GitLab

The watchdog is configured with a default value of 256 seconds in order
to implement the Trusted Board Boot Requirements.

For the FVP and Juno platforms, the FWU process relies on a watchdog
reset. In order to automate the test of FWU, the length of this process
needs to be as short as possible. Instead of waiting for those 4 minutes
to have a reset by the watchdog, tell it to reset immediately.

There are no side effects as the value of the watchdog's load register
resets to 0xFFFFFFFF.

Tested on Juno.

Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

The new API becomes the default one.

Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

BL2U should not build when RESET_TO_SP_MIN flag is set, like BL1 and
BL2.

Change-Id: Iac516121f98611ca1f58d2b5efdec6525b06ce4e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

N1SDP exhibits the behavior similar to Juno wherein CNTBaseN.CNTFRQ
can be written but does not reflect the value of the CNTFRQ register
in CNTCTLBase frame. This doesn't follow ARM ARM in that the value
updated in CNTCTLBase.CNTFRQ is not reflected in CNTBaseN.CNTFRQ.

Hence enable the workaround (applied to Juno) for N1SDP that updates
the CNTFRQ register in the Non Secure CNTBaseN frame.

Change-Id: Id89ee1bca0f25c9d62f8f794f2c4f4e618cdf092
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>

For security DMA should be blocked at the SMMU by default
unless explicitly enabled for a device. SMMU is disabled
after reset with all streams bypassing the SMMU, and
abortion of all incoming transactions implements a default
deny policy on reset.
This patch also moves "bl1_platform_setup()" function from
arm_bl1_setup.c to FVP platforms' fvp_bl1_setup.c and
fvp_ve_bl1_setup.c files.

Change-Id: Ie0ffedc10219b1b884eb8af625bd4b6753749b1a
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Change-Id: Ie649b3c367a93db057eeaee7e83fa3e43f8c2607
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

The BL1 stage setup code for ARM platforms sets up the SP805 watchdog
controller as the secure watchdog. But not all ARM platforms use SP805
as the secure watchdog controller.

So introduce two new ARM platform code specific wrapper functions to
start and stop the secure watchdog. These functions then replace the
calls to SP805 driver in common BL1 setup code. All the ARM platforms
implement these wrapper functions by either calling into SP805 driver
or the SBSA watchdog driver.

Change-Id: I1a9a11b124cf3fac2a84f22ca40acd440a441257
Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>

The dummy implementation of the plat_init_apiakey() platform API uses
an internal 128-bit buffer to store the initial key value used for
Pointer Authentication support.

The intent - as stated in the file comments - was for this buffer to
be write-protected by the MMU. Initialization of the buffer would be
performed before enabling the MMU, thus bypassing write protection
checks.

However, the key buffer ended up into its own read-write section by
mistake due to a typo on the section name ('rodata.apiakey' instead of
'.rodata.apiakey', note the leading dot). As a result, the linker
script was not pulling it into the .rodata output section.

One way to address this issue could have been to fix the section
name. However, this approach does not work well for BL1. Being the
first image in the boot flow, it typically is sitting in real ROM
so we don't have the capacity to update the key buffer at any time.

The dummy implementation of plat_init_apiakey() provided at the moment
is just there to demonstrate the Pointer Authentication feature in
action. Proper key management and key generation would have to be a
lot more careful on a production system.

Therefore, the approach chosen here to leave the key buffer in
writable memory but move it to the BSS section. This does mean that
the key buffer could be maliciously updated for intalling unintended
keys on the warm boot path but at the feature is only at an
experimental stage right now, this is deemed acceptable.

Change-Id: I121ccf35fe7bc86c73275a4586b32d4bc14698d6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This feature is only supported on FVP.

Change-Id: I4e265610211d92a84bd2773c34acfbe02a1a1826
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Cortex A5 doesnt support VFP, Large Page addressing and generic timer
which are addressed in this patch. The device tree for Cortex a5
is also included.

