GitLab

At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.

This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.

This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.

 - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
   the read-only section still looks like this (padding omitted):

   |        ...        |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script provides the limits of the whole
   read-only section.

 - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
   read-only data are swapped, such that the code and exception
   vectors are contiguous, followed by the read-only data. This
   gives the following new layout (padding omitted):

   |        ...        |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script now exports 2 sets of addresses
   instead: the limits of the code and the limits of the read-only
   data. Refer to the Firmware Design guide for more details. This
   provides platform code with a finer-grained view of the image
   layout and allows it to map these 2 regions with the appropriate
   access permissions.

Note that SEPARATE_CODE_AND_RODATA applies to all BL images.

Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49

This patch adds a new linker symbol in BL1's linker script named
'__BL1_ROM_END__', which marks the end of BL1's ROM content. This
covers BL1's code, read-only data and read-write data to relocate
in Trusted SRAM. The address of this new linker symbol is exported
to C code through the 'BL1_ROM_END' macro.

The section related to linker symbols in the Firmware Design guide
has been updated and improved.

Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7

This patch adds following optional PSCI STAT functions:

- PSCI_STAT_RESIDENCY: This call returns the amount of time spent
  in power_state in microseconds, by the node represented by the
  `target_cpu` and the highest level of `power_state`.

- PSCI_STAT_COUNT: This call returns the number of times a
  `power_state` has been used by the node represented by the
  `target_cpu` and the highest power level of `power_state`.

These APIs provides residency statistics for power states that has
been used by the platform. They are implemented according to v1.0
of the PSCI specification.

By default this optional feature is disabled in the PSCI
implementation. To enable it, set the boolean flag
`ENABLE_PSCI_STAT` to 1. This also sets `ENABLE_PMF` to 1.

Change-Id: Ie62e9d37d6d416ccb1813acd7f616d1ddd3e8aff

This patch adds Performance Measurement Framework(PMF) in the
ARM Trusted Firmware. PMF is implemented as a library and the
SMC interface is provided through ARM SiP service.

The PMF provides capturing, storing, dumping and retrieving the
time-stamps, by enabling the development of services by different
providers, that can be easily integrated into ARM Trusted Firmware.
The PMF capture and retrieval APIs can also do appropriate cache
maintenance operations to the timestamp memory when the caller
indicates so.

`pmf_main.c` consists of core functions that implement service
registration, initialization, storing, dumping and retrieving
the time-stamp.
`pmf_smc.c` consists SMC handling for registered PMF services.
`pmf.h` consists of the macros that can be used by the PMF service
providers to register service and declare time-stamp functions.
`pmf_helpers.h` consists of internal macros that are used by `pmf.h`

By default this feature is disabled in the ARM trusted firmware.
To enable it set the boolean flag `ENABLE_PMF` to 1.

NOTE: The caller is responsible for specifying the appropriate cache
maintenance flags and for acquiring/releasing appropriate locks
before/after capturing/retrieving the time-stamps.

Change-Id: Ib45219ac07c2a81b9726ef6bd9c190cc55e81854

Add build time option 'cadence1' for ZYNQMP_CONSOLE to select the 2nd
UART available in the SoC.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>

This patch adds support for the QEMU virt ARMv8-A target.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

A production ROM with TBB enabled must have the ability to boot test software
before a real ROTPK is deployed (e.g. manufacturing mode). Previously the
function plat_get_rotpk_info() must return a valid ROTPK for TBB to succeed.
This patch adds an additional bit `ROTPK_NOT_DEPLOYED` in the output `flags`
parameter from plat_get_rotpk_info(). If this bit is set, then the ROTPK
in certificate is used without verifying against the platform value.

Fixes ARM-software/tf-issues#381

Change-Id: Icbbffab6bff8ed76b72431ee21337f550d8fdbbb

* Move stdlib header files from include/stdlib to include/lib/stdlib for
  consistency with other library headers.
* Fix checkpatch paths to continue excluding stdlib files.
* Create stdlib.mk to define the stdlib source files and include directories.
* Include stdlib.mk from the top level Makefile.
* Update stdlib header path in the fip_create Makefile.
* Update porting-guide.md with the new paths.

Change-Id: Ia92c2dc572e9efb54a783e306b5ceb2ce24d27fa

The system registers that are saved and restored in CPU context include
AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
AArch64-only (i.e. on hardware that does not implement AArch32, or at
least not at EL1 and higher ELs) platform leads to an exception. This patch
introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
include these AArch32 systems registers in the cpu context or not. By default
this build option is set to 1 to ensure compatibility. AArch64-only platforms
must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
verify this.

