1. 12 Jun, 2018 1 commit
    • Daniel Boulby's avatar
      Fix MISRA Rule 5.3 Part 1 · d3775d46
      Daniel Boulby authored
      
      
      Conflict with function name and variable name within that function.
      Change the name of the function from image_size to get_image_size
      to remove conflict and make the function fit the normal project
      naming convention.
      
      Rule 5.3:  An identifier declared in an inner scope shall not
                 hide an identifier declared in an outer scope
      
      Fixed For:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      d3775d46
  2. 11 Jun, 2018 1 commit
  3. 08 Jun, 2018 5 commits
  4. 07 Jun, 2018 1 commit
    • Soby Mathew's avatar
      ARM platforms: Move BL31 below BL2 to enable BL2 overlay · c099cd39
      Soby Mathew authored
      
      
      The patch changes the layout of BL images in memory to enable
      more efficient use of available space. Previously BL31 was loaded
      with the expectation that BL2 memory would be reclaimed by BL32
      loaded in SRAM. But with increasing memory requirements in the
      firmware, we can no longer fit BL32 in SRAM anymore which means the
      BL2 memory is not reclaimed by any runtime image. Positioning BL2
      below BL1-RW and above BL31 means that the BL31 NOBITS can be
      overlaid on BL2 and BL1-RW.
      
      This patch also propogates the same memory layout to BL32 for AArch32
      mode. The reset addresses for the following configurations are also
      changed :
         * When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
         * When BL2_AT_EL3=1 for BL2
      
      The restriction on BL31 to be only in DRAM when SPM is enabled
      is now removed with this change. The update to the firmware design
      guide for the BL memory layout is done in the following patch.
      
      Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      c099cd39
  5. 24 May, 2018 1 commit
    • Antonio Nino Diaz's avatar
      plat/arm: SPM: Force BL31 to DRAM when SPM is used · e829a379
      Antonio Nino Diaz authored
      
      
      BL31 is running out of space, and the use-case of SPM doesn't require it
      to be in SRAM. To prevent BL31 from running out of space in the future,
      move BL31 to DRAM if SPM is enabled.
      
      Secure Partition Manager design document updated to reflect the changes.
      
      Increased the size of the stack of BL31 for builds with SPM.
      
      The translation tables used by SPM in Arm platforms have been moved back
      to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
      in DRAM now, so it doesn't make sense to treat them in a different way.
      
      Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      e829a379
  6. 23 May, 2018 6 commits
  7. 22 May, 2018 1 commit
  8. 21 May, 2018 1 commit
    • Soby Mathew's avatar
      FVP: Add dummy configs for BL31, BL32 and BL33 · 1d71ba14
      Soby Mathew authored
      
      
      This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
      The config files are placeholders and do not have any useful bindings
      defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
      if SPD=tspd. The load address of these configs are specified in tb_fw_config
      via new bindings defined for these configs. Currently, in FVP, the
      soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
      and ARM_SHARED_RAM. This memory was typically used for BL32 when
      ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
      space anymore, it should be safe to use this memory for these configs.
      There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
      that this overlap doesn't happen.
      
      The previous arm_dyn_get_hwconfig_info() is modified to accept configs
      other than hw_config and hence renamed to arm_dyn_get_config_load_info().
      The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
      BL2_BASE.
      
      Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      1d71ba14
  9. 18 May, 2018 3 commits
    • Soby Mathew's avatar
      Dynamic cfg: Enable support on CoT for other configs · 17bc617e
      Soby Mathew authored
      
      
      This patch implements support for adding dynamic configurations for
      BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
      necessary cert tool support and changes to default chain of trust are made
      for these configs.
      
      Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      17bc617e
    • Soby Mathew's avatar
      FVP: Enable capability to disable auth via dynamic config · 6e79f9fd
      Soby Mathew authored
      
      
      This patch adds capability to FVP to disable authentication dynamically
      via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
      the TB_FW_CONFIG for the `disable_auth` property and invokes the
      `load_dyn_disable_auth()` API to disable authentication if the
      property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
      FVP as it is a development platform. Note that the TB_FW_CONFIG has to
      be authenticated by BL1 irrespective of these settings.
      
      The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
      rather than in bl2_platform_setup() as we need to get the value of
      `disable_auth` property prior to authentication of any image by BL2.
      
      Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      6e79f9fd
    • Soby Mathew's avatar
      Allow disabling authentication dynamically · 209a60cc
      Soby Mathew authored
      
      
      This patch allows platforms to dynamically disable authentication of
      images during cold boot. This capability is controlled via the
      DYN_DISABLE_AUTH build flag and is only meant for development
      purposes.
      
      Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      209a60cc
  10. 17 May, 2018 1 commit
    • Daniel Boulby's avatar
      Ensure read and write of flags are 32 bit · 8abcdf92
      Daniel Boulby authored
      
      
      In 'console_set_scope' and when registering a console, field 'flags' of
      'console_t' is assigned a 32-bit value. However, when it is actually
      used, the functions perform 64-bit reads to access its value. This patch
      changes all 64-bit reads to 32-bit reads.
      
      Change-Id: I181349371409e60065335f078857946fa3c32dc1
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      8abcdf92
  11. 15 May, 2018 1 commit
  12. 11 May, 2018 6 commits
    • Chris Kay's avatar
      css: Do not map the non-secure RAM as secure · d0223211
      Chris Kay authored
      
      
      Change-Id: I7e73c0ab134da11c49f990b739245110c59eac2b
      Signed-off-by: default avatarChris Kay <chris.kay@arm.com>
      d0223211
    • Chris Kay's avatar
      css: Fix erroneous non-secure RAM base address/size for SGI-575 · d7ecac73
      Chris Kay authored
      
      
      SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
      
      Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
      Signed-off-by: default avatarChris Kay <chris.kay@arm.com>
      d7ecac73
    • Chris Kay's avatar
      plat/arm: Fix incorrect bounds check in ARM_CASSERT_MMAP · 053b4f92
      Chris Kay authored
      
      
      The bounds check in ARM_CASSERT_MMAP does not take into account the
      array sentinel in plat_arm_mmap. This commit fixes this, and adds an
      additional check to ensure the number of entries in the array is
      within the bounds of PLAT_ARM_MMAP_ENTRIES.
      
      Change-Id: Ie6df10c0aa0890d62826bc3224ad7b3e36fd53e2
      Signed-off-by: default avatarChris Kay <chris.kay@arm.com>
      053b4f92
    • Chris Kay's avatar
      plat/arm: Fix incorrect number of reserved memory map entries · 3450fd62
      Chris Kay authored
      
      
      There are three calls to mmap_add_region() that always occur in
      arm_setup_page_tables(), and two further calls based on whether coherent
      memory is enabled, and whether SPM is enabled in BL31.
      
      This commit adapts the ARM_BL_REGIONS definition to match the number of
      calls made inside arm_setup_page_tables() so that the MAX_MMAP_REGIONS
      is realigned with what is actually occurring.
      
      Change-Id: I7adc05951abccf2cbd5c86280eb874911e6a1566
      Signed-off-by: default avatarChris Kay <chris.kay@arm.com>
      3450fd62
    • Antonio Nino Diaz's avatar
      plat/arm: Migrate AArch64 port to the multi console driver · 2f18aa1f
      Antonio Nino Diaz authored
      
      
      The old API is deprecated and will eventually be removed.
      
      Arm platforms now use the multi console driver for boot and runtime
      consoles. However, the crash console uses the direct console API because
      it doesn't need any memory access to work. This makes it more robust
      during crashes.
      
