GitLab

Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
Change-Id: Ia03701e2e37e3a00a501b144960a4a65aedbfde9

Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
on a platform build option. The CAS-based implementation used to be
unconditionally selected for all ARM8.1+ platforms.

The previous CAS spinlock implementation had a bug wherein the spin_unlock()
implementation had an `sev` after `stlr` which is not sufficient. A dsb is
needed to ensure that the stlr completes prior to the sev. Having a dsb is
heavyweight and a better solution would be to use load exclusive semantics
to monitor the lock and wake up from wfe when a store happens to the lock.
The patch implements the same.

Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

Previously, TF-A could not support large RSA key sizes as the
configuration options passed to MBEDTLS prevented storing and performing
calculations with the larger, higher-precision numbers required. With
these changes to the arguments passed to MBEDTLS, TF-A now supports
using 3072 (3K) and 4096 (4K) keys in certificates.

Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

Some of the platform (ie. Agilex) make use of CCU IPs which will only be
initialized during bl2_el3_early_platform_setup. Any operation to the
cache beforehand will crash the platform. Hence, this will provide an
option to skip the data cache invalidation upon bl2 entry at EL3
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06

This patch adds support for the Undefined Behaviour sanitizer. There are
two types of support offered - minimalistic trapping support which
essentially immediately crashes on undefined behaviour and full support
with full debug messages.

The full support relies on ubsan.c which has been adapted from code used
by OPTEE.

Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

This patch adds support for the new Memory Tagging Extension arriving in
ARMv8.5. MTE support is now enabled by default on systems that support
at EL0. To enable it at ELx for both the non-secure and the secure
world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
and restoring when necessary in order to prevent register leakage
between the worlds.

Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.

All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)

Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>

NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.

All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.

Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>

The -Wshift-overflow=2 option enables checks for left bit shifts.
Specifically, the option will warn when the result of a shift will be
placed into a signed integer and overflow the sign bit there, which
results in undefined behavior.

To avoid the warnings from these checks, the left operand of a shift can
be made an unsigned integer by using the U() macro or appending the u
suffix.

Change-Id: I50c67bedab86a9fdb6c87cfdc3e784f01a22d560
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

The project has been renamed from "Arm Trusted Firmware (ATF)" to
"Trusted Firmware-A (TF-A)" long ago. A few references to the old
project name that still remained in various places have now been
removed.

This change doesn't affect any platform files. Any "ATF" references
inside platform files, still remain.

Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

The new API becomes the default one.

Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.

Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

The flags are taken from the different warning levels of the build
system when they do not generate any error with the current upstreamed
platforms.

Change-Id: Ia70cff83bedefb6d2f0dd266394ef77fe47e7f65
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

When TF-A is compiled with BTI enabled, the branches in the ROMLIB
jumptable must be preceded by a "bti j" instruction.

Moreover, when the additional "bti" instruction is inserted, the
jumptable entries have a distance of 8 bytes between them instead of 4.
Hence, the wrappers are also modified accordinly.

If TF-A is compiled without BTI enabled, the ROMLIB jumptable and
wrappers are generated as before.

Change-Id: Iaa59897668f8e59888d39046233300c2241d8de7
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Changes to make the help text a bit more readable:
1) The "usage" part is now a one-liner
2) The supported platforms list is printed separately

Change-Id: I93e48a6cf1d28f0ef9f3db16ce17725e4dff33c9
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Previously checkpatch was invoked with options to make it ignore
Markdown (md) files as this was the dominant format for TF-A
documents. Now that rst is being used everywhere this option needs
updating.

Change-Id: I59b5a0bcc45d2386df4f880b8d333baef0bbee77
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Pointer authentication is supported only in AArch64. A relevant check is
added for that in the Makefile.

Change-Id: I021ba65a9bd5764fd33292bee42617015e04a870
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Now it is needed to use the full path of the common header files.

Commit 09d40e0e

 ("Sanitise includes across codebase") provides more
information.

Change-Id: Ifedc79d9f664d208ba565f5736612a3edd94c647
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Change-Id: I6d8a6419df4d4924214115facbce90715a1a0371
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Declare ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS
build options as experimental.
Pointer Authentication is enabled for Non-secure world
irrespective of the value of these build flags if the
CPU supports it.
The patch also fixes the description of fiptool 'help' command.

