- 26 Sep, 2019 2 commits
-
-
Alexei Fedorov authored
This patch changes implementation for disabling Secure Cycle Counter. For ARMv8.5 the counter gets disabled by setting SDCR.SCCD bit on CPU cold/warm boot. For the earlier architectures PMCR register is saved/restored on secure world entry/exit from/to Non-secure state, and cycle counting gets disabled by setting PMCR.DP bit. In 'include\aarch32\arch.h' header file new ARMv8.5-PMU related definitions were added. Change-Id: Ia8845db2ebe8de940d66dff479225a5b879316f8 Signed-off-by:Alexei Fedorov <Alexei.Fedorov@arm.com>
-
Paul Beesley authored
* changes: hikey: fix to load FIP by partition table. hikey960: fix to load FIP by partition table drivers: partition: support different block size
-
- 25 Sep, 2019 3 commits
-
-
Paul Beesley authored
-
Paul Beesley authored
-
Sandrine Bailleux authored
The Fast Models provide a non-volatile counter component, which is used in the Trusted Board Boot implementation to protect against rollback attacks. This component comes in 2 versions (see [1]). - Version 0 is the default and models a locked non-volatile counter, whose value is fixed. - Version 1 of the counter may be incremented in a monotonic fashion. plat_set_nv_ctr() must cope with both versions. This is achieved by: 1) Attempting to write the new value in the counter. 2) Reading the value back. 3) If there is a mismatch, we know the counter upgrade failed. When using version 0 of the counter, no upgrade is possible so the function is expected to fail all the time. However, the code is missing a compiler barrier between the write operation and the next read. Thus, the compiler may optimize and remove the read operation on the basis that the counter value has not changed. With the default optimization level used in TF-A (-Os), this is what's happening. The fix introduced in this patch marks the write and subsequent read accesses to the counter as volatile, such that the compiler makes no assumption about the value of the counter. Note that the comment above plat_set_nv_ctr() was clearly stating that when using the read-only version of the non-volatile counter, "we expect the values in the certificates to always match the RO values so that this function is never called". However, the fact that the counter value was read back seems to contradict this comment, as it is implementing a counter-measure against misuse of the function. The comment has been reworded to avoid any confusion. Without this patch, this bug may be demonstrated on the Base AEM FVP: - Using version 0 of the non-volatile counter (default version). - With certificates embedding a revision number value of 32 (compiling TF-A with TFW_NVCTR_VAL=32). In this configuration, the non-volatile counter is tied to value 31 by default. When BL1 loads the Trusted Boot Firmware certificate, it notices that the two values do not match and tries to upgrade the non-volatile counter. This write operation is expected to fail (because the counter is locked) and the function is expected to return an error but it succeeds instead. As a result, the trusted boot does not abort as soon as it should and incorrectly boots BL2. The boot is finally aborted when BL2 verifies the BL31 image and figures out that the version of the SoC Firmware Key Certificate does not match. On Arm platforms, only certificates signed with the Root-of-Trust Key may trigger an upgrade of the non-volatile Trusted counter. [1] https://developer.arm.com/docs/100964/1160/fast-models-components/peripheral-components/nonvolatilecounter Change-Id: I9979f29c23b47b338b9b484013d1fb86c59db92f Signed-off-by:
Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 23 Sep, 2019 1 commit
-
-
Sandrine Bailleux authored
* changes: rockchip: Update BL31_BASE to 0x40000 rockchip: Fix typo for TF content text
-
- 20 Sep, 2019 3 commits
-
-
Paul Beesley authored
The documentation for Marvell platforms was not included in the rendered document output until now because, while it was mostly valid RST format, the files were saved with a .txt extension. This patch corrects some RST formatting errors, creates a document tree (index page) for the Marvell documents, and adds the Marvell subtree to the main index. Change-Id: Id7d4ac37eded636f8f62322a153e1e5f652ff51a Signed-off-by:Paul Beesley <paul.beesley@arm.com>
-
Kever Yang authored
Rockchip platform is using the first 1MB of DRAM as secure ram space, and there is a vendor loader who loads and runs the BL31/BL32/BL33, this loader is usually load by SoC BootRom to the start addres of DRAM, we need to reserve enough space for this loader so that it doesn't need to do the relocate when loading the BL31. eg. We use U-Boot SPL to load ATF BL31 and U-Boot proper as BL33, the SPL TEXT BASE is offset 0 of DRAM which is decide by Bootrom; if we update the BL31_BASE to offset 0x40000(256KB), then the 0~0x40000 should be enough for SPL and no need to do the relocate while the space size 0x10000(64KB) may not enough for SPL. After this update, the BL31 can use the rest 768KB of the first 1MB, which is also enough, and the loader who is using BL31 elf file can support this update without any change. Change-Id: I66dc685594d77f10f9a49c3be015fd6729250ece Signed-off-by:Kever Yang <kever.yang@rock-chips.com>
