GitLab

Cortex A77 erratum 1800714 is a Cat B erratum, present in older
revisions of the Cortex A77 processor core.  The workaround is to
set a bit in the ECTLR_EL1 system register, which disables allocation
of splintered pages in the L2 TLB.

Since this is the first errata workaround implemented for Cortex A77,
this patch also adds the required cortex_a77_reset_func in the file
lib/cpus/aarch64/cortex_a77.S.

This errata is explained in this SDEN:
https://static.docs.arm.com/101992/0010/Arm_Cortex_A77_MP074_Software_Developer_Errata_Notice_v10.pdf

Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I844de34ee1bd0268f80794e2d9542de2f30fd3ad

Increased the size of firmware configuration area to accommodate
all configs.

Updated maximum size of following bootloaders due to increase
in firmware configs size and addition of the code in the BL2.

1. Increased maximum size of BL2 for Juno platform in no
   optimisation case.
2. Reduced maximum size of BL31 for fvp and Juno platform.
3. Reduced maximum size of BL32 for Juno platform.

Change-Id: Ifba0564df0d1fe86175bed9fae87fdcf013b1831
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

Modified the code to do below changes:

1. Load tb_fw_config along with fw_config by BL1.
2. Populate fw_config device tree information in the
   BL1 to load tb_fw_config.
3. In BL2, populate fw_config information to retrieve
   the address of tb_fw_config and then tb_fw_config
   gets populated using retrieved address.
4. Avoid processing of configuration file in case of error
   value returned from "fw_config_load" function.
5. Updated entrypoint information for BL2 image so
   that it's arg0 should point to fw_config address.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change-Id: Ife6f7b673a074e7f544ee3d1bda7645fd5b2886c

Updated 'fconf_load_config' function to return
the error.
Error from 'fconf_load_config" gets handled
by BL1 in subsequent patches.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I4360f4df850e355b5762bb2d9666eb285101bc68

Modified the `fconf_load_config` function so that it can
additionally support loading of tb_fw_config along with
fw_config.
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ie060121d367ba12e3fcac5b8ff169d415a5c2bcd

Cleaned up confused naming between TB_FW and FW_CONFIG.
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I9e9f6e6ca076d38fee0388f97d370431ae067f08

fw_config image is authenticated using secure boot framework by
adding it into the single root and dual root chain of trust.

The COT for fw_config image looks as below:

+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Boot fw   |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| fw_config hash   |------>| fw_config         |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I08fc8ee95c29a95bb140c807dd06e772474c7367

Updated cert_tool to add hash information of fw_config image into
the existing "trusted boot fw" certificate.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I720319225925806a2a9f50a1ac9c8a464be975f0

Added support in fiptool to include fw_config image
in FIP.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ibbd14723a4141598d9d7f6bfcf88a0ef92cf87bc

Change handler of FFA version interface:
- Return SPMD's version if the origin of the call is secure;
- Return SPMC's version if origin is non-secure.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I0d1554da79b72b1e02da6cc363a2288119c32f44

Cortex A76 erratum 1800710 is a Cat B erratum, present in older
revisions of the Cortex A76 processor core.  The workaround is to
set a bit in the ECTLR_EL1 system register, which disables allocation
of splintered pages in the L2 TLB.

This errata is explained in this SDEN:
https://static.docs.arm.com/sden885749/g/Arm_Cortex_A76_MP052_Software_Developer_Errata_Notice_v20.pdf

Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Ifc34f2e9e053dcee6a108cfb7df7ff7f497c9493

Cortex A76 erratum 1791580 is a Cat B erratum present in earlier
revisions of the Cortex A76. The workaround is to set a bit in the
implementation defined CPUACTLR2 register, which forces atomic store
operations to write-back memory to be performed in the L1 data cache.

This errata is explained in this SDEN:
https://static.docs.arm.com/sden885749/g/Arm_Cortex_A76_MP052_Software_Developer_Errata_Notice_v20.pdf

Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Iefd58159b3f2e2286138993317b98e57dc361925

It is desired to have the peripheral writes completed to clear the
interrupt condition and de-assert the interrupt request to GIC before
EOI write. Failing which spurious interrupt will occurred.

A barrier is needed to ensure peripheral register write transfers are
complete before EOI is done.

GICv2 memory mapped DEVICE nGnR(n)E writes are ordered from core point
of view. However these writes may pass over different interconnects,
bridges, buffers leaving some rare chances for the actual write to
complete out of order.

