- 12 Mar, 2020 2 commits
-
-
Max Shvetsov authored
This patch introduces the `SPCI_ID_GET` interface which will return the ID of the calling SPCI component. Returns 0 for requests from the non-secure world and the SPCI component ID as specified in the manifest for secure world requests. Change-Id: Icf81eb1d0e1d7d5c521571e04972b6e2d356e0d1 Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com> Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
-
Madhukar Pappireddy authored
The motivation behind this patch and following patches is to extract information about the platform in runtime rather than depending on compile time macros such as FVP_CLUSTER_COUNT. This partially enables us to use a single binary for a family of platforms which all have similar hardware capabilities but differ in configurations. we populate the data structure describing the power domain hierarchy of the platform dynamically by querying the number of clusters and cpus using fconf getter APIs. Compile time macro such as FVP_CLUSTER_COUNT is still needed as it determines the size of related data structures. Note that the cpu-map node in HW_CONFIG dts represents a logical hierarchy of power domains of CPU. However, in reality, the power domains may not have been physically built in such hierarchy. Change-Id: Ibcbb5ca7b2c969f8ad03ab2eab289725245af7a9 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 11 Mar, 2020 2 commits
-
-
Madhukar Pappireddy authored
Create, register( and implicitly invoke) fconf_populate_topology() function which extracts the topology related properties from dtb into the newly created fconf based configuration structure 'soc_topology'. Appropriate libfdt APIs are added to jmptbl.i file for use with USE_ROMLIB build feature. A new property which describes the power domain levels is added to the HW_CONFIG device tree source files. This patch also fixes a minor bug in the common device tree file fvp-base-gicv3-psci-dynamiq-common.dtsi As this file includes fvp-base-gicv3-psci-common.dtsi, it is necessary to delete all previous cluster node definitons because DynamIQ based models have upto 8 CPUs in each cluster. If not deleted, the final dts would have an inaccurate description of SoC topology, i.e., cluster0 with 8 or more core nodes and cluster1 with 4 core nodes. Change-Id: I9eb406da3ba4732008a66c01afec7c9fa8ef59bf Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
Madhukar Pappireddy authored
Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN. Created few populator() functions which parse HW_CONFIG device tree and registered them with fconf framework. Many of the changes are only applicable for fvp platform. This patch: 1. Adds necessary symbols and sections in BL31, SP_MIN linker script 2. Adds necessary memory map entry for translation in BL31, SP_MIN 3. Creates an abstraction layer for hardware configuration based on fconf framework 4. Adds necessary changes to build flow (makefiles) 5. Minimal callback to read hw_config dtb for capturing properties related to GIC(interrupt-controller node) 6. updates the fconf documentation Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 10 Mar, 2020 1 commit
-
-
Alexei Fedorov authored
This patch provides separation of GICD, GICR accessor functions and adds new macros for GICv3 registers access as a preparation for GICv3.1 and GICv4 support. NOTE: Platforms need to modify to include both 'gicdv3_helpers.c' and 'gicrv3_helpers.c' instead of the single helper file previously. Change-Id: I1641bd6d217d6eb7d1228be3c4177b2d556da60a Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 03 Mar, 2020 2 commits
-
-
Max Shvetsov authored
Added SPMD_SPM_AT_SEL2 build command line parameter. Set to 1 to run SPM at S-EL2. Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled). Removed runtime EL from SPM core manifest. Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0 Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
Manish Pandey authored
Add load address and UUID in fw config dts for Cactus and Ivy which are example SP's in tf-test repository. For prototype purpose these information is added manually but later on it will be updated at compile time from SP layout file and SP manifests provided by platform. Change-Id: I41f485e0245d882c7b514bad41fae34036597ce4 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 25 Feb, 2020 1 commit
-
-
Alexei Fedorov authored
This patch fixes incorrect setting for DEVICE1_SIZE for FVP platforms with more than 8 PEs. The current value of 0x200000 supports only 8 PEs and causes exception for FVP platforms with the greater number of PEs, e.g. FVP_Base_Cortex_A65AEx8 with 16 PEs in one cluster. Change-Id: Ie6391509fe6eeafb8ba779303636cd762e7d21b2 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 24 Feb, 2020 2 commits
-
-
Petre-Ionut Tudor authored
This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
-
Sandrine Bailleux authored
The cookie will be leveraged in the next commit. Change-Id: Ie8bad275d856d84c27466461cf815529dd860446 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 19 Feb, 2020 1 commit
-
-
Suyash Pathak authored
