1. 13 Mar, 2018 1 commit
  2. 29 Jan, 2018 1 commit
  3. 18 Jan, 2018 1 commit
  4. 03 Jan, 2018 1 commit
  5. 15 Nov, 2017 1 commit
    • David Cunado's avatar
      Move FPEXC32_EL2 to FP Context · 91089f36
      David Cunado authored
      
      
      The FPEXC32_EL2 register controls SIMD and FP functionality when the
      lower ELs are executing in AArch32 mode. It is architecturally mapped
      to AArch32 system register FPEXC.
      
      This patch removes FPEXC32_EL2 register from the System Register context
      and adds it to the floating-point context. EL3 only saves / restores the
      floating-point context if the build option CTX_INCLUDE_FPREGS is set to 1.
      
      The rationale for this change is that if the Secure world is using FP
      functionality and EL3 is not managing the FP context, then the Secure
      world will save / restore the appropriate FP registers.
      
      NOTE - this is a break in behaviour in the unlikely case that
      CTX_INCLUDE_FPREGS is set to 0 and the platform contains an AArch32
      Secure Payload that modifies FPEXC, but does not save and restore
      this register
      
      Change-Id: Iab80abcbfe302752d52b323b4abcc334b585c184
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      91089f36
  6. 08 Nov, 2017 1 commit
    • Etienne Carriere's avatar
      ARMv7 target is driven by ARM_ARCH_MAJOR==7 · 26e63c44
      Etienne Carriere authored
      
      
      External build environment shall sets directive ARM_ARCH_MAJOR to 7
      to specify a target ARMv7-A core.
      
      As ARM-TF expects AARCH to be set, ARM_ARCH_MAJOR==7 mandates
      AARCH=aarch32.
      
      The toolchain target architecture/cpu is delegated after the platform
      configuration is parsed. Platform shall define target core through
      ARM_CORTEX_A<x>=yes, <x> being 5, 7, 9, 12, 15 and/or 17.
      
      Platform can bypass ARM_CORTEX_A<x>=yes directive and provide straight
      the toolchain target directive through MARCH32_DIRECTIVE.
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      26e63c44
  7. 31 Oct, 2017 1 commit
  8. 23 Oct, 2017 2 commits
  9. 16 Oct, 2017 2 commits
    • Jeenu Viswambharan's avatar
      GIC: Allow specifying interrupt properties · c639e8eb
      Jeenu Viswambharan authored
      
      
      The GIC driver initialization currently allows an array of interrupts to
      be configured as secure. Future use cases would require more interrupt
      configuration other than just security, such as priority.
      
      This patch introduces a new interrupt property array as part of both
      GICv2 and GICv3 driver data. The platform can populate the array with
      interrupt numbers and respective properties. The corresponding driver
      initialization iterates through the array, and applies interrupt
      configuration as required.
      
      This capability, and the current way of supplying array (or arrays, in
      case of GICv3) of secure interrupts, are however mutually exclusive.
      Henceforth, the platform should supply either:
      
        - A list of interrupts to be mapped as secure (the current way).
          Platforms that do this will continue working as they were. With this
          patch, this scheme is deprecated.
      
        - A list of interrupt properties (properties include interrupt group).
          Individual interrupt properties are specified via. descriptors of
          type 'interrupt_prop_desc_t', which can be populated with the macro
          INTR_PROP_DESC().
      
      A run time assert checks that the platform doesn't specify both.
      
      Henceforth the old scheme of providing list of secure interrupts is
      deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
      that the interrupt properties are supplied instead of an array of secure
      interrupts.
      
      Add a section to firmware design about configuring secure interrupts.
      
