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to compilation; this patch fixes that too. Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1 Signed-off-by: -
Jeenu Viswambharan authored
At present, the function that restores general purpose registers also does ERET. Refactor the restore code to restore general purpose registers without ERET to complement the save function. The macro save_x18_to_x29_sp_el0 was used only once, and is therefore removed, and its contents expanded inline for readability. No functional changes, but with this patch: - The SMC return path will incur an branch-return and an additional register load. - The unknown SMC path restores registers x0 to x3. Change-Id: I7a1a63e17f34f9cde810685d70a0ad13ca3b7c50 Signed-off-by:
-
- 23 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
Due to differences in the bitfields of the SMC IDs, it is not possible to support SMCCC 1.X and 2.0 at the same time. The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build option that specifies the major version of the SMCCC that the Trusted Firmware supports. The only two allowed values are 1 and 2, and it defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it. Note: Support for SMCCC v2.0 is an experimental feature to enable prototyping of secure partition specifications. Support for this convention is disabled by default and could be removed without notice. Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7 Signed-off-by:
-
- 14 Mar, 2018 1 commit
-
-
Dimitris Papastamos authored
When querying `SMCCC_ARCH_WORKAROUND_1` through `SMCCC_ARCH_FEATURES`, return either: * -1 to indicate the PE on which `SMCCC_ARCH_FEATURES` is called requires firmware mitigation for CVE-2017-5715 but the mitigation is not compiled in. * 0 to indicate that firmware mitigation is required, or * 1 to indicate that no firmware mitigation is required. This patch complies with v1.2 of the firmware interfaces specification (ARM DEN 0070A). Change-Id: Ibc32d6620efdac6c340758ec502d95554a55f02a Signed-off-by:
-
- 01 Mar, 2018 1 commit
-
-
Dan Handley authored
Some generic compatibility functions emit deprecated declaration warnings even when platforms do not use the deprecated functions directly. This can be confusing. Suppress these warnings by using: `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` Also emit a runtime warning if the weak plat/common implemntation of plat_get_syscnt_freq2() is used, as this implies the platform has not migrated from plat_get_syscnt_freq(). The deprecated declaration warnings only help detect when platforms are calling deprecated functions, not when they are defining deprecated functions. Fixes ARM-software/tf-issues#550 Change-Id: Id14a92279c2634c1e76db8ef210da8affdbb2a5d Signed-off-by:Dan Handley <dan.handley@arm.com>
-
- 28 Feb, 2018 2 commits
-
-
Roberto Vargas authored
Rule 8.4: A compatible declaration shall be visible when an object or function with external linkage is defined. Change-Id: I26e042cb251a6f9590afa1340fdac73e42f23979 Signed-off-by: -
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers. Change-Id: Iff384187c74a598a4e73f350a1893b60e9d16cec Signed-off-by:
-
- 27 Feb, 2018 2 commits
-
-
Jeenu Viswambharan authored
When a Yielding SMC is preempted, it's possible that Non-secure world is resumed afterwards. In this case, Non-secure execution would find itself in a state where the SMC has returned. However, the dispatcher might not get an opportunity to populate the corrected return code for having been preempted, and therefore the caller of the Yielding SMC cannot reliably determine whether the SMC had successfully completed or had been preempted. To solve this, this patch introduces a new parameter to the ehf_allow_ns_preemption() API. An SPD, through this parameter, would provide the expected error code when a Yielding SMC is preempted. EHF can then populate the specified value in x0 of the Non-secure context so that the caller of the Yielding SMC correctly identifies the SMC return as a preemption. Documentation updates to follow. Change-Id: Ia9c3f8f03f9d72d81aa235eaae2ee0374b972e1e Signed-off-by: -
Antonio Nino Diaz authored
When the MMU is enabled and the translation tables are mapped, data read/writes to the translation tables are made using the attributes specified in the translation tables themselves. However, the MMU performs table walks with the attributes specified in TCR_ELx. They are completely independent, so special care has to be taken to make sure that they are the same. This has to be done manually because it is not practical to have a test in the code. Such a test would need to know the virtual memory region that contains the translation tables and check that for all of the tables the attributes match the ones in TCR_ELx. As the tables may not even be mapped at all, this isn't a test that can be made generic. The flags used by enable_mmu_xxx() have been moved to the same header where the functions are. Also, some comments in the linker scripts related to the translation tables have been fixed. Change-Id: I1754768bffdae75f53561b1c4a5baf043b45a304 Signed-off-by:
-
- 26 Feb, 2018 1 commit
-
-
Soby Mathew authored
This patch introduces a new BL handover interface. It essentially allows passing 4 arguments between the different BL stages. Effort has been made so as to be compatible with the previous handover interface. The previous blx_early_platform_setup() platform API is now deprecated and the new blx_early_platform_setup2() variant is introduced. The weak compatiblity implementation for the new API is done in the `plat_bl_common.c` file. Some of the new arguments in the new API will be reserved for generic code use when dynamic configuration support is implemented. Otherwise the other registers are available for platform use. Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404 Signed-off-by:
-
- 15 Feb, 2018 1 commit
-
-
Antonio Nino Diaz authored
According to the SMC Calling Convention (ARM DEN0028B): The Unknown SMC Function Identifier is a sign-extended value of (-1) that is returned in R0, W0 or X0 register. The value wasn't sign-extended because it was defined as a 32-bit unsigned value (0xFFFFFFFF). SMC_PREEMPT has been redefined as -2 for the same reason. NOTE: This might be a compatibility break for some AArch64 platforms that don't follow the previous version of the SMCCC (ARM DEN0028A) correctly. That document specifies that only the bottom 32 bits of the returned value must be checked. If a platform relies on the top 32 bits of the result being 0 (so that SMC_UNK is 0x00000000FFFFFFFF), it will have to fix its code to comply with the SMCCC. Change-Id: I7f7b109f6b30c114fe570aa0ead3c335383cb54d Signed-off-by:
-
- 12 Feb, 2018 1 commit
-
-
Jeenu Viswambharan authored
When deactivating, it's not an error if the priority being deactivating is equal to the active priority. Fix this. Change-Id: I66f0e9e775ac9aba8a7cc48cd3ecd3b358be63c0 Signed-off-by:
-
- 29 Jan, 2018 2 commits
-
-
Dimitris Papastamos authored
SMCCC v1.1 comes with a relaxed calling convention for AArch64 callers. The caller only needs to save x0-x3 before doing an SMC call. This patch adds support for SMCCC_VERSION and SMCCC_ARCH_FEATURES. Refer to "Firmware Interfaces for mitigating CVE_2017_5715 System Software on Arm Systems"[0] for more information. [0] https://developer.arm.com/-/media/developer/pdf/ARM%20DEN%200070A%20Firmware%20interfaces%20for%20mitigating%20CVE-2017-5715_V1.0.pdf Change-Id: If5b1c55c17d6c5c7cb9c2c3ed355d3a91cdad0a9 Signed-off-by:
-
Dimitris Papastamos authored
In preparation for SMCCC v1.1 support, save x4 to x29 unconditionally. Previously we expected callers coming from AArch64 mode to preserve x8-x17. This is no longer the case with SMCCC v1.1 as AArch64 callers only need to save x0-x3. Change-Id: Ie62d620776533969ff4a02c635422f1b9208be9c Signed-off-by:
-
- 11 Jan, 2018 1 commit
-
-
Dimitris Papastamos authored
Add some AMU helper functions to allow configuring, reading and writing of the Group 0 and Group 1 counters. Documentation for these helpers will come in a separate patch. Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40 Signed-off-by:
-
