GitLab

The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.

This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
   * When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
   * When BL2_AT_EL3=1 for BL2

The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.

Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

SGI-575's NSRAM is neither in the same place nor the same size as Juno's.

Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>

Previously mem_protect used to be only supported from BL2. This is not
helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates
mem_protect from el3_runtime firmware on ARM Platforms specifically
when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent
in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap
tables temporarily and then the protected regions are then cleared. This
avoids the need to map the non secure DRAM permanently to BL31/sp_min.

The stack size is also increased, because DYNAMIC_XLAT_TABLES require
a bigger stack.

Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Add TZMP1 support on Juno and increase the BL2 size accordingly due to the
extra data structures to describe the TZC regions and the additional code.
Signed-off-by: Summer Qin <summer.qin@arm.com>

This patch allows the ARM Platforms to specify the TZC regions to be
specified to the ARM TZC helpers in arm_tzc400.c and arm_tzc_dmc500.c.
If the regions are not specified then the default TZC region will be
configured by these helpers.

This override mechanism allows specifying special regions for TZMP1
usecase.
Signed-off-by: Summer Qin <summer.qin@arm.com>

Building TBBR(SPD=opteed) and non-TBBR TF-A images is breaking for
Juno for different configurations listed below:

* Overflow error of 4096 bytes for rsa algorithm.
* Overflow error of 8192 bytes for ecdsa algorithm.
* Overflow error of 4096 bytes for rsa+ecdsa algorithm.
* Overflow error of 4096 bytes for non-TBBR case.

So this patch increments macro PLAT_ARM_MAX_BL2_SIZE for all the above
cases accordingly.

Change-Id: I75ec6c0a718181d34553fe55437f0496f467683f
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>

Previously, Juno used to depend on the SSC_GPRETN register to inform
about the reset syndrome. This method was removed when SCP migrated
to the SDS framework. But even the SDS framework doesn't report the
reset syndrome correctly and hence Juno failed to enter Firmware
update mode if BL2 authentication failed.

In addition to that, the error code populated in V2M_SYS_NVFLAGS register
does not seem to be retained any more on Juno across resets. This could
be down to the motherboard firmware not doing the necessary to preserve
the value.

Hence this patch modifies the Juno platform to use the same mechanism to
trigger firmware update as FVP which is to corrupt the FIP TOC on
authentication failure. The implementation in `fvp_err.c` is made common
for ARM platforms and is moved to the new `arm_err.c` file in
plat/arm/common folder. The BL1 and BL2 mmap table entries for Juno
are modified to allow write to the Flash memory address.

Change-Id: Ica7d49a3e8a46a90efd4cf340f19fda3b549e945
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Rule 8.4: A compatible declaration shall be visible when
          an object or function with external linkage is defined

Fixed for:
	make DEBUG=1 PLAT=juno LOG_LEVEL=50 all

Change-Id: Ic8f611da734f356566e8208053296e6c62b54709
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

The SCP binaries provided in the 17.10 Linaro release (and onwards)
have migrated to the SCMI/SDS protocols. Therefore, the ARM TF should
now use the corresponding drivers by default.

This patch changes the default value of the CSS_USE_SCMI_SDS_DRIVER
build option to 1 for Juno.

Change-Id: Idb7e3c6af582f49e332167a2158703c2d781b437
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

The patch adds the necessary changes to load HW_CONFIG in BL2 for
ARM Platforms :

1. The load address of HW_CONFIG is specified via the `hw_config_addr`
property in TB_FW_CONFIG is loaded by BL1. The `hw_config_max_size`
property defines the maximum size to be expected for the HW_CONFIG.
The `arm_dyn_cfg_helpers.c` and corresponding header implements
utility functions to parse these DT properties defined.
The `arm_dyn_cfg.c` implements wrappers to these helpers to enable
them to be invoked from ARM platform layer.

2. `HW_CONFIG` is added to the `bl2_mem_params_descs[]` array which is
the list of images to be loaded by BL2.

3. The `libfdt` sources are now included when BL2 is built

4. A new helper `populate_next_bl_params_config()` is introduced in
desc_image_load.c to populate the subsequent executable BL images
with the `hw_config` and the corresponding `fw_config` if available.
The `plat_get_next_bl_params()` API for ARM platforms is modified to
invoke this new helper.

5. The implementation of `bl2_early_platform_setup2()` is modified to
consider `arg0` as well in addition to `arg1` passed from BL1.