      Fixes ARM-software/tf-issues#262
      
      Change-Id: I8eec29e72eb69dbb6bce77879febf32c95376942
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      c639e8eb
    • Qixiang Xu's avatar
      docs: Update Trusted Board Boot Requirements document number · 67b66903
      Qixiang Xu authored
      
      
      Update DEN0006B-5(2013) to DEN0006C-1(2015)
      
      Change-Id: I753a14214dde827d004fd04c47b5ba112df38d73
      Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
      67b66903
  10. 13 Oct, 2017 1 commit
  11. 24 Aug, 2017 2 commits
    • Isla Mitchell's avatar
      Enable CnP bit for ARMv8.2 CPUs · 9fce2725
      Isla Mitchell authored
      
      
      This patch enables the CnP (Common not Private) bit for secure page
      tables so that multiple PEs in the same Inner Shareable domain can use
      the same translation table entries for a given stage of translation in
      a particular translation regime. This only takes effect when ARM
      Trusted Firmware is built with ARM_ARCH_MINOR >= 2.
      
      ARM Trusted Firmware Design has been updated to include a description
      of this feature usage.
      
      Change-Id: I698305f047400119aa1900d34c65368022e410b8
      Signed-off-by: default avatarIsla Mitchell <isla.mitchell@arm.com>
      9fce2725
    • Jeenu Viswambharan's avatar
      firmware-design.rst: Fix formatting · 579b4adb
      Jeenu Viswambharan authored
      
      
      The format conversion wrongly formatted a couple of sections. These were
      also missing from the Table of Contents.
      
      Change-Id: I324216c27e7b4711e6cc5e25782f4b53842140cc
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      579b4adb
  12. 23 Aug, 2017 1 commit
  13. 08 Aug, 2017 1 commit
  14. 29 Jun, 2017 3 commits
  15. 28 Jun, 2017 1 commit
  16. 21 Jun, 2017 1 commit
    • David Cunado's avatar
      Fully initialise essential control registers · 18f2efd6
      David Cunado authored
      
      
      This patch updates the el3_arch_init_common macro so that it fully
      initialises essential control registers rather then relying on hardware
      to set the reset values.
      
      The context management functions are also updated to fully initialise
      the appropriate control registers when initialising the non-secure and
      secure context structures and when preparing to leave EL3 for a lower
      EL.
      
      This gives better alignement with the ARM ARM which states that software
      must initialise RES0 and RES1 fields with 0 / 1.
      
      This patch also corrects the following typos:
      
      "NASCR definitions" -> "NSACR definitions"
      
      Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      18f2efd6
  17. 02 Jun, 2017 1 commit
  18. 26 Apr, 2017 1 commit
  19. 20 Mar, 2017 1 commit
  20. 14 Feb, 2017 1 commit
    • Jeenu Viswambharan's avatar
      Introduce locking primitives using CAS instruction · c877b414
      Jeenu Viswambharan authored
      
      
      The ARMv8v.1 architecture extension has introduced support for far
      atomics, which includes compare-and-swap. Compare and Swap instruction
      is only available for AArch64.
      
      Introduce build options to choose the architecture versions to target
      ARM Trusted Firmware:
      
        - ARM_ARCH_MAJOR: selects the major version of target ARM
          Architecture. Default value is 8.
      
        - ARM_ARCH_MINOR: selects the minor version of target ARM
          Architecture. Default value is 0.
      
      When:
      
        (ARM_ARCH_MAJOR > 8) || ((ARM_ARCH_MAJOR == 8) && (ARM_ARCH_MINOR >= 1)),
      
      for AArch64, Compare and Swap instruction is used to implement spin
      locks. Otherwise, the implementation falls back to using
      load-/store-exclusive instructions.
      
      Update user guide, and introduce a section in Firmware Design guide to
      summarize support for features introduced in ARMv8 Architecture
      Extensions.
      
      Change-Id: I73096a0039502f7aef9ec6ab3ae36680da033f16
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      c877b414
  21. 06 Feb, 2017 1 commit
    • Douglas Raillard's avatar
      Introduce unified API to zero memory · 308d359b
      Douglas Raillard authored
      
      
      Introduce zeromem_dczva function on AArch64 that can handle unaligned
      addresses and make use of DC ZVA instruction to zero a whole block at a
      time. This zeroing takes place directly in the cache to speed it up
      without doing external memory access.
      
      Remove the zeromem16 function on AArch64 and replace it with an alias to
      zeromem. This zeromem16 function is now deprecated.
      
