1. 04 Mar, 2020 1 commit
    • Manish Pandey's avatar
      SPMD: loading Secure Partition payloads · cb3b5344
      Manish Pandey authored
      
      
      This patch implements loading of Secure Partition packages using
      existing framework of loading other bl images.
      
      The current framework uses a statically defined array to store all the
      possible image types and at run time generates a link list and traverse
      through it to load different images.
      
      To load SPs, a new array of fixed size is introduced which will be
      dynamically populated based on number of SPs available in the system
      and it will be appended to the loadable images list.
      
      Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      cb3b5344
  2. 03 Mar, 2020 1 commit
  3. 27 Feb, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Fix misra issues · 845db722
      Louis Mayencourt authored
      
      
      MISRA C-2012 Rule 20.7:
      Macro parameter expands into an expression without being wrapped by parentheses.
      
      MISRA C-2012 Rule 12.1:
      Missing explicit parentheses on sub-expression.
      
      MISRA C-2012 Rule 18.4:
      Essential type of the left hand operand is not the same as that of the right
      operand.
      
      Include does not provide any needed symbols.
      
      Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      845db722
  4. 25 Feb, 2020 1 commit
  5. 24 Feb, 2020 2 commits
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
    • Sandrine Bailleux's avatar
      plat/arm: Add support for dualroot CoT · 1035a706
      Sandrine Bailleux authored
      
      
      - Use the development PROTPK if using the dualroot CoT.
      
        Note that unlike the ROTPK, the PROTPK key hash file is not generated
        from the key file, instead it has to be provided. This might be
        enhanced in the future.
      
      - Define a CoT build flag for the platform code to provide different
        implementations where needed.
      
      Change-Id: Iaaf25183b94e77a99a5d8d875831d90c102a97ea
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      1035a706
  6. 19 Feb, 2020 1 commit
  7. 10 Feb, 2020 2 commits
  8. 07 Feb, 2020 9 commits
    • Louis Mayencourt's avatar
      arm-io: Panic in case of io setup failure · 97399821
      Louis Mayencourt authored
      
      
      Currently, an IO setup failure will be ignored on arm platform release
      build. Change this to panic instead.
      
      Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      97399821
    • Louis Mayencourt's avatar
      MISRA fix: Use boolean essential type · d6dcbcad
      Louis Mayencourt authored
      
      
      Change the return type of "arm_io_is_toc_valid()" and
      "plat_arm_bl1_fwu_needed()" to bool, to match function behavior.
      
      Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      d6dcbcad
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
    • Louis Mayencourt's avatar
      fconf: Add mbedtls shared heap as property · 6c972317
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework in arm dynamic configuration
      to retrieve mbedtls heap information between bl1 and bl2.
      
      For this, a new fconf getter is added to expose the device tree base
      address and size.
      
      Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c972317
    • Louis Mayencourt's avatar
      fconf: Add TBBR disable_authentication property · ce852841
      Louis Mayencourt authored
      
      
      Use fconf to retrieve the `disable_authentication` property.
      Move this access from arm dynamic configuration to bl common.
      
      Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ce852841
    • Louis Mayencourt's avatar
      fconf: Add dynamic config DTBs info as property · 25ac8794
      Louis Mayencourt authored
      
      
      This patch introduces a better separation between the trusted-boot
      related properties, and the dynamic configuration DTBs loading
      information.
      
      The dynamic configuration DTBs properties are moved to a new node:
      `dtb-registry`. All the sub-nodes present will be provided to the
      dynamic config framework to be loaded. The node currently only contains
      the already defined configuration DTBs, but can be extended for future
      features if necessary.
      The dynamic config framework is modified to use the abstraction provided
      by the fconf framework, instead of directly accessing the DTBs.
      
      The trusted-boot properties are kept under the "arm,tb_fw" compatible
      string, but in a separate `tb_fw-config` node.
      The `tb_fw-config` property of the `dtb-registry` node simply points
      to the load address of `fw_config`, as the `tb_fw-config` is currently
      part of the same DTB.
      
      Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      25ac8794
    • Louis Mayencourt's avatar
      fconf: Populate properties from dtb during bl2 setup · 9814bfc1
      Louis Mayencourt authored
      
      
      Use the dtb provided by bl1 as configuration file for fconf.
      
      Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      9814bfc1
    • Louis Mayencourt's avatar
      fconf: Load config dtb from bl1 · 3b5ea741
      Louis Mayencourt authored
      
      
      Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
      function is not associated to arm platform anymore, and can be moved
      to bl_main if wanted.
      
      Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      3b5ea741
    • Louis Mayencourt's avatar
      fconf: initial commit · ab1981db
      Louis Mayencourt authored
      
      
      Introduce the Firmware CONfiguration Framework (fconf).
      
      The fconf is an abstraction layer for platform specific data, allowing
      a "property" to be queried and a value retrieved without the requesting
      entity knowing what backing store is being used to hold the data.
      
      The default backing store used is C structure. If another backing store
      has to be used, the platform integrator needs to provide a "populate()"
      function to fill the corresponding C structure.
      The "populate()" function must be registered to the fconf framework with
      the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
      be called inside the "fconf_populate()" function.
      