6. Bump up the BL2 size for Juno to accommodate the inclusion of libfdt.

Change-Id: I80f1554adec41753e0d179a5237364f04fe13a3f
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

With this patch, ARM platforms are expected to define the macros
PLAT_ARM_SDEI_PRIVATE_EVENTS and PLAT_ARM_SDEI_SHARED_EVENTS as a list
of private and shared events, respectively. This allows for individual
platforms to define their own events.

Change-Id: I66851fdcbff83fd9568c2777ade9eb12df284b49
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Pre-v8.2 platforms such as the Juno platform does not have
the Scalable Vector Extensions implemented and so the build
option ENABLE_SVE is set to zero.

This has a minor performance improvement with no functional
impact.

Change-Id: Ib072735db7a0247406f8b60e325b7e28b1e04ad1
Signed-off-by: David Cunado <david.cunado@arm.com>

The bl2_early_platform_setup() and bl2_platform_setup() were
redefined for Juno AArch32 eventhough CSS platform layer had
same definition for them. The CSS definitions definitions were
previously restricted to EL3_PAYLOAD_BASE builds and this is now
modified to include the Juno AArch32 builds as well thus
allowing us to remove the duplicate definitions in Juno platform
layer.

Change-Id: Ibd1d8c1428cc1d51ac0ba90f19f5208ff3278ab5
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch fixes a couple of issues for AArch32 builds on ARM reference
platforms :

1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
   AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
   the BL31 memory is empty when built for AArch32. Hence this patch allocates
   BL32 to the memory region occupied by BL31 for AArch32 builds.

   As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
   be used to control the load address of BL32 in AArch32 mode which was
   never the intention of the macro anyway.

2. A static assert is added to sp_min linker script to check that the progbits
   are within the bounds expected when overlaid with other images.

3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
   involved when building Juno for AArch32 mode, the build option SPD needed to
   specifed. This patch corrects this and also updates the documentation in the
   user-guide.

4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
   a result the previous assumption that BL31 must be always present is removed
   and the certificates for BL31 is only generated if `NEED_BL31` is defined.

Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

For Trusted Board Boot, BL2 needs more space to support the ECDSA
and ECDSA+RSA algorithms.

Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

An earlier patch added provision for the platform to provide secure
interrupt properties. ARM platforms already has a list of interrupts
that fall into different secure groups.

This patch defines macros that enumerate interrupt properties in the
same fashion, and points the driver driver data to a list of interrupt
properties rather than list of secure interrupts on ARM platforms.  The
deprecated interrupt list definitions are however retained to support
legacy builds.

Configuration applied to individual interrupts remain unchanged, so no
runtime behaviour change expected.

NOTE: Platforms that use the arm/common function
plat_arm_gic_driver_init() must replace their PLAT_ARM_G1S_IRQS and
PLAT_ARM_G0_IRQS macro definitions with PLAT_ARM_G1S_IRQ_PROPS and
PLAT_ARM_G0_IRQ_PROPS macros respectively, using the provided
INTR_PROP_DESC macro.

Change-Id: I24d643b83e3333753a3ba97d4b6fb71e16bb0952
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

On ARM platforms, the maximum size of the address space is limited
to 32-bits as defined in arm_def.h. In order to access DRAM2, which
is defined beyond the 32-bit address space, the maximum address space
is increased to 36-bits in AArch64. It is possible to increase the
virtual space for AArch32, but it is more difficult and not supported
for now.

NOTE - the actual maximum memory address space is platform dependent
and is checked at run-time by querying the PARange field in the
ID_AA64MMFR0_EL1 register.

Change-Id: I6cb05c78a63b1fed96db9a9773faca04a5b93d67
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

mem_protect needs some kind of non-volatile memory because it has
to remember its state across reset and power down events.
The most suitable electronic part for this feature is a NVRAM
which should be only accesible from the secure world. Juno and
FVP lack such hardware and for this reason the MEM_PROTECT
functionality is implemented with Flash EEPROM memory on both
boards, even though this memory is accesible from the non-secure
world. This is done only to show a full implementation of
these PSCI features, but an actual system shouldn't use a
non-secure NVRAM to implement it.

The EL3 runtime software will write the mem_protect flag and BL2
will read and clear the memory ranges if enabled. It is done in
BL2 because it reduces the time that TF needs access to the full
non-secure memory.