For platforms that have two or more TZC400 controllers instantiated, allow the TZC400 driver to be usable with all those instances. This is achieved by allowing 'arm_tzc400_setup' function to accept the base address of the TZC400 controller. Change-Id: I4add470e6ddb58432cd066145e644112400ab924 Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>
-
- 18 Feb, 2020 3 commits
-
-
Jimmy Brisson authored
Also update copyright statements Change-Id: Iba0305522ac0f2ddc4da99127fd773f340e67300 Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
-
Jimmy Brisson authored
Change-Id: I686fd623b8264c85434853a2a26ecd71e9eeac01 Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
-
Alexei Fedorov authored
When TF-A is built with RESET_TO_BL31=1 option, BL31 is the first image to be run and should have all the memory allocated to it except for the memory reserved for Shared RAM at the start of Trusted SRAM. This patch fixes FVP BL31 load address and its image size for RESET_TO_BL31=1 option. BL31 startup address should be set to 0x400_1000 and its maximum image size to the size of Trusted SRAM minus the first 4KB of shared memory. Loading BL31 at 0x0402_0000 as it is currently stated in '\docs\plat\arm\fvp\index.rst' causes EL3 exception when the image size gets increased (i.e. building with LOG_LEVEL=50) but doesn't exceed 0x3B000 not causing build error. Change-Id: Ie450baaf247f1577112f8d143b24e76c39d33e91 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 10 Feb, 2020 2 commits
-
-
Achin Gupta authored
This patch reserves and maps the Trusted DRAM for SPM core execution. It also configures the TrustZone address space controller to run BL31 in secure DRAM. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: I7e1bb3bbc61a0fec6a9cb595964ff553620c21dc
-
Achin Gupta authored
This patch repurposes the TOS FW configuration file as the manifest for the SPM core component which will reside at the secure EL adjacent to EL3. The SPM dispatcher component will use the manifest to determine how the core component must be initialised. Routines and data structure to parse the manifest have also been added. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb
-
- 07 Feb, 2020 3 commits
-
-
Louis Mayencourt authored
Currently, an IO setup failure will be ignored on arm platform release build. Change this to panic instead. Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
This patch introduces a better separation between the trusted-boot related properties, and the dynamic configuration DTBs loading information. The dynamic configuration DTBs properties are moved to a new node: `dtb-registry`. All the sub-nodes present will be provided to the dynamic config framework to be loaded. The node currently only contains the already defined configuration DTBs, but can be extended for future features if necessary. The dynamic config framework is modified to use the abstraction provided by the fconf framework, instead of directly accessing the DTBs. The trusted-boot properties are kept under the "arm,tb_fw" compatible string, but in a separate `tb_fw-config` node. The `tb_fw-config` property of the `dtb-registry` node simply points to the load address of `fw_config`, as the `tb_fw-config` is currently part of the same DTB. Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 06 Feb, 2020 2 commits
-
-
Max Shvetsov authored
Enables usage of ARM_ROTPK_LOCATION=regs for FVP board. Removes hard-coded developer keys. Instead, setting ARM_ROTPK_LOCATION=devel_* takes keys from default directory. In case of ROT_KEY specified - generates a new hash and replaces the original. Note: Juno board was tested by original feature author and was not tested for this patch since we don't have access to the private key. Juno implementation was moved to board-specific file without changing functionality. It is not known whether byte-swapping is still needed for this platform. Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986 Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
Louis Mayencourt authored
Stack usage reaches 90% with some configuration. Bump slightly the stack size to prevent a stack-overflow. Change-Id: I44ce8b12906586a42f152b7677785fcdc5e78ae1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 04 Feb, 2020 1 commit
-
-
Zelalem authored
This patch removes unnecessary header file includes discovered by Coverity HFA option. Change-Id: I2827c37c1c24866c87db0e206e681900545925d4 Signed-off-by: Zelalem <zelalem.aweke@arm.com>
-
- 03 Feb, 2020 1 commit
-
-
Alexei Fedorov authored
This patch adds 'fdtw_read_bytes' and 'fdtw_write_inplace_bytes' functions for read/write array of bytes from/to a given property. It also adds 'fdt_setprop_inplace_namelen_partial' to jmptbl.i files for builds with USE_ROMLIB=1 option. Change-Id: Ied7b5c8b38a0e21d508aa7bcf5893e656028b14d Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 10 Jan, 2020 2 commits
-
-
Deepika Bhavnani authored