Fixes ARM-software/tf-issues#386

Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee

This patch adds a new optional platform hook `pwr_domain_pwr_down_wfi()` in
the plat_psci_ops structure. This hook allows the platform to perform platform
specific actions including the wfi invocation to enter powerdown. This hook
is invoked by both psci_do_cpu_off() and psci_cpu_suspend_start() functions.
The porting-guide.md is also updated for the same.

This patch also modifies the `psci_power_down_wfi()` function to invoke
`plat_panic_handler` incase of panic instead of the busy while loop.

Fixes ARM-Software/tf-issues#375

Change-Id: Iba104469a1445ee8d59fb3a6fdd0a98e7f24dfa3

This patch adds support to select CCN driver for FVP during build.
A new build option `FVP_INTERCONNECT_DRIVER` is added to allow
selection between the CCI and CCN driver. Currently only the CCN-502
variant is supported on FVP.

The common ARM CCN platform helper file now verifies the cluster
count declared by platform is equal to the number of root node
masters exported by the ARM Standard platform.

Change-Id: I71d7b4785f8925ed499c153b2e9b9925fcefd57a

Added a build flag to select the generic delay timer on FVP instead
of the SP804 timer. By default, the generic one will be selected. The
user guide has been updated.

Change-Id: Ica34425c6d4ed95a187b529c612f6d3b26b78bc6

Added plat_get_syscnt_freq2, which is a 32 bit variant of the 64 bit
plat_get_syscnt_freq. The old one has been flagged as deprecated.
Common code has been updated to use this new version. Porting guide
has been updated.

Change-Id: I9e913544926c418970972bfe7d81ee88b4da837e

This patch changes the default driver for FVP platform from the deprecated
GICv3 legacy to the GICv3 only driver. This means that the default build of
Trusted Firmware will not be able boot Linux kernel with GICv2 FDT blob. The
user guide is also updated to reflect this change of default GIC driver for
FVP.

Change-Id: Id6fc8c1ac16ad633dabb3cd189b690415a047764

This patch removes support for legacy Versatile Express memory map for the
GIC peripheral in the FVP platform. The user guide is also updated for the
same.

Change-Id: Ib8cfb819083aca359e5b46b5757cb56cb0ea6533

Add MAX_IO_BLOCK_DEVICES in porting guide. It's necessary to define
this macro to support io block device. With this macro, multiple
block devices could be opened at the same time. Each block device
stores its own state.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>

The translation table library code has moved from lib/aarch64/ to
lib/xlat_tables/ since commit 3ca9928d but the Porting Guide still
points to the old location. This patch fixes this issue.

Change-Id: I983a9a100d70eacf6bac71725ffbb4bb5f3732b0

Parse the parameter structure the FSBL populates, to populate the bl32
and bl33 image structures.

Cc: Sarat Chand Savitala <saratcha@xilinx.com>
Cc: petalinux-dev@xilinx.com
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
[ SB
 - pass pointers to structs instead of structs
 - handle execution state parameter
 - populate bl32 SPSR
 - add documentation
 - query bootmode and consider missing handoff parameters an error when
   not in JTAG boot mode
]
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

Drop the current configuration options for selecting the location of
the ATF and TSP (ZYNQMP_ATF_LOCATION, ZYNQMP_TSP_RAM_LOCATION).
The new configuration provides one default setup (ATF in OCM,
BL32 in DRAM). Additionally, the new configuration options
 - ZYNQMP_ATF_MEM_BASE
 - ZYNQMP_ATF_MEM_SIZE
 - ZYNQMP_BL32_MEM_BASE
 - ZYNQMP_BL32_MEM_SIZE
can be used to freely configure the memory locations used for ATF and
secure payload.

Also, allow setting the BL33 entry point via PRELOADED_BL33_BASE.

Cc: petalinux-dev@xilinx.com
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>

This patch adds links to the Cortex-A53 and Cortex-A57 MPCores
Software Developers Errata Notice documents in the ARM CPU Specific
Build Macros document.

Change-Id: I0aa26d7f373026097ed012a02bc61ee2c5b9d6fc

Change-Id: I86ac81ffd7cd094ce68c4cceb01c16563671a063

Change-Id: Icaacd19c4cef9c10d02adcc2f84a4d7c97d4bcfa

Change-Id: Ia2ce8aa752efb090cfc734c1895c8f2539e82439

Change-Id: I632a8c5bb517ff89c69268e865be33101059be7d

Change-Id: I45641551474f4c58c638aff8c42c0ab9a8ec78b4

It is up to the platform to implement the new plat_crash_print_regs macro to
report all relevant platform registers helpful for troubleshooting.

plat_crash_print_regs merges or calls previously defined plat_print_gic_regs
and plat_print_interconnect_regs macros for each existing platforms.