Change-Id: I0722345721b145dfcc80bebd36a1afbdc44bb678
Signed-off-by: Usama Arif <usama.arif@arm.com>

This patch adds support for Versatile express FVP (Fast models).
Versatile express is a family of platforms that are based on ARM v7.
Currently this port has only been tested on Cortex A7, although it
should work with other ARM V7 cores that support LPAE, generic timers,
VFP and hardware divide. Future patches will support other
cores like Cortex A5 that dont support features like LPAE
and hardware divide. This platform is tested on and only expected to
work on single core models.

Change-Id: I10893af65b8bb64da7b3bd851cab8231718e61dd
Signed-off-by: Usama Arif <usama.arif@arm.com>

The variable is renamed to PLAT_ARM_RUN_UART as
the UART is used outside BL31 as well.

Change-Id: I00e3639dfb2001758b7d24548c11236c6335f64a
Signed-off-by: Usama Arif <usama.arif@arm.com>

Many parts of the code were duplicating symbols that are defined in
include/common/bl_common.h. It is better to only use the definitions in
this header.

As all the symbols refer to virtual addresses, they have to be
uintptr_t, not unsigned long. This has also been fixed in bl_common.h.

Change-Id: I204081af78326ced03fb05f69846f229d324c711
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The BL33 image must not go past the end of DRAM.

Change-Id: I56668ab760d82332d69a8904d125d9a055aa91d5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

PLAT_ARM_NS_IMAGE_OFFSET is in fact not an offset relative to some base
address, it is an absolute address. Rename it to avoid any confusion.

Change-Id: I1f7f5e8553cb267786afe7e5f3cd4d665b610d3f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Use full include paths like it is done for common includes.

This cleanup was started in commit d40e0e08283a ("Sanitise includes
across codebase"), but it only cleaned common files and drivers. This
patch does the same to Arm platforms.

Change-Id: If982e6450bbe84dceb56d464e282bcf5d6d9ab9b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
descriptors describing the list of executable images are created in BL2
R/W memory, which could be possibly corrupted later on by BL31/BL32 due
to overlay. This patch creates a reserved location in SRAM for these
descriptors and are copied over by BL2 before handing over to next BL
image.

Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
is enabled.

Fixes ARM-Software/tf-issues#626

Change-Id: I755735706fa702024b4032f51ed4895b3687377f
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

The SPM implementation based on MM is going to be kept for the
foreseeable future.

Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

From now on, platform_def.h must include any header with definitions that
are platform-specific (like arm_def.h) and the included headers mustn't
include back platform_def.h, and shouldn't be used by other files. Only
platform_def.h should be included in other files. This will ensure that all
needed definitions are present, rather than needing to include all the
headers in all the definitions' headers just in case.

This also prevents problems like cyclic dependencies.

Change-Id: I9d3cf4d1de4b956fa035c79545222697acdaf5ca
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The definitions in bl1/bl1_private.h and bl2/bl2_private.h are useful for
platforms that may need to access them.

Change-Id: Ifd1880f855ddafcb3bfcaf1ed4a4e0f121eda174
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The patch SHA 55cf015c

 enabled PIE support when RESET_TO_BL31=1 for
all ARM platforms. But it seems n1sdp platform doesn't work with PIE
support yet. Hence restrict the ENABLE_PIE=1 to fvp platform.

Change-Id: If44e42528e4b0b57c69084503f346576fe0748bd
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This option was removed in v2.0.

Change-Id: I0c929fddb57d60c5eff9e45dd5ee8c636b28e6c3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Load SP and RD from package instead of relying on RD being already
loaded in memory and the SP being loaded as a BL32 image.

Change-Id: I18d4fbf4597656c6a7e878e1d7c01a8a324f3f8a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Introduce helpers to create resource description struct, as well as code
to load the information from DTB files.

Change-Id: I0f5bb94eb8b01c6cb53fe807a9db0c05a70d7a43
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

In order to allow Arm platforms to override the default list of PSCI
callbacks, remove the existing weak implementation of
'plat_arm_psci_override_pm_ops' function and let all the Arm platforms
implement their own 'plat_arm_psci_override_pm_ops' function.

For platforms that support SCMI protocol, the function
'css_scmi_override_pm_ops' can be additionally used as well to
override the default PSCI callbacks.