      The AArch32 port of the Trusted Firmware doesn't support this new API
      yet, so it is only enabled in AArch64 builds. Because of this, the
      common code must maintain compatibility with both systems. SP_MIN
      doesn't have to be updated because it's only used in AArch32 builds.
      The TSP is only used in AArch64, so it only needs to support the new
      API without keeping support for the old one.
      
      Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
      causes the UARTs to reset (except for the one used by the TSP). This
      means that they must be unregistered when suspending and re-registered
      when resuming. This wasn't a problem with the old driver because it just
      restarted the UART, and there were no problems associated with
      registering and unregistering consoles.
      
      The size of BL31 has been increased in builds with SPM.
      
      Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2f18aa1f
    • Antonio Nino Diaz's avatar
      multi console: Assert that consoles aren't registered twice · c2e05bb7
      Antonio Nino Diaz authored
      
      
      In the multi console driver, allowing to register the same console more
      than once may result in an infinte loop when putc is called.
      
      If, for example, a boot message is trying to be printed, but the
      consoles in the loop in the linked list are runtime consoles, putc will
      iterate forever looking for a console that can print boot messages (or
      a NULL pointer that will never come).
      
      This loop in the linked list can occur after restoring the system from a
      system suspend. The boot console is registered during the cold boot in
      BL31, but the runtime console is registered even in the warm boot path.
      Consoles are always added to the start of the linked list when they are
      registered, so this it what should happen if they were actually
      different structures:
      
         console_list -> NULL
         console_list -> BOOT -> NULL
         console_list -> RUNTIME -> BOOT -> NULL
         console_list -> RUNTIME -> RUNTIME -> BOOT -> NULL
      
      In practice, the two runtime consoles are the same one, so they create
      this loop:
      
         console_list -> RUNTIME -.    X -> BOOT -> NULL
                             ^    |
                             `----'
      
      This patch adds an assertion to detect this problem. The assertion will
      fail whenever the same structure tries to be registered while being on
      the list.
      
      In order to assert this, console_is_registered() has been implemented.
      It returns 1 if the specified console is registered, 0 if not.
      
      Change-Id: I922485e743775ca9bd1af9cbd491ddd360526a6d
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c2e05bb7
  13. 09 May, 2018 1 commit
  14. 04 May, 2018 7 commits
    • Jeenu Viswambharan's avatar
      ARM Platforms: Support RAS · 0b9ce906
      Jeenu Viswambharan authored
      
      
        - Assign 0x10 for RAS exceptions on ARM platforms, and install
          EHF priority descriptor.
      
        - Call the common RAS initialisation from ARM BL31 setup.
      
        - Add empty definitions for platform error records and RAS interrupts.
      
      Change-Id: I0675f299b7840be4c83a9c7a81073a95c605dc90
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      0b9ce906
    • Jeenu Viswambharan's avatar
      RAS: Add fault injection support · 1a7c1cfe
      Jeenu Viswambharan authored
      
      
      The ARMv8.4 RAS extensions introduce architectural support for software
      to inject faults into the system in order to test fault-handling
      software. This patch introduces the build option FAULT_HANDLING_SUPPORT
      to allow for lower ELs to use registers in the Standard Error Record to
      inject fault. The build option RAS_EXTENSIONS must also be enabled along
      with fault injection.
      
      This feature is intended for testing purposes only, and is advisable to
      keep disabled for production images.
      
      Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      1a7c1cfe
    • Jeenu Viswambharan's avatar
      RAS: Allow individual interrupt registration · ca6d9185
      Jeenu Viswambharan authored
      
      
      EHF currently allows for registering interrupt handlers for a defined
      priority ranges. This is primarily targeted at various EL3 dispatchers
      to own ranges of secure interrupt priorities in order to delegate
      execution to lower ELs.
      
      The RAS support added by earlier patches necessitates registering
      handlers based on interrupt number so that error handling agents shall
      receive and handle specific Error Recovery or Fault Handling interrupts
      at EL3.
      