NOTE: THIS COMMIT REQUIRES ALL PLATFORMS THAT ENABLE THE `CRASH_REPORTING`
BUILD FLAG TO MIGRATE TO USE THE NEW `plat_crash_print_regs()` MACRO. BY
DEFAULT, `CRASH_REPORTING` IS ENABLED IN DEBUG BUILDS FOR ALL PLATFORMS.

Fixes: arm-software/tf-issues#373
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>

This patch updates the TF User Guide, simplifying some of the steps
to build and run TF and trying to avoid duplicated information that
is already available on the ARM Connected Community or the Linaro
website.

The recommended Linaro release is now 16.02.

Change-Id: I21db486d56a07bb10f5ee9a33014ccc59ca12986

To avoid confusion the build option BL33_BASE has been renamed to
PRELOADED_BL33_BASE, which is more descriptive of what it does and
doesn't get mistaken by similar names like BL32_BASE that work in a
completely different way.

NOTE: PLATFORMS USING BUILD OPTION `BL33_BASE` MUST CHANGE TO THE NEW
BUILD OPTION `PRELOADED_BL33_BASE`.

Change-Id: I658925ebe95406edf0325f15aa1752e1782aa45b

This patch enables the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and
BL31 common architectural setup code. When in secure state, this disables
instruction fetches from Non-secure memory.

NOTE: THIS COULD BREAK PLATFORMS THAT HAVE SECURE WORLD CODE EXECUTING FROM
NON-SECURE MEMORY, BUT THIS IS CONSIDERED UNLIKELY AND IS A SERIOUS SECURITY
RISK.

Fixes ARM-Software/tf-issues#372

Change-Id: I684e84b8d523c3b246e9a5fabfa085b6405df319

The Xilinx Zynq UltraScale+ MPSOC containes a quad A53 cluster. This
patch adds the platform port for that SoC.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

This patch modifies the return type of the platform API
`plat_get_ns_image_entrypoint()` from `unsigned long` to
`uintptr_t` in accordance with the coding guidelines.

Change-Id: Icb4510ca98b706aa4d535fe27e203394184fb4ca

To get round problems encountered when building in a DOS build
environment the generation of the .o file containing build identifier
strings is modified.
The problems encounterred were:
   1. DOS echo doesn't strip ' characters from the output text.
   2. git is not available from CMD.EXE so the BUILD_STRING value needs
      some other origin.

A BUILD_STRING value of "development build" is used for now.

MAKE_BUILD_STRINGS is used to customise build string generation in a DOS
environment. This variable is not defined in the UNIX build environment
make file helper, and so the existing build string generation behaviour
is retained in these build environments.

NOTE: This commit completes a cumulative series aimed at improving
      build portability across development environments.
      This enables the build to run on several new build environments,
      if the relevant tools are available.
      At this point the build is tested on Windows 7 Enterprise SP1,
      using CMD.EXE, Cygwin and Msys (MinGW),as well as a native
      Linux envionment".  The Windows platform builds used
      aarch64-none-elf-gcc.exe 4.9.1.  CMD.EXE and Msys used Gnu
      Make 3.81, cygwin used Gnu Make 4.1.

CAVEAT: The cert_create tool build is not tested on the Windows
        platforms (openssl-for-windows has a GPL license).

Change-Id: Iaa4fc89dbe2a9ebae87e2600c9eef10a6af30251

lib/aarch64/xlat_helpers.c defines helper functions to build
translation descriptors, but no common code or upstream platform
port uses them. As the rest of the xlat_tables code evolves, there
may be conflicts with these helpers, therefore this code should be
removed.

Change-Id: I9f5be99720f929264818af33db8dada785368711

This patch adds support for non-volatile counter authentication to
the Authentication Module. This method consists of matching the
counter values provided in the certificates with the ones stored
in the platform. If the value from the certificate is lower than
the platform, the boot process is aborted. This mechanism protects
the system against rollback.

The TBBR CoT has been updated to include this method as part of the
authentication process. Two counters are used: one for the trusted
world images and another for the non trusted world images.

** NEW PLATFORM APIs (mandatory when TBB is enabled) **

int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);

    This API returns the non-volatile counter value stored
    in the platform. The cookie in the first argument may be
    used to select the counter in case the platform provides
    more than one (i.e. TBSA compliant platforms must provide
    trusted and non-trusted counters). This cookie is specified
    in the CoT.

int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);

    This API sets a new counter value. The cookie may be
    used to select the counter to be updated.

