Skip to content

GitLab

Switch branch/tag
  1. 06 Mar, 2020 1 commit
  3. 10 Feb, 2020 1 commit
  5. 07 Feb, 2020 2 commits
  7. 05 Feb, 2020 1 commit
  9. 03 Feb, 2020 1 commit
  11. 22 Jan, 2020 1 commit
  13. 14 Nov, 2019 1 commit
    • Sandrine Bailleux's avatar
      Refactor load_auth_image_internal(). · 9e7d6631
      Sandrine Bailleux authored 
      

The pre-processor directives make it hard to read the non-TBB version of
this function. Refactor the code to improve readability. No functional
change introduced.

In particular, introduce a new helper function load_image_flush(),
that simply loads an image and flushes it out to main memory. This is
the only thing load_auth_image_internal() needs to do when TBB is
disabled or when authentication is dynamically disabled.

In other cases, we need to recursively authenticate the parent images up
to the root of trust. To make this clearer, this code gets moved to a
TBB-specific helper function called load_auth_image_recursive().

As a result, load_auth_image_internal() now boils down to calling the
right helper function (depending on TBB enablement and dynamic
authentication status).

Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890
Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      9e7d6631
  15. 25 Sep, 2019 2 commits
    • Andre Przywara's avatar
      FDT helper functions: Respect architecture in PSCI function IDs · 66799507
      Andre Przywara authored 
      

PSCI uses different function IDs for CPU_SUSPEND and CPU_ON, depending on
the architecture used (AArch64 or AArch32).
For recent PSCI versions the client will determine the right version,
but for PSCI v0.1 we need to put some ID in the DT node. At the moment
we always add the 64-bit IDs, which is not correct if TF-A is built for
AArch32.

Use the function IDs matching the TF-A build architecture, for the two
IDs where this differs. This only affects legacy OSes using PSCI v0.1.

On the way remove the sys_poweroff and sys_reset properties, which were
never described in the official PSCI DT binding.

Change-Id: If77bc6daec215faeb2dc67112e765aacafd17f33
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      66799507
    • Andre Przywara's avatar
      FDT helper functions: Add function documentation · 6eaf928d
      Andre Przywara authored 
      

Since we moved some functions that amend a DT blob in memory to common
code, let's add proper function documentation.
This covers the three exported functions in common/fdt_fixup.c.

Change-Id: I67d7d27344e62172c789d308662f78d54903cf57
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      6eaf928d
  17. 13 Sep, 2019 3 commits
    • Andre Przywara's avatar
      Add fdt_add_reserved_memory() helper function · 3ef45dda
      Andre Przywara authored 
      

If a firmware component like TF-A reserves special memory regions for
its own or secure payload services, it should announce the location and
size of those regions to the non-secure world. This will avoid
disappointment when some rich OS tries to acccess this memory, which
will likely end in a crash.

The traditional way of advertising reserved memory using device tree is
using the special memreserve feature of the device tree blob (DTB).
However by definition those regions mentioned there do not prevent the
rich OS to map this memory, which may lead to speculative accesses to
this memory and hence spurious bus errors.

A safer way of carving out memory is to use the /reserved-memory node as
part of the normal DT structure. Besides being easier to setup, this
also defines an explicit "no-map" property to signify the secure-only
nature of certain memory regions, which avoids the rich OS to
accidentally step on it.

Add a helper function to allow platform ports to easily add a region.

Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      3ef45dda
    • Andre Przywara's avatar
      qemu: Move and generalise FDT PSCI fixup · f240728b
      Andre Przywara authored 
      

The QEMU platform port scans its device tree to advertise PSCI as the
CPU enable method. It does this by scanning *every* node in the DT and
check whether its compatible string starts with "arm,cortex-a". Then it
sets the enable-method to PSCI, if it doesn't already have one.

Other platforms might want to use this functionality as well, so let's
move it out of the QEMU platform directory and make it more robust by
fixing some shortcomings:
- A compatible string starting with a certain prefix is not a good way
to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will
match as well and is in turn favoured with an enable-method.
- If the DT already has an enable-method, we won't change this to PSCI.

Those two issues will for instance fail on the Raspberry Pi 4 DT.
To fix those problems, we adjust the scanning method:
The DT spec says that all CPU nodes are subnodes of the mandatory
/cpus node, which is a subnode of the root node. Also each CPU node has
to have a device_type = "cpu" property. So we find the /cpus node, then
scan for a subnode with the proper device_type, forcing the
enable-method to "psci".
We have to restart this search after a property has been patched, as the
node offsets might have changed meanwhile.

This allows this routine to be reused for the Raspberry Pi 4 later.

Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      f240728b
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored 
      

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
  of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
  which returns 128-bit value and uses Generic timer physical counter
  value to increase the randomness of the generated key.
  The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
  generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
  pauth_disable_el1()` and `pauth_disable_el3()` functions disable
  PAuth for EL1 and EL3 respectively;
  `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
  cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
  `save_gp_registers()` and `pauth_context_save()`;
  `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
  and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
  code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
  for 12 uint64_t PAuth registers instead of 10 by removal of macro
  CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
  and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
  in `msr	spsel`  instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  19. 29 Aug, 2019 1 commit
  21. 15 Aug, 2019 1 commit
  23. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored 
      

NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.

