- 11 Mar, 2020 2 commits
-
-
Madhukar Pappireddy authored
Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN. Created few populator() functions which parse HW_CONFIG device tree and registered them with fconf framework. Many of the changes are only applicable for fvp platform. This patch: 1. Adds necessary symbols and sections in BL31, SP_MIN linker script 2. Adds necessary memory map entry for translation in BL31, SP_MIN 3. Creates an abstraction layer for hardware configuration based on fconf framework 4. Adds necessary changes to build flow (makefiles) 5. Minimal callback to read hw_config dtb for capturing properties related to GIC(interrupt-controller node) 6. updates the fconf documentation Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
Madhukar Pappireddy authored
A populate() function essentially captures the value of a property, defined by a platform, into a fconf related c structure. Such a callback is usually platform specific and is associated to a specific configuration source. For example, a populate() function which captures the hardware topology of the platform can only parse HW_CONFIG DTB. Hence each populator function must be registered with a specific 'config_type' identifier. It broadly represents a logical grouping of configuration properties which is usually a device tree source file. Example: > TB_FW: properties related to trusted firmware such as IO policies, base address of other DTBs, mbedtls heap info etc. > HW_CONFIG: properties related to hardware configuration of the SoC such as topology, GIC controller, PSCI hooks, CPU ID etc. This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate() to register and invoke the appropriate callbacks selectively based on configuration type. Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 04 Mar, 2020 1 commit
-
-
Manish Pandey authored
This patch implements loading of Secure Partition packages using existing framework of loading other bl images. The current framework uses a statically defined array to store all the possible image types and at run time generates a link list and traverse through it to load different images. To load SPs, a new array of fixed size is introduced which will be dynamically populated based on number of SPs available in the system and it will be appended to the loadable images list. Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 03 Mar, 2020 1 commit
-
-
Olivier Deprez authored
Use the firmware configuration framework to retrieve information about Secure Partitions to facilitate loading them into memory. To load a SP image we need UUID look-up into FIP and the load address where it needs to be loaded in memory. This patch introduces a SP populator function which gets UUID and load address from firmware config device tree and updates its C data structure. Change-Id: I17faec41803df9a76712dcc8b67cadb1c9daf8cd Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 27 Feb, 2020 1 commit
-
-
Louis Mayencourt authored
MISRA C-2012 Rule 20.7: Macro parameter expands into an expression without being wrapped by parentheses. MISRA C-2012 Rule 12.1: Missing explicit parentheses on sub-expression. MISRA C-2012 Rule 18.4: Essential type of the left hand operand is not the same as that of the right operand. Include does not provide any needed symbols. Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 25 Feb, 2020 1 commit
-
-
Andre Przywara authored
Since now the generic console_t structure holds the UART base address as well, let's use that generic location and drop the UART driver specific data structure at all. Change-Id: I7a23327394d142af4b293ea7ccd90b843c54587c Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
- 24 Feb, 2020 2 commits
-
-
Petre-Ionut Tudor authored
This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
-
Sandrine Bailleux authored
- Use the development PROTPK if using the dualroot CoT. Note that unlike the ROTPK, the PROTPK key hash file is not generated from the key file, instead it has to be provided. This might be enhanced in the future. - Define a CoT build flag for the platform code to provide different implementations where needed. Change-Id: Iaaf25183b94e77a99a5d8d875831d90c102a97ea Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 19 Feb, 2020 1 commit
-
-
Suyash Pathak authored
For platforms that have two or more TZC400 controllers instantiated, allow the TZC400 driver to be usable with all those instances. This is achieved by allowing 'arm_tzc400_setup' function to accept the base address of the TZC400 controller. Change-Id: I4add470e6ddb58432cd066145e644112400ab924 Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>
-
- 10 Feb, 2020 2 commits
-
-
Achin Gupta authored
This patch adds support to the build system to include support for the SPM dispatcher when the SPD configuration option is spmd. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: Ic1ae50ecd7403fcbcf1d318abdbd6ebdc642f732
-
Achin Gupta authored
This patch repurposes the TOS FW configuration file as the manifest for the SPM core component which will reside at the secure EL adjacent to EL3. The SPM dispatcher component will use the manifest to determine how the core component must be initialised. Routines and data structure to parse the manifest have also been added. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb
-
- 07 Feb, 2020 9 commits
-
-
Louis Mayencourt authored
Currently, an IO setup failure will be ignored on arm platform release build. Change this to panic instead. Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Change the return type of "arm_io_is_toc_valid()" and "plat_arm_bl1_fwu_needed()" to bool, to match function behavior. Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the firmware configuration framework in arm dynamic configuration to retrieve mbedtls heap information between bl1 and bl2. For this, a new fconf getter is added to expose the device tree base address and size. Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use fconf to retrieve the `disable_authentication` property. Move this access from arm dynamic configuration to bl common. Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
