Skip to content

GitLab

Switch branch/tag
  1. 28 Feb, 2019 1 commit
  3. 27 Feb, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored 
      

ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.

This feature is supported only in AArch64 state.

This feature is mandatory in ARMv8.3 implementations.

This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.

To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.

Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
    • Antonio Nino Diaz's avatar
      Cleanup context handling library · 4d1ccf0e
      Antonio Nino Diaz authored 
      

Minor style cleanup.

Change-Id: Ief19dece41a989e2e8157859a265701549f6c585
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      4d1ccf0e
  5. 26 Feb, 2019 3 commits
  7. 19 Feb, 2019 5 commits
  9. 14 Feb, 2019 1 commit
    • Antonio Nino Diaz's avatar
      Update macro to check need for CVE-2017-5715 mitigation · ff6f62e1
      Antonio Nino Diaz authored 
      

Armv8.5 introduces the field CSV2 to register ID_AA64PFR0_EL1. It can
have the following 3 values:

- 0: Branch targets trained in one hardware described context may affect
     speculative execution in a different hardware described context. In
     some CPUs it may be needed to apply mitigations.

- 1: Branch targets trained in one hardware described context can only
     affect speculative execution in a different hardware described
     context in a hard-to-determine way. No mitigation required.

- 2: Same as 1, but the device is also aware of SCXTNUM_ELx register
     contexts. The TF doesn't use the registers, so there is no
     difference with 1.

The field CSV2 was originally introduced in the TRM of the Cortex-A76
before the release of the Armv8.5 architecture. That TRM only mentions
the meaning of values 0 and 1. Because of this, the code only checks if
the field has value 1 to know whether to enable or disable the
mitigations.

This patch makes it aware of value 2 as well. Both values 1 and 2
disable the mitigation, and 0 enables it.

Change-Id: I5af33de25a0197c98173f52c6c8c77b51a51429f
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ff6f62e1
  11. 11 Feb, 2019 2 commits
    • Antonio Nino Diaz's avatar
      cpus: Add casts to all definitions in CPU headers · 1a74e4a8
      Antonio Nino Diaz authored 
      

There are some incorrect casts and some missing casts in the headers.
This patch fixes the ones that were 64-bit or 32-bit wide wrongly and
adds casts where they were missing.

Note that none of the changes of the patch actually changes the values
of the definitions. This patch is just for correctness.

Change-Id: Iad6458021bad521922ce4f91bafff38b116b49eb
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      1a74e4a8
    • Antonio Nino Diaz's avatar
      cpus: Fix some incorrect definitions in CPU headers · a69817ed
      Antonio Nino Diaz authored 
      

There are some values that should be 64-bit immediates but that resolve
to 0 because the type of the value is 32-bit wide. This patch casts the
expressions to 64-bit before the shift so that the definition has the
correct value.

The definitions are only used in assembly so far, so the code is not
actually affected by this bug. The assembler treats all values as 64-bit
values, so there are no overflows.

Change-Id: I965e4be631c1d28787c0913661d224c82a6b9155
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a69817ed
  13. 08 Feb, 2019 1 commit
  15. 30 Jan, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Remove support for the SMC Calling Convention 2.0 · 0709055e
      Antonio Nino Diaz authored 
      This reverts commit 2f370465

 ("Add support for the SMC Calling
Convention 2.0").

SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.

The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.

Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      0709055e
    • Sathees Balya's avatar
      lib/xlat_tables: Add support for ARMv8.4-TTST · cedfa04b
      Sathees Balya authored 
      

ARMv8.4-TTST (Small Translation tables) relaxes the lower limit on the
size of translation tables by increasing the maximum permitted value
of the T1SZ and T0SZ fields in TCR_EL1, TCR_EL2, TCR_EL3, VTCR_EL2 and
VSTCR_EL2.

This feature is supported in AArch64 state only.

This patch adds support for this feature to both versions of the
translation tables library. It also removes the static build time
checks for virtual address space size checks to runtime assertions.

Change-Id: I4e8cebc197ec1c2092dc7d307486616786e6c093
Signed-off-by: default avatarSathees Balya <sathees.balya@arm.com>
      cedfa04b
  17. 04 Jan, 2019 2 commits
    • Antonio Nino Diaz's avatar
      Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored 
      Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      09d40e0e
    • Antonio Nino Diaz's avatar
      Reorganize architecture-dependent header files · f5478ded
      Antonio Nino Diaz authored 
      

The architecture dependant header files in include/lib/${ARCH} and
include/common/${ARCH} have been moved to /include/arch/${ARCH}.

Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      f5478ded
  19. 03 Jan, 2019 1 commit
  21. 18 Dec, 2018 3 commits
  23. 11 Dec, 2018 2 commits
  25. 10 Dec, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Use SSBS for CVE_2018_3639 mitigation · 48e1d350
      Jeenu Viswambharan authored 
      

The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
Armv8.5 feature, this can be implemented by CPUs implementing earlier
version of the architecture.

