GitLab

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
  of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
  which returns 128-bit value and uses Generic timer physical counter
  value to increase the randomness of the generated key.
  The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
  generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
  pauth_disable_el1()` and `pauth_disable_el3()` functions disable
  PAuth for EL1 and EL3 respectively;
  `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
  cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
  `save_gp_registers()` and `pauth_context_save()`;
  `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
  and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
  code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
  for 12 uint64_t PAuth registers instead of 10 by removal of macro
  CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
  and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
  in `msr	spsel`  instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

This patch adds support for the Undefined Behaviour sanitizer. There are
two types of support offered - minimalistic trapping support which
essentially immediately crashes on undefined behaviour and full support
with full debug messages.

The full support relies on ubsan.c which has been adapted from code used
by OPTEE.

Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

A new build flag, CTX_INCLUDE_MTE_REGS, has been added; this patch adds
documentation for it in the User Guide along with instructions of what
different values mean.

Change-Id: I430a9c6ced06b1b6be317edbeff4f5530e30f63a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
Change-Id: Ib12ecc0b283274c74cdfa57caf9e1a105dce3afe

At the time of writting, GCC 8.3-2019.03 is the latest version available
on developer.arm.com.

Switch to bare-metal toolchain (arm-eabi-) for AArch32. This allows to
have a finer control on the use of floating-point and SIMD instructions.

Change-Id: I4438401405eae1e5f6d531b0162e8fa06f69135e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Change-Id: I755e4c42242d9a052570fd1132ca3d937acadb13
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

Change-Id: I0d9dbef7041fcf950bcafcdbbc17c72b4dea9e40
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Change-Id: Ib021c721652d96f6c06ea18741f19a72bba1d00f
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.

Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

The documentation contains plenty of notes and warnings. Enable
special rendering of these blocks by converting the note prefix
into a .. note:: annotation.

Change-Id: I34e26ca6bf313d335672ab6c2645741900338822
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Several code blocks do not specify a language for syntax
highlighting. This results in Sphinx using a default highlighter
which is Python.

This patch adds the correct language to each code block that doesn't
already specify it.

Change-Id: Icce1949aabfdc11a334a42d49edf55fa673cddc3
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

These are no longer needed as there will always be a table of contents
rendered to the left of every page.

Some of these lists can be quite long and, when opening a page, the
reader sees nothing but a huge list of contents! After this patch,
the document contents are front-and-centre and the contents are
nicely rendered in the sidebar without duplication.

Change-Id: I444754d548ec91d00f2b04e861de8dde8856aa62
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

This patch attempts to standardise the document titles as well as
adding titles to documents that were missing one. The aim is to
remove needless references to "TF-A" or "Trusted Firmware" in the
title of every document and to make sure that the title matches
with the document content.

Change-Id: I9b93ccf43b5d57e8dc793a5311b8ed7c4dd245cc
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

This change creates the following directories under docs/
in order to provide a grouping for the content:

- components
- design
- getting_started
- perf
- process

In each of these directories an index.rst file is created
and this serves as an index / landing page for each of the
groups when the pages are compiled. Proper layout of the
top-level table of contents relies on this directory/index
structure.

Without this patch it is possible to build the documents
correctly with Sphinx but the output looks messy because
there is no overall hierarchy.

Change-Id: I3c9f4443ec98571a56a6edf775f2c8d74d7f429f
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Change-Id: I33c1bf49aa10867e1a2ca4c167112b99bf756dda
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

1) One space was missing from the indentation and, hence, rendering error
was generated in the user guide.
2) Partially reword Pointer Authentication related info.

Change-Id: Id5e65d419ec51dd7764f24d1b96b6c9942d63ba4
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

This patch fixes this issue:
https://github.com/ARM-software/tf-issues/issues/660



The introduced changes are the following:

1) Some cores implement cache coherency maintenance operation on the
hardware level. For those cores, such as - but not only - the DynamIQ
cores, it is mandatory that TF-A is compiled with the
HW_ASSISTED_COHERENCY flag. If not, the core behaviour at runtime is
unpredictable. To prevent this, compile time checks have been added and
compilation errors are generated, if needed.

2) To enable this change for FVP, a logical separation has been done for
the core libraries. A system cannot contain cores of both groups, i.e.
cores that manage coherency on hardware and cores that don't do it. As
such, depending on the HW_ASSISTED_COHERENCY flag, FVP includes the
libraries only of the relevant cores.

3) The neoverse_e1.S file has been added to the FVP sources.

Change-Id: I787d15819b2add4ec0d238249e04bf0497dc12f3
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

On certain platforms it does not make sense to generate
TF-A binary images. For example a platform could make use of serveral
memory areas, which are non-continuous and the resulting binary
therefore would suffer from the padding-bytes.
Typically these platforms use the ELF image.