This patch introduces a better separation between the trusted-boot related properties, and the dynamic configuration DTBs loading information. The dynamic configuration DTBs properties are moved to a new node: `dtb-registry`. All the sub-nodes present will be provided to the dynamic config framework to be loaded. The node currently only contains the already defined configuration DTBs, but can be extended for future features if necessary. The dynamic config framework is modified to use the abstraction provided by the fconf framework, instead of directly accessing the DTBs. The trusted-boot properties are kept under the "arm,tb_fw" compatible string, but in a separate `tb_fw-config` node. The `tb_fw-config` property of the `dtb-registry` node simply points to the load address of `fw_config`, as the `tb_fw-config` is currently part of the same DTB. Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Use the dtb provided by bl1 as configuration file for fconf. Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Move the loading of the dtb from arm_dym_cfg to fconf. The new loading function is not associated to arm platform anymore, and can be moved to bl_main if wanted. Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
Louis Mayencourt authored
Introduce the Firmware CONfiguration Framework (fconf). The fconf is an abstraction layer for platform specific data, allowing a "property" to be queried and a value retrieved without the requesting entity knowing what backing store is being used to hold the data. The default backing store used is C structure. If another backing store has to be used, the platform integrator needs to provide a "populate()" function to fill the corresponding C structure. The "populate()" function must be registered to the fconf framework with the "FCONF_REGISTER_POPULATOR()". This ensures that the function would be called inside the "fconf_populate()" function. A two level macro is used as getter: - the first macro takes 3 parameters and converts it to a function call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c). - the second level defines a__b_getter(c) to the matching C structure, variable, array, function, etc.. Ex: Get a Chain of trust property: 1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id) 2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id] Change-Id: Id394001353ed295bc680c3f543af0cf8da549469 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 05 Feb, 2020 1 commit
-
-
Zelalem authored
Fix code that violates the MISRA rule: MISRA C-2012 Rule 11.9: Literal "0" shall not be used as null pointer constant. The fix explicitly checks whether a pointer is NULL. Change-Id: Ibc318dc0f464982be9a34783f24ccd1d44800551 Signed-off-by: Zelalem <zelalem.aweke@arm.com>
-
- 04 Feb, 2020 1 commit
-
-
Zelalem authored
This patch removes unnecessary header file includes discovered by Coverity HFA option. Change-Id: I2827c37c1c24866c87db0e206e681900545925d4 Signed-off-by: Zelalem <zelalem.aweke@arm.com>
-
- 29 Jan, 2020 1 commit
-
-
Sandrine Bailleux authored
Allows to select the chain of trust to use when the Trusted Boot feature is enabled. This affects both the cert_create tool and the firmware itself. Right now, the only available CoT is TBBR. Change-Id: I7ab54e66508a1416cb3fcd3dfb0f055696763b3d Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 28 Jan, 2020 1 commit
-
-
Louis Mayencourt authored
The Secure Configuration Register is 64-bits in AArch64 and 32-bits in AArch32. Use u_register_t instead of unsigned int to reflect this. Change-Id: I51b69467baba36bf0cfaec2595dc8837b1566934 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 27 Jan, 2020 1 commit
-
-
Madhukar Pappireddy authored
In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate the build to require that ARM_BL31_IN_DRAM is enabled as well. Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code cannot be reclaimed to be used for runtime data such as secondary cpu stacks. Memory map for BL31 NOBITS region also has to be created. Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 23 Jan, 2020 1 commit
-
-
Mark Dykes authored
This reverts commit d433bbdd. Change-Id: I46c69dce704a1ce1b50452dd4d62425c4a67f7f0
-
- 22 Jan, 2020 1 commit
-
-
Madhukar Pappireddy authored
In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate the build to require that ARM_BL31_IN_DRAM is enabled as well. Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code cannot be reclaimed to be used for runtime data such as secondary cpu stacks. Memory map for BL31 NOBITS region also has to be created. Change-Id: Ibd480f82c1dc74e9cbb54eec07d7a8fecbf25433 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 20 Dec, 2019 3 commits
-
-
Paul Beesley authored
Before adding any new SPM-related components we should first do some cleanup around the existing SPM-MM implementation. The aim is to make sure that any SPM-MM components have names that clearly indicate that they are MM-related. Otherwise, when adding new SPM code, it could quickly become confusing as it would be unclear to which component the code belongs. The secure_partition.h header is a clear example of this, as the name is generic so it could easily apply to any SPM-related code, when it is in fact SPM-MM specific. This patch renames the file and the two structures defined within it, and then modifies any references in files that use the header. Change-Id: I44bd95fab774c358178b3e81262a16da500fda26 Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
Paul Beesley authored