GICv3 ICC EOI system register writes have no ordering against nGnR(n)E
memory writes as they are over different interfaces.

Hence a dsb can ensure from core no writes are issued before the previous
writes are *complete*.
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Change-Id: Ie6362009e2f91955be99dca8ece14ade7b4811d6

Signed-off-by: Sheetal Tigadoli <sheetal.tigadoli@broadcom.com>
Change-Id: Iaf6deaeee2069720518221157edbb052bc42850a

Adjust the latest OP-TEE memory definitions to the
newest TF-A baseline.

Change-Id: Ib9c82b85f868adaf3c7285eb340486bda9c59c36
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

Add llc_sram_enable() and llc_sram_disable() APIs to Marvell
cache_lls driver.
Add LLC_SRAM definition to Marvell common makefile - disabled
by the default.
Add description of LLC_SRAM flag to the build documentation.

Change-Id: Ib348e09752ce1206d29268ef96c9018b781db182
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

- Remove
    TRUSTED_DRAM_BASE
    TRUSTED_DRAM_SIZE
    MARVELL_TRUSTED_SRAM_BASE
- Rename
    PLAT_MARVELL_TRUSTED_DRAM_* -> PLAT_MARVELL_TRUSTED_RAM_*
    PLAT_MARVELL_TRUSTED_SRAM_* -> MARVELL_TRUSTED_DRAM_*
    MARVELL_MAP_SHARED_RAM -> MARVELL_MAP_SECURE_RAM
- Move
    MARVELL_TRUSTED_DRAM_SIZE to marvell_def.h
- Enable MARVELL_MAP_SECURE_RAM region in BL2U memory map
- Add dependency of MARVELL_MAP_SHARED_RAM on LLC_SRAM
- Add minor style improvents

Change-Id: Iebc03361e4f88489af1597f54e137b27c241814c
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
[Improve patch after rebase]
Signed-off-by: Marcin Wojtas <mw@semihalf.com>

Add ccu_is_win_enabled() API for checking the CCU window
state using AP and window indexes.

Change-Id: Ib955a2cac28b2729b0a763f3bbbea28b476a2fe4
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

Make all LLC-related macros to start with the same prefix
Add more LLC control registers definitions
This patch is a preparation step for LLC SRAM support

Change-Id: I0a4f0fc83e8ef35be93dd239a85f2a9f88d1ab19
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>

As a preparation to support proper loading the OPTEE OS image,
enable the BL32 specific defines in case the SPD is used.

On the occasion move two BL32-related macros to marvell_def.h
and fix BL32_LIMIT definition.

Change-Id: Id4e2d81833bc1895650cca8b0fc0bfc341cf77f3
Signed-off-by: Konstantin Porotchkin <kostap@marvell.com>
Signed-off-by: Marcin Wojtas <mw@semihalf.com>

The Marvell Armada 37xx SoCs-based platforms contain a bit
awkward directory structure because the currently only one
supported PLAT and PLAT_FAMILY are the same. Modify the latter
to 'a3k' in order to improve it and keep plat/marvell/armada
tree more consistent:

plat/marvell/
├── armada
│   ├── a3k
│   │   ├── a3700

[...]

│   ├── a8k
│   │   ├── a70x0

[...]

Change-Id: I693a6ef88e6ce49a326a3328875c90bbc186066a
Signed-off-by: Marcin Wojtas <mw@semihalf.com>

This change implements SCMI channels for reading a SCMI message from a
shared memory and call the SCMI message drivers to route the message
to the target platform services.

SMT refers to the shared memory management protocol which is used
to get/put message/response in shared memory. SMT is a 28byte header
stating shared memory state and exchanged protocol data.

The processing entry for a SCMI message can be a secure interrupt
or fastcall SMCCC invocation.

SMT description in this implementation is based on the OP-TEE
project [1] itself based in the SCP-firmware implementation [2].

Link: [1] https://github.com/OP-TEE/optee_os/commit/a58c4d706d2333d2b21a3eba7e2ec0cb257bca1d
Link: [2] https://github.com/ARM-software/SCP-firmware.git



Change-Id: I416c7dab5c67954c6fe80bae8d8cdfdcda66873e
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

Adds SCMI reset domain protocol support in the SCMI message drivers
as defined in SCMI specification v2.0 [1]. Not all the messages
defined in the specification are supported.

scmi_msg_get_rd_handler() sanitizes the message_id value
against any speculative use of reset domain ID as a index since by
SCMI specification, IDs are indices.

