GitLab

To demonstrate communication between SP's two instances of Cactus at
S-EL1 has been used.
This patch replaces Ivy SP with cactus-secondary SP which aligns with
changes in tf-a-tests repository.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iee84f1f7f023b7c4f23fbc13682a42614a7f3707

When using the SPM Dispatcher, the SPMC sits as a BL32 component
(BL32_IMAGE_ID). The SPMC manifest is passed as the TOS fw config
component (TOS_FW_CONFIG_ID). It defines platform specific attributes
(memory range and physical CPU layout) as well as the attributes for
each secure partition (mostly load address). This manifest is passed
to the SPMC on boot up. An SP package contains the SP dtb in the SPCI
defined partition manifest format. As the SPMC manifest was enriched
it needs an increase of tos_fw-config max-size in fvp_fw_config dts.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia1dce00c6c4cbaa118fa56617980d32e2956a94e

Rather than creating entry in plat_arm_mmap array to map the
entire DRAM region in BL31/SP_MIN, only map a smaller region holding
HW_CONFIG DTB. Consequently, an increase in number of sub-translation
tables(level-2 and level-3) i.e., MAX_XLAT_TABLES is necessary to map
the new region in memory.

In order to accommodate the increased code size in BL31 i.e.,
PROGBITS, the max size of BL31 image is increased by 0x1000(4K).

Change-Id: I540b8ee550588e22a3a9fb218183d2ab8061c851
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
removes the duplicate io_policies and functions definition.

This patch:
- replace arm_io_storage.c with the content of arm_fconf_io_storage.c
- rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
- use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
- propagate DEFINES when parsing dts.
- use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
- set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
  of fvp stays the same as it was before the introduction of fconf.

Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

This patch introduces the `SPCI_ID_GET` interface which will return the
ID of the calling SPCI component. Returns 0 for requests from the
non-secure world and the SPCI component ID as specified in the manifest
for secure world requests.

Change-Id: Icf81eb1d0e1d7d5c521571e04972b6e2d356e0d1
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>

The motivation behind this patch and following patches is to extract
information about the platform in runtime rather than depending on
compile time macros such as FVP_CLUSTER_COUNT. This partially enables
us to use a single binary for a family of platforms which all have
similar hardware capabilities but differ in configurations.

we populate the data structure describing the power domain hierarchy
of the platform dynamically by querying the number of clusters and cpus
using fconf getter APIs. Compile time macro such as FVP_CLUSTER_COUNT
is still needed as it determines the size of related data structures.

Note that the cpu-map node in HW_CONFIG dts represents a logical
hierarchy of power domains of CPU. However, in reality, the power
domains may not have been physically built in such hierarchy.

Change-Id: Ibcbb5ca7b2c969f8ad03ab2eab289725245af7a9
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Create, register( and implicitly invoke) fconf_populate_topology()
function which extracts the topology related properties from dtb into
the newly created fconf based configuration structure 'soc_topology'.
Appropriate libfdt APIs are added to jmptbl.i file for use with USE_ROMLIB
build feature.

A new property which describes the power domain levels is added to the
HW_CONFIG device tree source files.

This patch also fixes a minor bug in the common device tree file
fvp-base-gicv3-psci-dynamiq-common.dtsi
As this file includes fvp-base-gicv3-psci-common.dtsi, it is necessary
to delete all previous cluster node definitons because DynamIQ based
models have upto 8 CPUs in each cluster. If not deleted, the final dts
would have an inaccurate description of SoC topology, i.e., cluster0
with 8 or more core nodes and cluster1 with 4 core nodes.

Change-Id: I9eb406da3ba4732008a66c01afec7c9fa8ef59bf
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN.
Created few populator() functions which parse HW_CONFIG device tree
and registered them with fconf framework. Many of the changes are
only applicable for fvp platform.

This patch:
1. Adds necessary symbols and sections in BL31, SP_MIN linker script
2. Adds necessary memory map entry for translation in BL31, SP_MIN
3. Creates an abstraction layer for hardware configuration based on
   fconf framework
4. Adds necessary changes to build flow (makefiles)
5. Minimal callback to read hw_config dtb for capturing properties
   related to GIC(interrupt-controller node)
6. updates the fconf documentation

Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

This patch provides separation of GICD, GICR accessor
functions and adds new macros for GICv3 registers access
as a preparation for GICv3.1 and GICv4 support.
NOTE: Platforms need to modify to include both
'gicdv3_helpers.c' and 'gicrv3_helpers.c' instead of the
single helper file previously.

Change-Id: I1641bd6d217d6eb7d1228be3c4177b2d556da60a
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Added SPMD_SPM_AT_SEL2 build command line parameter.
Set to 1 to run SPM at S-EL2.
Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled).
Removed runtime EL from SPM core manifest.

Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Add load address and UUID in fw config dts for Cactus and Ivy which are
example SP's in tf-test repository.

For prototype purpose these information is added manually but later on
it will be updated at compile time from SP layout file and SP manifests
provided by platform.

Change-Id: I41f485e0245d882c7b514bad41fae34036597ce4
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

This patch fixes incorrect setting for DEVICE1_SIZE
for FVP platforms with more than 8 PEs.
The current value of 0x200000 supports only 8 PEs
and causes exception for FVP platforms with the greater
number of PEs, e.g. FVP_Base_Cortex_A65AEx8 with 16 PEs
in one cluster.

Change-Id: Ie6391509fe6eeafb8ba779303636cd762e7d21b2
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.
Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466

The cookie will be leveraged in the next commit.

Change-Id: Ie8bad275d856d84c27466461cf815529dd860446
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

For platforms that have two or more TZC400 controllers instantiated,
allow the TZC400 driver to be usable with all those instances.
This is achieved by allowing 'arm_tzc400_setup' function to accept
the base address of the TZC400 controller.

Change-Id: I4add470e6ddb58432cd066145e644112400ab924
Signed-off-by: Suyash Pathak <suyash.pathak@arm.com>

Also update copyright statements

Change-Id: Iba0305522ac0f2ddc4da99127fd773f340e67300
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

Change-Id: I686fd623b8264c85434853a2a26ecd71e9eeac01
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

When TF-A is built with RESET_TO_BL31=1 option, BL31 is the
first image to be run and should have all the memory allocated
to it except for the memory reserved for Shared RAM at the start
of Trusted SRAM.
This patch fixes FVP BL31 load address and its image size for
RESET_TO_BL31=1 option. BL31 startup address should be set to
0x400_1000 and its maximum image size to the size of Trusted SRAM
minus the first 4KB of shared memory.
Loading BL31 at 0x0402_0000 as it is currently stated in
'\docs\plat\arm\fvp\index.rst' causes EL3 exception when the
image size gets increased (i.e. building with LOG_LEVEL=50)
but doesn't exceed 0x3B000 not causing build error.

Change-Id: Ie450baaf247f1577112f8d143b24e76c39d33e91
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

This patch reserves and maps the Trusted DRAM for SPM core execution.
It also configures the TrustZone address space controller to run BL31
in secure DRAM.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: I7e1bb3bbc61a0fec6a9cb595964ff553620c21dc

This patch repurposes the TOS FW configuration file as the manifest for
the SPM core component which will reside at the secure EL adjacent to
EL3. The SPM dispatcher component will use the manifest to determine how
the core component must be initialised. Routines and data structure to
parse the manifest have also been added.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: Id94f8ece43b4e05609f0a1d364708a912f6203cb

Currently, an IO setup failure will be ignored on arm platform release
build. Change this to panic instead.

Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Use the firmware configuration framework to store the io_policies
information inside the configuration device tree instead of the static
structure in the code base.

The io_policies required by BL1 can't be inside the dtb, as this one is
loaded by BL1, and only available at BL2.

This change currently only applies to FVP platform.

Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

This patch introduces a better separation between the trusted-boot
related properties, and the dynamic configuration DTBs loading
information.

The dynamic configuration DTBs properties are moved to a new node:
`dtb-registry`. All the sub-nodes present will be provided to the
dynamic config framework to be loaded. The node currently only contains
the already defined configuration DTBs, but can be extended for future
features if necessary.
The dynamic config framework is modified to use the abstraction provided
by the fconf framework, instead of directly accessing the DTBs.

The trusted-boot properties are kept under the "arm,tb_fw" compatible
string, but in a separate `tb_fw-config` node.
The `tb_fw-config` property of the `dtb-registry` node simply points
to the load address of `fw_config`, as the `tb_fw-config` is currently
part of the same DTB.

Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Enables usage of ARM_ROTPK_LOCATION=regs for FVP board.
Removes hard-coded developer keys. Instead, setting
ARM_ROTPK_LOCATION=devel_* takes keys from default directory.
In case of ROT_KEY specified - generates a new hash and replaces the
original.

Note: Juno board was tested by original feature author and was not tested
for this patch since we don't have access to the private key. Juno
implementation was moved to board-specific file without changing
functionality. It is not known whether byte-swapping is still needed
for this platform.

Change-Id: I0fdbaca0415cdcd78f3a388551c2e478c01ed986
Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>

Stack usage reaches 90% with some configuration. Bump slightly the stack
size to prevent a stack-overflow.

Change-Id: I44ce8b12906586a42f152b7677785fcdc5e78ae1
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

This patch removes unnecessary header file includes
discovered by Coverity HFA option.

