1. 20 Dec, 2019 2 commits
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  2. 17 Dec, 2019 1 commit
    • Olivier Deprez's avatar
      debugfs: add 9p device interface · 0ca3913d
      Olivier Deprez authored
      
      
      The 9p interface provides abstraction layers allowing the software
      that uses devices to be independent from the hardware.
      
      This patch provides a file system abstraction to link drivers to their
      devices and propose a common interface to expose driver operations to
      higher layers. This file system can be used to access and configure a
      device by doing read/write operations.
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
      0ca3913d
  3. 16 Dec, 2019 1 commit
    • Justin Chadwell's avatar
      Remove -Wpadded warning · 11a96e0e
      Justin Chadwell authored
      
      
      -Wpadded warns whenever the C compiler automatically includes any
      padding in a structure. Because TF-A has a large number of structures,
      this occurs fairly frequently and is incredibly verbose, and as such is
      unlikely to ever be fixed.
      
      The utility of this warning is also extremely limited - knowing that a
      structure includes padding does not point to the existence of an error,
      and is probably quite unlikely to indicate actually buggy behaviour.
      Therefore, it's probably best to keep this warning off at all times.
      
      Change-Id: I0797cb75f06b4fea0d2fdc16fd5ad978a31d76ec
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      11a96e0e
  4. 13 Dec, 2019 1 commit
    • Justin Chadwell's avatar
      Remove -Wmissing-declarations warning from WARNING1 level · 8cca5a79
      Justin Chadwell authored
      
      
      A function declaration declares the name of the function and the type of
      the parameter it returns. A function prototype is a function declaration
      that also specifies the type of the arguments of the function. Essentially,
      a function prototype helps the compiler ensure whether the function call
      matches the return type and the right number/type of arguments of function.
      A function prototype itself serves as a function declaration for new style
      functions.
      The warning flag -wmissing-prototype is good enough to check for missing
      function prototype and is exhaustive compared to -wmissing-declaration,
      therefore  making the later redundant.
      
      Note that, at this point, these flags are part of WARNING1 which is not
      used for TF-A build by default. Several platforms use upstream libraries
      (such as zlib etc) which are in old style c code. After the TF-A build
      process is restructred using CMake framework, we plan to enable WARNING1,
      WARNING2 and WARNING3 incrementally as the new build platform can compile
      each BL binary of a particular platform with set of  unique compilation
      flags.
      
      Change-Id: I9c6bf9da74e0840e4d2624bc12376e199953c213
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      8cca5a79
  5. 04 Dec, 2019 1 commit
    • Samuel Holland's avatar
      Reduce space lost to object alignment · ebd6efae
      Samuel Holland authored
      
      
      Currently, sections within .text/.rodata/.data/.bss are emitted in the
      order they are seen by the linker. This leads to wasted space, when a
      section with a larger alignment follows one with a smaller alignment.
      We can avoid this wasted space by sorting the sections.
      
      To take full advantage of this, we must disable generation of common
      symbols, so "common" data can be sorted along with the rest of .bss.
      
      An example of the improvement, from `make DEBUG=1 PLAT=sun50i_a64 bl31`:
        .text   => no change
        .rodata => 16 bytes saved
        .data   => 11 bytes saved
        .bss    => 576 bytes saved
      
      As a side effect, the addition of `-fno-common` in TF_CFLAGS makes it
      easier to spot bugs in header files.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: I073630a9b0b84e7302a7a500d4bb4b547be01d51
      ebd6efae
  6. 03 Dec, 2019 1 commit
    • Justin Chadwell's avatar
      Remove -Wunused-const-variable warning · 4960ef30
      Justin Chadwell authored
      
      
      -Wunused-const-variable=1 is already included by -Wunused-variable,
      which is part of -Wall. -Wunused-const-variable=2, which is what we have
      been using as part of W=1, warns for unused static const variables in
      headers, which will likely produce a lot of false positives that will
      take a large effort to fix.
      
      Additionally, some of these issues may be caused by different builds of
      TF-A where some features are used in some builds and ignored in others.
      
      Change-Id: Ifa0b16a75344cc1f6240e8d5745005f8f2046d34
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      4960ef30
  7. 02 Dec, 2019 1 commit
    • zelalem-aweke's avatar
      Enable Link Time Optimization in GCC · edbce9aa
      zelalem-aweke authored
      
      
      This patch enables LTO for TF-A when compiled with GCC.
      LTO is disabled by default and is enabled by
      ENABLE_LTO=1 build option.
      