An implementation of these new APIs for ARM platforms is also
provided. The values are obtained from the Trusted Non-Volatile
Counters peripheral. The cookie is used to pass the extension OID.
This OID may be interpreted by the platform to know which counter
must return. On Juno, The trusted and non-trusted counter values
have been tied to 31 and 223, respectively, and cannot be modified.

** IMPORTANT **

THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
ORDER TO SUCCESSFULLY BUILD TF.

Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a

This patch adds an option to the ARM common platforms to load BL31 in the
TZC secured DRAM instead of the default secure SRAM.

To enable this feature, set `ARM_BL31_IN_DRAM` to 1 in build options.
If TSP is present, then setting this option also sets the TSP location
to DRAM and ignores the `ARM_TSP_RAM_LOCATION` build flag.

To use this feature, BL2 platform code must map in the DRAM used by
BL31. The macro ARM_MAP_BL31_SEC_DRAM is provided for this purpose.
Currently, only the FVP BL2 platform code maps in this DRAM.

Change-Id: If5f7cc9deb569cfe68353a174d4caa48acd78d67

Asynchronous abort exceptions generated by the platform during cold boot are
not taken in EL3 unless SCR_EL3.EA is set.

Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture
initialisation. Further write accesses to SCR_EL3 preserve these bits during
cold boot.

A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions
being trapped by EL3 after cold boot or not.

For further reference SError Interrupts are also known as asynchronous external
aborts.

On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in
EL3 whatever the SCR_EL3.EA value is.

Fixes arm-software/tf-issues#368
Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>

The Firmware Design document is meant to provide a general overview
of the Trusted Firmware code. Although it is useful to provide some
guidance around the responsibilities of the platform layer, it should
not provide too much platform specific implementation details. Right
now, some sections are too tied to the implementation on ARM
platforms. This makes the Firmware Design document harder to digest.

This patch simplifies this aspect of the Firmware Design document.
The sections relating the platform initialisations performed by the
different BL stages have been simplified and the extra details about
the ARM platforms implementation have been moved to the Porting Guide
when appropriate.

This patch also provides various documentation fixes and additions
in the Firmware Design and Platform Porting Guide. In particular:

 - Update list of SMCs supported by BL1.

 - Remove MMU setup from architectural inits, as it is actually
   performed by platform code.

 - Similarly, move runtime services initialisation, BL2 image
   initialization and BL33 execution out of the platform
   initialisation paragraph.

 - List SError interrupt unmasking as part of BL1 architectural
   initialization.

 - Mention Trusted Watchdog enabling in BL1 on ARM platforms.

 - Fix order of steps in "BL2 image load and execution" section.

 - Refresh section about GICv3/GICv2 drivers initialisation on
   ARM platforms.

Change-Id: I32113c4ffdc26687042629cd8bbdbb34d91e3c14

Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.

Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().

All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.

Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134

The previous reset code in BL1 performed the following steps in
order:

1. Warm/Cold boot detection.
   If it's a warm boot, jump to warm boot entrypoint.

2. Primary/Secondary CPU detection.
   If it's a secondary CPU, jump to plat_secondary_cold_boot_setup(),
   which doesn't return.

3. CPU initialisations (cache, TLB...).

4. Memory and C runtime initialization.

For a secondary CPU, steps 3 and 4 are never reached. This shouldn't
be a problem in most cases, since current implementations of
plat_secondary_cold_boot_setup() either panic or power down the
secondary CPUs.

The main concern is the lack of secondary CPU initialization when
bare metal EL3 payloads are used in case they don't take care of this
initialisation themselves.

This patch moves the detection of primary/secondary CPU after step 3
so that the CPU initialisations are performed per-CPU, while the
memory and the C runtime initialisation are only performed on the
primary CPU. The diagrams used in the ARM Trusted Firmware Reset
Design documentation file have been updated to reflect the new boot
flow.

Platforms ports might be affected by this patch depending on the
behaviour of plat_secondary_cold_boot_setup(), as the state of the
platform when entering this function will be different.

Fixes ARM-software/tf-issues#342

Change-Id: Icbf4a0ee2a3e5b856030064472f9fa6696f2eb9e

This patch clarifies a porting API in the Porting Guide that do not
follow the ARM Architecture Program Calling Standards (AAPCS). The
list of registers that are allowed to be clobbered by this API has
been updated in the Porting Guide.

Fixes ARM-software/tf-issues#259

Change-Id: Ibf2adda2e1fb3e9b8f53d8a918d5998356eb8fce