- 10 Feb, 2020 1 commit
-
-
Achin Gupta authored
This patch adds a rudimentary SPM dispatcher component in EL3. It does the following: - Consumes the TOS_FW_CONFIG to determine properties of the SPM core component - Initialises the SPM core component which resides in the BL32 image - Implements a handler for SPCI calls from either security state. Some basic validation is done for each call but in most cases it is simply forwarded as-is to the "other" security state. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: I7d116814557f7255f4f4ebb797d1619d4fbab590
-
- 22 Jan, 2020 1 commit
-
-
Anthony Steinhauser authored
Even though ERET always causes a jump to another address, aarch64 CPUs speculatively execute following instructions as if the ERET instruction was not a jump instruction. The speculative execution does not cross privilege-levels (to the jump target as one would expect), but it continues on the kernel privilege level as if the ERET instruction did not change the control flow - thus execution anything that is accidentally linked after the ERET instruction. Later, the results of this speculative execution are always architecturally discarded, however they can leak data using microarchitectural side channels. This speculative execution is very reliable (seems to be unconditional) and it manages to complete even relatively performance-heavy operations (e.g. multiple dependent fetches from uncached memory). This was fixed in Linux, FreeBSD, OpenBSD and Optee OS: https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8 https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61 https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2 https://github.com/OP-TEE/optee_os/commit/abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a It is demonstrated in a SafeSide example: https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cc https://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c Signed-off-by: Anthony Steinhauser <asteinhauser@google.com> Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
-
- 20 Dec, 2019 10 commits
-
-
Paul Beesley authored
Change-Id: I2bab67f319758dd033aa689d985227cad796cdea Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Change-Id: I851be04fc5de8a95ea11270996f8ca33f0fccadb Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Change-Id: I575188885ebed8c5f0682ac6e0e7dd159155727f Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Change-Id: Ie47009158032c2e8f35febd7bf5458156f334ead Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Change-Id: Idcd2a35cd2b30d77a7ca031f7e0172814bdb8cab Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
The contents of this header have been merged into the spm_mm_svc.h header file. Change-Id: I01530b2e4ec1b4c091ce339758025e2216e740a4 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Change-Id: I91c192924433226b54d33e57d56d146c1c6df81b Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
Before adding any new SPM-related components we should first do some cleanup around the existing SPM-MM implementation. The aim is to make sure that any SPM-MM components have names that clearly indicate that they are MM-related. Otherwise, when adding new SPM code, it could quickly become confusing as it would be unclear to which component the code belongs. The secure_partition.h header is a clear example of this, as the name is generic so it could easily apply to any SPM-related code, when it is in fact SPM-MM specific. This patch renames the file and the two structures defined within it, and then modifies any references in files that use the header. Change-Id: I44bd95fab774c358178b3e81262a16da500fda26 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
The Secure Partition Manager (SPM) prototype implementation is being removed. This is preparatory work for putting in place a dispatcher component that, in turn, enables partition managers at S-EL2 / S-EL1. This patch removes: - The core service files (std_svc/spm) - The Resource Descriptor headers (include/services) - SPRT protocol support and service definitions - SPCI protocol support and service definitions Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426 Signed-off-by: Paul Beesley <paul.beesley@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
Paul Beesley authored
There are two different implementations of Secure Partition management in TF-A. One is based on the "Management Mode" (MM) design, the other is based on the Secure Partition Client Interface (SPCI) specification. Currently there is a dependency between their build flags that shouldn't exist, making further development harder than it should be. This patch removes that dependency, making the two flags function independently. Before: ENABLE_SPM=1 is required for using either implementation. By default, the SPCI-based implementation is enabled and this is overridden if SPM_MM=1. After: ENABLE_SPM=1 enables the SPCI-based implementation. SPM_MM=1 enables the MM-based implementation. The two build flags are mutually exclusive. Note that the name of the ENABLE_SPM flag remains a bit ambiguous - this will be improved in a subsequent patch. For this patch the intention was to leave the name as-is so that it is easier to track the changes that were made. Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 19 Nov, 2019 1 commit
-
-
Justin Chadwell authored