The Secure Partition Manager (SPM) prototype implementation is being removed. This is preparatory work for putting in place a dispatcher component that, in turn, enables partition managers at S-EL2 / S-EL1. This patch removes: - The core service files (std_svc/spm) - The Resource Descriptor headers (include/services) - SPRT protocol support and service definitions - SPCI protocol support and service definitions Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426 Signed-off-by: Paul Beesley <paul.beesley@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
Paul Beesley authored
There are two different implementations of Secure Partition management in TF-A. One is based on the "Management Mode" (MM) design, the other is based on the Secure Partition Client Interface (SPCI) specification. Currently there is a dependency between their build flags that shouldn't exist, making further development harder than it should be. This patch removes that dependency, making the two flags function independently. Before: ENABLE_SPM=1 is required for using either implementation. By default, the SPCI-based implementation is enabled and this is overridden if SPM_MM=1. After: ENABLE_SPM=1 enables the SPCI-based implementation. SPM_MM=1 enables the MM-based implementation. The two build flags are mutually exclusive. Note that the name of the ENABLE_SPM flag remains a bit ambiguous - this will be improved in a subsequent patch. For this patch the intention was to leave the name as-is so that it is easier to track the changes that were made. Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 19 Dec, 2019 1 commit
-
-
Alexei Fedorov authored
This patch fixes the bug in BL2 dynamic configuration initialisation which prevents loading NT_FW_CONFIG image (ref. GENFW-3471). It also adds parentheses around 'if' statement conditions to fix Coverity defect. Change-Id: I353566c29b84341887e13bf8098a4fedfc4e00ff Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 18 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
Provide an SMC interface to the 9p filesystem. This permits accessing firmware drivers through a common interface, using standardized read/write/control operations. Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Change-Id: I9314662314bb060f6bc02714476574da158b2a7d
-
- 17 Dec, 2019 2 commits
-
-
Bence Szépkúti authored
Ported the pmf asm macros and the asm code in the bl31 entrypoint necessary for the instrumentation to AArch32. Since smc dispatch is handled by the bl32 payload on AArch32, we provide this service only if AARCH32_SP=sp_min is set. Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com> Change-Id: Id33b7e9762ae86a4f4b40d7f1b37a90e5130c8ac
-
Bence Szépkúti authored
Switching execution states is only possible if EL3 is AArch64. As such there is no need to validate the entrypoint on AArch32 builds. Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com> Change-Id: I3c1eb25b5df296a492870641d274bf65213c6608
-
- 10 Dec, 2019 1 commit
-
-
Ambroise Vincent authored
C99 standard: "What constitutes an access to an object that has volatile-qualified type is implementation-defined". GCC is not considering the cast to void of volatile structures as an access and so is not actually issuing reads. Clang does read those structures by copying them on the stack, which in this case creates an overflow because of their large size. This patch removes the cast to void and instead uses the USED attribute to tell the compiler to retain the static variables. Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Zelalem Aweke <zelalem.aweke@arm.com>
-
- 09 Dec, 2019 1 commit
-
-
Louis Mayencourt authored
Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page (but depend on the platform). Instead, read the actual size of the dtb with the libfdt "fdt_totalsize" function. This avoid flushing extra memory after updating the dtb with mbedtls heap information when shared heap is used. Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 07 Nov, 2019 1 commit
-
-
Manish Pandey authored
Earlier PIE support was enabled for all arm platforms when RESET_TO_BL31=1, but later on it was restricted only to FVP with patch SHA d4580d17 because of n1sdp platform. Now it has been verified that PIE does work for n1sdp platform also, so enabling it again for all arm platforms. Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 05 Nov, 2019 1 commit
-
-
Vijayenthiran Subramaniam authored
ARM platform can have a non-contiguous GICR frames. For instance, a multi socket platform can have two or more GIC Redistributor frames which are 4TB apart. Hence it is necessary for the `gicv3_rdistif_probe` function to probe all the GICR frames available in the platform. Introduce `plat_arm_override_gicr_frames` function which platforms can use to override the default gicr_frames which holds the GICR base address of the primary cpu. Change-Id: I1f537b0d871a679cb256092944737f2e55ab866e Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
-
- 21 Oct, 2019 1 commit
-
-
Manish Pandey authored
There are some platforms which uses MPIDR Affinity level 3 for storing extra affinity information e.g. N1SDP uses it for keeping chip id in a multichip setup, for such platforms MPIDR validation should not fail. This patch adds Aff3 bits also as part of mpidr validation mask, for platforms which does not uses Aff3 will not have any impact as these bits will be all zeros. Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-
- 26 Sep, 2019 1 commit
-
-
Madhukar Pappireddy authored
This patch invokes the new function gicv3_rdistif_probe() in the ARM platform specific gicv3 driver. Since this API modifies the shared GIC related data structure, it must be invoked coherently by using the platform specific pwr_domain_on_finish_late hook. Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-