This patch introduces a variable DISABLE_BIN_GENERATION, which
can be set to '1' in the platform makefile to prevent the binary
generation.
Signed-off-by: Christoph Müllner <christophm30@gmail.com>
Change-Id: I62948e88bab685bb055fe6167d9660d14e604462

The current stack-protector support is for none, "strong" or "all".
The default use of the flag enables the stack-protection to all
functions that declare a character array of eight bytes or more in
length on their stack.
This option can be tuned with the --param=ssp-buffer-size=N option.

Change-Id: I11ad9568187d58de1b962b8ae04edd1dc8578fb0
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

The user guide documentation for the cert_create tool needs to
mention that a platform must have a platform_oid.h header file
in order to successfully build the cert_create tool when
USE_TBBR_DEFS is 0.

Change-Id: I77f86a022d207e88a79c97741be3eafbfa0c86f1
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Change-Id: I0a81f4ea94d41245cd5150de341b51fc70babffe
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Update the documentation for trustedfirmware.org migration

Change-Id: Ibb7052b0becbec3326164f1503806ca2c2fd4dcc
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

The latest version of GCC are required to use the new features of TF-A.
Suggest to use the latest version available on developer.arm.com instead
of the version specified on the Linaro Release notes.
At the time of writing, GCC 8.2-2019.01 is the latest version available.

Change-Id: Idd5c00749e39ca9dc8b7c5623b5d64356c9ce6e5
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Update both the readme and user guide on their shared "platform"
section.

Change-Id: Ia1f30acda45ac8facdcb7d540800191cdf6cdacf
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Make sure the steps in the user guide are up to date and can be
performed out of the box.

Change-Id: Ib4d959aa771cf515f74e150aaee2fbad24c18c38
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Change-Id: I4261fec500184383980b7fc9475620a485cf6c28
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Declare ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS
build options as experimental.
Pointer Authentication is enabled for Non-secure world
irrespective of the value of these build flags if the
CPU supports it.
The patch also fixes the description of fiptool 'help' command.

Change-Id: I46de3228fbcce774a2624cd387798680d8504c38
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Change-Id: I1854b5830dbd48e909a4ce1b931c13fb3e997600
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

Fix some typos and clarify some sentences.

Change-Id: Id276d1ced9a991b4eddc5c47ad9a825e6b29ef74
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

This patch provides support for using the scatterfile format as
the linker script with the 'armlink' linker for Tegra platforms.

In order to enable the scatterfile usage the following changes
have been made:

* provide mapping for ld.S symbols in bl_common.h
* include bl_common.h from all the affected files
* update the makefile rules to use the scatterfile and armlink
  to compile BL31
* update pubsub.h to add sections to the scatterfile

NOTE: THIS CHANGE HAS BEEN VERIFIED WITH TEGRA PLATFORMS ONLY.

Change-Id: I7bb78b991c97d74a842e5635c74cb0b18e0fce67
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

The previous commit added the infrastructure to load and save
ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
didn't actually enable pointer authentication in the firmware.

This patch adds the functionality needed for platforms to provide
authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
enable pointer authentication in the firmware itself. This option is
disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
enabled.

Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.

This feature is supported only in AArch64 state.

This feature is mandatory in ARMv8.3 implementations.

This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.

To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.

Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Using Sphinx linkcheck on the TF-A docs revealed some broken
or permanently-redirected links. These have been updated where
possible.

Change-Id: Ie1fead47972ede3331973759b50ee466264bd2ee
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Just like has been done in the porting guide a couple of patches
earlier, kill all escaped underscore characters in all documents.

Change-Id: I7fb5b806412849761d9221a6ce3cbd95ec43d611
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Change-Id: I915303cea787d9fb188428b98ac6cfc610cc4470
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This patch introduces a build option 'OVERRIDE_LIBC' that platforms
can set to override libc from the BL image. The default value is '0'
to keep the library.

Change-Id: I10a0b247f6a782eeea4a0359e30a8d79b1e9e4e1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

ARM_PLAT_MT build flag is specific to Arm platforms so should not
be classified as a common build option.

Change-Id: I79e411958846759a5b60d770e53f44bbec5febe6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This reverts commit 2f370465

 ("Add support for the SMC Calling
Convention 2.0").

SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.

The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.

Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Adds a link from user-guide.rst to coding-guidelines.rst and merges
the information about using checkpatch from both files into the user
guide document.

Change-Id: Iffbb4225836a042d20024faf28b8bdd6b2c4043e
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Corrects typos in core code, documentation files, drivers, Arm
platforms and services.

None of the corrections affect code; changes are limited to comments
and other documentation.

Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>