      This patch introduces a macro, RAS_INTERRUPTS() to declare an array of
      interrupt numbers and handlers. Error handling agents can use this macro
      to register handlers for individual RAS interrupts. The array is
      expected to be sorted in the increasing order of interrupt numbers.
      
      As part of RAS initialisation, the list of all RAS interrupts are sorted
      based on their ID so that, given an interrupt, its handler can be looked
      up with a simple binary search.
      
      For an error handling agent that wants to handle a RAS interrupt,
      platform must:
      
        - Define PLAT_RAS_PRI to be the priority of all RAS exceptions.
      
        - Enumerate interrupts to have the GIC driver program individual EL3
          interrupts to the required priority range. This is required by EHF
          even before this patch.
      
      Documentation to follow.
      
      Change-Id: I9471e4887ff541f8a7a63309e9cd8f771f76aeda
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      ca6d9185
    • Jeenu Viswambharan's avatar
      RAS: Add support for node registration · 362599ec
      Jeenu Viswambharan authored
      
      
      Previous patches added frameworks for handling RAS errors. This patch
      introduces features that the platform can use to enumerate and iterate
      RAS nodes:
      
        - The REGISTER_RAS_NODES() can be used to expose an array of
          ras_node_info_t structures. Each ras_node_info_t describes a RAS
          node, along with handlers for probing the node for error, and if
          did record an error, another handler to handle it.
      
        - The macro for_each_ras_node() can be used to iterate over the
          registered RAS nodes, probe for, and handle any errors.
      
      The common platform EA handler has been amended using error handling
      primitives introduced by both this and previous patches.
      
      Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      362599ec
    • Jeenu Viswambharan's avatar
      RAS: Add helpers to access Standard Error Records · 30d81c36
      Jeenu Viswambharan authored
      
      
      The ARMv8 RAS Extensions introduced Standard Error Records which are a
      set of standard registers through which:
      
        - Platform can configure RAS node policy; e.g., notification
          mechanism;
      
        - RAS nodes can record and expose error information for error handling
          agents.
      
      Standard Error Records can either be accessed via. memory-mapped
      or System registers. This patch adds helper functions to access
      registers and fields within an error record.
      
      Change-Id: I6594ba799f4a1789d7b1e45b3e17fd40e7e0ba5c
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      30d81c36
    • Jeenu Viswambharan's avatar
      AArch64: Introduce RAS handling · 14c6016a
      Jeenu Viswambharan authored
      
      
      RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
      extensions to base ARMv8.0 architecture.
      
      This patch adds build system support to enable RAS features in ARM
      Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
      this.
      
      With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
      inserted at all EL3 vector entry and exit. ESBs will synchronize pending
      external aborts before entering EL3, and therefore will contain and
      attribute errors to lower EL execution. Any errors thus synchronized are
      detected via. DISR_EL1 register.
      
      When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
      
      Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      14c6016a
    • Jeenu Viswambharan's avatar
      AArch64: Introduce External Abort handling · 76454abf
      Jeenu Viswambharan authored
      
      
      At present, any External Abort routed to EL3 is reported as an unhandled
      exception and cause a panic. This patch enables ARM Trusted Firmware to
      handle External Aborts routed to EL3.
      
      With this patch, when an External Abort is received at EL3, its handling
      is delegated to plat_ea_handler() function. Platforms can provide their
      own implementation of this function. This patch adds a weak definition
      of the said function that prints out a message and just panics.
      
      In order to support handling External Aborts at EL3, the build option
      HANDLE_EA_EL3_FIRST must be set to 1.
      
      Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
      compilation; this patch fixes that too.
      
      Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      76454abf
  15. 02 May, 2018 1 commit
  16. 01 May, 2018 1 commit
    • Roberto Vargas's avatar
      ARM platforms: Demonstrate mem_protect from el3_runtime · 638b034c
      Roberto Vargas authored
      
      
      Previously mem_protect used to be only supported from BL2. This is not
      helpful in the case when ARM TF-A BL2 is not used. This patch demonstrates
      mem_protect from el3_runtime firmware on ARM Platforms specifically
      when RESET_TO_BL31 or RESET_TO_SP_MIN flag is set as BL2 may be absent
      in these cases. The Non secure DRAM is dynamically mapped into EL3 mmap
      tables temporarily and then the protected regions are then cleared. This
      avoids the need to map the non secure DRAM permanently to BL31/sp_min.
      
      The stack size is also increased, because DYNAMIC_XLAT_TABLES require
      a bigger stack.
      
      Change-Id: Ia44c594192ed5c5adc596c0cff2c7cc18c001fde
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      638b034c
  17. 27 Apr, 2018 2 commits
    • Masahiro Yamada's avatar
      types: use int-ll64 for both aarch32 and aarch64 · 0a2d5b43
      Masahiro Yamada authored
      Since commit 031dbb12
      
       ("AArch32: Add essential Arch helpers"),
      it is difficult to use consistent format strings for printf() family
      between aarch32 and aarch64.
      
      For example, uint64_t is defined as 'unsigned long long' for aarch32
      and as 'unsigned long' for aarch64.  Likewise, uintptr_t is defined
      as 'unsigned int' for aarch32, and as 'unsigned long' for aarch64.
      
      A problem typically arises when you use printf() in common code.
      
      One solution could be, to cast the arguments to a type long enough
      for both architectures.  For example, if 'val' is uint64_t type,
      like this:
      
        printf("val = %llx\n", (unsigned long long)val);
      
      Or, somebody may suggest to use a macro provided by <inttypes.h>,
      like this:
      
        printf("val = %" PRIx64 "\n", val);
      
      But, both would make the code ugly.
      
      The solution adopted in Linux kernel is to use the same typedefs for
      all architectures.  The fixed integer types in the kernel-space have
      been unified into int-ll64, like follows:
      
          typedef signed char           int8_t;
          typedef unsigned char         uint8_t;
      
          typedef signed short          int16_t;
          typedef unsigned short        uint16_t;
      
          typedef signed int            int32_t;
          typedef unsigned int          uint32_t;
      
          typedef signed long long      int64_t;
          typedef unsigned long long    uint64_t;
      
      [ Linux commit: 0c79a8e29b5fcbcbfd611daf9d500cfad8370fcf ]
      
      This gets along with the codebase shared between 32 bit and 64 bit,
      with the data model called ILP32, LP64, respectively.
      
      The width for primitive types is defined as follows:
      
                         ILP32           LP64
          int            32              32
          long           32              64
          long long      64              64
          pointer        32              64
      
      'long long' is 64 bit for both, so it is used for defining uint64_t.
      'long' has the same width as pointer, so for uintptr_t.
      
      We still need an ifdef conditional for (s)size_t.
      
      All 64 bit architectures use "unsigned long" size_t, and most 32 bit
      architectures use "unsigned int" size_t.  H8/300, S/390 are known as
      exceptions; they use "unsigned long" size_t despite their architecture
      is 32 bit.
      
      One idea for simplification might be to define size_t as 'unsigned long'
      across architectures, then forbid the use of "%z" string format.
      However, this would cause a distortion between size_t and sizeof()
      operator.  We have unknowledge about the native type of sizeof(), so
      we need a guess of it anyway.  I want the following formula to always
      return 1:
      
        __builtin_types_compatible_p(size_t, typeof(sizeof(int)))
      
      Fortunately, ARM is probably a majority case.  As far as I know, all
      32 bit ARM compilers use "unsigned int" size_t.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      0a2d5b43
    • Masahiro Yamada's avatar
      arch_helpers: use u_register_t for register read/write · 8f4dbaab
      Masahiro Yamada authored
      
      
      u_register_t is preferred rather than uint64_t.  This is more
      consistent with the aarch32 implementation.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      8f4dbaab