GitLab

Reported the status (applies, missing) of AT speculative workaround
which is applicable for below CPUs.

 +---------+--------------+
 | Errata  |      CPU     |
 +=========+==============+
 | 1165522 |  Cortex-A76  |
 +---------+--------------+
 | 1319367 |  Cortex-A72  |
 +---------+--------------+
 | 1319537 |  Cortex-A57  |
 +---------+--------------+
 | 1530923 |  Cortex-A55  |
 +---------+--------------+
 | 1530924 |  Cortex-A53  |
 +---------+--------------+

Also, changes are done to enable common macro 'ERRATA_SPECULATIVE_AT'
if AT speculative errata workaround is enabled for any of the above
CPUs using 'ERRATA_*' CPU specific build macro.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I3e6a5316a2564071f3920c3ce9ae9a29adbe435b

In case of AT speculative workaround applied, page table walk
is disabled for lower ELs (EL1 and EL0) in EL3.
Hence added a wrapper function which temporarily enables page
table walk to execute AT instruction for lower ELs and then
disables page table walk.

Execute AT instructions directly for lower ELs (EL1 and EL0)
assuming page table walk is enabled always when AT speculative
workaround is not applied.

Change-Id: I4ad4c0bcbb761448af257e9f72ae979473c0dde8
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

As per latest mailing communication [1], we decided to
update AT speculative workaround implementation in order to
disable page table walk for lower ELs(EL1 or EL0) immediately
after context switching to EL3 from lower ELs.

Previous implementation of AT speculative workaround is available
here: 45aecff0

AT speculative workaround is updated as below:
1. Avoid saving and restoring of SCTLR and TCR registers for EL1
   in context save and restore routine respectively.
2. On EL3 entry, save SCTLR and TCR registers for EL1.
3. On EL3 entry, update EL1 system registers to disable stage 1
   page table walk for lower ELs (EL1 and EL0) and enable EL1
   MMU.
4. On EL3 exit, restore SCTLR and TCR registers for EL1 which
   are saved in step 2.

[1]:
https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html



Change-Id: Iee8de16f81dc970a8f492726f2ddd57e7bd9ffb5
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

SCTLR and TCR registers of EL1 plays role in enabling/disabling of
page table walk for lower ELs (EL0 and EL1).
Hence re-arranged EL1 context offsets to have SCTLR and TCR registers
values one after another in the stack so that these registers values
can be saved and restored using stp and ldp instruction respectively.

Change-Id: Iaa28fd9eba82a60932b6b6d85ec8857a9acd5f8b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

As per latest mailing communication [1], we decided
not to update SCTLR and TCR registers in EL1 and EL2 context
restore routine when AT speculative workaround is enabled
hence reverted the changes done as part of this commit: 45aecff0.

[1]:
https://lists.trustedfirmware.org/pipermail/tf-a/2020-July/000586.html



Change-Id: I8c5f31d81fcd53770a610e302a5005d98772b71f
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

SP804 TIMER is not platform specific, and current code base adds
multiple defines to use this driver. Like FVP_USE_SP804_TIMER and
FVP_VE_USE_SP804_TIMER.

This patch removes platform specific build flag and adds generic
flag `USE_SP804_TIMER` to be set to 1 by platform if needed.

Change-Id: I5ab792c189885fd1b98ddd187f3a38ebdd0baba2
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

* changes:
  doc: Mention the TF-A Tech Forum as a way to contact developers
  doc: Emphasize that security issues must not be reported as normal bugs

* changes:
  Tegra: memctrl: remove unused TZRAM setup function
  Tegra: reorganize drivers and lib folders

Include the GICv2 makefile in STM32MP1 SP_min makefile, and use
${GICV2_SOURCES} instead of taking drivers/arm/gic files directly.

Change-Id: Ibcaed5b0bd17f6d8cf200e208c11cc10cd6d2ee5
Signed-off-by: Yann Gautier <yann.gautier@st.com>

* changes:
  SPM: Add owner field to cactus secure partitions
  SPM: Alter sp_gen.mk entry depending on owner of partition
  plat/arm: enable support for Plat owned SPs

For supporting dualroot CoT for Secure Partitions a new optional field
"owner" is introduced which will be used to sign the SP with
corresponding signing domain. To demonstrate its usage, this patch adds
owners to cactus Secure Partitions.
Signed-off-by: Ruari Phipps <ruari.phipps@arm.com>
Change-Id: I7b760580355fc92edf5402cecc38c38125dc1cae

With recently introduced dualroot CoT for SPs where they are owned
either by SiP or by Platform. SiP owned SPs index starts at SP_PKG1_ID
while Plat owned SPs index starts at SP_PKG5_ID.

This patch modifies SP makefile generator script to take CoT as an
argument and if it is "dualroot" then generates SP_PKG in order
mentioned above, otherwise generates it sequentially.
Signed-off-by: Ruari Phipps <ruari.phipps@arm.com>
Change-Id: Iffad1131787be650a9462f6f8cc09b603cddb3b8

For Arm platforms SPs are loaded by parsing tb_fw_config.dts and
adding them to SP structure sequentially, which in-turn is appended to
loadable image list.

With recently introduced dualroot CoT for SPs where they are owned
either by SiP or by Platform. SiP owned SPs index starts at SP_PKG1_ID
and Plat owned SPs index starts at SP_PKG5_ID. As the start index of SP
depends on the owner, there should be a mechanism to parse owner of a SP
and put it at the correct index in SP structure.

This patch adds support for parsing a new optional field "owner" and
based on it put SP details(UUID & Load-address) at the correct index in
SP structure.