Change-Id: I46de3228fbcce774a2624cd387798680d8504c38
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Change-Id: I56ea088f415bdb9077c385bd3450ff4b2cfa2eac
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Since binutils 1a9ccd70f9a7[1] TFA will not link when the PIE option is
used:

    aarch64-linux-gnu-ld: build/fvp/debug/bl31/bl31.elf: Not enough room
        for program headers, try linking with -N
    aarch64-linux-gnu-ld: final link failed: Bad value

This issue was also encountered by u-boot[2] and linux powerpc kernel
[3]. The fix is to provide --no-dynamic-linker for the linker. This
tells the linker that PIE does not need loaded program program headers.

Fix https://github.com/ARM-software/tf-issues/issues/675

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=1a9ccd70f9a7
[2] http://git.denx.de/?p=u-boot.git;a=commit;h=e391b1e64b0bd65709a28a4764afe4f32d408243
[3] https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?h=next&id=ff45000fcb56b5b0f1a14a865d3541746d838a0a



Change-Id: Ic3c33c795a9b7bdeab0e87c4345153ce2703a524
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

It can be handy for example to add --strict option which can detect more
coding issues, even if not mandated by TF-A coding rules.
To use it:
 CHECKPATCH_OPTS="--strict" make checkpatch

Change-Id: I707e4cc2d1250b21f18ff16169b5f1e5ab03a7ed
Signed-off-by: Yann Gautier <yann.gautier@st.com>

This patch provides support for using the scatterfile format as
the linker script with the 'armlink' linker for Tegra platforms.

In order to enable the scatterfile usage the following changes
have been made:

* provide mapping for ld.S symbols in bl_common.h
* include bl_common.h from all the affected files
* update the makefile rules to use the scatterfile and armlink
  to compile BL31
* update pubsub.h to add sections to the scatterfile

NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.

Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.

This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.

Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.

This feature is supported only in AArch64 state.

This feature is mandatory in ARMv8.3 implementations.

This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.

To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.

Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch introduces a build option 'OVERRIDE_LIBC' that platforms
can set to override libc from the BL image. The default value is '0'
to keep the library.

Change-Id: I10a0b247f6a782eeea4a0359e30a8d79b1e9e4e1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This reverts commit 2f370465

 ("Add support for the SMC Calling
Convention 2.0").

SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.

The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.

Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Following changes are done to make DT pre-processing similar to that of
U-boot/Linux kernel.

1. Creating seperate CPPFLAGS for DT preprocessing so that compiler
options specific to it can be accommodated.
e.g: "-undef" compiler option avoids replacing "linux" string(used in
device trees) with "1" as "linux" is a pre-defined macro in gnu99
standard.

2. Replace CPP with PP for DT pre-processing, as CPP in U-boot/Linux is
exported as "${CROSS_COMPILE}gcc -E" while in TF-A it is exported as
"${CROSS_COMPILE}cpp".

Change-Id: If4c61a249d51614d9f53ae30b602036d50c02349
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

The SPM implementation based on MM is going to be kept for the
foreseeable future.

Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

This flag was removed in 79eb1aff

 ("Remove `DISABLE_PEDANTIC` build
option").

Change-Id: Ic3584a4c5f0100ed9e57b068ec672b0baae8cfab
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ASM_ASSERTION was deprecated long ago, this check is no longer needed.

Change-Id: I2a5770f76ea1317461c0059dad8dba9dc0e5af32
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca339

 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

The architecture dependant header files in include/lib/${ARCH} and
include/common/${ARCH} have been moved to /include/arch/${ARCH}.

Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch allows platforms to define their
own jump table list for library at ROM. The
file has the list of functions to be used
from library at ROM. It can also include
other list files.

Change-Id: I721c35d7dad3dcadbb3a7f3277bfd5d3e1f6e00a
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

This is done for other compilers, and without this some code does not
compile, like inline assembly code.

Fixes ARM-software/tf-issues#657.
Signed-off-by: Yann Gautier <yann.gautier@st.com>

This patch modifies the search criteria to see if we are using 'armclang'
as the compiler. Switch over to using 'findstring' which enables platforms
to do fancy stuff using scripts e.g. check if armclang timed out and retry
compilation.

Change-Id: If2162ebadb9033f6457a4e8d4243345e711defe6
Signed-off-by: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

This tool packages Secure Partitions and Resource Descriptor blobs into
a simple file that can be loaded by SPM.

Change-Id: If3800064f30bdc3d7fc6a15ffbb3007ef632bcaa
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Setting E=0 in the make command line disables -Werror in CPPFLAGS.
Signed-off-by: Yann Gautier <yann.gautier@st.com>

The list of warning is taken from kernel and also divided in 3.
The option to activate that is W=x, with x=1, 2 or 3.
Signed-off-by: Yann Gautier <yann.gautier@st.com>