This implementation is based on the OP-TEE project implementation [2]
itself based on the SCP-firmware implementation [3] of the SCMI
protocol server side.

Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] https://github.com/OP-TEE/optee_os/commit/56a1f10ed99d683ee3a8af29b6147a59a99ef3e0
Link: [3] https://github.com/ARM-software/SCP-firmware.git



Change-Id: If7cf13de40a815dedb40dcd5af8b6bb6725d9078
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

Adds SCMI clock protocol support in the SCMI message drivers as
defined in SCMI specification v2.0 [1] for clock protocol messages.

Platform can provide one of the plat_scmi_clock_*() handler for the
supported operations set/get state/rate and others.

scmi_msg_get_clock_handler() sanitizes the message_id value
against any speculative use of clock ID as a index since by
SCMI specification, IDs are indices.

This implementation is based on the OP-TEE project implementation [2]
itself based on the SCP-firmware implementation [3] of the SCMI
protocol server side.

Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] https://github.com/OP-TEE/optee_os/commit/a7a9e3ba71dd908aafdc4c5ed9b29b15faa9692d
Link: [3] https://github.com/ARM-software/SCP-firmware.git



Change-Id: Ib56e096512042d4f7b9563d1e4181554eb8ed02c
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

This change introduces drivers to allow a platform to create a basic
SCMI service and register handlers for client request (SCMI agent) on
system resources. This is the first piece of the drivers: an entry
function, the SCMI base protocol support and helpers for create
the response message.

With this change, scmi_process_message() is the entry function to
process an incoming SCMI message. The function expect the message
is already copied from shared memory into secure memory. The message
structure stores message reference and output buffer reference where
response message shall be stored.

scmi_process_message() calls the SCMI protocol driver according to
the protocol ID in the message. The SCMI protocol driver will call
defined platform handlers according to the message content.

This change introduces only the SCMI base protocol as defined in
SCMI specification v2.0 [1]. Not all the messages defined
in the specification are supported.

The SCMI message implementation is derived from the OP-TEE project [2]
itself based on the SCP-firmware implementation [3] of the SCMI protocol
server side.

Link: [1] http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
Link: [2] https://github.com/OP-TEE/optee_os/commit/ae8c8068098d291e6e55744dbc237ec39fd9840a
Link: [3] https://github.com/ARM-software/SCP-firmware/tree/v2.6.0



Change-Id: I639c4154a39fca60606264baf8d32452641f45e9
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

This patch adds a build config 'RAS_TRAP_LOWER_EL_ERR_ACCESS' to set
SCR_EL3.TERR during CPU boot. This bit enables trapping RAS register
accesses from EL1 or EL2 to EL3.

RAS_TRAP_LOWER_EL_ERR_ACCESS is disabled by default.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ifb0fb0afedea7dd2a29a0b0491a1161ecd241438

This patch adds all Tegra194 RAS nodes definitions and support to
handle all uncorrectable RAS errors.

Change-Id: I109b5a8dbca91d92752dc282c4ca30f273c475f9
Signed-off-by: David Pu <dpu@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

with sha 0792dd7d

, support to generate certificate for Secure
Partitions was added for dualroot CoT only, this patch extends
this support for tbbr CoT.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I451c0333536dd1cbe17861d454bdb0dc7a17c63f

Using the fconf framework, the Group 0 and Group 1 secure interrupt
descriptors are moved to device tree and retrieved in runtime. This
feature is enabled by the build flag SEC_INT_DESC_IN_FCONF.

Change-Id: I360c63a83286c7ecc2426cd1ff1b4746d61e633c
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

The only difference between GIC-500 and GIC-600 relevant to TF-A is the
differing power management sequence.
A certain GIC implementation is detectable at runtime, for instance by
checking the IIDR register. Let's add that test before initiating the
GIC-600 specific sequence, so the code can be used on both GIC-600 and
GIC-500 chips alike, without deciding on a GIC chip at compile time.

This means that the GIC-500 "driver" is now redundant. To allow minimal
platform support, add a switch to disable GIC-600 support.

Change-Id: I17ea97d9fb05874772ebaa13e6678b4ba3415557
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
owned Secure Partitions(SP). A similar support for Platform owned SP can
be added in future. The certificate is also protected against anti-
rollback using the trusted Non-Volatile counter.

To avoid deviating from TBBR spec, support for SP CoT is only provided
in dualroot.
Secure Partition content certificate is assigned image ID 31 and SP
images follows after it.

