- 08 Mar, 2017 1 commit
-
-
Antonio Nino Diaz authored
The files affected by this patch don't really depend on `xlat_tables.h`. By changing the included file it becomes easier to switch between the two versions of the translation tables library. Change-Id: Idae9171c490e0865cb55883b19eaf942457c4ccc Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Introduce zeromem_dczva function on AArch64 that can handle unaligned addresses and make use of DC ZVA instruction to zero a whole block at a time. This zeroing takes place directly in the cache to speed it up without doing external memory access. Remove the zeromem16 function on AArch64 and replace it with an alias to zeromem. This zeromem16 function is now deprecated. Remove the 16-bytes alignment constraint on __BSS_START__ in firmware-design.md as it is now not mandatory anymore (it used to comply with zeromem16 requirements). Change the 16-bytes alignment constraints in SP min's linker script to a 8-bytes alignment constraint as the AArch32 zeromem implementation is now more efficient on 8-bytes aligned addresses. Introduce zero_normalmem and zeromem helpers in platform agnostic header that are implemented this way: * AArch32: * zero_normalmem: zero using usual data access * zeromem: alias for zero_normalmem * AArch64: * zero_normalmem: zero normal memory using DC ZVA instruction (needs MMU enabled) * zeromem: zero using usual data access Usage guidelines: in most cases, zero_normalmem should be preferred. There are 2 scenarios where zeromem (or memset) must be used instead: * Code that must run with MMU disabled (which means all memory is considered device memory for data accesses). * Code that fills device memory with null bytes. Optionally, the following rule can be applied if performance is important: * Code zeroing small areas (few bytes) that are not secrets should use memset to take advantage of compiler optimizations. Note: Code zeroing security-related critical information should use zero_normalmem/zeromem instead of memset to avoid removal by compilers' optimizations in some cases or misbehaving versions of GCC. Fixes ARM-software/tf-issues#408 Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 20 Dec, 2016 1 commit
-
-
Sandrine Bailleux authored
The is_mem_free() function used to be local to bl_common.c. This patch exports it so that it can be used outside of bl_common.c. Change-Id: I01dcb4229f3a36f56a4724b567c5e6c416dc5e98 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 19 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
ASM_ASSERT failure and panic messages are suppressed at present. This patch enables printing the PC location for panic messages, and file name and line number upon assembly assert failure. Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 05 Dec, 2016 1 commit
-
-
Jeenu Viswambharan authored
There are many instances in ARM Trusted Firmware where control is transferred to functions from which return isn't expected. Such jumps are made using 'bl' instruction to provide the callee with the location from which it was jumped to. Additionally, debuggers infer the caller by examining where 'lr' register points to. If a 'bl' of the nature described above falls at the end of an assembly function, 'lr' will be left pointing to a location outside of the function range. This misleads the debugger back trace. This patch defines a 'no_ret' macro to be used when jumping to functions from which return isn't expected. The macro ensures to use 'bl' instruction for the jump, and also, for debug builds, places a 'nop' instruction immediately thereafter (unless instructed otherwise) so as to leave 'lr' pointing within the function range. Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0 Co-authored-by: Douglas Raillard <douglas.raillard@arm.com> Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
-
- 29 Nov, 2016 1 commit
-
-
Antonio Nino Diaz authored
When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 21 Sep, 2016 1 commit
-
-
Yatharth Kochar authored
This patch adds common changes to support AArch32 state in BL1 and BL2. Following are the changes: * Added functions for disabling MMU from Secure state. * Added AArch32 specific SMC function. * Added semihosting support. * Added reporting of unhandled exceptions. * Added uniprocessor stack support. * Added `el3_entrypoint_common` macro that can be shared by BL1 and BL32 (SP_MIN) BL stages. The `el3_entrypoint_common` is similar to the AArch64 counterpart with the main difference in the assembly instructions and the registers that are relevant to AArch32 execution state. * Enabled `LOAD_IMAGE_V2` flag in Makefile for `ARCH=aarch32` and added check to make sure that platform has not overridden to disable it. Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
-
- 20 Sep, 2016 1 commit
-
-
Yatharth Kochar authored
This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
-
- 31 Aug, 2016 1 commit
-
-
Soby Mathew authored
This patch resolves a build error in Trusted Firmware when `ARCH=aarch32` and LOG_LEVEL >= 50. Change-Id: I62a23ded4a25304533cdcc5ff11442aee041709b
-
- 22 Aug, 2016 1 commit
-
-
Yatharth Kochar authored
This patch removes the tight loop that calls `plat_report_exception` in unhandled exceptions in AArch64 state. The new behaviour is to call the `plat_report_exception` only once followed by call to `plat_panic_handler`. This allows platforms to take platform-specific action when there is an unhandled exception, instead of always spinning in a tight loop. Note: This is a subtle break in behaviour for platforms that expect `plat_report_exception` to be continuously executed when there is an unhandled exception. Change-Id: Ie2453804b9b7caf9b010ee73e1a90eeb8384e4e8