Change-Id: Ibd255b60d5c45023cc7fdb10971bef6626cb560b
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Ensuring that each file changed by a patch has the correct copyright and
license information does not only apply to documentation files but to
all files within the source tree.

Move the guidance for copyright and license headers out of the paragraph
about updating the documentation to avoid any confusion.

Also do some cosmetic changes (adding empty lines, fitting in longer
lines in the 80-column limit, ...) to improve the readability of the RST
file.

Change-Id: I241a2089ca9db70f5a9f26b7070b947674b43265
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Change-Id: Ib4ad853ebb6e28adcf9ed14714d43799f9370343
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Change-Id: I43e452c9993a8608b20ec029562982f5dcf8e6b2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

We have noticed that Phabricator (the ticketing system on tf.org [1])
has far less visibility within the community than the mailing list [2].
For this reason, let's drop usage of Phabricator for anything else than
bug reports. For the rest, advise contributors to start a discussion on
the mailing list, where they are more likely to get feedback.

[1] https://developer.trustedfirmware.org/project/board/1/
[2] https://lists.trustedfirmware.org/mailman/listinfo/tf-a



Change-Id: I7d2d3d305ad0a0f8aacc2a2f25eb5ff429853a3f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

* changes:
  dualroot: add chain of trust for Platform owned SPs
  cert_create: add Platform owned secure partitions support

* changes:
  Specify signed-ness of constants
  Prevent colliding identifiers

This resolves MISRA defects such as:

    plat/common/plat_bl1_common.c:63:[MISRA C-2012 Rule 14.4 (required)]
    The condition expression "1" does not have an essentially boolean type.

Change-Id: I679411980ad661191fbc834a44a5eca5494fd0e2
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

We relyed on the default signed-ness of constants, which is usually
signed. This can create MISRA violations, such as:

     bl1/bl1_main.c:257:[MISRA C-2012 10.8 (required)] Cast of composite
     expression off essential type signed to essential type unsigned

These constants were only used as unsigned, so this patch makes them
explicitly unsigned.

Change-Id: I5f1310c881e936077035fbb1d5ffb449b45de3ad
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

There was a collision between the name of the typedef in the CASSERT and
something else, so we make the name of the typedef unique to the
invocation of DEFFINE_SVC_UUID2 by appending the name that's passed into
the macro. This eliminates the following MISRA violation:

    bl1/bl1_main.c:233:[MISRA C-2012 Rule 5.6 (required)] Identifier
    "invalid_svc_uuid" is already used to represent a typedef.

This also resolves MISRA rule 5.9.

These renamings are as follows:
  * tzram -> secram. This matches the function call name as it has
  sec_mem in it's  name
  * fw_config_base -> config_base. This file does not mess with
  hw_conig, so there's little chance of confusion

Change-Id: I8734ba0956140c8e29b89d0596d10d61a6ef351e
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

This patch adds RNG driver and use it to generate random number for stack
protection.

Change-Id: I73d79e68d08b5aa902dc7fad48e17a03f996178d
Signed-off-by: Saurabh Gorecha <sgorecha@codeaurora.org>

Following f3ccf036

 the INFO print in amu_enable is causing
a lot of print outs on UART1 in DEBUG mode especially on PSCI test
cases because CPU_ON or SUSPEND operations call:
cm_prepare_el3_exit => enable_extensions_nonsecure => amu_enable.
PSCI SUSPEND is also very frequent in linux boot cases causing test
timeout failures.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I63581f8fa489d44b3b1d10af3b7f6fdf3af44720

For dualroot CoT there are two sets of SP certificates, one owned by
Silicon Provider(SiP) and other owned by Platform. Each certificate can
have a maximum of 4 SPs.

This patch reduces the number of SiP owned SPs from 8 to 4 and adds
the remaining 4 to Plat owned SP.
Plat owned SP certificate is signed using Platform RoT key and
protected against anti-rollback using the Non-trusted Non-volatile
counter.

Change-Id: Idc3ddd87d6d85a5506a7435f45a6ec17c4c50425
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Add support to generate a certificate named "plat-sp-cert" for Secure
Partitions(SP) owned by Platform.
Earlier a single certificate file "sip-sp-cert" was generated which
contained hash of all 8 SPs, with this change SPs are divided into
two categories viz "SiP owned" and "Plat owned" containing 4 SPs each.

Platform RoT key pair is used for signing.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6

* changes:
  docs: marvell: update PHY porting layer description
  docs: marvell: update path in marvell documentation
  docs: marvell: update build instructions with CN913x
  plat: marvell: octeontx: add support for t9130
  plat: marvell: t9130: add SVC support
  plat: marvell: t9130: update AVS settings
  plat: marvell: t9130: pass actual CP count for load_image
  plat: marvell: armada: a7k: add support to SVC validation mode
  plat: marvell: armada: add support for twin-die combined memory device

This patch fixes the bug when AMUv1 group1 counters was
always assumed being implemented without checking for its
presence which was causing exception otherwise.
The AMU extension code was also modified as listed below:
- Added detection of AMUv1 for ARMv8.6
- 'PLAT_AMU_GROUP1_NR_COUNTERS' build option is removed and
number of group1 counters 'AMU_GROUP1_NR_COUNTERS' is now
calculated based on 'AMU_GROUP1_COUNTERS_MASK' value
- Added bit fields definitions and access functions for
AMCFGR_EL0/AMCFGR and AMCGCR_EL0/AMCGCR registers
- Unification of amu.c Aarch64 and Aarch32 source files
- Bug fixes and TF-A coding style compliant changes.

Change-Id: I14e407be62c3026ebc674ec7045e240ccb71e1fb
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>