Variable shadowing is, according to the C standard, permitted and valid behaviour. However, allowing a local variable to take the same name as a global one can cause confusion and can make refactoring and bug hunting more difficult. This patch moves -Wshadow from WARNING2 into the general warning group so it is always used. It also fixes all warnings that this introduces by simply renaming the local variable to a new name Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 06 Aug, 2019 1 commit
-
-
Justin Chadwell authored
All other returns from this function unlock the responses_lock, so we also should release the lock in this case. Change-Id: Ie2cfa8755723fed79e809f9480190d11f373a217 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 05 Aug, 2019 1 commit
-
-
Sumit Garg authored
Enable dispatcher to save/restore unbanked timer registers. So that both secure (OP-TEE) and non-secure (Linux) worlds can have independent access control over timer registers. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I4d58d5ff8298587ed478c8433fcbc3aef538d668
-
- 01 Aug, 2019 2 commits
-
-
Julius Werner authored
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
Julius Werner authored
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__. All common C compilers predefine a macro called __ASSEMBLER__ when preprocessing a .S file. There is no reason for TF-A to define it's own __ASSEMBLY__ macro for this purpose instead. To unify code with the export headers (which use __ASSEMBLER__ to avoid one extra dependency), let's deprecate __ASSEMBLY__ and switch the code base over to the predefined standard. Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 10 Jul, 2019 1 commit
-
-
John Tsichritzis authored
The project has been renamed from "Arm Trusted Firmware (ATF)" to "Trusted Firmware-A (TF-A)" long ago. A few references to the old project name that still remained in various places have now been removed. This change doesn't affect any platform files. Any "ATF" references inside platform files, still remain. Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 09 Apr, 2019 1 commit
-
-
Paul Beesley authored
The spm_sp_get_by_uuid() function is used to look up the secure partition that provides a given service. Within this function, memcmp() is used to compare the service UUIDs but it uses the size of the rdsvc->uuid pointer instead of the size of its content (missing dereference). This means that only a partial comparison is performed as UUIDs are 128 bits in length and rdsvc->uuid is a uint32_t typed pointer. Instead, use the size of the array pointed to by the svc_uuid parameter, which will be the full 128 bits, for the comparison. Change-Id: I258fb0cca3bf19f97b8f2a4c133981647cd050e4 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 03 Apr, 2019 4 commits
-
-
Ambroise Vincent authored
Now it is needed to use the full path of the common header files. Commit 09d40e0e ("Sanitise includes across codebase") provides more information. Change-Id: Ifedc79d9f664d208ba565f5736612a3edd94c647 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
Antonio Nino Diaz authored
Rather than using a fixed virtual address space size, read all regions in the resource description of each partition and restrict the virtual address space size to the one the partition actually needs. This also allows SPM to take advantage of the extension ARMv8.4-TTST if the virtual address space size is small enough. Change-Id: I8646aa95e659136b58b44b040364cdee631f7e82 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Right now the virtual address space is fixed to PLAT_VIRT_ADDR_SPACE_SIZE, so all base translation tables are the same size and need the same alignment. The current code allocates the exact space needed by this initial table. However, a following patch is going to allow each partition to choose the size of its address space based on the memory regions defined in their resource description, so it isn't possible to determine this at build time. As this optimization no longer applies, it has to be removed. Change-Id: Ia8d19f4981e1017e4ffe0ba136de73d701044cb0 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
This gives each Secure Partition complete freedom on its address space. Previously, the memory used by the exception vectors was reserved and couldn't be used. Also, it always had to be mapped, forcing SPM to generate translation tables that included the exception vectors as well as the Partition memory regions. With this change, partitions can reduce their address space size easily. Change-Id: I67fb5e9bdf2870b73347f23bff702fab0a8f8711 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 02 Apr, 2019 1 commit
-
-
Antonio Nino Diaz authored
Instead of letting the code run until another error is reached, return early. Change-Id: I6277a8c65101d3e39b0540099c2a3063584a7dbd Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 01 Apr, 2019 3 commits
-
-
Ambroise Vincent authored
Fix variable shadowing warnings and prevent code duplication. Change-Id: Idb29cc95d6b6943bc012d7bd430afa0e4a7cbf8c Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
Ambroise Vincent authored
Improved support for W=2 compilation flag by solving some nested-extern and sign-compare warnings. The libraries are compiling with warnings (which turn into errors with the Werror flag). Outside of libraries, some warnings cannot be fixed. Change-Id: I06b1923857f2a6a50e93d62d0274915b268cef05 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
Ambroise Vincent authored