-
- 17 Aug, 2016 1 commit
-
-
Dan Handley authored
At the end of successful image authentication in load_auth_image(), the data cache for the virtual address range corresponding to the image is invalidated (by a call to inv_dcache_range()). The intent seems to be to ensure the data caches do not contain any sensitive data used during authentication, which subsequent code can read. However, this same address range is already flushed (cleaned and invalidated by a call to flush_dcache_range()) at the end of load_image(), and the subsequent invalidate has no functional effect. This patch removes the redundant call to inv_dcache_range(). It also moves the flush_dcache_range() call from the end of load_image() to the end of load_auth_image(), so the image data will remain in the caches during authentication, improving performance. This also improves the comments that explain the rationale for calling flush_dcache_range() after image loading/authentication. Change-Id: I14f17ad2935075ef6f3d1327361c5088bfb2d284
-
- 10 Aug, 2016 3 commits
-
-
Soby Mathew authored
This patch adds an API in runtime service framework to invoke the registered handler corresponding to the SMC function identifier. This is helpful for AArch32 because the number of arguments required by the handler is more than registers available as per AArch32 program calling conventions and requires the use of stack. Hence this new API will do the necessary argument setup and invoke the appropriate handler. Although this API is primarily intended for AArch32, it can be used for AArch64 as well. Change-Id: Iefa15947fe5a1df55b0859886e677446a0fd7241
-
Soby Mathew authored
The tf_printf library uses 64 bit division to print numbers in appropriate formats but AArch32 mode cannot do 64 bit division natively. Hence this patch adds additional number printing routines to handle AArch32 mode in tf_printf library. The decimal format printing capability is limited to 32 bit integers whereas 64 bits are supported in hexadecimal format. The library assumes that secure world is running in Little-Endian mode to do bit manipulations on 64 bit. Suitable assertions are present to enforce this assumption. Change-Id: I55a21e448cef4915d1834d76e48a84ccf0bec36d
-
Soby Mathew authored
This patch adds various assembly helpers for AArch32 like : * cache management : Functions to flush, invalidate and clean cache by MVA. Also helpers to do cache operations by set-way are also added. * stack management: Macros to declare stack and get the current stack corresponding to current CPU. * Misc: Macros to access co processor registers in AArch32, macros to define functions in assembly, assert macros, generic `do_panic()` implementation and function to zero block of memory. Change-Id: I7b78ca3f922c0eda39beb9786b7150e9193425be
-
- 26 Jul, 2016 1 commit
-
-
Soby Mathew authored
This patch improves the debug assertion for runtime svc number - Remove useless comparison ensuring that the number of descriptors is a positive number. The variable is an unsigned integer so can't be negative. - Check that the end address of the descriptors is sane relative to the start address. Change-Id: Iea7be6b34e33b8b1cbd394eb923cc834ea964831
-
- 25 Jul, 2016 3 commits
-
-
Sandrine Bailleux authored
This patch adds some runtime checks to prevent some potential pointer overflow issues in the is_mem_free() function. The overflow could happen in the case where the end addresses, computed as the sum of a base address and a size, results in a value large enough to wrap around. This, in turn, could lead to unpredictable behaviour. If such an overflow is detected, the is_mem_free() function will now declare the memory region as not free. The overflow is detected using a new macro, called check_uptr_overflow(). This patch also modifies all other places in the 'bl_common.c' file where an end address was computed as the sum of a base address and a size and instead keeps the two values separate. This avoids the need to handle pointer overflows everywhere. The code doesn't actually need to compute any end address before the is_mem_free() function is called other than to print information message to the serial output. This patch also introduces 2 slight changes to the reserve_mem() function: - It fixes the end addresses passed to choose_mem_pos(). It was incorrectly passing (base + size) instead of (base + size - 1). - When the requested allocation size is 0, the function now exits straight away and says so using a warning message. Previously, it used to actually reserve some memory. A zero-byte allocation was not considered as a special case so the function was using the same top/bottom allocation mechanism as for any other allocation. As a result, the smallest area of memory starting from the requested base address within the free region was reserved. Change-Id: I0e695f961e24e56ffe000718014e0496dc6e1ec6
-
Sandrine Bailleux authored
- Added some debug assertions checking that the runtime services indexes computed by get_unique_oen() are sane. - Do not print the name of the service when its descriptor is invalid. If the descriptor is corrupted then its name field could be corrupted as well and we would end up reading an arbitrary amount of invalid memory. Change-Id: I16f61065277d01fe1555d5a9cf743f7b52ccaa60
-
Sandrine Bailleux authored
