1. 10 Feb, 2020 1 commit
  2. 07 Feb, 2020 1 commit
    • Alexei Fedorov's avatar
      Make PAC demangling more generic · 68c76088
      Alexei Fedorov authored
      
      
      At the moment, address demangling is only used by the backtrace
      functionality. However, at some point, other parts of the TF-A
      codebase may want to use it.
      The 'demangle_address' function is replaced with a single XPACI
      instruction which is also added in 'do_crash_reporting()'.
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      Change-Id: I4424dcd54d5bf0a5f9b2a0a84c4e565eec7329ec
      68c76088
  3. 04 Feb, 2020 1 commit
  4. 28 Jan, 2020 1 commit
  5. 27 Jan, 2020 1 commit
    • Madhukar Pappireddy's avatar
      Changes necessary to support SEPARATE_NOBITS_REGION feature · c367b75e
      Madhukar Pappireddy authored
      
      
      Since BL31 PROGBITS and BL31 NOBITS sections are going to be
      in non-adjacent memory regions, potentially far from each other,
      some fixes are needed to support it completely.
      
      1. adr instruction only allows computing the effective address
      of a location only within 1MB range of the PC. However, adrp
      instruction together with an add permits position independent
      address of any location with 4GB range of PC.
      
      2. Since BL31 _RW_END_ marks the end of BL31 image, care must be
      taken that it is aligned to page size since we map this memory
      region in BL31 using xlat_v2 lib utils which mandate alignment of
      image size to page granularity.
      
      Change-Id: I3451cc030d03cb2032db3cc088f0c0e2c84bffda
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      c367b75e
  6. 24 Jan, 2020 1 commit
    • Masahiro Yamada's avatar
      BL31: discard .dynsym .dynstr .hash sections to make ENABLE_PIE work · 511046ea
      Masahiro Yamada authored
      
      
      When I tried ENABLE_PIE for my PLAT=uniphier platform, BL31 crashed
      at its entry. When it is built with ENABLE_PIE=1, some sections are
      inserted before the executable code.
      
      $ make PLAT=uniphier CROSS_COMPILE=aarch64-linux-gnu- ENABLE_PIE=1 bl31
      $ aarch64-linux-gnu-objdump -h build/uniphier/release/bl31/bl31.elf | head -n 13
      
      build/uniphier/release/bl31/bl31.elf:     file format elf64-littleaarch64
      
      Sections:
      Idx Name          Size      VMA               LMA               File off  Algn
        0 .dynsym       000002a0  0000000081000000  0000000081000000  00010000  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        1 .dynstr       000002a0  00000000810002a0  00000000810002a0  000102a0  2**0
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        2 .hash         00000124  0000000081000540  0000000081000540  00010540  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, DATA
        3 ro            0000699c  0000000081000664  0000000081000664  00010664  2**11
                        CONTENTS, ALLOC, LOAD, CODE
      
      The previous stage loader generally jumps over to the base address of
      BL31, where no valid instruction exists.
      
      I checked the linker script of Linux (arch/arm64/kernel/vmlinux.lds.S)
      and U-Boot (arch/arm/cpu/armv8/u-boot.lds), both of which support
      relocation. They simply discard those sections.
      
      Do similar in TF-A too.
      
      Change-Id: I6c33e9143856765d4ffa24f3924b0ab51a17cde9
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      511046ea
  7. 22 Jan, 2020 3 commits
  8. 29 Dec, 2019 1 commit
    • Samuel Holland's avatar
      bl31: Split into two separate memory regions · f8578e64
      Samuel Holland authored
      
      
      Some platforms are extremely memory constrained and must split BL31
      between multiple non-contiguous areas in SRAM. Allow the NOBITS
      sections (.bss, stacks, page tables, and coherent memory) to be placed
      in a separate region of RAM from the loaded firmware image.
      
      Because the NOBITS region may be at a lower address than the rest of
      BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
      region, or el3_entrypoint_common would attempt to invalidate the dcache
      for the entire address space. New symbols __NOBITS_{START,END}__ are
      added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
      NOBITS region is invalidated separately.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
      f8578e64
  9. 20 Dec, 2019 3 commits
    • Paul Beesley's avatar
      spm-mm: Rename component makefile · 442e0928
      Paul Beesley authored
      
      
      Change-Id: Idcd2a35cd2b30d77a7ca031f7e0172814bdb8cab
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      442e0928
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  10. 18 Dec, 2019 1 commit
  11. 17 Dec, 2019 2 commits
  12. 12 Dec, 2019 1 commit
    • Manish Pandey's avatar
      PIE: make call to GDT relocation fixup generalized · da90359b
      Manish Pandey authored
      When a Firmware is complied as Position Independent Executable it needs
      to request GDT fixup by passing size of the memory region to
      el3_entrypoint_common macro.
      The Global descriptor table fixup will be done early on during cold boot
      process of primary core.
      