The CoT for secure partition look like below.
+------------------+       +-------------------+
| ROTPK/ROTPK Hash |------>| Trusted Key       |
+------------------+       | Certificate       |
                           | (Auth Image)      |
                          /+-------------------+
                         /                   |
                        /                    |
                       /                     |
                      /                      |
                     L                       v
+------------------+       +-------------------+
| Trusted World    |------>| SiP owned SPs     |
| Public Key       |       | Content Cert      |
+------------------+       | (Auth Image)      |
                        /   +-------------------+
                       /                      |
                      /                      v|
+------------------+ L     +-------------------+
| SP_PKG1 Hash     |------>| SP_PKG1           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
        .                           .
        .                           .
        .                           .
+------------------+       +-------------------+
| SP_PKG8 Hash     |------>| SP_PKG8           |
|                  |       | (Data Image)      |
+------------------+       +-------------------+
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f

Add support to generate certificate "sip-sp-cert" for Secure
Partitions(SP) owned by Silicon provider(SiP).
To avoid deviation from TBBR specification the support is only added for
dualroot CoT and not for TBBR CoT.

A single certificate file is generated containing hash of individual
packages. Maximum 8 secure partitions are supported.

Following new options added to cert_tool:
 --sip-sp-cert --> SiP owned Secure Partition Content Certificate
 --sp-pkg1 --> Secure Partition Package1 file
 --sp-pkg2
 .....
 --sp-pkg8

Trusted world key pair is used for signing.

Going forward, this feature can be extended for Platfrom owned
Partitions, if required.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d

Remove pll powerdown from pll configuration sequence to improve
stability. Remove redundant cases, which no longer exist.
Also get rid of irrelevant definition of CPU_2200_DDR_1200_RCLK_1200,
which is not used by 806/807.

Change-Id: If911e7dee003dfb9a42fafd7ffe34662f026fd23
Signed-off-by: Alex Leibovich <alexl@marvell.com>

The mci_initialize function name was misleading. The function itself
doesn't initialize MCI in general but performs MCI link tuning for
performance improvement.

Change-Id: I13094ad2235182a14984035bbe58013ebde84a7e
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>

By default all external CPs start with configuration address space set to
0xf200_0000. To overcome this issue, go in the loop and initialize the
CP one by one, using temporary window configuration which allows to access
each CP and update its configuration space according to decoding
windows scheme defined for each platform.

In case of cn9130 after this procedure bellow addresses will be used:
CP0 - f2000000
CP1 - f4000000
CP2 - f6000000

When the re-configuration is done there is need to restore previous
decoding window configuration(init_io_win).

Change-Id: I1a652bfbd0bf7106930a7a4e949094dc9078a981
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>

Change-Id: Icb8fe14417665d6aadd5a5ee2b77547b4ef78773
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>

This commit is a preparation for upcoming support for OcteonTX and
OcteonTX2 product families. Armada platform related files (docs,
plat, include/plat) are moved to the new "armada" sub-folder.

Change-Id: Icf03356187078ad6a2e56c9870992be3ca4c9655
Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
Signed-off-by: Marcin Wojtas <mw@semihalf.com>

ETZPC stands for Extended TrustZone Protection Controller. It is a
resource conditional access device. It is mainly based on Arm TZPC.

ST ETZPC exposes memory mapped DECPROT cells to set access permissions
to SoC peripheral interfaces as I2C, SPI, DDR controllers, and some
of the SoC internal memories.

ST ETZPC exposes memory mapped TZMA cells to set access permissions
to some SoC internal memories.

Change-Id: I47ce20ffcfb55306dab923153b71e1bcbe2a5570
Co-developed-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>

Enhanced Counter Virtualization, ECV, is an architecture extension introduced
in ARMv8.6. This extension allows the hypervisor, at EL2, to setup
self-synchronizing views of the timers for it's EL1 Guests. This patch pokes the
control register to enable this extension when booting a hypervisor at EL2.

Change-Id: I4e929ecdf400cea17eff1de5cf8704aa7e40973d
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

The Fine Grained Traps (FGT) architecture extension was added to aarch64 in
ARMv8.6. This extension primarily allows hypervisors, at EL2, to trap specific
instructions in a more fine grained manner, with an enable bit for each
instruction. This patch adds support for this extension by enabling the
extension when booting an hypervisor at EL2.

Change-Id: Idb9013ed118b6a1b7b76287237096de992ca4da3
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>