Change-Id: If7c27468bd51a00ea9c2a3716b5894163f5a9f3c
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>

The headers forked at some point in the past and have diverged a lot. In
order to make it easier to share code between TF-A-Tests and TF-A, this
patch synchronises most of the definitions in the mentioned headers.

This is not a complete sync, it has to be followed by more cleanup.

This patch also removes the read helpers for the AArch32 instructions
ats1cpr and ats1hr (they are write-only).

Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Register a priority level, PLAT_SP_PRI, for secure partition with EL3
exception handling framework(ehf) module.

The secure partition manager(SPM) would raise the core's priority to
PLAT_SP_PRI before entering the secure partition, to protect the core
from getting interrupted while in secure partition.

Change-Id: I686897f052a4371e0efa9b929c07d3ad77249e95
Signed-off-by: Sughosh Ganu <sughosh.ganu@arm.com>

Change-Id: I2419416fadfcdf64da8b7690a348007591c4edf3
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This option allows the Trusted Firmware to directly jump to Linux
kernel for aarch32 without the need of an intermediate loader such
as U-Boot.

Similar to AArch64 ARM_LINUX_KERNEL_AS_BL33 only available with
RESET_TO_SP_MIN=1 as well as BL33 and DTB are preloaded in memory.

Change-Id: I908bc1633696be1caad0ce2f099c34215c8e0633
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Change-Id: Iae6758ca6395560131d1e1a69a1ecfe50ca8bf83
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().

Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

No functional changes.

Change-Id: I9b9f8d3dfde08d57706ad5450de6ff858a55ac01
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch enabled PIE for FVP when RESET_TO_BL31=1. The references
to BL31_BASE are replaced by BL31_START as being a symbol exported by
the linker, will create a dynamic relocation entry in .rela.dyn and
hence will be fixed up by dynamic linker at runtime. Also, we disable
RECLAIM_INIT_CODE when PIE is enabled as the init section overlay
creates some static relocations which cannot be handled by the
dynamic linker currently.

Change-Id: I86df1b0a8b2a8bbbe7c3f3c0b9a08c86c2963ec0
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This patch adds a utility function to return
the address of a symbol. By default, the compiler
generates adr/adrp instruction pair to return
the reference and this utility is used to override
this compiler generated to code and use `ldr`
instruction.

This is needed for Position Independent Executable
when it needs to reference a symbol which is constant
and does not depend on the execute address of the
binary.

For example, on the FVP, the GICv3 register context is
stored in a secure carveout (arm_el3_tzc_dram) within
DDR and does not relocate with the BL image. Now if
BL31 is executing at a different address other than
the compiled address, using adrp/adr instructions to
reference this memory will not work as they generate an
address that is PC relative. The way to get around this
problem is to reference it as non-PC relative (i.e
non-relocatable location) via `ldr` instruction.

Change-Id: I5008a951b007144258121690afb68dc8e12ee6f7
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

This function is not related to Arm platforms and can be reused by other
platforms if needed.

Change-Id: Ia9c328ce57ce7e917b825a9e09a42b0abb1a53e8
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.

This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.

The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.

This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).

Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

In Arm platforms the crash console doesn't print anything if the crash
happens early enough. This happens in all images, not only BL1. The
reason is that they the files ``plat/common/aarch64/platform_helpers.S``
and ``plat/arm/common/aarch64/arm_helpers.S``, and the crash console
functions are defined as weak in both files. In practice, the linker
can pick the one in ``plat/common``, which simply switches the multi
console to crash mode when it wants to initialize the crash console.
In the case of Arm platforms, there are no console drivers registered
at that point, so nothing is printed.

This patch makes the functions in plat/arm strong so that they override
the weak functions in plat/common.

Change-Id: Id358db7d2567d7df0951790a695636cf6c9ac57f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The definitions FAIL_CONTROL_*_SHIFT were incorrect, they have been
fixed.

The types tzc_region_attributes_t and tzc_action_t have been removed and
replaced by unsigned int because it is not allowed to do logical
operations on enums.

Also, fix some address definitions in arm_def.h.

Change-Id: Id37941d76883f9fe5045a5f0a4224c133c504d8b
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>