1. 28 Jul, 2021 1 commit
    • Ming Huang's avatar
      services: Fix pmr_el1 rewrote issue in sdei_disaptch_event() · d21f1ddb
      Ming Huang authored
      Consider a RAS scenario:
      Enter EL3 by sync exception, then call spm_mm_sp_call() enter
      EL0s to handle this error, then call sdei_dispatch_event() to
      inform OS. Finally, return back to OS from sync exception flow.
      Similar flow is sgi_ras_intr_handler() in sgi_ras.c.
      
      The icc_pmr_el1 register will be change in above flow:
      1 cm_el1_sysregs_context_save(NON_SECURE);
        -> ehf_exited_normal_world();
          ##icc_pmr_el1: 0xf8 => 0x80
      2 spm_mm_sp_call();
      3 sdei_dispatch_event();
      4 ehf_activate_priority(sdei_event_priority(map));
          ##icc_pmr_el1: 0x80 => 0x60
      5 restore_and_resume_ns_context();
        -> ehf_exited_normal_world();
           ##return due to has_valid_pri_activations(pe_data) == 1
      6 ehf_deactivate_priority(sdei_event_priority(map));
          ##icc_pmr_el1: 0x60 => 0x80
      The icc_pmr_el1 was rewrote from 0xf8 to 0x80. This issue will
      result in OS hang when eret to OS from RAS flow.
      
      Move ehf_activate_priority(sdei_event_priority(map)) after
      restore_and_resum...
      d21f1ddb
  2. 23 Jul, 2021 1 commit
    • Daniel Boulby's avatar
      fix(sdei): set SPSR for SDEI based on TakeException · 37596fcb
      Daniel Boulby authored
      
      
      The SDEI specification now says that during an SDEI
      event handler dispatch the SPSR should be set according
      to the TakeException() pseudocode function defined in
      the Arm Architecture Reference Manual. This patch sets
      the SPSR according to the function given in
      ARM DDI 0487F.c page J1-7635
      
      Change-Id: Id2f8f2464fd69c701d81626162827e5c4449b658
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      37596fcb
  3. 03 Jun, 2021 1 commit
    • Olivier Deprez's avatar
      perf(spmd): omit sel1 context save if sel2 present · 678ce223
      Olivier Deprez authored
      
      
      The SPMC at S-EL2 manages S-EL1 execution contexts for SPs. The
      currently running SP vCPU state is always saved when the SPMC exits to
      SPMD. A fresh vCPU context is always restored when the SPMC is entered
      from the SPMD and a SP resumed. For performance optimization reasons
      this permits omitting the saving/restoring of the S-EL1 context from
      within the EL3 SPMD on entering/exiting the SPMC. The S-EL2 SPMC and
      NS-EL1 context save/restore remain done in the SPMD.
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: I66413ed5983913791ff5c9fc03c590ee65c6ccd7
      678ce223
  4. 25 May, 2021 2 commits
    • Jeremy Linton's avatar
      SMCCC/PCI: Handle std svc boilerplate · 1cdf1eb8
      Jeremy Linton authored
      
      
      Add SMC wrappers for handshaking the existence
      and basic parameter validation for the SMCCC/PCI
      API. The actual read/write/segment validation is
      implemented by a given platform which will enable
      the API by defining SMC_PCI_SUPPORT.
      Signed-off-by: default avatarJeremy Linton <jeremy.linton@arm.com>
      Change-Id: I4485ad0fe6003cec6f5eedef688914d100513c21
      1cdf1eb8
    • Jeremy Linton's avatar
      SMCCC: Hoist SMC_32 sanitization · 475333c8
      Jeremy Linton authored
      
      
      The SMCCC, part 3 indicates that only the bottom
      32-bits of a 32-bit SMC call are valid. The upper
      bits must be zero. Lets enforce that so standard
      service code can assume its been called that way.
      Signed-off-by: default avatarJeremy Linton <jeremy.linton@arm.com>
      Change-Id: I1bac50fbdc3b6ddca5fe2d1d1f96166a65ac4eb4
      475333c8
  5. 13 May, 2021 1 commit
    • Daniel Boulby's avatar
      feat(spmd): add support for FFA_SPM_ID_GET · 70c121a2
      Daniel Boulby authored
      
      
      Handle calls to the FFA_SPM_ID_GET interface. If FFA_SPM_ID_GET is
      invoked from the non-secure physical FF-A instance, return the SPMC id
      (defined in the SPMC manifest). If FFA_SPM_ID_GET is invoked from
      the secure physical FF-A instance (e.g. the SPMC), return the SPMD id.
      