Light refactoring of the code in runtime_svc.c file. - Declare validate_rt_svc_desc()'s argument as const. - Remove 'goto' path in runtime_svc_init(). It was used in one place only. - Improve code readability by declaring a local variable holding the service pointer. Change-Id: I3b15c5adb9f37b786b5b993a9be70ea9dd017a83
-
- 18 Jul, 2016 2 commits
-
-
Soby Mathew authored
This patch moves the PSCI services and BL31 frameworks like context management and per-cpu data into new library components `PSCI` and `el3_runtime` respectively. This enables PSCI to be built independently from BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant PSCI library sources and gets included by `bl31.mk`. Other changes which are done as part of this patch are: * The runtime services framework is now moved to the `common/` folder to enable reuse. * The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture specific folder. * The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder to `plat/common` folder. The original file location now has a stub which just includes the file from new location to maintain platform compatibility. Most of the changes wouldn't affect platform builds as they just involve changes to the generic bl1.mk and bl31.mk makefiles. NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION. Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
-
Soby Mathew authored
This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
-
- 07 Jun, 2016 1 commit
-
-
Sandrine Bailleux authored
- Fix the function documentation. Since commit 16948ae1, load_image() uses image IDs rather than image names. - Clarify the consequences of a null entry point argument. - Slightly reorganize the code to remove an unnecessary 'if' statement. Change-Id: Iebea3149a37f23d3b847a37a206ed23f7e8ec717
-
- 03 Jun, 2016 1 commit
-
-
Soby Mathew authored
The system registers that are saved and restored in CPU context include AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ, DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an AArch64-only (i.e. on hardware that does not implement AArch32, or at least not at EL1 and higher ELs) platform leads to an exception. This patch introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to include these AArch32 systems registers in the cpu context or not. By default this build option is set to 1 to ensure compatibility. AArch64-only platforms must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to verify this. Fixes ARM-software/tf-issues#386 Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
-
- 26 May, 2016 1 commit
-
-
Sandrine Bailleux authored
This patch introduces some assembler macros to simplify the declaration of the exception vectors. It abstracts the section the exception code is put into as well as the alignments constraints mandated by the ARMv8 architecture. For all TF images, the exception code has been updated to make use of these macros. This patch also updates some invalid comments in the exception vector code. Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
-
- 18 Apr, 2016 1 commit
-
-
Soren Brinkmann authored
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
-
- 13 Apr, 2016 1 commit
-
-
Soby Mathew authored
The AArch32 long descriptor format and the AArch64 descriptor format correspond to each other which allows possible sharing of xlat_tables library code between AArch64 and AArch32. This patch refactors the xlat_tables library code to seperate the common functionality from architecture specific code. Prior to this patch, all of the xlat_tables library code were in `lib/aarch64/xlat_tables.c` file. The refactored code is now in `lib/xlat_tables/` directory. The AArch64 specific programming for xlat_tables is in `lib/xlat_tables/aarch64/xlat_tables.c` and the rest of the code common to AArch64 and AArch32 is in `lib/xlat_tables/xlat_tables_common.c`. Also the data types used in xlat_tables library APIs are reworked to make it compatible between AArch64 and AArch32. The `lib/aarch64/xlat_tables.c` file now includes the new xlat_tables library files to retain compatibility for existing platform ports. The macros related to xlat_tables library are also moved from `include/lib/aarch64/arch.h` to the header `include/lib/xlat_tables.h`. NOTE: THE `lib/aarch64/xlat_tables.c` FILE IS DEPRECATED AND PLATFORM PORTS ARE EXPECTED TO INCLUDE THE NEW XLAT_TABLES LIBRARY FILES IN THEIR MAKEFILES. Change-Id: I3d17217d24aaf3a05a4685d642a31d4d56255a0f
-
- 07 Apr, 2016 1 commit
-
-
Soby Mathew authored
This patch adds support to differentiate between `long` and `long long` format specifiers in tf_printf(). In AArch64, they are the same which is a 64-bit word. But, in AArch32 they are different and tf_printf() needs to handle these format specifiers separately. This patch also fixes the type of variables used to generic C types. Change-Id: If3bbb0245cd0183acbe13bc1fe0d9743f417578f
-
- 30 Mar, 2016 1 commit
-
-
Gerald Lejeune authored
Asynchronous abort exceptions generated by the platform during cold boot are not taken in EL3 unless SCR_EL3.EA is set. Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture initialisation. Further write accesses to SCR_EL3 preserve these bits during cold boot. A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions being trapped by EL3 after cold boot or not. For further reference SError Interrupts are also known as asynchronous external aborts. On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in EL3 whatever the SCR_EL3.EA value is. Fixes arm-software/tf-issues#368 Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
-