NOTE for platform integrators: API `plat_psci_stat_get_residency()` third argument `last_cpu_idx` is changed from "signed int" to the "unsigned int" type. Issue / Trouble points 1. cpu_idx is used as mix of `unsigned int` and `signed int` in code with typecasting at some places leading to coverity issues. 2. Underlying platform API's return cpu_idx as `unsigned int` and comparison is performed with platform specific defines `PLAFORM_xxx` which is not consistent Misra Rule 10.4: The value of a complex expression of integer type may only be cast to a type that is narrower and of the same signedness as the underlying type of the expression. Based on above points, cpu_idx is kept as `unsigned int` to match the API's and low-level functions and platform defines are updated where ever required Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com> Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
-
Alexei Fedorov authored
This patch removes re-definition of the following FVP build options from plat\arm\board\fvp\fvp_def.h: 'FVP_CLUSTER_COUNT' 'FVP_MAX_CPUS_PER_CLUSTER' 'FVP_MAX_PE_PER_CPU' which are set in platform.mk. This fixes a potential problem when a build option set in platform.mk file can be re-defined in fvp_def.h header file used by other build component with a different makefile which does not set this option. Ref. GENFW-3505. Change-Id: I4288629920516acf2c239c7b733f92a0c5a812ff Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 07 Jan, 2020 1 commit
-
-
Ambroise Vincent authored
The reclaim init code functionality relies on forward reference in the linker script. The LLVM linker does not process it correctly. Change-Id: I993aeb9587bfa07af25b60ed823a6a2c5e970c94 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
-
- 20 Dec, 2019 3 commits
-
-
Paul Beesley authored
Before adding any new SPM-related components we should first do some cleanup around the existing SPM-MM implementation. The aim is to make sure that any SPM-MM components have names that clearly indicate that they are MM-related. Otherwise, when adding new SPM code, it could quickly become confusing as it would be unclear to which component the code belongs. The secure_partition.h header is a clear example of this, as the name is generic so it could easily apply to any SPM-related code, when it is in fact SPM-MM specific. This patch renames the file and the two structures defined within it, and then modifies any references in files that use the header. Change-Id: I44bd95fab774c358178b3e81262a16da500fda26 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
The Secure Partition Manager (SPM) prototype implementation is being removed. This is preparatory work for putting in place a dispatcher component that, in turn, enables partition managers at S-EL2 / S-EL1. This patch removes: - The core service files (std_svc/spm) - The Resource Descriptor headers (include/services) - SPRT protocol support and service definitions - SPCI protocol support and service definitions Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426 Signed-off-by: Paul Beesley <paul.beesley@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
Paul Beesley authored
There are two different implementations of Secure Partition management in TF-A. One is based on the "Management Mode" (MM) design, the other is based on the Secure Partition Client Interface (SPCI) specification. Currently there is a dependency between their build flags that shouldn't exist, making further development harder than it should be. This patch removes that dependency, making the two flags function independently. Before: ENABLE_SPM=1 is required for using either implementation. By default, the SPCI-based implementation is enabled and this is overridden if SPM_MM=1. After: ENABLE_SPM=1 enables the SPCI-based implementation. SPM_MM=1 enables the MM-based implementation. The two build flags are mutually exclusive. Note that the name of the ENABLE_SPM flag remains a bit ambiguous - this will be improved in a subsequent patch. For this patch the intention was to leave the name as-is so that it is easier to track the changes that were made. Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 18 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
Provide an SMC interface to the 9p filesystem. This permits accessing firmware drivers through a common interface, using standardized read/write/control operations. Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Change-Id: I9314662314bb060f6bc02714476574da158b2a7d
-
- 09 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
Previously the .init section was created even when the reclaim flag was manually set to 0. Change-Id: Ia9e7c7997261f54a4eca725d7ea605192f60bcf8 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Zelalem Aweke <zelalem.aweke@arm.com>
-
- 18 Nov, 2019 1 commit
-
-
Louis Mayencourt authored
ROMLIB extract functions code from BL images to put them inside ROM. This has for effect to reduce the size of the BL images. This patch take this size reduction into consideration to optimize the memory layout of BL2. A new "PLAT_ARM_BL2_ROMLIB_OPTIMIZATION" macro is defined and used to reduce "PLAT_ARM_MAX_BL2_SIZE". This allows to remove the gap between BL1 and BL2 when ROMLIB is used and provides more room for BL31. The current memory gain is 0x6000 for fvp and 0x8000 for juno. Change-Id: I71c2c2c63b57bce5b22a125efaefc486ff3e87be Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 15 Nov, 2019 1 commit
