1. 11 Dec, 2018 2 commits
  2. 10 Dec, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Use SSBS for CVE_2018_3639 mitigation · 48e1d350
      Jeenu Viswambharan authored
      
      
      The Armv8.5 extensions introduces PSTATE.SSBS (Speculation Store Bypass
      Safe) bit to mitigate against Variant 4 vulnerabilities. Although an
      Armv8.5 feature, this can be implemented by CPUs implementing earlier
      version of the architecture.
      
      With this patch, when both PSTATE.SSBS is implemented and
      DYNAMIC_WORKAROUND_CVE_2018_3639 is active, querying for
      SMCCC_ARCH_WORKAROUND_2 via. SMCCC_ARCH_FEATURES call would return 1 to
      indicate that mitigation on the PE is either permanently enabled or not
      required.
      
      When SSBS is implemented, SCTLR_EL3.DSSBS is initialized to 0 at reset
      of every BL stage. This means that EL3 always executes with mitigation
      applied.
      
      For Cortex A76, if the PE implements SSBS, the existing mitigation (by
      using a different vector table, and tweaking CPU ACTLR2) is not used.
      
      Change-Id: Ib0386c5714184144d4747951751c2fc6ba4242b6
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      48e1d350
  3. 26 Nov, 2018 2 commits
    • Joel Hutton's avatar
      Initial Spectre V1 mitigations (CVE-2017-5753). · 9edd8912
      Joel Hutton authored
      Initial Spectre Variant 1 mitigations (CVE-2017-5753).
      A potential speculative data leak was found in PSCI code, this depends
      on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
      function. This is considered very low-risk. This patch adds a macro to
      mitigate this. Note not all code paths could be analyzed with current
      tools.
      
      Add a macro which makes a variable 'speculation safe', using the
       __builtin_speculation_safe_value function of GCC and llvm. This will be
      available in GCC 9, and is planned for llvm, but is not currently in
      mainline GCC or llvm. In order to implement this mitigation the compiler
      must support this builtin. Support is indicated by the
      __HAVE_SPECULATION_SAFE_VALUE flag.
      
      The -mtrack-speculation option maintains a 'tracker' register, which
      determines if the processor is in false speculation at any point. This
      adds instructions and increases code size, but avoids the performance
      impact of a hard barrier.
      
      Without the -mtrack-speculation option, __builtin_speculation_safe_value
      expands to a
      
          ISB
          DSB SY
      
      sequence after a conditional branch, before the
      speculation safe variable is used. With -mtrack-speculation a
      
          CSEL tracker, tracker, XZR, [cond];
          AND safeval,tracker;
          CSDB
      
      sequence is added instead, clearing the vulnerable variable by
      AND'ing it with the tracker register, which is zero during speculative
      execution. [cond] are the status flags which will only be true during
      speculative execution. For more information on
      __builtin_speculation_safe_value and the -mtrack-speculation option see
      https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations
      
      
      
      The -mtracking option was not added, as the performance impact of the
      mitigation is low, and there is only one occurence.
      
      Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
      Signed-off-by: default avatarJoel Hutton <Joel.Hutton@Arm.com>
      9edd8912
    • Antonio Nino Diaz's avatar
      Synchronise arch.h and arch_helpers.h with TF-A-Tests · 932b3ae2
      Antonio Nino Diaz authored
      
      
      The headers forked at some point in the past and have diverged a lot. In
      order to make it easier to share code between TF-A-Tests and TF-A, this
      patch synchronises most of the definitions in the mentioned headers.
      
      This is not a complete sync, it has to be followed by more cleanup.
      
      This patch also removes the read helpers for the AArch32 instructions
      ats1cpr and ats1hr (they are write-only).
      
      Change-Id: Id13ecd7aeb83bd2318cd47156d71a42f1c9f6ba2
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      932b3ae2
  4. 22 Nov, 2018 2 commits
    • Antonio Nino Diaz's avatar
      Revert "aarch32: Apply workaround for errata 813419 of Cortex-A57" · c4cdd9e4
      Antonio Nino Diaz authored
      This reverts commit 6f512a3d
      
      .
      