      Remove the 16-bytes alignment constraint on __BSS_START__ in
      firmware-design.md as it is now not mandatory anymore (it used to comply
      with zeromem16 requirements).
      
      Change the 16-bytes alignment constraints in SP min's linker script to a
      8-bytes alignment constraint as the AArch32 zeromem implementation is now
      more efficient on 8-bytes aligned addresses.
      
      Introduce zero_normalmem and zeromem helpers in platform agnostic header
      that are implemented this way:
      * AArch32:
      	* zero_normalmem: zero using usual data access
      	* zeromem: alias for zero_normalmem
      * AArch64:
      	* zero_normalmem: zero normal memory  using DC ZVA instruction
      	                  (needs MMU enabled)
      	* zeromem: zero using usual data access
      
      Usage guidelines: in most cases, zero_normalmem should be preferred.
      
      There are 2 scenarios where zeromem (or memset) must be used instead:
      * Code that must run with MMU disabled (which means all memory is
        considered device memory for data accesses).
      * Code that fills device memory with null bytes.
      
      Optionally, the following rule can be applied if performance is
      important:
      * Code zeroing small areas (few bytes) that are not secrets should use
        memset to take advantage of compiler optimizations.
      
        Note: Code zeroing security-related critical information should use
        zero_normalmem/zeromem instead of memset to avoid removal by
        compilers' optimizations in some cases or misbehaving versions of GCC.
      
      Fixes ARM-software/tf-issues#408
      
      Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      308d359b
  22. 30 Jan, 2017 1 commit
    • Jeenu Viswambharan's avatar
      Report errata workaround status to console · 10bcd761
      Jeenu Viswambharan authored
      
      
      The errata reporting policy is as follows:
      
        - If an errata workaround is enabled:
      
          - If it applies (i.e. the CPU is affected by the errata), an INFO
            message is printed, confirming that the errata workaround has been
            applied.
      
          - If it does not apply, a VERBOSE message is printed, confirming
            that the errata workaround has been skipped.
      
        - If an errata workaround is not enabled, but would have applied had
          it been, a WARN message is printed, alerting that errata workaround
          is missing.
      
      The CPU errata messages are printed by both BL1 (primary CPU only) and
      runtime firmware on debug builds, once for each CPU/errata combination.
      
      Relevant output from Juno r1 console when ARM Trusted Firmware is built
      with PLAT=juno LOG_LEVEL=50 DEBUG=1:
      
        VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied
        VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied
        INFO:    BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied
        WARNING: BL1: cortex_a57: errata workaround for 826974 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 826977 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 828024 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 829520 was missing!
        WARNING: BL1: cortex_a57: errata workaround for 833471 was missing!
        ...
        VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied
        VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied
        INFO:    BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied
        WARNING: BL31: cortex_a57: errata workaround for 826974 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 826977 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 828024 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 829520 was missing!
        WARNING: BL31: cortex_a57: errata workaround for 833471 was missing!
        ...
        VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied
        INFO:    BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied
      
      Also update documentation.
      
      Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      10bcd761
  23. 15 Dec, 2016 1 commit
    • Jeenu Viswambharan's avatar
      Add provision to extend CPU operations at more levels · 5dd9dbb5
      Jeenu Viswambharan authored
      
      
      Various CPU drivers in ARM Trusted Firmware register functions to handle
      power-down operations. At present, separate functions are registered to
      power down individual cores and clusters.
      
      This scheme operates on the basis of core and cluster, and doesn't cater
      for extending the hierarchy for power-down operations. For example,
      future CPUs might support multiple threads which might need powering
      down individually.
      
      This patch therefore reworks the CPU operations framework to allow for
      registering power down handlers on specific level basis. Henceforth:
      
        - Generic code invokes CPU power down operations by the level
          required.
      
        - CPU drivers explicitly mention CPU_NO_RESET_FUNC when the CPU has no
          reset function.
      
        - CPU drivers register power down handlers as a list: a mandatory
          handler for level 0, and optional handlers for higher levels.
      