The memory layout of both boards is defined using macros which
take different values in Juno and FVP platforms. Generic platform
helpers are added that use the platform specific macros to generate
a mem_region_t that is valid for the platform.

Change-Id: I2c6818ac091a2966fa07a52c5ddf8f6fde4941e9
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

    - fixed compile error when KEY_ALG=ecdsa
    - add new option ecdsa for TF_MBEDTLS_KEY_ALG
    - add new option devel_ecdsa for ARM_ROTPK_LOCATION
    - add ecdsa key at plat/arm/board/common/rotpk/
    - reduce the mbedtls heap memory size to 13k

Change-Id: I3f7a6170af93fdbaaa7bf2fffb4680a9f6113c13
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

For Trusted Board Boot, BL1 RW section and BL2 need more space to
support the ECDSA algorithm. Specifically, PLAT_ARM_MAX_BL1_RW_SIZE
is increased on ARM platforms.

And on the Juno platform:
    - BL2 size, PLAT_ARM_MAX_BL2_SIZE is increased.
    - SCP_BL2 is loaded into the space defined by BL31_BASE ->
      BL31_RW_BASE. In order to maintain the same size space for
      SCP_BL2,PLAT_ARM_MAX_BL31_SIZE is increased.

Change-Id: I379083f918b40ab1c765da4e71780d89f0058040
Co-Authored-By: David Cunado <david.cunado@arm.com>
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

Earlier patches added errata workarounds 859972 for Cortex-A72, and
859972 for Cortex-A57 CPUs. Explicitly disable the workaround for Juno.

Also reorganize errata workaround flags.

No functional changes.

Change-Id: I3fe3745de57d77e5bf52012826d3969fe5d4844e
Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

This patch does the required changes to enable CSS platforms
to build and use the SDS framework. Since SDS is always coupled with
SCMI protocol, the preexisting SCMI build flag is now renamed to
`CSS_USE_SCMI_SDS_DRIVER` which will enable both SCMI and SDS on
CSS platforms. Also some of the workarounds applied for SCMI are
now removed with SDS in place.

Change-Id: I94e8b93f05e3fe95e475c5501c25bec052588a9c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch factors out common files required for sp_min for all CSS
platforms from the JUNO specific makefile to a the new `css_sp_min.mk`
makefile. This also allows the common build options that affect CSS
platforms to be configured in a central makefile for sp_min.

Change-Id: Ida952d8833b1aa5eda77ae0a6664a4632aeab24c
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

plat_get_my_entrypoint was branching to juno_do_reset_to_aarch_32_state,
which is not supposed to return, and in case of returning it implemented
an infinite loop. The problem was that plat_get_my_entrypoint was using
"b" instead of "bl", so juno_do_reset_to_aarch_32_state was returning to
the caller of plat_get_my_entrypoint instead of stop the system with a
panic.

To avoid this problem juno_do_reset_to_aarch_32_state was modified to
call directly to plat_panic_handler if it tries to return.

Change-Id: I591cf2dd78d27d8568fb15b91366e4b3dce027b5
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

This patch fixes the PLAT_LOG_LEVEL_ASSERT to 40 which corresponds
to LOG_LEVEL_INFO. Having this level of log for assertions means that the
`assert()` will not generate the strings implied in the expression taken
as parameter. This allows to save some memory when Juno is built for
LOG_LEVEL = LOG_LEVEL_VERBOSE and DEBUG = 1.

Fixes ARM-software/tf-issues#511

Change-Id: Id84a40f803ab07a5a8f6e587167af96694a07d04
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Trusted OS may have extra images to be loaded. Load them one by one
and do the parsing. In this patch, ARM TF need to load up to 3 images
for optee os: header, pager and paged images. Header image is the info
about optee os and images. Pager image include pager code and data.
Paged image include the paging parts using virtual memory.

Change-Id: Ia3bcfa6d8a3ed7850deb5729654daca7b00be394
Signed-off-by: Summer Qin <summer.qin@arm.com>

Recent patches to reduce the memory footprint of BL images have
resulted in saving several pages of memory. This patch reduces
the BL2 size limit by 20KB for Juno when ARM_BOARD_OPTIMISE_MEM=1
so that more free space can be freed up for Trusted OS (BL32). Also
SCP_BL2/SCP_BL2U size is now restricted to 80K.

Change-Id: I1573d7a34e24d15e4abce8a14da40dbb5dc81e37
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This fix modifies the order of #includes in ARM standard platforms
to meet the ARM TF coding standard.