      According to the 'Cortex-A57 MPCore Software Developers Errata Notice':
      
          This bug will only affect secure AArch64 EL3. If the above
          conditions occur, the CPU will not invalidate the targeted EL3 TLB
          entries and incorrect translations might occur.
      
      For this reason it is not needed in AArch32.
      
      Change-Id: I6f7b333817515499723e8f306145790ad6af9975
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c4cdd9e4
    • Antonio Nino Diaz's avatar
      xlat v2: Support mapping regions with allocated VA · 9056f108
      Antonio Nino Diaz authored
      
      
      Provide new APIs to add new regions without specifying the base VA.
      
      - `mmap_add_region_alloc_va` adds a static region to mmap choosing as
        base VA the first possible address after all the currently mapped
        regions. It is aligned to an appropriate boundary in relation to the
        size and base PA of the requested region. No attempt is made to fill
        any unused VA holes.
      
      - `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
        `mmap_add_region_alloc_va` does, but it's dynamic instead of static.
      
      - `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
        maps them in the same way as `mmap_add_region_alloc_va` and fills
        their `base_va` field. A helper macro has been created to help create
        the array, called `MAP_REGION_ALLOC_VA`.
      
      Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      9056f108
  5. 15 Nov, 2018 1 commit
  6. 09 Nov, 2018 1 commit
    • Yann Gautier's avatar
      psci: put __dead2 attribute after void in plat_psci_ops · 3c471c35
      Yann Gautier authored
      
      
      These warnings were issued by sparse:
      plat/st/stm32mp1/stm32mp1_pm.c:365:36:
       warning: incorrect type in initializer (different modifiers)
          expected void ( *[noreturn] pwr_domain_pwr_down_wfi )( ... )
          got void ( [noreturn] *<noident> )( ... )
      plat/st/stm32mp1/stm32mp1_pm.c:366:23:
       warning: incorrect type in initializer (different modifiers)
          expected void ( *[noreturn] system_off )( ... )
          got void ( [noreturn] *<noident> )( ... )
      plat/st/stm32mp1/stm32mp1_pm.c:367:25:
       warning: incorrect type in initializer (different modifiers)
          expected void ( *[noreturn] system_reset )( ... )
          got void ( [noreturn] *<noident> )( ... )
      
      This cannot be changed the other way in all platforms pm drivers
      or else there is a compilation error:
      plat/st/stm32mp1/stm32mp1_pm.c:234:1: error: attributes should be specified
       before the declarator in a function definition
      Signed-off-by: default avatarYann Gautier <yann.gautier@st.com>
      3c471c35
  7. 08 Nov, 2018 1 commit
    • Antonio Nino Diaz's avatar
      Standardise header guards across codebase · c3cf06f1
      Antonio Nino Diaz authored
      
      
      All identifiers, regardless of use, that start with two underscores are
      reserved. This means they can't be used in header guards.
      
      The style that this project is now to use the full name of the file in
      capital letters followed by 'H'. For example, for a file called
      "uart_example.h", the header guard is UART_EXAMPLE_H.
      
      The exceptions are files that are imported from other projects:
      
      - CryptoCell driver
      - dt-bindings folders
      - zlib headers
      
      Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      c3cf06f1
  8. 02 Nov, 2018 1 commit
  9. 01 Nov, 2018 2 commits
  10. 30 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      libfdt: Downgrade to version 1.4.6-9 · 00f588bf
      Antonio Nino Diaz authored
      
      
      Version 1.4.7 introduces a big performance hit to functions that access
      the FDT. Downgrade the library to version 1.4.6-9, before the changes
      that introduce the problem. Version 1.4.6 isn't used because one of the
      libfdt files (fdt_overlay.c) is missing the license header. This
      problem is also fixed in 1.4.6-9.
      
