1. 11 Mar, 2020 2 commits
    • Madhukar Pappireddy's avatar
      fconf: necessary modifications to support fconf in BL31 & SP_MIN · 26d1e0c3
      Madhukar Pappireddy authored
      
      
      Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN.
      Created few populator() functions which parse HW_CONFIG device tree
      and registered them with fconf framework. Many of the changes are
      only applicable for fvp platform.
      
      This patch:
      1. Adds necessary symbols and sections in BL31, SP_MIN linker script
      2. Adds necessary memory map entry for translation in BL31, SP_MIN
      3. Creates an abstraction layer for hardware configuration based on
         fconf framework
      4. Adds necessary changes to build flow (makefiles)
      5. Minimal callback to read hw_config dtb for capturing properties
         related to GIC(interrupt-controller node)
      6. updates the fconf documentation
      
      Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      26d1e0c3
    • Madhukar Pappireddy's avatar
      fconf: enhancements to firmware configuration framework · 25d740c4
      Madhukar Pappireddy authored
      
      
      A populate() function essentially captures the value of a property,
      defined by a platform, into a fconf related c structure. Such a
      callback is usually platform specific and is associated to a specific
      configuration source.
      For example, a populate() function which captures the hardware topology
      of the platform can only parse HW_CONFIG DTB. Hence each populator
      function must be registered with a specific 'config_type' identifier.
      It broadly represents a logical grouping of configuration properties
      which is usually a device tree source file.
      
      Example:
      > TB_FW: properties related to trusted firmware such as IO policies,
      	 base address of other DTBs, mbedtls heap info etc.
      > HW_CONFIG: properties related to hardware configuration of the SoC
      	 such as topology, GIC controller, PSCI hooks, CPU ID etc.
      
      This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
      to register and invoke the appropriate callbacks selectively based on
      configuration type.
      
      Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      25d740c4
  2. 04 Mar, 2020 1 commit
    • Manish Pandey's avatar
      SPMD: loading Secure Partition payloads · cb3b5344
      Manish Pandey authored
      
      
      This patch implements loading of Secure Partition packages using
      existing framework of loading other bl images.
      
      The current framework uses a statically defined array to store all the
      possible image types and at run time generates a link list and traverse
      through it to load different images.
      
      To load SPs, a new array of fixed size is introduced which will be
      dynamically populated based on number of SPs available in the system
      and it will be appended to the loadable images list.
      
      Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      cb3b5344
  3. 03 Mar, 2020 1 commit
  4. 27 Feb, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Fix misra issues · 845db722
      Louis Mayencourt authored
      
      
      MISRA C-2012 Rule 20.7:
      Macro parameter expands into an expression without being wrapped by parentheses.
      
      MISRA C-2012 Rule 12.1:
      Missing explicit parentheses on sub-expression.
      
      MISRA C-2012 Rule 18.4:
      Essential type of the left hand operand is not the same as that of the right
      operand.
      
      Include does not provide any needed symbols.
      
      Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      845db722
  5. 25 Feb, 2020 1 commit
  6. 24 Feb, 2020 2 commits
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
    • Sandrine Bailleux's avatar
      plat/arm: Add support for dualroot CoT · 1035a706
      Sandrine Bailleux authored
      
      
      - Use the development PROTPK if using the dualroot CoT.
      
        Note that unlike the ROTPK, the PROTPK key hash file is not generated
        from the key file, instead it has to be provided. This might be
        enhanced in the future.
      
      - Define a CoT build flag for the platform code to provide different
        implementations where needed.
      
      Change-Id: Iaaf25183b94e77a99a5d8d875831d90c102a97ea
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      1035a706
  7. 19 Feb, 2020 1 commit
  8. 10 Feb, 2020 2 commits
  9. 07 Feb, 2020 9 commits
    • Louis Mayencourt's avatar
      arm-io: Panic in case of io setup failure · 97399821
      Louis Mayencourt authored
      
      
      Currently, an IO setup failure will be ignored on arm platform release
      build. Change this to panic instead.
      
      Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      97399821
    • Louis Mayencourt's avatar
      MISRA fix: Use boolean essential type · d6dcbcad
      Louis Mayencourt authored
      
      
      Change the return type of "arm_io_is_toc_valid()" and
      "plat_arm_bl1_fwu_needed()" to bool, to match function behavior.
      
      Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      d6dcbcad
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
    • Louis Mayencourt's avatar
      fconf: Add mbedtls shared heap as property · 6c972317
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework in arm dynamic configuration
      to retrieve mbedtls heap information between bl1 and bl2.
      
      For this, a new fconf getter is added to expose the device tree base
      address and size.
      
      Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c972317
    • Louis Mayencourt's avatar
      fconf: Add TBBR disable_authentication property · ce852841
      Louis Mayencourt authored
      
      
      Use fconf to retrieve the `disable_authentication` property.
      Move this access from arm dynamic configuration to bl common.
      
      Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ce852841
    • Louis Mayencourt's avatar
      fconf: Add dynamic config DTBs info as property · 25ac8794
      Louis Mayencourt authored
      
      
      This patch introduces a better separation between the trusted-boot
      related properties, and the dynamic configuration DTBs loading
      information.
      
      The dynamic configuration DTBs properties are moved to a new node:
      `dtb-registry`. All the sub-nodes present will be provided to the
      dynamic config framework to be loaded. The node currently only contains
      the already defined configuration DTBs, but can be extended for future
      features if necessary.
      The dynamic config framework is modified to use the abstraction provided
      by the fconf framework, instead of directly accessing the DTBs.
      