-
Kever Yang authored
The 'txet' should be 'text'. Change-Id: I2217a1adf50c3b86f3087b83c77d9291b280627c Signed-off-by:
-
- 18 Sep, 2019 9 commits
-
-
Sandrine Bailleux authored
-
Sandrine Bailleux authored
* changes: mediatek: mt8183: add MTK MCDI driver mediatek: mt8183: add MTK SSPM driver mediatek: mt8183: add MTK SPM driver mediatek: mt8183: add MTK uart driver for controlling clock gate mediatek: mt8183: configure MCUSYS DCM mediatek: mt8173: refactor RTC and PMIC drivers
-
Sandrine Bailleux authored
* changes: Unsigned long should not be used as per coding guidelines SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64
-
Sandrine Bailleux authored
* changes: qemu: Simplify the image size calculation qemu: introducing sub-platforms to qemu platform
-
Radoslaw Biernacki authored
Patch introduce the macro NS_IMAGE_MAX_SIZE to simplify the image size calculation. Use of additional parenthesis removes the possibility of improper calculations due nested macro expansion for subtraction. In case of platforms with DRAM window over 32bits, patch also removes potential problems with type casting, as meminfo.image_size is uint32_t but macro calculations were done in 64bit space. Signed-off-by:Radoslaw Biernacki <radoslaw.biernacki@linaro.org> Change-Id: I2d05a2d9dd6000dba6114df53262995cf85af018
-
Radoslaw Biernacki authored
This commit change the plat/qemu directory structure into: `-- plat `-- qemu |-- common (files shared with all qemu subplatforms) |-- qemu (original qemu platform) |-- qemu_sbsa (new sqemu_sbsa platform) |-- subplat1 `-- subplat2 This opens the possibility of adding new qemu sub-platforms which reuse existing common platform code. The first platform which will leverage new structure will be SBSA platform. Signed-off-by: -
Haojian Zhuang authored
Avoid to load FIP by hacking address. Load it by partition table instead. Signed-off-by:Haojian Zhuang <haojian.zhuang@linaro.org> Change-Id: I0283fc2e6e459bff14de19d92db4158e05106ee4
-
Haojian Zhuang authored
Avoid to load FIP by hacking address. Load it by partition table instead. Signed-off-by: -
Haojian Zhuang authored
The block size of some storage device is 4096-byte long, such as UFS. But PARTITION_BLOCK_SIZE is defined as 512-byte long. So replace it by PLAT_PARTITION_BLOCK_SIZE. Make it configurable in platform. Signed-off-by:
-
- 17 Sep, 2019 1 commit
-
-
Carlo Caione authored
Both kernel and U-Boot use a SMC call to the secure monitor to get the chip ID. This call is translated by BL31 to a call to the SCP to retrieve the ID. Add a new SiP call and the backing SCPI command. Signed-off-by:Carlo Caione <ccaione@baylibre.com> Change-Id: Ib128f5645ee92866e7ebbcd550dacd33f573524b
-
- 16 Sep, 2019 10 commits
-
-
Sandrine Bailleux authored
* changes: rpi3: Do prescaler and control setup in C rpi3: Prepare for supporting a GIC (in RPi4) rpi3: Make SHARED_RAM optional rpi3: Rename RPI3_IO_BASE to RPI_IO_BASE rpi3: Move shared rpi3 files into common directory
-
Sandrine Bailleux authored
* changes: Add fdt_add_reserved_memory() helper function qemu: Move and generalise FDT PSCI fixup
-
Sandrine Bailleux authored
* changes: rpi3: Move rng driver to drivers rpi3: Move VC mailbox driver into generic drivers directory rpi3: Move rpi3_hw.h header file to include/rpi_hw.h
-
Sandrine Bailleux authored
-
kenny liang authored
Add MCDI driver for power saving. Signed-off-by:kenny liang <kenny.liang@mediatek.com> Change-Id: I93ecff4d7581f678be09dd8fb5dfaaccd5f2c22c
-
kenny liang authored
Add MTK SSPM driver. Signed-off-by: -
kenny liang authored
Add MTK SPM driver for suspend/resume scenario. Signed-off-by: -
kenny liang authored
Add uart clock gate contol for suspend/resume scenario. Signed-off-by: -
kenny liang authored
Configure MCUSYS DCM. Signed-off-by: -
kenny liang authored
Refactor RTC and PMIC drivers. Signed-off-by:
-
- 13 Sep, 2019 11 commits
-
-
Deepika Bhavnani authored
We should either change them to `unsigned int` or `unsigned long long` when the size of the variable is the same in AArch64 and AArch32 or to `u_register_t` if it is supposed to be 32 bit wide in AArch32 and 64 bit wide in AArch64. Signed-off-by:Deepika Bhavnani <deepika.bhavnani@arm.com> Change-Id: I80e2a6edb33248ee88be395829abbd4c36c89abe
-
Deepika Bhavnani authored
AArch64 System register SCTLR_EL1[31:0] is architecturally mapped to AArch32 System register SCTLR[31:0] AArch64 System register ACTLR_EL1[31:0] is architecturally mapped to AArch32 System register ACTLR[31:0]. `u_register_t` should be used when it's important to store the contents of a register in its native size Signed-off-by: -
Andre Przywara authored
