GitLab

A per-cpu vbar is installed that implements the workaround by
invalidating the branch target buffer (BTB) directly in the case of A9
and A17 and indirectly by invalidating the icache in the case of A15.

For Cortex A57 and A72 there is currently no workaround implemented
when EL3 is in AArch32 mode so report it as missing.

For other vulnerable CPUs (e.g. Cortex A73 and Cortex A75), there are
no changes since there is currently no upstream AArch32 EL3 support
for these CPUs.

Change-Id: Ib42c6ef0b3c9ff2878a9e53839de497ff736258f
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

This patch introduces two workarounds for ARMv7 systems.  The
workarounds need to be applied prior to any `branch` instruction in
secure world.  This is achieved using a custom vector table where each
entry is an `add sp, sp, #1` instruction.

On entry to monitor mode, once the sequence of `ADD` instructions is
executed, the branch target buffer (BTB) is invalidated.  The bottom
bits of `SP` are then used to decode the exception entry type.

A side effect of this change is that the exception vectors are
installed before the CPU specific reset function.  This is now
consistent with how it is done on AArch64.

Note, on AArch32 systems, the exception vectors are typically tightly
integrated with the secure payload (e.g. the Trusted OS).  This
workaround will need porting to each secure payload that requires it.

The patch to modify the AArch32 per-cpu vbar to the corresponding
workaround vector table according to the CPU type will be done in a
later patch.

Change-Id: I5786872497d359e496ebe0757e8017fa98f753fa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Even though the workaround for CVE-2017-5715 is not a CPU erratum, the
code is piggybacking on the errata framework to print whether the
workaround was applied, missing or not needed.

Change-Id: I821197a4b8560c73fd894cd7cd9ecf9503c72fa3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

As we are using the errata framework to handle workarounds in a more
general sense, change the default string to reflect that.

Change-Id: I2e266af2392c9d95e18fe4e965f9a1d46fd0e95e
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

utils: rename struct mem_region_t to struct mem_region

Hikey960: Remove ca73 cpu nap state

typedef mem_region_t mem_region_t;

... seems to work because they belong to different name-spaces,
but humans are confused even if compilers are not.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

At early time, the CPU CA73 retention state has been supported on
Hikey960.  Later we found the system has the hang issue and for
resolving this issue Hisilicon released new MCU firmware, but
unfortunately the new MCU firmware has side effect and results in the
CA73 CPU cannot really enter retention state and roll back to WFI state.

After discussion we cannot see the possibility to enable CA73 retention
state anymore on Hikey960, based on this conclusion we should remove
this state supporting from ARM-TF and roll back to WFI state only.  We
will commit one patch to remove CA73 CPU retention state in kernel DT
binding as well.

Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
Cc: Kevin Wang <jean.wangtao@linaro.org>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Signed-off-by: Leo Yan <leo.yan@linaro.org>

This reverts commit fdae60b6.

The commit fdae60b6

 changed the
parameter encoding for the hikey960.  However that implies a DT change
in the kernel side.  After submitting the DT change for upstreaming,
the backward compatibility issue and the interface change raise some
concerns from the Linux community about the issues related to kernel <->
ATF alignment.  There is no way to detect a mis-alignment of those
without a deep knowledge of the ATF and the kernel.  Furthermore, the
failing calls to PSCI in the idle path (because of bad parameters), will
lead to busy looping, implying: thermal issues and extra energy
consumption.

In regard of the Linux community concerns, the potential issues when the
ATF and the kernel are not aligned, it is preferable to revert the
commit.

Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Haojian Zhuang <haojian.zhuang@linaro.org>
Cc: Kevin Wang <jean.wangtao@linaro.org>
Co-authored-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Leo Yan <leo.yan@linaro.org>

emmc/dw_mmc: fix the assert on HLE bit

SPM: Fix version header definitions

xlat v2: Correctly unmap regions on map error

Hikey960: Fix hikey960 pcie mount fail

spd: tlkd: support for "NS memory ranges" function ID

Add documentation about plat_try_next_boot_source to bl1_platform_setup

uniphier: clean-up platform makefile

AMU: Remove unnecessary WARN()

If AMU is not supported by the hardware but it is enabled in Trusted
Firmware, the console will be spammed with warnings every time a CPU
is brought up with a CPU ON call.

Remove the warning message as this is more in line with how other
extensions like SPE and SVE are handled.

Change-Id: Iba6d367e4d1375ab554d23d2eaceab3ae1362c5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

AMUv1 support

Workarounds for CVE-2017-5715 on Cortex A57/A72/A73 and A75

Increase BL31 memory space by 2 pages

On some build configurations BL31 is running out of space.  Now that
TSP is moved to secure dram, we have a bit of additional space to use
in BL31.

Change-Id: Ib89fcd8bae99c85c9c5e5d9228bb42fb7048dcb6
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Signed-off-by: David Cunado <david.cunado@arm.com>

Change-Id: I504d3f65ca5829bc1f4ebadb764931f8379ee81f
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

On some systems, the AMU counters might reset to 0 when a CPU
powerdown happens.  This behaviour conflicts with the intended
use-case of AMU as lower ELs are only expected to see non-decreasing
counter values.

Change-Id: If25519965d4e6e47e09225d0e732947986cbb5ec
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Add some AMU helper functions to allow configuring, reading and
writing of the Group 0 and Group 1 counters.  Documentation for these
helpers will come in a separate patch.