      Change-Id: Id6d4e96b1da2510386d344e09c4553dba01227ec
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      70c121a2
  6. 04 May, 2021 1 commit
    • Andre Przywara's avatar
      fix(services): drop warning on unimplemented calls · 67fad514
      Andre Przywara authored
      
      
      Standard Secure Services, complying to the SMCCC specification, are
      discoverable: Any user can do the SMC call, and derive from the return
      value (-1) if the service is implemented. Consequently we should not
      *warn* if BL31 does not implement a service, as some services (TRNG, for
      instance) might never be implemented for devices, as they are lacking
      hardware.
      
      Short of dropping the existing warning message altogether, change the
      level to VERBOSE, which should prevent it actually being printed in
      normal situations.
      
      This removes the pointless TF-A messages on the console when booting
      Linux, as modern kernels now call the SOCID and the TRNG service
      unconditionally.
      
      Change-Id: I08b0b02e0f46322ebe0b40b3991c3c9b5bed4f97
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      67fad514
  7. 20 Apr, 2021 1 commit
    • Olivier Deprez's avatar
      spmd: add FFA_INTERRUPT forwarding · 386dc365
      Olivier Deprez authored
      
      
      In the case of a SP pre-empted by a non-secure interrupt, the SPMC
      returns to the SPMD through the FFA_INTERRUPT ABI. It is then forwarded
      to the normal world driver hinting the SP has to be resumed after the
      non-secure interrupt has been serviced.
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: I51a694dddcb8ea30fa84e1f11d018bc2abec0a56
      386dc365
  8. 19 Apr, 2021 1 commit
    • Mayur Gudmeti's avatar
      services: spm_mm: Use sp_boot_info to set SP context · 21583a31
      Mayur Gudmeti authored
      
      
      The current SPM_MM implementations expects the SP image addresses
      as static macros. This means platforms wanting to use dynamically
      allocated memory addresses are left out. This patch gets sp_boot_info
      at the beginning of spm_sp_setup function and uses member variables
      of sp_boot_info to setup the context. So member variables of
      struct sp_boot_info and consequently the context can be initialized
      by static macros or dynamiclly allocated memory address..
      
      Change-Id: I1cb75190ab8026b845ae20a9c6cc416945b5d7b9
      Signed-off-by: default avatarMayur Gudmeti <mgudmeti@nvidia.com>
      21583a31
  9. 19 Mar, 2021 1 commit
    • J-Alves's avatar
      SPM: Fix error codes size in SPMD handler · e46b2fd2
      J-Alves authored
      
      
      FF-A specification states that error codes should be typed int32_t.
      SPMD's uses uint64_t for return values, which if assigned with a signed
      type would have sign extension, and change the size of the return from
      32-bit to 64-bit.
      Signed-off-by: default avatarJ-Alves <joao.alves@arm.com>
      Change-Id: I288ab2ffec8330a2fe1f21df14e22c34bd83ced3
      e46b2fd2
  10. 18 Mar, 2021 1 commit
    • Madhukar Pappireddy's avatar
      Bug fix in tspd interrupt handling when TSP_NS_INTR_ASYNC_PREEMPT is enabled · 51bb1d73
      Madhukar Pappireddy authored
      
      
      Typically, interrupts for a specific security state get handled in the
      same security execption level if the execution is in the same security
      state. For example, if a non-secure interrupt gets fired when CPU is
      executing in NS-EL2 it gets handled in the non-secure world.
      
      However, interrupts belonging to the opposite security state typically
      demand a world(context) switch. This is inline with the security
      principle which states a secure interrupt has to be handled in the
      secure world. Hence, the TSPD in EL3 expects the context(handle) for a
      secure interrupt to be non-secure and vice versa.
      
      The function "tspd_sel1_interrupt_handler" is the handler registered
      for S-EL1 interrupts by the TSPD. Based on the above assumption, it
      provides an assertion to validate if the interrupt originated from
      non-secure world and upon success arranges entry into the TSP at
      'tsp_sel1_intr_entry' for handling the interrupt.
      
      However, a race condition between non-secure and secure interrupts can
      lead to a scenario where the above assumptions do not hold true and
      further leading to following assert fail.
      
      This patch fixes the bug which causes this assert fail:
      
      	ASSERT: services/spd/tspd/tspd_main.c:105
      	BACKTRACE: START: assert
      	0: EL3: 0x400c128
      	1: EL3: 0x400faf8
      	2: EL3: 0x40099a4
      	3: EL3: 0x4010d54
      	BACKTRACE: END: assert
      
      Change-Id: I359d30fb5dbb1429a4a3c3fff37fdc64c07e9414
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      51bb1d73
  11. 15 Mar, 2021 2 commits
  12. 05 Mar, 2021 1 commit
  13. 18 Feb, 2021 1 commit
  14. 12 Feb, 2021 1 commit
  15. 10 Feb, 2021 1 commit
    • Andre Przywara's avatar
      services: TRNG: Fix -O0 compilation · 323b6c63
      Andre Przywara authored
      
      
      The code to check for the presence of the TRNG service relies on
      toolchain garbage collection, which is not enabled with -O0.
      