To initialise the arch timer configuration and some clock prescaler, we need to do two MMIO access *once*, early during boot. As tempting as it may sound, plat_reset_handler() is not the right place to do this, as it will be called on every CPU coming up, both for secondary cores as well as during warmboots. So this access will be done multiple times, and even during a rich OS' runtime. Whether doing so anyway is actually harmful is hard to say, but we should definitely avoid this if possible. Move the initialisation of these registers to C code in bl1_early_platform_setup(), where it will still be executed early enough (before enabling the console), but only once during the whole boot process. Change-Id: I081c41a5476d424411411488ff8f633e87d3bcc5 Signed-off-by:Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
If a firmware component like TF-A reserves special memory regions for its own or secure payload services, it should announce the location and size of those regions to the non-secure world. This will avoid disappointment when some rich OS tries to acccess this memory, which will likely end in a crash. The traditional way of advertising reserved memory using device tree is using the special memreserve feature of the device tree blob (DTB). However by definition those regions mentioned there do not prevent the rich OS to map this memory, which may lead to speculative accesses to this memory and hence spurious bus errors. A safer way of carving out memory is to use the /reserved-memory node as part of the normal DT structure. Besides being easier to setup, this also defines an explicit "no-map" property to signify the secure-only nature of certain memory regions, which avoids the rich OS to accidentally step on it. Add a helper function to allow platform ports to easily add a region. Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c Signed-off-by: -
Andre Przywara authored
To allow sharing the driver between the RPi3 and RPi4, move the random number generator driver into the generic driver directory. Change-Id: Iae94d7cb22c6bce3af9bff709d76d4caf87b14d1 Signed-off-by: -
Andre Przywara authored
With the incoming support for the Raspberry Pi 4 boards, one directory to serve both versions will not end up well. Create an additional layer by inserting a "rpi" directory betweeen /plat and rpi3, so that we can more easily share or separate files between the two later. Change-Id: I75adbb054fe7902f34db0fd5e579a55612dd8a5f Signed-off-by: -
Andre Przywara authored
As the PSCI "power" management functions for the Raspberry Pi 3 port will be shared with the upcoming RPi4 support, we need to prepare them for dealing with the GIC interrupt controller. Splitting this code just for those simple calls to the generic GIC routines does not seem worthwhile, so just use a #define the protect the GIC code from being included by the existing RPi3 code. Change-Id: Iaca6b0214563852b28ad4a088ec45348ae8be40d Signed-off-by: -
Andre Przywara authored
The QEMU platform port scans its device tree to advertise PSCI as the CPU enable method. It does this by scanning *every* node in the DT and check whether its compatible string starts with "arm,cortex-a". Then it sets the enable-method to PSCI, if it doesn't already have one. Other platforms might want to use this functionality as well, so let's move it out of the QEMU platform directory and make it more robust by fixing some shortcomings: - A compatible string starting with a certain prefix is not a good way to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will match as well and is in turn favoured with an enable-method. - If the DT already has an enable-method, we won't change this to PSCI. Those two issues will for instance fail on the Raspberry Pi 4 DT. To fix those problems, we adjust the scanning method: The DT spec says that all CPU nodes are subnodes of the mandatory /cpus node, which is a subnode of the root node. Also each CPU node has to have a device_type = "cpu" property. So we find the /cpus node, then scan for a subnode with the proper device_type, forcing the enable-method to "psci". We have to restart this search after a property has been patched, as the node offsets might have changed meanwhile. This allows this routine to be reused for the Raspberry Pi 4 later. Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139 Signed-off-by: -
Andre Przywara authored
To allow sharing the driver between the RPi3 and RPi4, move the mailbox driver into the generic driver directory. Change-Id: I463e49acf82b02bf004f3d56482b7791f3020bc0 Signed-off-by: -
Andre Przywara authored
The existing Raspberry Pi 3 port sports a number of memory regions, which are used for several purposes. The upcoming RPi4 port will not use all of those, so make the SHARED_RAM region optional, by only mapping it if it has actually been defined. This helps to get a cleaner RPi4 port. Change-Id: Id69677b7fb6ed48d9f238854b610896785db8cab Signed-off-by: -
Andre Przywara authored
With the advent of Raspberry Pi 4 support, we need to separate some board specific headers between the RPi3 and RPi4. Rename and move the "rpi3_hw.h" header, so that .c files just include rpi_hw.h, and automatically get the correct version. Change-Id: I03b39063028d2bee1429bffccde71dddfe2dcde8 Signed-off-by:
-