Improved support for W=1 compilation flag by solving missing-prototypes and old-style-definition warnings. The libraries are compiling with warnings (which turn into errors with the Werror flag). Outside of libraries, some warnings cannot be fixed without heavy structural changes. Change-Id: I1668cf99123ac4195c2a6a1d48945f7a64c67f16 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
-
- 04 Mar, 2019 1 commit
-
-
Dimitris Papastamos authored
SSBS support is determined by checking ID_AA64PFR1_EL1 and not ID_AA64PFR0_EL1. Fixes ARM-Software/tf-issues#679 Change-Id: I8ecba13b850995ec6a6ede3c2a1e02e69a3a95db Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
-
- 27 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
The GIC definitions used in this file have to be provided by the platform but platform_def.h wasn't included. Change-Id: I858cdf7e60c50577c8e798d64ec2cbc4f067f33b Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 14 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
Since commit 01fc1c24 ("BL31: Use helper function to save registers in SMC handler") all the general-purpose registers are saved when entering EL3. It isn't needed to save them here. Change-Id: Ic540a5441b89b70888da587ab8fc3b2508cef8cc Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 12 Feb, 2019 2 commits
-
-
Antonio Nino Diaz authored
Rather than letting the Trusty makefile set the option to enable dynamic translation tables, make platforms do it themselves. This also allows platforms to replace the implementation of the translation tables library as long as they use the same function prototypes. Change-Id: Ia60904f61709ac323addcb57f7a83391d9e21cd0 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Commit 09d40e0e ("Sanitise includes across codebase") modified the include paths of the TSP includes but it didn't remove the include path from the makefile or did the same for TLK. This patch does the remaining work. Change-Id: Iecee2e88fabcd06989d35568c3a4c1f4e7d93572 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 08 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
Instead of having a custom implementation of setjmp() and longjmp() it is better to follow the C standard. The comments in setjmp.h are no longer needed as there are no deviations from the expected one, so they have been removed. All SDEI code that relied on them has been fixed to use the new function prototypes and structs. Change-Id: I6cd2e21cb5a5bcf81ba12283f2e4c067bd5172ca Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
Trusty requires dynamic translation tables support, so the makefile of Trusty itself should request it. Not doing so causes platforms such as FVP to fail to build with Trusty. Other platforms like Tegra still build because they use dynamic translation tables by default. Change-Id: Id67d3b9e1f7d0547fa81e81cefa3faf1e0e6f876 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 05 Feb, 2019 1 commit
-
-
Varun Wadekar authored
This patch dynamically maps the first page of trusty's code memory, before accessing it to find out if we are running a 32-bit or 64-bit image. On Tegra platforms, this means we have to increase the mappings to accomodate the new memmap entry. Change-Id: If370d1e6cfcccd69b260134c1b462d8d17bee03d Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
- 31 Jan, 2019 3 commits
-
-
Stephen Wolfe authored
During System Suspend, the entire system loses its state. To allow Trusty to save/restore its context and allow its TAs to participate in the suspend process, it needs to look at the max affinity level being suspended. This patch passes the max affinity level to Trusty to enable to do so. Change-Id: If7838dae10c3f5a694baedb15ec56fbad41f2b36 Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
-
Mihir Joshi authored
c_rt_ctx is used to store current SP before the system goes into suspend. The assert for its value being zero is not really necessary as the value gets over-written eventually. This patch removes assert(tlk_ctx->c_rt_ctx == 0) from the System Suspend path, as a result. Change-Id: If41f15e74ebbbfd82958d8e179114899b2ffb0a7 Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
-
Mihir Joshi authored
This patch adds support to handle following TLK SMCs: {TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST} These SMCs need to be supported in ATF in order to forward them to TLK. Otherwise, these functionalities won't work. Brief: TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to set up secure storage buffers. TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to pass NS memory ranges to TLK. TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass Verified Boot parameters to TLK. Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc Reviewed-on: https://git-master.nvidia.com/r/1643851 Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
-
- 30 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
This reverts commit 2f370465 ("Add support for the SMC Calling Convention 2.0"). SMCCC v2.0 is no longer required for SPM, and won't be needed in the future. Removing it makes the SMC handling code less complicated. The SPM implementation based on SPCI and SPRT was using it, but it has been adapted to SMCCC v1.0. Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 24 Jan, 2019 1 commit
-
-
David Lin authored
When an unknown Trusty image is found, there's no point of still trying to register the BL32 init handler. Instead, we just should bail out of the trusty_setup() and allow the system to continue to boot. Signed-off-by: David Lin <dtwlin@google.com>
-