      This version corresponds to commit <aadd0b65c987> checks: centralize
      printing of property names in failure messages.
      
      Fixes ARM-software/tf-issues#643
      
      Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      00f588bf
  11. 29 Oct, 2018 6 commits
    • Antonio Nino Diaz's avatar
      Fix MISRA defects in PMF · 195e363f
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: I64abd72026082218a40b1a4b8f7dc26ff2478ba6
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      195e363f
    • Antonio Nino Diaz's avatar
      Fix MISRA defects in workaround and errata framework · 43534997
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: Iaab0310848be587b635ce5339726e92a50f534e0
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      43534997
    • Antonio Nino Diaz's avatar
      Fix MISRA defects in extension libs · 40daecc1
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: I2f28f20944f552447ac4e9e755493cd7c0ea1192
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      40daecc1
    • Soby Mathew's avatar
      Make errata reporting mandatory for CPU files · 12af5ed4
      Soby Mathew authored
      
      
      Previously the errata reporting was optional for CPU operation
      files and this was achieved by making use of weak reference to
      resolve to 0 if the symbol is not defined. This is error prone
      when adding new CPU operation files and weak references are
      problematic when fixing up dynamic relocations. Hence this patch
      removes the weak reference and makes it mandatory for the CPU
      operation files to define the errata reporting function.
      
      Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      12af5ed4
    • Soby Mathew's avatar
      PIE: Use PC relative adrp/adr for symbol reference · f1722b69
      Soby Mathew authored
      
      
      This patch fixes up the AArch64 assembly code to use
      adrp/adr instructions instead of ldr instruction for
      reference to symbols. This allows these assembly
      sequences to be Position Independant. Note that the
      the reference to sizes have been replaced with
      calculation of size at runtime. This is because size
      is a constant value and does not depend on execution
      address and using PC relative instructions for loading
      them makes them relative to execution address. Also
      we cannot use `ldr` instruction to load size as it
      generates a dynamic relocation entry which must *not*
      be fixed up and it is difficult for a dynamic loader
      to differentiate which entries need to be skipped.
      
      Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      f1722b69
    • Soby Mathew's avatar
      Add helper to return reference to a symbol · 6a7b3005
      Soby Mathew authored
      
      
      This patch adds a utility function to return
      the address of a symbol. By default, the compiler
      generates adr/adrp instruction pair to return
      the reference and this utility is used to override
      this compiler generated to code and use `ldr`
      instruction.
      
      This is needed for Position Independent Executable
      when it needs to reference a symbol which is constant
      and does not depend on the execute address of the
      binary.
      
      For example, on the FVP, the GICv3 register context is
      stored in a secure carveout (arm_el3_tzc_dram) within
      DDR and does not relocate with the BL image. Now if
      BL31 is executing at a different address other than
      the compiled address, using adrp/adr instructions to
      reference this memory will not work as they generate an
      address that is PC relative. The way to get around this
      problem is to reference it as non-PC relative (i.e
      non-relocatable location) via `ldr` instruction.
      
      Change-Id: I5008a951b007144258121690afb68dc8e12ee6f7
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      6a7b3005
  12. 26 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat: Fix compatibility between v1 and v2 · 03987d01
      Antonio Nino Diaz authored
      
      
      There are several platforms using arm_setup_page_tables(), which is
      supposed to be Arm platform only. This creates several dependency
      problems between platforms.
      
      This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
      v2 makefile. This way it is possible to detect from C code which version
      is being used and include the correct header.
      
      The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
      moved to a common folder. This way, when in doubt, this header can be
      used to guarantee compatibility, as it includes the correct header based
      on XLAT_TABLES_LIB_V2.
      
      This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
      that is now locked in xlat lib v2) and ZynqMP (where it was added as a
      workaround).
      
      Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      03987d01
  13. 23 Oct, 2018 3 commits
  14. 18 Oct, 2018 1 commit
  15. 16 Oct, 2018 1 commit
    • Jeenu Viswambharan's avatar
      AArch64: Enable lower ELs to use pointer authentication · 3ff4aaac
      Jeenu Viswambharan authored
      
      
      Pointer authentication is an Armv8.3 feature that introduces
      instructions that can be used to authenticate and verify pointers.
      
      Pointer authentication instructions are allowed to be accessed from all
      ELs but only when EL3 explicitly allows for it; otherwise, their usage
      will trap to EL3. Since EL3 doesn't have trap handling in place, this
      patch unconditionally disables all related traps to EL3 to avoid
      potential misconfiguration leading to an unhandled EL3 exception.
      
      Fixes ARM-software/tf-issues#629
      
      Change-Id: I9bd2efe0dc714196f503713b721ffbf05672c14d
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      3ff4aaac
  16. 15 Oct, 2018 1 commit
  17. 11 Oct, 2018 1 commit
    • Sandrine Bailleux's avatar
      Introduce object pool allocator · 9cc4651c
      Sandrine Bailleux authored
      
      
      The object pool allocator provides a simplistic interface to manage
      allocation in a fixed-size static array. The caller creates a static
      "object pool" out of such an array and may then call pool_alloc() to
      get the next available object within the pool. There is also a variant
      to get multiple consecutive objects: pool_alloc_n().
      
      Note that this interface does not provide any way to free the objects
      afterwards. This is by design and it is not a limitation. We do not
      want to introduce complexity induced by memory freeing, such as
      use-after-free bugs, memory fragmentation and so on.
      
      Change-Id: Iefc2e153767851fbde5841a295f92ae48adda71f
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      9cc4651c
  18. 04 Oct, 2018 1 commit
  19. 03 Oct, 2018 1 commit
    • Daniel Boulby's avatar
      Introduce RECLAIM_INIT_CODE build flag · 1dcc28cf
      Daniel Boulby authored
      
      
      This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
      code which allows platforms to place this memory in an appropriate
      section to be reclaimed later. This features is primarily targeted for
      BL31. Appropriate documentation updates are also done.
      
      Change-Id: If0ca062851614805d769c332c771083d46599194
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      1dcc28cf
  20. 28 Sep, 2018 5 commits
  21. 25 Sep, 2018 1 commit
  22. 20 Sep, 2018 1 commit
  23. 05 Sep, 2018 3 commits
    • Jeenu Viswambharan's avatar
      ARMv7: Alias dmbld() to dmb() · e43422b7
      Jeenu Viswambharan authored
      
      
      'dmb ld' is not a recognized instruction for ARMv7. Since generic code
      may use 'dmb ld', alias it to 'dmb' when building for ARMv7.
      
      Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      e43422b7
    • Varun Wadekar's avatar
      cpus: denver: Implement static workaround for CVE-2018-3639 · 6cf8d65f
      Varun Wadekar authored
      
      
      For Denver CPUs, this approach enables the mitigation during EL3
      initialization, following every PE reset. No mechanism is provided to
      disable the mitigation at runtime.
      
      This approach permanently mitigates the EL3 software stack only. Other
      software components are responsible to enable it for their exception
      levels.
      
      TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
      and earlier:
      
      *   By setting bit 11 (Disable speculative store buffering) of
          `ACTLR_EL3`
      
      *   By setting bit 9 (Disable speculative memory disambiguation) of
          `ACTLR_EL3`
      
      TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
      and later:
      
      *   By setting bit 18 (Disable speculative store buffering) of
          `ACTLR_EL3`
      
      *   By setting bit 17 (Disable speculative memory disambiguation) of
          `ACTLR_EL3`
      
      Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      6cf8d65f
    • Varun Wadekar's avatar
      cpus: denver: reset power state to 'C1' on boot · cf3ed0dc
      Varun Wadekar authored
      
      
      Denver CPUs expect the power state field to be reset to 'C1'
      during boot. This patch updates the reset handler to reset the
      ACTLR_.PMSTATE field to 'C1' state during CPU boot.
      
      Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      cf3ed0dc