- 23 Mar, 2016 1 commit
-
-
Scott Branden authored
Add support for %z format specific in tf_printf() to support printing data of type size_t Fixes ARM-software/tf-issues#380 Signed-off-by Scott Branden <scott.branden@broadcom.com>
-
- 14 Mar, 2016 1 commit
-
-
Antonio Nino Diaz authored
Added a new platform porting function plat_panic_handler, to allow platforms to handle unexpected error situations. It must be implemented in assembly as it may be called before the C environment is initialized. A default implementation is provided, which simply spins. Corrected all dead loops in generic code to call this function instead. This includes the dead loop that occurs at the end of the call to panic(). All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have been removed. Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
-
- 18 Feb, 2016 1 commit
-
-
Antonio Nino Diaz authored
This patch adds support for the `%p` format specifier in tf_printf() following the example of the printf implementation of the stdlib used in the trusted firmware. Fixes ARM-software/tf-issues#292 Change-Id: I0b3230c783f735d3e039be25a9405f00023420da
-
- 21 Dec, 2015 1 commit
-
-
Sandrine Bailleux authored
Change-Id: I6f49bd779f2a4d577c6443dd160290656cdbc59b
-
- 14 Dec, 2015 1 commit
-
-
Juan Castillo authored
This patch removes the dash character from the image name, to follow the image terminology in the Trusted Firmware Wiki page: https://github.com/ARM-software/arm-trusted-firmware/wiki Changes apply to output messages, comments and documentation. non-ARM platform files have been left unmodified. Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
-
- 09 Dec, 2015 1 commit
-
-
Yatharth Kochar authored
The upcoming Firmware Update feature needs transitioning across Secure/Normal worlds to complete the FWU process and hence requires context management code to perform this task. Currently context management code is part of BL31 stage only. This patch moves the code from (include)/bl31 to (include)/common. Some function declarations/definitions and macros have also moved to different files to help code sharing. Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
-
- 02 Nov, 2015 2 commits
-
-
Juan Castillo authored
Patch 7e26fe1f deprecates IO specific return definitions in favour of standard errno codes. This patch removes those definitions and its usage from the IO framework, IO drivers and IO platform layer. Following this patch, standard errno codes must be used when checking the return value of an IO function. Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
-
Sandrine Bailleux authored
This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
-
- 23 Oct, 2015 1 commit
-
-
Juan Castillo authored
This patch replaces custom definitions used as return values for the load_auth_image() function with standard error codes defined in errno.h. The custom definitions have been removed. It also replaces the usage of IO framework error custom definitions, which have been deprecated. Standard errno definitions are used instead. Change-Id: I1228477346d3876151c05b470d9669c37fd231be
-
- 02 Sep, 2015 1 commit
-
-
Vikram Kanigiri authored
BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to run in secure world otherwise BL3-1/BL3-2 have to execute from non-secure memory. Hence, This patch removes the change_security_state() call in bl1_run_bl2() and replaces it with an assert to confirm the BL2 as secure. Fixes ARM-software/tf-issues#314 Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
-
- 20 Aug, 2015 1 commit
-
-
Juan Castillo authored
BL3-2 image (Secure Payload) is optional. If the image cannot be loaded a warning message is printed and the boot process continues. According to the TBBR document, this behaviour should not apply in case of an authentication error, where the boot process should be aborted. This patch modifies the load_auth_image() function to distinguish between a load error and an authentication error. The caller uses the return value to abort the boot process or continue. In case of authentication error, the memory region used to store the image is wiped clean. Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
-
- 25 Jun, 2015 2 commits
-
-
Juan Castillo authored
After updating the main authentication module to use the transport and crypto modules and the CoT description, the PolarSSL authentication module is no longer required. This patch deletes it. Change-Id: I8ba1e13fc1cc7b2fa9df14ff59eb798f0460b878
-
Juan Castillo authored
This patch modifies the Trusted Board Boot implementation to use the new authentication framework, making use of the authentication module, the cryto module and the image parser module to authenticate the images in the Chain of Trust. A new function 'load_auth_image()' has been implemented. When TBB is enabled, this function will call the authentication module to authenticate parent images following the CoT up to the root of trust to finally load and authenticate the requested image. The platform is responsible for picking up the right makefiles to build the corresponding cryptographic and image parser libraries. ARM platforms use the mbedTLS based libraries. The platform may also specify what key algorithm should be used to sign the certificates. This is done by declaring the 'KEY_ALG' variable in the platform makefile. FVP and Juno use ECDSA keys. On ARM platforms, BL2 and BL1-RW regions have been increased 4KB each to accommodate the ECDSA code. REMOVED BUILD OPTIONS: * 'AUTH_MOD' Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
-