Change-Id: I656e070d2dae830c22414f694aa655341d4e2c40
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

A new platform macro `PLAT_AMU_GROUP1_COUNTERS_MASK` controls which
group 1 counters should be enabled. The maximum number of group 1
counters supported by AMUv1 is 16 so the mask can be at most 0xffff.
If the platform does not define this mask, no group 1 counters are
enabled.

A related platform macro `PLAT_AMU_GROUP1_NR_COUNTERS` is used by
generic code to allocate an array to save and restore the counters on
CPU suspend.

Change-Id: I6d135badf4846292de931a43bb563077f42bb47b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

The suspend hook is published at the start of a CPU powerdown
operation.  The resume hook is published at the end of a CPU powerup
operation.

Change-Id: I50c05e2dde0d33834095ac41b4fcea4c161bb434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

If the CSV2 field reads as 1 then branch targets trained in one
context cannot affect speculative execution in a different context.
In that case skip the workaround on Cortex A75.

Change-Id: I4d5504cba516a67311fb5f0657b08f72909cbd38
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by
temporarily dropping into AArch32 Secure-EL1 and executing the
`BPIALL` instruction.

This is achieved by using 3 vector tables.  There is the runtime
vector table which is used to handle exceptions and 2 additional
tables which are required to implement this workaround.  The
additional tables are `vbar0` and `vbar1`.

The sequence of events for handling a single exception is
as follows:

1) Install vector table `vbar0` which saves the CPU context on entry
   to EL3 and sets up the Secure-EL1 context to execute in AArch32 mode
   with the MMU disabled and I$ enabled.  This is the default vector table.

2) Before doing an ERET into Secure-EL1, switch vbar to point to
   another vector table `vbar1`.  This is required to restore EL3 state
   when returning from the workaround, before proceeding with normal EL3
   exception handling.

3) While in Secure-EL1, the `BPIALL` instruction is executed and an
   SMC call back to EL3 is performed.

4) On entry to EL3 from Secure-EL1, the saved context from step 1) is
   restored.  The vbar is switched to point to `vbar0` in preparation to
   handle further exceptions.  Finally a branch to the runtime vector
   table entry is taken to complete the handling of the original
   exception.

This workaround is enabled by default on the affected CPUs.

NOTE
====

There are 4 different stubs in Secure-EL1.  Each stub corresponds to
an exception type such as Sync/IRQ/FIQ/SError.  Each stub will move a
different value in `R0` before doing an SMC call back into EL3.
Without this piece of information it would not be possible to know
what the original exception type was as we cannot use `ESR_EL3` to
distinguish between IRQs and FIQs.

Change-Id: I90b32d14a3735290b48685d43c70c99daaa4b434
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

Invalidate the Branch Target Buffer (BTB) on entry to EL3 by disabling
and enabling the MMU.  To achieve this without performing any branch
instruction, a per-cpu vbar is installed which executes the workaround
and then branches off to the corresponding vector entry in the main
vector table.  A side effect of this change is that the main vbar is
configured before any reset handling.  This is to allow the per-cpu
reset function to override the vbar setting.

This workaround is enabled by default on the affected CPUs.

Change-Id: I97788d38463a5840a410e3cea85ed297a1678265
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>

When check HLE bit in interrupt register, it should check whether
HLE bit is set, not clear.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>

`mm_cursor` doesn't have the needed data because the `memmove()` that
is called right before it overwrites that information. In order to get
the information of the region that was being mapped, `mm` has to be used
instead (like it is done to fill the fields of `unmap_mm`).

If the incorrect information is read, this check isn't reliable and
`xlat_tables_unmap_region` may be requested to unmap memory that isn't
mapped at all, triggering assertions.

Change-Id: I602d4ac83095d4e5dac9deb34aa5d00d00e6c289
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Rename SP_VERSION macros to MM_VERSION, which is the name used in the MM
specification [1]. Also, a few more helper macros have been added.

MM-specific definitions have been moved to their own header file.

[1] http://infocenter.arm.com/help/topic/com.arm.doc.den0060a/DEN0060A_ARM_MM_Interface_Specification.pdf



Change-Id: Ia10e48c7e81a7a1f5eeca29a5270cae740a4a88a
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

plat: xilinx: Add ZynqMP IPI mailbox service [v4]

If boot redundancy is required in BL1 then the initialization
of the boot sequence must be done in bl1_platform_setup. In BL2,
we had to add a new function, bl2_preload_setup, because
bl2_platform_setup is called after the images are loaded, making it
invalid for the boot sequence initialization.

Change-Id: I5c177ff142608ed38b4192288b06614343b2b83b
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>

Build: trivial fixes

hikey960: set isp clks as unsecure mode

Set IOC_AO_IOMG_033 function from GPIO213 to PCIE_CLKREQ_N

bit[0-2]:  000: GPIO_213;
           001: PCIE_CLKREQ_N;
           010: GPIO_018_SH;
           100: GPIO_014_SE;
           110: FAC_TEST24;
           111: FAC_TEST24;
bit[3-31]: reserved
Signed-off-by: Guangtao Zhang <zhangguangtao@hisilicon.com>
Tested-by: Yao Chen <chenyao11@huawei.com>
Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>

Set alignment size to 512B for Hikey/Hikey960

Use zynqmp_ipi APIs to access IPI registers in pm_service.
As the zynqmp_ipi APIs doesn't cover IPI buffers, the pm_ipi
in pm_service will still directly access the IPI buffers.
Signed-off-by: Wendy Liang <jliang@xilinx.com>