      LTO is enabled only for aarch64 as there seem to be
      a bug in the aarch32 compiler when LTO is enabled.
      
      The changes in the makefiles include:
      - Adding -flto and associated flags to enable LTO.
      - Using gcc as a wrapper at link time instead of ld.
        This is recommended when using LTO as gcc internally
        takes care of invoking the necessary plugins for LTO.
      - Adding switches to pass options to ld.
      - Adding a flag to disable fix for erratum cortex-a53-843419
        unless explicitly enabled. This is needed because GCC
        seem to automatically add the erratum fix when used
        as a wrapper for LD.
      
      Additionally, this patch updates the TF-A user guide with
      the new build option.
      Signed-off-by: default avatarzelalem-aweke <zelalem.aweke@arm.com>
      Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
      edbce9aa
  8. 25 Nov, 2019 1 commit
  9. 19 Nov, 2019 4 commits
    • Justin Chadwell's avatar
      Enable -Wlogical-op always · d7b4cd41
      Justin Chadwell authored
      
      
      -Wlogical-op prevents common errors with using numerical constants where
      a boolean one is expected as well as when the operands of a logical
      operator are the same. While these are perfectly valid behavior, they
      can be a sign that something is slightly off.
      
      This patch adds this warning to gcc and it's closest equivalent to
      clang, while also fixing any warnings that enabling them causes.
      
      Change-Id: Iabadfc1e6ee0c44eef6685a23b0aed8abef8ce89
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      d7b4cd41
    • Justin Chadwell's avatar
      Enable -Wshadow always · b7f6525d
      Justin Chadwell authored
      
      
      Variable shadowing is, according to the C standard, permitted and valid
      behaviour. However, allowing a local variable to take the same name as a
      global one can cause confusion and can make refactoring and bug hunting
      more difficult.
      
      This patch moves -Wshadow from WARNING2 into the general warning group
      so it is always used. It also fixes all warnings that this introduces
      by simply renaming the local variable to a new name
      
      Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      b7f6525d
    • Justin Chadwell's avatar
      Remove unnecessary warning options · b8baa934
      Justin Chadwell authored
      
      
      Both -Wmissing-field-initializers and -Wsign-compare are both covered by
      -Wextra which is enabled at W=1 anyway. Therefore, the explicit options
      are not required.
      
      Change-Id: I2e7d95b5fc14af7c70895859a7ebbeac5bc0d2a4
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      b8baa934
    • Justin Chadwell's avatar
      Refactor the warning flags · 9ab81b5e
      Justin Chadwell authored
      
      
      This patch keeps the same warnings, and simply reorders them to keep all
      the warning options together in one place.
      
      Change-Id: Ibb655dcabc84f3af01a0d7f71f5af7e0479c2521
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9ab81b5e
  10. 15 Oct, 2019 1 commit
  11. 04 Oct, 2019 1 commit
    • Soby Mathew's avatar
      Fix the CAS spinlock implementation · c97cba4e
      Soby Mathew authored
      
      
      Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
      on a platform build option. The CAS-based implementation used to be
      unconditionally selected for all ARM8.1+ platforms.
      
      The previous CAS spinlock implementation had a bug wherein the spin_unlock()
      implementation had an `sev` after `stlr` which is not sufficient. A dsb is
      needed to ensure that the stlr completes prior to the sev. Having a dsb is
      heavyweight and a better solution would be to use load exclusive semantics
      to monitor the lock and wake up from wfe when a store happens to the lock.
      The patch implements the same.
      
      Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      c97cba4e
  12. 12 Sep, 2019 2 commits
  13. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
  14. 09 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      9dd94382
  15. 01 Aug, 2019 2 commits
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8
    • Julius Werner's avatar
      Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__ · d5dfdeb6
      Julius Werner authored
      
      
      NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
      
      All common C compilers predefine a macro called __ASSEMBLER__ when
      preprocessing a .S file. There is no reason for TF-A to define it's own
      __ASSEMBLY__ macro for this purpose instead. To unify code with the
      export headers (which use __ASSEMBLER__ to avoid one extra dependency),
      let's deprecate __ASSEMBLY__ and switch the code base over to the
      predefined standard.
      
      Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      d5dfdeb6
  16. 12 Jul, 2019 1 commit
    • Justin Chadwell's avatar
      Enable -Wshift-overflow=2 to check for undefined shift behavior · 93c690eb
      Justin Chadwell authored
      
      
      The -Wshift-overflow=2 option enables checks for left bit shifts.
      Specifically, the option will warn when the result of a shift will be
      placed into a signed integer and overflow the sign bit there, which
      results in undefined behavior.
      
      To avoid the warnings from these checks, the left operand of a shift can
      be made an unsigned integer by using the U() macro or appending the u
      suffix.
      
      Change-Id: I50c67bedab86a9fdb6c87cfdc3e784f01a22d560
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      93c690eb
  17. 10 Jul, 2019 1 commit
  18. 28 Jun, 2019 1 commit
  19. 24 May, 2019 4 commits
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
    • Ambroise Vincent's avatar
      Makefile: Add default warning flags · 00296576
      Ambroise Vincent authored
      
      
      The flags are taken from the different warning levels of the build
      system when they do not generate any error with the current upstreamed
      platforms.
      
      Change-Id: Ia70cff83bedefb6d2f0dd266394ef77fe47e7f65
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      00296576
    • John Tsichritzis's avatar
      Introduce BTI support in ROMLIB · bbb24f61
      John Tsichritzis authored
      
      
      When TF-A is compiled with BTI enabled, the branches in the ROMLIB
      jumptable must be preceded by a "bti j" instruction.
      
      Moreover, when the additional "bti" instruction is inserted, the
      jumptable entries have a distance of 8 bytes between them instead of 4.
      Hence, the wrappers are also modified accordinly.
      
      If TF-A is compiled without BTI enabled, the ROMLIB jumptable and
      wrappers are generated as before.
      
      Change-Id: Iaa59897668f8e59888d39046233300c2241d8de7
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      bbb24f61
    • John Tsichritzis's avatar
      Beautify "make help" · 7c23126c
      John Tsichritzis authored
      
      
      Changes to make the help text a bit more readable:
      1) The "usage" part is now a one-liner
      2) The supported platforms list is printed separately
      
      Change-Id: I93e48a6cf1d28f0ef9f3db16ce17725e4dff33c9
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      7c23126c
  20. 22 May, 2019 1 commit
  21. 09 May, 2019 1 commit
  22. 03 Apr, 2019 1 commit
  23. 26 Mar, 2019 1 commit
  24. 18 Mar, 2019 1 commit
    • Alexei Fedorov's avatar
      Declare PAuth for Secure world as experimental · 06715f85
      Alexei Fedorov authored
      
      
      Declare ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS
      build options as experimental.
      Pointer Authentication is enabled for Non-secure world
      irrespective of the value of these build flags if the
      CPU supports it.
      The patch also fixes the description of fiptool 'help' command.
      
      Change-Id: I46de3228fbcce774a2624cd387798680d8504c38
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      06715f85
  25. 12 Mar, 2019 2 commits
  26. 11 Mar, 2019 1 commit
  27. 27 Feb, 2019 3 commits
    • Varun Wadekar's avatar
      Tegra: Support for scatterfile for the BL31 image · c2ad38ce
      Varun Wadekar authored
      
      
      This patch provides support for using the scatterfile format as
      the linker script with the 'armlink' linker for Tegra platforms.
      
      In order to enable the scatterfile usage the following changes
      have been made:
      
      * provide mapping for ld.S symbols in bl_common.h
      * include bl_common.h from all the affected files
      * update the makefile rules to use the scatterfile and armlink
        to compile BL31
      * update pubsub.h to add sections to the scatterfile
      
      NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.
      
      Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      c2ad38ce
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored
      
      
      ARMv8.3-PAuth adds functionality that supports address authentication of
      the contents of a register before that register is used as the target of
      an indirect branch, or as a load.
      
      This feature is supported only in AArch64 state.
      
      This feature is mandatory in ARMv8.3 implementations.
      
      This feature adds several registers to EL1. A new option called
      CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
      them during Non-secure <-> Secure world switches. This option must be
      enabled if the hardware has the registers or the values will be leaked
      during world switches.
      
      To prevent leaks, this patch also disables pointer authentication in the
      Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
      be trapped in EL3.
      
      Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
  28. 05 Feb, 2019 1 commit