With this patch, when both PSTATE.SSBS is implemented and
DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
indicate that mitigation on the PE is either permanently enabled or not
required.

When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
of every BL stage. This means that EL3 always executes with mitigation
applied.

For Cortex A76, if the PE implements SSBS, the existing mitigation (by
using a different vector table, and tweaking CPU ACTLR2) is not used.

Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      48e1d350
  27. 26 Nov, 2018 2 commits
    • Joel Hutton's avatar
      Initial Spectre V1 mitigations (CVE-2017-5753). · 9edd8912
      Joel Hutton authored 
      Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.

Add a macro which makes a variable 'speculation safe', using the
 __builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.

The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.

Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a

    ISB
    DSB SY

sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a

    CSEL tracker, tracker, XZR, [cond];
    AND safeval,tracker;
    CSDB

sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations



The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.

Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9edd8912
    • Antonio Nino Diaz's avatar
      Synchronise arch.h and arch_helpers.h with TF-A-Tests · 932b3ae2
      Antonio Nino Diaz authored 
      

The headers forked at some point in the past and have diverged a lot. In
order to make it easier to share code between TF-A-Tests and TF-A, this
patch synchronises most of the definitions in the mentioned headers.

This is not a complete sync, it has to be followed by more cleanup.

This patch also removes the read helpers for the AArch32 instructions
ats1cpr and ats1hr (they are write-only).

Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      932b3ae2
  29. 22 Nov, 2018 2 commits
    • Antonio Nino Diaz's avatar
      Revert "aarch32: Apply workaround for errata 813419 of Cortex-A57" · c4cdd9e4
      Antonio Nino Diaz authored 
      This reverts commit 6f512a3d

.

According to the 'Cortex-A57 MPCore Software Developers Errata Notice':

    This bug will only affect secure AArch64 EL3. If the above
    conditions occur, the CPU will not invalidate the targeted EL3 TLB
    entries and incorrect translations might occur.

For this reason it is not needed in AArch32.

Change-Id: I6f7b333817515499723e8f306145790ad6af9975
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c4cdd9e4
    • Antonio Nino Diaz's avatar
      xlat v2: Support mapping regions with allocated VA · 9056f108
      Antonio Nino Diaz authored 
      

Provide new APIs to add new regions without specifying the base VA.

- `mmap_add_region_alloc_va` adds a static region to mmap choosing as
  base VA the first possible address after all the currently mapped
  regions. It is aligned to an appropriate boundary in relation to the
  size and base PA of the requested region. No attempt is made to fill
  any unused VA holes.

- `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
  `mmap_add_region_alloc_va` does, but it's dynamic instead of static.

- `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
  maps them in the same way as `mmap_add_region_alloc_va` and fills
  their `base_va` field. A helper macro has been created to help create
  the array, called `MAP_REGION_ALLOC_VA`.

Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      9056f108
  31. 15 Nov, 2018 1 commit
  33. 09 Nov, 2018 1 commit
    • Yann Gautier's avatar
      psci: put __dead2 attribute after void in plat_psci_ops · 3c471c35
      Yann Gautier authored 
      

These warnings were issued by sparse:
plat/st/stm32mp1/stm32mp1_pm.c:365:36:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] pwr_domain_pwr_down_wfi )( ... )
    got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:366:23:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] system_off )( ... )
    got void ( [noreturn] *<noident> )( ... )
plat/st/stm32mp1/stm32mp1_pm.c:367:25:
 warning: incorrect type in initializer (different modifiers)
    expected void ( *[noreturn] system_reset )( ... )
    got void ( [noreturn] *<noident> )( ... )

This cannot be changed the other way in all platforms pm drivers
or else there is a compilation error:
plat/st/stm32mp1/stm32mp1_pm.c:234:1: error: attributes should be specified
 before the declarator in a function definition
Signed-off-by: default avatarYann Gautier <yann.gautier@st.com>
      3c471c35
  35. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored 
      

All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.

The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.

The exceptions are files that are imported from other projects:

- CryptoCell driver
- dt-bindings folders
- zlib headers

Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  37. 02 Nov, 2018 1 commit
  39. 01 Nov, 2018 2 commits
  41. 30 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      libfdt: Downgrade to version 1.4.6-9 · 00f588bf
      Antonio Nino Diaz authored 
      

Version 1.4.7 introduces a big performance hit to functions that access
the FDT. Downgrade the library to version 1.4.6-9, before the changes
that introduce the problem. Version 1.4.6 isn't used because one of the
libfdt files (fdt_overlay.c) is missing the license header. This
problem is also fixed in 1.4.6-9.

This version corresponds to commit <aadd0b65c987> checks: centralize
printing of property names in failure messages.

Fixes ARM-software/tf-issues#643

Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      00f588bf
  43. 29 Oct, 2018 3 commits