-
-
Imre Kis authored
The number of levels in the topology has not changed but the count of processing elements on the lowest layer is now multiplied by the value of FVP_MAX_PE_PER_CPU. Signed-off-by: Imre Kis <imre.kis@arm.com> Change-Id: Ia1568a40ea33dbbbcdfab6c8ab6d19f4db0b8eb4
-
- 07 Nov, 2019 1 commit
-
-
Manish Pandey authored
Earlier PIE support was enabled for all arm platforms when RESET_TO_BL31=1, but later on it was restricted only to FVP with patch SHA d4580d17 because of n1sdp platform. Now it has been verified that PIE does work for n1sdp platform also, so enabling it again for all arm platforms. Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 03 Oct, 2019 1 commit
-
-
Imre Kis authored
Change-Id: I1ea2bf088f1e001cdbd377cbfb7c6a2866af0422 Signed-off-by: Imre Kis <imre.kis@arm.com>
-
- 02 Oct, 2019 1 commit
-
-
Imre Kis authored
Change-Id: I645442d52a295706948e2cac88c36c1a3cb0bc47 Signed-off-by: Imre Kis <imre.kis@arm.com>
-
- 30 Sep, 2019 1 commit
-
-
Artsem Artsemenka authored
Not tested on FVP Model. Change-Id: Iedebc5c1fbc7ea577e94142b7feafa5546f1f4f9 Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
- 26 Sep, 2019 1 commit
-
-
Madhukar Pappireddy authored
This patch invokes the new function gicv3_rdistif_probe() in the ARM platform specific gicv3 driver. Since this API modifies the shared GIC related data structure, it must be invoked coherently by using the platform specific pwr_domain_on_finish_late hook. Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 25 Sep, 2019 1 commit
-
-
Sandrine Bailleux authored
The Fast Models provide a non-volatile counter component, which is used in the Trusted Board Boot implementation to protect against rollback attacks. This component comes in 2 versions (see [1]). - Version 0 is the default and models a locked non-volatile counter, whose value is fixed. - Version 1 of the counter may be incremented in a monotonic fashion. plat_set_nv_ctr() must cope with both versions. This is achieved by: 1) Attempting to write the new value in the counter. 2) Reading the value back. 3) If there is a mismatch, we know the counter upgrade failed. When using version 0 of the counter, no upgrade is possible so the function is expected to fail all the time. However, the code is missing a compiler barrier between the write operation and the next read. Thus, the compiler may optimize and remove the read operation on the basis that the counter value has not changed. With the default optimization level used in TF-A (-Os), this is what's happening. The fix introduced in this patch marks the write and subsequent read accesses to the counter as volatile, such that the compiler makes no assumption about the value of the counter. Note that the comment above plat_set_nv_ctr() was clearly stating that when using the read-only version of the non-volatile counter, "we expect the values in the certificates to always match the RO values so that this function is never called". However, the fact that the counter value was read back seems to contradict this comment, as it is implementing a counter-measure against misuse of the function. The comment has been reworded to avoid any confusion. Without this patch, this bug may be demonstrated on the Base AEM FVP: - Using version 0 of the non-volatile counter (default version). - With certificates embedding a revision number value of 32 (compiling TF-A with TFW_NVCTR_VAL=32). In this configuration, the non-volatile counter is tied to value 31 by default. When BL1 loads the Trusted Boot Firmware certificate, it notices that the two values do not match and tries to upgrade the non-volatile counter. This write operation is expected to fail (because the counter is locked) and the function is expected to return an error but it succeeds instead. As a result, the trusted boot does not abort as soon as it should and incorrectly boots BL2. The boot is finally aborted when BL2 verifies the BL31 image and figures out that the version of the SoC Firmware Key Certificate does not match. On Arm platforms, only certificates signed with the Root-of-Trust Key may trigger an upgrade of the non-volatile Trusted counter. [1] https://developer.arm.com/docs/100964/1160/fast-models-components/peripheral-components/nonvolatilecounter Change-Id: I9979f29c23b47b338b9b484013d1fb86c59db92f Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 11 Sep, 2019 1 commit
-
-
John Tsichritzis authored
Some cores support only AArch64 from EL1 and above, e.g. A76, N1 etc. If TF-A is compiled with CTX_INCLUDE_AARCH32_REGS=0 so as to properly handle those cores, only the AArch64 cores' assembly is included in the TF-A binary. In other words, for FVP, TF-A assumes that AArch64 only cores will never exist in the same cluster with cores that also support AArch32. However, A55 and A75 can be used as AArch64 only cores, despite supporting AArch32, too. This patch enables A55 and A75 to exist in clusters together with AArch64 cores. Change-Id: I58750ad6c3d76ce77eb354784c2a42f2c179031d Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-