      Currently only BL31 supports PIE, but in future when BL2_AT_EL3 will be
      compiled as PIE, it can simply pass fixup size to the common el3
      entrypoint macro to fixup GDT.
      
      The reason for this patch was to overcome the bug introduced by SHA
      330ead80
      
       which called fixup routine for each core causing
      re-initializing of global pointers thus overwriting any changes
      done by the previous core.
      
      Change-Id: I55c792cc3ea9e7eef34c2e4653afd04572c4f055
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      da90359b
  13. 04 Dec, 2019 1 commit
    • Samuel Holland's avatar
      Reduce space lost to object alignment · ebd6efae
      Samuel Holland authored
      
      
      Currently, sections within .text/.rodata/.data/.bss are emitted in the
      order they are seen by the linker. This leads to wasted space, when a
      section with a larger alignment follows one with a smaller alignment.
      We can avoid this wasted space by sorting the sections.
      
      To take full advantage of this, we must disable generation of common
      symbols, so "common" data can be sorted along with the rest of .bss.
      
      An example of the improvement, from `make DEBUG=1 PLAT=sun50i_a64 bl31`:
        .text   => no change
        .rodata => 16 bytes saved
        .data   => 11 bytes saved
        .bss    => 576 bytes saved
      
      As a side effect, the addition of `-fno-common` in TF_CFLAGS makes it
      easier to spot bugs in header files.
      Signed-off-by: default avatarSamuel Holland <samuel@sholland.org>
      Change-Id: I073630a9b0b84e7302a7a500d4bb4b547be01d51
      ebd6efae
  14. 04 Oct, 2019 1 commit
    • laurenw-arm's avatar
      Neoverse N1 Errata Workaround 1542419 · 80942622
      laurenw-arm authored
      
      
      Coherent I-cache is causing a prefetch violation where when the core
      executes an instruction that has recently been modified, the core might
      fetch a stale instruction which violates the ordering of instruction
      fetches.
      
      The workaround includes an instruction sequence to implementation
      defined registers to trap all EL0 IC IVAU instructions to EL3 and a trap
      handler to execute a TLB inner-shareable invalidation to an arbitrary
      address followed by a DSB.
      Signed-off-by: default avatarLauren Wehrmeister <lauren.wehrmeister@arm.com>
      Change-Id: Ic3b7cbb11cf2eaf9005523ef5578a372593ae4d6
      80942622
  15. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  16. 11 Sep, 2019 1 commit
    • Justin Chadwell's avatar
      Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: default avatarJustin Chadwell <justin.chadwell@arm.com>
      1f461979
  17. 29 Aug, 2019 1 commit
  18. 21 Aug, 2019 1 commit
    • Alexei Fedorov's avatar
      AArch64: Disable Secure Cycle Counter · e290a8fc
      Alexei Fedorov authored
      
      
      This patch fixes an issue when secure world timing information
      can be leaked because Secure Cycle Counter is not disabled.
      For ARMv8.5 the counter gets disabled by setting MDCR_El3.SCCD
      bit on CPU cold/warm boot.
      For the earlier architectures PMCR_EL0 register is saved/restored
      on secure world entry/exit from/to Non-secure state, and cycle
      counting gets disabled by setting PMCR_EL0.DP bit.
      'include\aarch64\arch.h' header file was tided up and new
      ARMv8.5-PMU related definitions were added.
      
      Change-Id: I6f56db6bc77504634a352388990ad925a69ebbfa
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      e290a8fc
  19. 15 Aug, 2019 1 commit
  20. 22 Jul, 2019 1 commit
  21. 24 May, 2019 1 commit
    • Alexei Fedorov's avatar
      Add support for Branch Target Identification · 9fc59639
      Alexei Fedorov authored
      
      
      This patch adds the functionality needed for platforms to provide
      Branch Target Identification (BTI) extension, introduced to AArch64
      in Armv8.5-A by adding BTI instruction used to mark valid targets
      for indirect branches. The patch sets new GP bit [50] to the stage 1
      Translation Table Block and Page entries to denote guarded EL3 code
      pages which will cause processor to trap instructions in protected
      pages trying to perform an indirect branch to any instruction other
      than BTI.
      BTI feature is selected by BRANCH_PROTECTION option which supersedes
      the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
      and is disabled by default. Enabling BTI requires compiler support
      and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
      The assembly macros and helpers are modified to accommodate the BTI
      instruction.
      This is an experimental feature.
      Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
      is now made as an internal flag and BRANCH_PROTECTION flag should be
      used instead to enable Pointer Authentication.
      Note. USE_LIBROM=1 option is currently not supported.
      
      Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      9fc59639
  22. 21 May, 2019 1 commit
    • Madhukar Pappireddy's avatar
      Rework smc_unknown return code path in smc_handler · cc485e27
      Madhukar Pappireddy authored
      
      
      The intention of this patch is to leverage the existing el3_exit() return
      routine for smc_unknown return path rather than a custom set of instructions.
      In order to leverage el3_exit(), the necessary counteraction (i.e., saving the
      system registers apart from GP registers) must be performed. Hence a series of
      instructions which save system registers( like SPSR_EL3, SCR_EL3 etc) to stack
      are moved to the top of group of instructions which essentially decode the OEN
      from the smc function identifier and obtain the specific service handler in
      rt_svc_descs_array. This ensures that the control flow for both known and
      unknown smc calls will be similar.
      
      Change-Id: I67f94cfcba176bf8aee1a446fb58a4e383905a87
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      cc485e27
  23. 05 Apr, 2019 1 commit
  24. 25 Mar, 2019 1 commit
  25. 18 Mar, 2019 1 commit
  26. 07 Mar, 2019 1 commit
    • Alexei Fedorov's avatar
      BL31: Enable pointer authentication support in warm boot path · 7dcbb4f3
      Alexei Fedorov authored
      In the current Pointer Authentication support added in
      commit b86048c4
      
      
      PAuth gets enabled in BL31 cold boot entrypoint only,
      (see bl31_entrypoint() in bl31\aarch64\bl31_entrypoint.S)
      but not in bl31_warm_entrypoint().
      This results in EnIA bit [31] in SCTLR_EL3 not being set
      and pointer authentication disabled after CPU wake-up event.
      
      Fixes ARM-software/tf-issues#684
      
      Change-Id: I27a67804764dfba2a6d72ca119ca2bcff4f536d6
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      7dcbb4f3
  27. 28 Feb, 2019 1 commit
  28. 27 Feb, 2019 3 commits
    • Antonio Nino Diaz's avatar
      BL31: Enable pointer authentication support · 88cfd9a6
      Antonio Nino Diaz authored
      
      
      The size increase after enabling options related to ARMv8.3-PAuth is:
      
      +----------------------------+-------+-------+-------+--------+
      |                            |  text |  bss  |  data | rodata |
      +----------------------------+-------+-------+-------+--------+
      | CTX_INCLUDE_PAUTH_REGS = 1 |  +192 | +1536 |   +0  |   +0   |
      |                            |  0.3% |  3.1% |       |        |
      +----------------------------+-------+-------+-------+--------+
      | ENABLE_PAUTH = 1           | +1848 | +1536 |  +16  |   +0   |
      |                            |  3.3% |  3.1% |  3.1% |        |
      +----------------------------+-------+-------+-------+--------+
      
      Results calculated with the following build configuration:
      
          make PLAT=fvp SPD=tspd DEBUG=1 \
          SDEI_SUPPORT=1                 \
          EL3_EXCEPTION_HANDLING=1       \
          TSP_NS_INTR_ASYNC_PREEMPT=1    \
          CTX_INCLUDE_PAUTH_REGS=1       \
          ENABLE_PAUTH=1
      
      Change-Id: I43db7e509a4f39da6599ec2faa690d197573ec1b
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      88cfd9a6
    • Antonio Nino Diaz's avatar
      Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b86048c4
    • Antonio Nino Diaz's avatar
      Add ARMv8.3-PAuth registers to CPU context · 5283962e
      Antonio Nino Diaz authored
      
      
      ARMv8.3-PAuth adds functionality that supports address authentication of
      the contents of a register before that register is used as the target of
      an indirect branch, or as a load.
      
      This feature is supported only in AArch64 state.
      
      This feature is mandatory in ARMv8.3 implementations.
      
      This feature adds several registers to EL1. A new option called
      CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
      them during Non-secure <-> Secure world switches. This option must be
      enabled if the hardware has the registers or the values will be leaked
      during world switches.
      
      To prevent leaks, this patch also disables pointer authentication in the
      Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
      be trapped in EL3.
      
      Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      5283962e
  29. 08 Feb, 2019 1 commit
  30. 07 Feb, 2019 1 commit
    • Varun Wadekar's avatar
      locks: linker variables to calculate per-cpu bakery lock size · 596929b9
      Varun Wadekar authored
      
      
      This patch introduces explicit linker variables to mark the start and
      end of the per-cpu bakery lock section to help bakery_lock_normal.c
      calculate the size of the section. This patch removes the previously
      used '__PERCPU_BAKERY_LOCK_SIZE__' linker variable to make the code
      uniform across GNU linker and ARM linker.
      
      Change-Id: Ie0c51702cbc0fe8a2076005344a1fcebb48e7cca
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      596929b9
  31. 30 Jan, 2019 1 commit
  32. 22 Jan, 2019 2 commits