      A two level macro is used as getter:
      - the first macro takes 3 parameters and converts it to a function
        call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
      - the second level defines a__b_getter(c) to the matching C structure,
        variable, array, function, etc..
      
      Ex: Get a Chain of trust property:
          1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
          2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
      
      Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ab1981db
  9. 05 Feb, 2020 1 commit
  10. 04 Feb, 2020 1 commit
  11. 29 Jan, 2020 1 commit
  12. 28 Jan, 2020 1 commit
  13. 27 Jan, 2020 1 commit
    • Madhukar Pappireddy's avatar
      plat/arm: Add support for SEPARATE_NOBITS_REGION · 0c1f197a
      Madhukar Pappireddy authored
      
      
      In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
      BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
      the build to require that ARM_BL31_IN_DRAM is enabled as well.
      
      Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
      cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
      
      Memory map for BL31 NOBITS region also has to be created.
      
      Change-Id: Ibbc8c9499a32e63fd0957a6e254608fbf6fa90c9
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      0c1f197a
  14. 23 Jan, 2020 1 commit
  15. 22 Jan, 2020 1 commit
    • Madhukar Pappireddy's avatar
      plat/arm: Add support for SEPARATE_NOBITS_REGION · d433bbdd
      Madhukar Pappireddy authored
      
      
      In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
      BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
      the build to require that ARM_BL31_IN_DRAM is enabled as well.
      
      Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
      cannot be reclaimed to be used for runtime data such as secondary cpu stacks.
      
      Memory map for BL31 NOBITS region also has to be created.
      
      Change-Id: Ibd480f82c1dc74e9cbb54eec07d7a8fecbf25433
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      d433bbdd
  16. 20 Dec, 2019 3 commits
    • Paul Beesley's avatar
      spm-mm: Refactor secure_partition.h and its contents · aeaa225c
      Paul Beesley authored
      
      
      Before adding any new SPM-related components we should first do
      some cleanup around the existing SPM-MM implementation. The aim
      is to make sure that any SPM-MM components have names that clearly
      indicate that they are MM-related. Otherwise, when adding new SPM
      code, it could quickly become confusing as it would be unclear to
      which component the code belongs.
      
      The secure_partition.h header is a clear example of this, as the
      name is generic so it could easily apply to any SPM-related code,
      when it is in fact SPM-MM specific.
      
      This patch renames the file and the two structures defined within
      it, and then modifies any references in files that use the header.
      
      Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      aeaa225c
    • Paul Beesley's avatar
      spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      Signed-off-by: default avatarArtsem Artsemenka <artsem.artsemenka@arm.com>
      538b0020
    • Paul Beesley's avatar
      Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: default avatarPaul Beesley <paul.beesley@arm.com>
      3f3c341a
  17. 19 Dec, 2019 1 commit
  18. 18 Dec, 2019 1 commit
  19. 17 Dec, 2019 2 commits
  20. 10 Dec, 2019 1 commit
    • Ambroise Vincent's avatar
      arm: gicv3: Fix compiler dependent behavior · d0196911
      Ambroise Vincent authored
      
      
      C99 standard: "What constitutes an access to an object that has
      volatile-qualified type is implementation-defined".
      
      GCC is not considering the cast to void of volatile structures as an
      access and so is not actually issuing reads.
      
      Clang does read those structures by copying them on the stack, which in
      this case creates an overflow because of their large size.
      
      This patch removes the cast to void and instead uses the USED attribute
      to tell the compiler to retain the static variables.
      
      Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d
      Signed-off-by: default avatarAmbroise Vincent <ambroise.vincent@arm.com>
      	       Zelalem Aweke <zelalem.aweke@arm.com>
      d0196911
  21. 09 Dec, 2019 1 commit
    • Louis Mayencourt's avatar
      Use the proper size for tb_fw_cfg_dtb · 6c77dfc5
      Louis Mayencourt authored
      
      
      Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page
      (but depend on the platform). Instead, read the actual size of the dtb
      with the libfdt "fdt_totalsize" function.
      This avoid flushing extra memory after updating the dtb with mbedtls
      heap information when shared heap is used.
      
      Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c77dfc5
  22. 07 Nov, 2019 1 commit
  23. 05 Nov, 2019 1 commit
  24. 21 Oct, 2019 1 commit
    • Manish Pandey's avatar
      plat/arm: use Aff3 bits also to validate mpidr · b30646a8
      Manish Pandey authored
      
      
      There are some platforms which uses MPIDR Affinity level 3 for storing
      extra affinity information e.g. N1SDP uses it for keeping chip id in a
      multichip setup, for such platforms MPIDR validation should not fail.
      
      This patch adds Aff3 bits also as part of mpidr validation mask, for
      platforms which does not uses Aff3 will not have any impact as these
      bits will be all zeros.
      
      Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      b30646a8
  25. 26 Sep, 2019 1 commit
  26. 13 Sep, 2019 1 commit
    • Alexei Fedorov's avatar
      Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: default avatarAlexei Fedorov <Alexei.Fedorov@arm.com>
      ed108b56
  27. 01 Aug, 2019 1 commit
    • Julius Werner's avatar
      Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: default avatarJulius Werner <jwerner@chromium.org>
      402b3cf8