      The trusted-boot properties are kept under the "arm,tb_fw" compatible
      string, but in a separate `tb_fw-config` node.
      The `tb_fw-config` property of the `dtb-registry` node simply points
      to the load address of `fw_config`, as the `tb_fw-config` is currently
      part of the same DTB.
      
      Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      25ac8794
    • Louis Mayencourt's avatar
      fconf: Populate properties from dtb during bl2 setup · 9814bfc1
      Louis Mayencourt authored
      
      
      Use the dtb provided by bl1 as configuration file for fconf.
      
      Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      9814bfc1
    • Louis Mayencourt's avatar
      fconf: Load config dtb from bl1 · 3b5ea741
      Louis Mayencourt authored
      
      
      Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
      function is not associated to arm platform anymore, and can be moved
      to bl_main if wanted.
      
      Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      3b5ea741
    • Louis Mayencourt's avatar
      fconf: initial commit · ab1981db
      Louis Mayencourt authored
      
      
      Introduce the Firmware CONfiguration Framework (fconf).
      
      The fconf is an abstraction layer for platform specific data, allowing
      a "property" to be queried and a value retrieved without the requesting
      entity knowing what backing store is being used to hold the data.
      
      The default backing store used is C structure. If another backing store
      has to be used, the platform integrator needs to provide a "populate()"
      function to fill the corresponding C structure.
      The "populate()" function must be registered to the fconf framework with
      the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
      be called inside the "fconf_populate()" function.
      
      A two level macro is used as getter:
      - the first macro takes 3 parameters and converts it to a function
        call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
      - the second level defines a__b_getter(c) to the matching C structure,
        variable, array, function, etc..
      
      Ex: Get a Chain of trust property:
          1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
          2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
      
      Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ab1981db
  10. 05 Feb, 2020 1 commit
  11. 04 Feb, 2020 1 commit
  12. 29 Jan, 2020 1 commit
  13. 28 Jan, 2020 1 commit
  14. 27 Jan, 2020 1 commit
    • Madhukar Pappireddy's avatar
      plat/arm: Add support for SEPARATE_NOBITS_REGION · 0c1f197a
      Madhukar Pappireddy authored
      
      
      In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
      BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
      the build to require that ARM_BL31_IN_DRAM is enabled as well.
      
      Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
      cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
      
      Memory map for BL31 NOBITS region also has to be created.
      
      Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      0c1f197a
  15. 23 Jan, 2020 1 commit
  16. 22 Jan, 2020 1 commit
    • Madhukar Pappireddy's avatar
      plat/arm: Add support for SEPARATE_NOBITS_REGION · d433bbdd
      Madhukar Pappireddy authored
      
      
      In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
      BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
      the build to require that ARM_BL31_IN_DRAM is enabled as well.
      
      Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
      cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
      
      Memory map for BL31 NOBITS region also has to be created.
      
      Change-Id: Ibd480f82c1dc74e9cbb54eec07d7a8fecbf25433
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      d433bbdd
  17. 20 Dec, 2019 3 commits
    • Paul Beesley's avatar
      spm-mm: Refactor secure_partition.h and its contents · aeaa225c
      Paul Beesley authored
      
      
      Before adding any new SPM-related components we should first do
      some cleanup around the existing SPM-MM implementation. The aim
      is to make sure that any SPM-MM components have names that clearly
      indicate that they are MM-related. Otherwise, when adding new SPM
      code, it could quickly become confusing as it would be unclear to
      which component the code belongs.
      
      The secure_partition.h header is a clear example of this, as the
      name is generic so it could easily apply to any SPM-related code,
      when it is in fact SPM-MM specific.
      
      This patch renames the file and the two structures defined within
      it, and then modifies any references in files that use the header.
      
      Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      aeaa225c
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  18. 19 Dec, 2019 1 commit
  19. 18 Dec, 2019 1 commit
  20. 17 Dec, 2019 2 commits
  21. 10 Dec, 2019 1 commit
    • Ambroise Vincent's avatar
      arm: gicv3: Fix compiler dependent behavior · d0196911
      Ambroise Vincent authored
      
      
      C99 standard: "What constitutes an access to an object that has
      volatile-qualified type is implementation-defined".
      
      GCC is not considering the cast to void of volatile structures as an
      access and so is not actually issuing reads.
      
      Clang does read those structures by copying them on the stack, which in
      this case creates an overflow because of their large size.
      
      This patch removes the cast to void and instead uses the USED attribute
      to tell the compiler to retain the static variables.
      
      Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      	       Zelalem Aweke <zelalem.aweke@arm.com>
      d0196911
  22. 09 Dec, 2019 1 commit
    • Louis Mayencourt's avatar
      Use the proper size for tb_fw_cfg_dtb · 6c77dfc5
      Louis Mayencourt authored
      
      
      Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page
      (but depend on the platform). Instead, read the actual size of the dtb
      with the libfdt "fdt_totalsize" function.
      This avoid flushing extra memory after updating the dtb with mbedtls
      heap information when shared heap is used.
      
      Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c77dfc5
  23. 07 Nov, 2019 1 commit
  24. 05 Nov, 2019 1 commit
  25. 21 Oct, 2019 1 commit
    • Manish Pandey's avatar
      plat/arm: use Aff3 bits also to validate mpidr · b30646a8
      Manish Pandey authored
      
      
      There are some platforms which uses MPIDR Affinity level 3 for storing
      extra affinity information e.g. N1SDP uses it for keeping chip id in a
      multichip setup, for such platforms MPIDR validation should not fail.
      
      This patch adds Aff3 bits also as part of mpidr validation mask, for
      platforms which does not uses Aff3 will not have any impact as these
      bits will be all zeros.
      
      Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      b30646a8
  26. 26 Sep, 2019 1 commit