Change-Id: I2827c37c1c24866c87db0e206e681900545925d4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>

This patch adds 'fdtw_read_bytes' and 'fdtw_write_inplace_bytes'
functions for read/write array of bytes from/to a given property.
It also adds 'fdt_setprop_inplace_namelen_partial' to jmptbl.i
files for builds with USE_ROMLIB=1 option.

Change-Id: Ied7b5c8b38a0e21d508aa7bcf5893e656028b14d
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

NOTE for platform integrators:
   API `plat_psci_stat_get_residency()` third argument
   `last_cpu_idx` is changed from "signed int" to the
   "unsigned int" type.

Issue / Trouble points
1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
with typecasting at some places leading to coverity issues.

2. Underlying platform API's return cpu_idx as `unsigned int`
and comparison is performed with platform specific defines
`PLAFORM_xxx` which is not consistent

Misra Rule 10.4:
The value of a complex expression of integer type may only be cast to
a type that is narrower and of the same signedness as the underlying
type of the expression.

Based on above points, cpu_idx is kept as `unsigned int` to match
the API's and low-level functions and platform defines are updated
where ever required
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c

This patch removes re-definition of the following FVP build
options from plat\arm\board\fvp\fvp_def.h:
 'FVP_CLUSTER_COUNT'
 'FVP_MAX_CPUS_PER_CLUSTER'
 'FVP_MAX_PE_PER_CPU'
which are set in platform.mk.

This fixes a potential problem when a build option set in
platform.mk file can be re-defined in fvp_def.h header file
used by other build component with a different makefile which
does not set this option.
Ref. GENFW-3505.

Change-Id: I4288629920516acf2c239c7b733f92a0c5a812ff
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

The reclaim init code functionality relies on forward reference in the
linker script. The LLVM linker does not process it correctly.

Change-Id: I993aeb9587bfa07af25b60ed823a6a2c5e970c94
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>

Before adding any new SPM-related components we should first do
some cleanup around the existing SPM-MM implementation. The aim
is to make sure that any SPM-MM components have names that clearly
indicate that they are MM-related. Otherwise, when adding new SPM
code, it could quickly become confusing as it would be unclear to
which component the code belongs.

The secure_partition.h header is a clear example of this, as the
name is generic so it could easily apply to any SPM-related code,
when it is in fact SPM-MM specific.

This patch renames the file and the two structures defined within
it, and then modifies any references in files that use the header.

Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.

This patch removes:

- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions

Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>

There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.

Before: ENABLE_SPM=1 is required for using either implementation.
        By default, the SPCI-based implementation is enabled and
        this is overridden if SPM_MM=1.

After: ENABLE_SPM=1 enables the SPCI-based implementation.
       SPM_MM=1 enables the MM-based implementation.
       The two build flags are mutually exclusive.

Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.

Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Provide an SMC interface to the 9p filesystem. This permits
accessing firmware drivers through a common interface, using
standardized read/write/control operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9314662314bb060f6bc02714476574da158b2a7d

Previously the .init section was created even when the reclaim flag was
manually set to 0.

Change-Id: Ia9e7c7997261f54a4eca725d7ea605192f60bcf8
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
	       Zelalem Aweke <zelalem.aweke@arm.com>

ROMLIB extract functions code from BL images to put them inside ROM.
This has for effect to reduce the size of the BL images.

This patch take this size reduction into consideration to optimize the
memory layout of BL2.
A new "PLAT_ARM_BL2_ROMLIB_OPTIMIZATION" macro is defined and used to
reduce "PLAT_ARM_MAX_BL2_SIZE". This allows to remove the gap between
BL1 and BL2 when ROMLIB is used and provides more room for BL31.

The current memory gain is 0x6000 for fvp and 0x8000 for juno.

Change-Id: I71c2c2c63b57bce5b22a125efaefc486ff3e87be
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

The number of levels in the topology has not changed but the count of
processing elements on the lowest layer is now multiplied by the value
of FVP_MAX_PE_PER_CPU.
Signed-off-by: Imre Kis <imre.kis@arm.com>
Change-Id: Ia1568a40ea33dbbbcdfab6c8ab6d19f4db0b8eb4

Earlier PIE support was enabled for all arm platforms when
RESET_TO_BL31=1, but later on it was restricted only to FVP with patch
SHA d4580d17

 because of n1sdp platform.

Now it has been verified that PIE does work for n1sdp platform also, so
enabling it again for all arm platforms.

Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Change-Id: I1ea2bf088f1e001cdbd377cbfb7c6a2866af0422
Signed-off-by: Imre Kis <imre.kis@arm.com>

Change-Id: I645442d52a295706948e2cac88c36c1a3cb0bc47
Signed-off-by: Imre Kis <imre.kis@arm.com>