Change-Id: Ide19aad6233babda4eea2d17d49e523645fed1b2
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>

This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:

* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
  the CryptoCell crypto driver for Trusted Board boot.

* The TrustZone filter settings for Non Secure DRAM is modified
  to allow CryptoCell to read this memory. This is required to
  authenticate BL33 which is loaded into the Non Secure DDR.

* The CSS platforms are modified to use coherent stacks in BL1 and BL2
  when CryptoCell crypto is selected. This is because CryptoCell makes
  use of DMA to transfer data and the CryptoCell SBROM library allocates
  buffers on the stack during signature/hash verification.

Change-Id: I1e6f6dcd1899784f1edeabfa2a9f279bbfb90e31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

On Juno AArch32, the L2 cache may contain garbage after the warm reset
from AArch64 to AArch32.  This is all fine until the MMU is configured
and the data caches enabled.  To avoid fetching stale data from the L2
unified cache, invalidate it before the warm reset to AArch32 state.

Change-Id: I7d27e810692c02c3e83c9f31de67f6bae59a960a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Before BL2 loads the SCP ram firmware, `SCP_BOOT_CFG_ADDR` specifies
the primary core.  After the SCP ram firmware has started executing,
`SCP_BOOT_CFG_ADDR` is modified.  This is not normally an issue but
the Juno AArch32 boot flow is a special case.  BL1 does a warm reset
into AArch32 and the core jumps to the `sp_min` entrypoint.  This is
effectively a `RESET_TO_SP_MIN` configuration.  `sp_min` has to be
able to determine the primary core and hence we need to restore
`SCP_BOOT_CFG_ADDR` to the cold boot value before `sp_min` runs.

This magically worked when booting on A53 because the core index was
zero and it just so happened to match with the new value in
`SCP_BOOT_CFG_ADDR`.

Change-Id: I105425c680cf6238948625c1d1017b01d3517c01
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

These errata are only applicable to AArch64 state. See the errata notice
for more details:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html



Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
Enable both of them for Juno.

Apply the 835769 workaround as following:
* Compile with -mfix-cortex-a53-835769
* Link with --fix-cortex-a53-835769

Apply the 843419 workaround as following:
* Link with --fix-cortex-a53-843419

The erratum 843419 workaround can lead the linker to create new sections
suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
linker to create new "*.stub" sections with no particular alignment.

Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
architecture-specific linker options.

Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Commit 6de8b24f

 broke Juno AArch32
build.

Change-Id: Ied70d9becb86e53ccb46a2e3245e2a551d1bf701
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

This patch makes all the defines in the CPU libraries unique,
by prefixing them with the CPU name.

NOTE: PLATFORMS USING THESE MACROS WILL HAVE TO UPDATE THEIR CODE
TO START USING THE UPDATED NAMES
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This patch adds the memory map region for the SCMI payload memory
and maps the Juno core indices to SCMI power domains via the
`plat_css_core_pos_to_scmi_dmn_id_map` array.

Change-Id: I0d2bb2a719ff5b6a9d8e22e91e1625ab14453665
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

The header tbbr_oid.h contains OIDs obtained by ARM Ltd.
so there is no good reason to use platform_oid.h
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Platforms aligned with TBBR are supposed to use their own OIDs, but
defining the same macros with different OIDs does not provide any
value (at least technically).

For easier use of TBBR, this commit allows platforms to reuse the OIDs
obtained by ARM Ltd.  This will be useful for non-ARM vendors that
do not need their own extension fields in their certificate files.

The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h

Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
backward compatibility.

For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

The commit abd2aba9

 introduced a
regression to the AArch32 sp_min Juno build. This patch fixes that.

Change-Id: I4b141717684d6aee60c761ea17f23170aa6708c3
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/



Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

utils.h is included in various header files for the defines in it.
Some of the other header files only contain defines.  This allows the
header files to be shared between host and target builds for shared defines.

Recently types.h has been included in utils.h as well as some function
prototypes.

Because of the inclusion of types.h conflicts exist building host tools
abd these header files now.  To solve this problem,
move the defines to utils_def.h and have this included by utils.h and
change header files to only include utils_def.h and not pick up the new
types.h being introduced.

Fixes ARM-software/tf-issues#461
Signed-off-by: Scott Branden <scott.branden@broadcom.com>

Remove utils_def.h from utils.h

This patch removes utils_def.h from utils.h as it is not required.
And also makes a minor change to ensure Juno platform compiles.

Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29