All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)

Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
  25. 24 Jul, 2019 1 commit
    • Julius Werner's avatar
      Add helper to parse BL31 parameters (both versions) · d9af1f7b
      Julius Werner authored 
      BL31 used to take a single bl31_params_t parameter structure with entry
point information in arg0. In commit 72600226

 (Add new version of image
loading.) this API was changed to a more flexible linked list approach,
and the old parameter structure was copied into all platforms that still
used the old format. This duplicated code unnecessarily among all these
platforms.

This patch adds a helper function that platforms can optionally link to
outsource the task of interpreting arg0. Many platforms are just
interested in the BL32 and BL33 entry point information anyway. Since
some platforms still need to support the old version 1 parameters, the
helper will support both formats when ERROR_DEPRECATED == 0. This allows
those platforms to drop a bunch of boilerplate code and asynchronously
update their BL2 implementation to the newer format.

Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d9af1f7b
  27. 17 Jul, 2019 1 commit
    • Louis Mayencourt's avatar
      backtrace: Strip PAC field when PAUTH is enabled · b8b31ad0
      Louis Mayencourt authored 
      

When pointer authentication is enabled, the LR value saved on the stack
contains a Pointer Authentication Code (PAC). It must be stripped to
retrieve the return address.

The PAC field is stored on the high bits of the address and defined as:
- PAC field = Xn[54:bottom_PAC_bit], when address tagging is used.
- PAC field = Xn[63:56, 54:bottom_PAC_bit], without address tagging.

With bottom_PAC_bit = 64 - TCR_ELx.TnSZ

Change-Id: I21d804e58200dfeca1da4c2554690bed5d191936
Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      b8b31ad0
  29. 10 Jul, 2019 1 commit
  31. 01 Mar, 2019 1 commit
  33. 27 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored 
      

The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.

This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.

Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
  35. 31 Jan, 2019 1 commit
  37. 30 Jan, 2019 1 commit
  39. 23 Jan, 2019 1 commit
    • Sathees Balya's avatar
      plat/arm: Save BL2 descriptors to reserved memory. · 5b8d50e4
      Sathees Balya authored 
      

On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
descriptors describing the list of executable images are created in BL2
R/W memory, which could be possibly corrupted later on by BL31/BL32 due
to overlay. This patch creates a reserved location in SRAM for these
descriptors and are copied over by BL2 before handing over to next BL
image.

Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
is enabled.

Fixes ARM-Software/tf-issues#626

Change-Id: I755735706fa702024b4032f51ed4895b3687377f
Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      5b8d50e4
  41. 15 Jan, 2019 1 commit
    • Paul Beesley's avatar
      Correct typographical errors · 8aabea33
      Paul Beesley authored 
      

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      8aabea33
  43. 04 Jan, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored 
      Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
  45. 19 Nov, 2018 1 commit
  47. 02 Nov, 2018 2 commits
  49. 04 Oct, 2018 1 commit
  51. 03 Oct, 2018 1 commit
  53. 28 Sep, 2018 1 commit
  55. 11 Sep, 2018 1 commit
    • Junhan Zhou's avatar
      Allow setting log level back to compile time value · 2adb7867
      Junhan Zhou authored 
      

When using the tf_log_set_max_level() function, one can dynamically
set the log level to a value smaller than then compile time specified
one, but not equal. This means that when the log level have been
lowered, it can't be reset to the previous value. This commit modifies
this function to allow setting the log level back to the compile time
value.

Fixes ARM-software/tf-issues#624

Change-Id: Ib157715c8835982ce4977ba67a48e18ff23d5a61
Signed-off-by: default avatarJunhan Zhou <Junhan@mellanox.com>
      2adb7867
  57. 30 Aug, 2018 3 commits
    • Daniel Boulby's avatar
      Remove rt_svc_descs pointer from global scope · e19ea3f2
      Daniel Boulby authored 
      

A pointer to rt_svc_desc_t is defined both in the function
handle_runtime_svc() and globally. Since the value of the
pointer RT_SVC_DESCS_START is defined by the linker and
never changes make this definition local in both
handle_runtime_svc() and runtime_svc_init() to reduce the
number of loads

Change-Id: Iea42c778d8599a26c87700009163b5a8d7d60be2
Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      e19ea3f2
    • Antonio Nino Diaz's avatar
      Fix MISRA defects in log helpers · 5a22e461
      Antonio Nino Diaz authored 
      

No functional changes.

Change-Id: I850f08718abb69d5d58856b0e3de036266d8c2f4
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5a22e461
    • Douglas Raillard's avatar
      backtrace: Introduce backtrace function · 0c62883f
      Douglas Raillard authored 
      

This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.

The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.

The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.

Sample output of a backtrace at EL3:

    BACKTRACE: START: function_name
    0: EL3: 0x798
    1: EL3: 0x538
    2: EL3: 0x550
    3: EL3: 0x55c
    4: EL3: 0x568
    5: EL3: 0x5a8
    6: EL3: 0xf4
    BACKTRACE: END: function_name

In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.

Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      0c62883f
  59. 22 Aug, 2018 2 commits
  61. 10 Aug, 2018 1 commit
  63. 11 Jul, 2018 1 commit
    • Roberto Vargas's avatar
      Add end_vector_entry assembler macro · a9203eda
      Roberto Vargas authored 
      

Check_vector_size checks if the size of the vector fits
in the size reserved for it. This check creates problems in
the Clang assembler. A new macro, end_vector_entry, is added
and check_vector_size is deprecated.

This new macro fills the current exception vector until the next
exception vector. If the size of the current vector is bigger
than 32 instructions then it gives an error.

Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      a9203eda