      Add #ifdef guards around the call to the TRNG service handler to
      cover builds without optimisation as well.
      
      Change-Id: I08ece2005ea1c8fa96afa13904a851dec6b24216
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      323b6c63
  16. 05 Feb, 2021 1 commit
  17. 30 Nov, 2020 1 commit
    • Alexei Fedorov's avatar
      Aarch64: Add support for FEAT_PANx extensions · a83103c8
      Alexei Fedorov authored
      
      
      This patch provides the changes listed below:
      - Adds new bit fields definitions for SCTLR_EL1/2 registers
      - Corrects the name of SCTLR_EL1/2.[20] bit field from
      SCTLR_UWXN_BIT to SCTLR_TSCXT_BIT
      - Adds FEAT_PANx bit field definitions and their possible
      values for ID_AA64MMFR1_EL1 register.
      - Adds setting of SCTLR_EL1.SPAN bit to preserve PSTATE.PAN
      on taking an exception to EL1 in spm_sp_setup() function
      (services\std_svc\spm_mm\spm_mm_setup.c)
      
      Change-Id: If51f20e7995c649126a7728a4d0867041fdade19
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      a83103c8
  18. 02 Oct, 2020 1 commit
    • Andre Przywara's avatar
      spmd: Fix signedness comparison warning · 6e4da01f
      Andre Przywara authored
      
      
      With -Wsign-compare, compilers issue a warning in the SPMD code:
      ====================
      services/std_svc/spmd/spmd_pm.c:35:22: error: comparison of integer
      expressions of different signedness: 'int' and 'unsigned int'
      [-Werror=sign-compare]
         35 |  if ((id < 0) || (id >= PLATFORM_CORE_COUNT)) {
            |                      ^~
      cc1: all warnings being treated as errors
      ====================
      
      Since we just established that "id" is positive, we can safely cast it
      to an unsigned type to make the comparison have matching types.
      
      Change-Id: I6ef24804c88136d7e3f15de008e4fea854f10ffe
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      6e4da01f
  19. 07 Sep, 2020 1 commit
  20. 01 Sep, 2020 1 commit
    • Varun Wadekar's avatar
      spmd: remove assert for SPMC PC value · 75e1dfa0
      Varun Wadekar authored
      
      
      This patch removes the assert that expects the SPMC PC
      value to be same as BL32_BASE. This assumption is not
      true for all platforms e.g. Tegra, and so will be removed
      from the SPMD.
      
      Platforms can always add this check to the platform files,
      if required.
      
      Change-Id: Ic40620b43d160feb4f72f4af18e6d01861d4bf37
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      75e1dfa0
  21. 31 Aug, 2020 1 commit
    • Varun Wadekar's avatar
      spd: trusty: allow clients to retrieve service UUID · fc198188
      Varun Wadekar authored
      
      
      This patch implements support for the 64-bit and 32-bit versions of
      0xBF00FF01 SMC function ID, as documented by the SMCCC, to allow
      non-secure world clients to query SPD's UUID.
      
      In order to service this FID, the Trusty SPD now increases the range
      of SMCs that it services. To restrict Trusty from receiving the extra
      SMC FIDs, this patch drops any unsupported FID.
      
      Verified with TFTF tests for UID query and internal gtest for Trusty.
      
      Change-Id: If96fe4993f7e641595cfe67cc6b4210a0d52403f
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      fc198188
  22. 21 Aug, 2020 1 commit
  23. 20 Aug, 2020 8 commits
  24. 18 Aug, 2020 1 commit
    • Manish V Badarkhe's avatar
      Add wrapper for AT instruction · 86ba5853
      Manish V Badarkhe authored
      
      
      In case of AT speculative workaround applied, page table walk
      is disabled for lower ELs (EL1 and EL0) in EL3.
      Hence added a wrapper function which temporarily enables page
      table walk to execute AT instruction for lower ELs and then
      disables page table walk.
      
      Execute AT instructions directly for lower ELs (EL1 and EL0)
      assuming page table walk is enabled always when AT speculative
      workaround is not applied.
      