      All existing CPU drivers are adapted to the new CPU operations framework
      without needing any functional changes within.
      
      Also update firmware design guide.
      
      Change-Id: I1826842d37a9e60a9e85fdcee7b4b8f6bc1ad043
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      5dd9dbb5
  24. 14 Nov, 2016 1 commit
  25. 12 Oct, 2016 1 commit
  26. 11 Oct, 2016 1 commit
  27. 28 Sep, 2016 1 commit
    • Soby Mathew's avatar
      Docs: Add the PSCI library integration guide · 9e534b20
      Soby Mathew authored
      This patch adds the PSCI library integration guide for AArch32 ARMv8-A
      systems `psci-lib-integration-guide.md` to the documentation. The
      patch also adds appropriate reference to the new document in
      the `firmware-design.md` document.
      
      Change-Id: I2d5b5c6b612452371713399702e318e3c73a8ee0
      9e534b20
  28. 15 Sep, 2016 1 commit
    • Jeenu Viswambharan's avatar
      PSCI: Add support for PSCI NODE_HW_STATE API · 28d3d614
      Jeenu Viswambharan authored
      This patch adds support for NODE_HW_STATE PSCI API by introducing a new
      PSCI platform hook (get_node_hw_state). The implementation validates
      supplied arguments, and then invokes this platform-defined hook and
      returns its result to the caller. PSCI capabilities are updated
      accordingly.
      
      Also updates porting and firmware design guides.
      
      Change-Id: I808e55bdf0c157002a7c104b875779fe50a68a30
      28d3d614
  29. 29 Jul, 2016 1 commit
    • dp-arm's avatar
      Replace fip_create with fiptool · 819281ee
      dp-arm authored
      fiptool provides a more consistent and intuitive interface compared to
      the fip_create program.  It serves as a better base to build on more
      features in the future.
      
      fiptool supports various subcommands.  Below are the currently
      supported subcommands:
      
      1) info   - List the images contained in a FIP file.
      2) create - Create a new FIP file with the given images.
      3) update - Update an existing FIP with the given images.
      4) unpack - Extract a selected set or all the images from a FIP file.
      5) remove - Remove images from a FIP file.  This is a new command that
         was not present in fip_create.
      
      To create a new FIP file, replace "fip_create" with "fiptool create".
      
      To update a FIP file, replace "fip_create" with "fiptool update".
      
      To dump the contents of a FIP file, replace "fip_create --dump" with
      "fiptool info".
      
      A compatibility script that emulates the basic functionality of
      fip_create is provided.  Existing scripts might or might not work with
      the compatibility script.  Users are strongly encouraged to migrate to
      fiptool.
      
      Fixes ARM-Software/tf-issues#87
      Fixes ARM-Software/tf-issues#108
      Fixes ARM-Software/tf-issues#361
      
      Change-Id: I7ee4da7ac60179cc83cf46af890fd8bc61a53330
      819281ee
  30. 28 Jul, 2016 1 commit
  31. 18 Jul, 2016 1 commit
    • Soby Mathew's avatar
      Introduce `el3_runtime` and `PSCI` libraries · 532ed618
      Soby Mathew authored
      This patch moves the PSCI services and BL31 frameworks like context
      management and per-cpu data into new library components `PSCI` and
      `el3_runtime` respectively. This enables PSCI to be built independently from
      BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
      PSCI library sources and gets included by `bl31.mk`. Other changes which
      are done as part of this patch are:
      
      * The runtime services framework is now moved to the `common/` folder to
        enable reuse.
      * The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
        specific folder.
      * The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
        to `plat/common` folder. The original file location now has a stub which
        just includes the file from new location to maintain platform compatibility.
      
      Most of the changes wouldn't affect platform builds as they just involve
      changes to the generic bl1.mk and bl31.mk makefiles.
      
      NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
      THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
      MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
      
      Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
      532ed618
  32. 08 Jul, 2016 2 commits
    • Sandrine Bailleux's avatar
      Introduce SEPARATE_CODE_AND_RODATA build flag · 5d1c104f
      Sandrine Bailleux authored
      At the moment, all BL images share a similar memory layout: they start
      with their code section, followed by their read-only data section.
      The two sections are contiguous in memory. Therefore, the end of the
      code section and the beginning of the read-only data one might share
      a memory page. This forces both to be mapped with the same memory
      attributes. As the code needs to be executable, this means that the
      read-only data stored on the same memory page as the code are
      executable as well. This could potentially be exploited as part of
      a security attack.
      
      This patch introduces a new build flag called
      SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
      on separate memory pages. This in turn allows independent control of
      the access permissions for the code and read-only data.
      
      This has an impact on memory footprint, as padding bytes need to be
      introduced between the code and read-only data to ensure the
      segragation of the two. To limit the memory cost, the memory layout
      of the read-only section has been changed in this case.
      
       - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
         the read-only section still looks like this (padding omitted):
      
         |        ...        |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script provides the limits of the whole
         read-only section.
      
       - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
         read-only data are swapped, such that the code and exception
         vectors are contiguous, followed by the read-only data. This
         gives the following new layout (padding omitted):
      
         |        ...        |
         +-------------------+
         |  Read-only data   |
         +-------------------+
         | Exception vectors |
         +-------------------+
         |       Code        |
         +-------------------+ BLx_BASE
      
         In this case, the linker script now exports 2 sets of addresses
         instead: the limits of the code and the limits of the read-only
         data. Refer to the Firmware Design guide for more details. This
         provides platform code with a finer-grained view of the image
         layout and allows it to map these 2 regions with the appropriate
         access permissions.
      
      Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
      
      Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
      5d1c104f
    • Sandrine Bailleux's avatar
      BL1: Add linker symbol identifying end of ROM content · c02fcc4a
      Sandrine Bailleux authored
      This patch adds a new linker symbol in BL1's linker script named
      '__BL1_ROM_END__', which marks the end of BL1's ROM content. This
      covers BL1's code, read-only data and read-write data to relocate
      in Trusted SRAM. The address of this new linker symbol is exported
      to C code through the 'BL1_ROM_END' macro.
      
      The section related to linker symbols in the Firmware Design guide
      has been updated and improved.
      
      Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
      c02fcc4a
  33. 16 Jun, 2016 1 commit
    • Yatharth Kochar's avatar
      Add optional PSCI STAT residency & count functions · 170fb93d
      Yatharth Kochar authored
      This patch adds following optional PSCI STAT functions:
      
      - PSCI_STAT_RESIDENCY: This call returns the amount of time spent
        in power_state in microseconds, by the node represented by the
        `target_cpu` and the highest level of `power_state`.
      
      - PSCI_STAT_COUNT: This call returns the number of times a
        `power_state` has been used by the node represented by the
        `target_cpu` and the highest power level of `power_state`.
      
      These APIs provides residency statistics for power states that has
      been used by the platform. They are implemented according to v1.0
      of the PSCI specification.
      
      By default this optional feature is disabled in the PSCI
      implementation. To enable it, set the boolean flag
      `ENABLE_PSCI_STAT` to 1. This also sets `ENABLE_PMF` to 1.
      
      Change-Id: Ie62e9d37d6d416ccb1813acd7f616d1ddd3e8aff
      170fb93d
  34. 07 Apr, 2016 1 commit
    • Soby Mathew's avatar
      Enable SCR_EL3.SIF bit · 99e58f9e
      Soby Mathew authored
      This patch enables the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and
      BL31 common architectural setup code. When in secure state, this disables
      instruction fetches from Non-secure memory.
      
      NOTE: THIS COULD BREAK PLATFORMS THAT HAVE SECURE WORLD CODE EXECUTING FROM
      NON-SECURE MEMORY, BUT THIS IS CONSIDERED UNLIKELY AND IS A SERIOUS SECURITY
      RISK.
      
      Fixes ARM-Software/tf-issues#372
      
      Change-Id: I684e84b8d523c3b246e9a5fabfa085b6405df319
      99e58f9e