      Change-Id: I4ad4c0bcbb761448af257e9f72ae979473c0dde8
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      86ba5853
  25. 26 Jul, 2020 1 commit
    • Manish V Badarkhe's avatar
      SMCCC: Introduce function to check SMCCC function availability · 6f0a2f04
      Manish V Badarkhe authored
      
      
      Currently, 'SMCCC_ARCH_FEATURES' SMC call handler unconditionally
      returns 'SMC_OK' for 'SMCCC_ARCH_SOC_ID' function. This seems to
      be not correct for the platform which doesn't implement soc-id
      functionality i.e. functions to retrieve both soc-version and
      soc-revision.
      Hence introduced a platform function which will check whether SMCCC
      feature is available for the platform.
      
      Also, updated porting guide for the newly added platform function.
      
      Change-Id: I389f0ef6b0837bb24c712aa995b7176117bc7961
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      6f0a2f04
  26. 23 Jun, 2020 1 commit
    • J-Alves's avatar
      FFA Version interface update · 4388f28f
      J-Alves authored
      
      
      Change handler of FFA version interface:
      - Return SPMD's version if the origin of the call is secure;
      - Return SPMC's version if origin is non-secure.
      Signed-off-by: default avatarJ-Alves <joao.alves@arm.com>
      Change-Id: I0d1554da79b72b1e02da6cc363a2288119c32f44
      4388f28f
  27. 02 Jun, 2020 1 commit
    • Masahisa Kojima's avatar
      xlat_tables_v2: add base table section name parameter for spm_mm · 0922e481
      Masahisa Kojima authored
      Core spm_mm code expects the translation tables are located in the
      inner & outer WBWA & shareable memory.
      REGISTER_XLAT_CONTEXT2 macro is used to specify the translation
      table section in spm_mm.
      
      In the commit 363830df
      
       (xlat_tables_v2: merge
      REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE}), REGISTER_XLAT_CONTEXT2
      macro explicitly specifies the base xlat table goes into .bss by default.
      This change affects the existing SynQuacer spm_mm implementation.
      plat/socionext/synquacer/include/plat.ld.S linker script intends to
      locate ".bss.sp_base_xlat_table" into "sp_xlat_table" section,
      but this implementation is no longer available.
      
      This patch adds the base table section name parameter for
      REGISTER_XLAT_CONTEXT2 so that platform can specify the
      inner & outer WBWA & shareable memory for spm_mm base xlat table.
      If PLAT_SP_IMAGE_BASE_XLAT_SECTION_NAME is not defined, base xlat table
      goes into .bss by default, the result is same as before.
      
      Change-Id: Ie0e1a235e5bd4288dc376f582d6c44c5df6d31b2
      Signed-off-by: default avatarMasahisa Kojima <masahisa.kojima@linaro.org>
      0922e481
  28. 25 May, 2020 1 commit
    • J-Alves's avatar
      SPCI is now called PSA FF-A · 662af36d
      J-Alves authored
      
      
      SPCI is renamed as PSA FF-A which stands for Platform Security
      Architecture Firmware Framework for A class processors.
      This patch replaces the occurrence of SPCI with PSA FF-A(in documents)
      or simply FFA(in code).
      
      Change-Id: I4ab10adb9ffeef1ff784641dfafd99f515133760
      Signed-off-by: default avatarJ-Alves <joao.alves@arm.com>
      662af36d
  29. 15 May, 2020 1 commit
  30. 13 May, 2020 2 commits
    • Olivier Deprez's avatar
      SPMD: extract SPMC DTB header size from SPMD · 23d5ba86
      Olivier Deprez authored
      
      
      Currently BL2 passes TOS_FW_CONFIG address and size through registers to
      BL31. This corresponds to SPMC manifest load address and size. The SPMC
      manifest is mapped in BL31 by dynamic mapping. This patch removes BL2
      changes from generic code (which were enclosed by SPD=spmd) and retrieves
      SPMC manifest size directly from within SPMD. The SPMC manifest load
      address is still passed through a register by generic code.
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: I35c5abd95c616ae25677302f0b1d0c45c51c042f
      23d5ba86
    • Olivier Deprez's avatar
      SPMD: code/comments cleanup · 52696946
      Olivier Deprez authored
      As a follow-up to bdd2596d
      
      , and related to SPM Dispatcher
      EL3 component and SPM Core S-EL2/S-EL1 component: update
      with cosmetic and coding rules changes. In addition:
      -Add Armv8.4-SecEL2 arch detection helper.
      -Add an SPMC context (on current core) get helper.
      -Return more meaningful error return codes.
      -Remove complexity in few spmd_smc_handler switch-cases.
      -Remove unused defines and structures from spmd_private.h
      Signed-off-by: default avatarOlivier Deprez <olivier.deprez@arm.com>
      Change-Id: I99e642450b0dafb19d3218a2f0e2d3107e8ca3fe
      52696946