GitLab

Some platforms are extremely memory constrained and must split BL31
between multiple non-contiguous areas in SRAM. Allow the NOBITS
sections (.bss, stacks, page tables, and coherent memory) to be placed
in a separate region of RAM from the loaded firmware image.

Because the NOBITS region may be at a lower address than the rest of
BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
region, or el3_entrypoint_common would attempt to invalidate the dcache
for the entire address space. New symbols __NOBITS_{START,END}__ are
added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the
NOBITS region is invalidated separately.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37

The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.

This patch removes:

- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions

Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>

There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.

Before: ENABLE_SPM=1 is required for using either implementation.
        By default, the SPCI-based implementation is enabled and
        this is overridden if SPM_MM=1.

After: ENABLE_SPM=1 enables the SPCI-based implementation.
       SPM_MM=1 enables the MM-based implementation.
       The two build flags are mutually exclusive.

Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.

Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Provide an SMC interface to the 9p filesystem. This permits
accessing firmware drivers through a common interface, using
standardized read/write/control operations.
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9314662314bb060f6bc02714476574da158b2a7d

Sphinx was showing the following warning message:

docs/getting_started/build-options.rst:200: WARNING: Bullet list ends
without a blank line; unexpected unindent.

Change-Id: Iad5d49c1e0d25dd623ad15bce1af31babf860c03
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Add the support needed to enable using CryptoCell integration with
with RSA 3K support.
Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com>
Change-Id: I95527cb0c41ae012109e8968dd20a4ae9fe67f17

This patch enables LTO for TF-A when compiled with GCC.
LTO is disabled by default and is enabled by
ENABLE_LTO=1 build option.

LTO is enabled only for aarch64 as there seem to be
a bug in the aarch32 compiler when LTO is enabled.

The changes in the makefiles include:
- Adding -flto and associated flags to enable LTO.
- Using gcc as a wrapper at link time instead of ld.
  This is recommended when using LTO as gcc internally
  takes care of invoking the necessary plugins for LTO.
- Adding switches to pass options to ld.
- Adding a flag to disable fix for erratum cortex-a53-843419
  unless explicitly enabled. This is needed because GCC
  seem to automatically add the erratum fix when used
  as a wrapper for LD.

Additionally, this patch updates the TF-A user guide with
the new build option.
Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468

The User Guide document has grown organically over time and
now covers a wide range of topics, making it difficult to
skim read and extract information from. Currently, it covers
these topics and maybe a couple more:

- Requirements (hardware, tools, libs)
- Checking out the repo
- Basic build instructions
- A comprehensive list of build flags
- FIP packaging
- Building specifically for Juno
- Firmware update images
- EL3 payloads
- Preloaded BL33 boot flow
- Running on FVPs
- Running on Juno

I have separated these out into a few groups that become new
documents. Broadly speaking, build instructions for the tools,
for TF-A generally, and for specific scenarios are separated.
Content relating to specific platforms (Juno and the FVPs are
Arm-specific platforms, essentially) has been moved into the
documentation that is specific to those platforms, under
docs/plat/arm.

Change-Id: Ica87c52d8cd4f577332be0b0738998ea3ba3bbec
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

From AArch64 state, arguments are passed in registers W0-W7(X0-X7)
and results are returned in W0-W7(X0-X7) for SMC32(SMC64) calls.
From AArch32 state, arguments are passed in registers R0-R7 and
results are returned in registers R0-R7 for SMC32 calls.

Most of the functions and macros already existed to support using
upto 8 registers for passing/returning parameters/results. Added
few helper macros for SMC calls from AArch32 state.

Link to the specification:
https://developer.arm.com/docs/den0028/c



Change-Id: I87976b42454dc3fc45c8343e9640aa78210e9741
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

A small set of misc changes to ensure correctness before the v2.2
release tagging.

Change-Id: I888840b9483ea1a1633d204fbbc0f9594072101e
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

User guide:
1. Remove obsolete note saying only FVP is supported with AArch32
2. Switch compiler for Juno AArch32 to arm-eabi
3. Mention SOFTWARE folder in Juno Linaro release

Index.rst:
1. Switch default FVP model to Version 11.6 Build 45
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
Change-Id: Ib47a2ea314e2b8394a20189bf91796de0e17de53

Tidying up a few Sphinx warnings that had built-up over time.
None of these are critical but it cleans up the Sphinx output.

At the same time, fixing some spelling errors that were detected.

Change-Id: I38209e235481eed287f8008c6de9dedd6b12ab2e
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

This new page contains instructions for doing a local
build of the documentation, plus information on the environment
setup that needs to be done beforehand.

Change-Id: If563145ab40639cabbe25d0f62759981a33692c6
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Currently links between documents are using the format:

<path/to/><filename>.rst

This was required for services like GitHub because they render each
document in isolation - linking to another document is like linking
to any other file, just provide the full path.

However, with the new approach, the .rst files are only the raw
source for the documents. Once the documents have been rendered
the output is now in another format (HTML in our case) and so,
when linking to another document, the link must point to the
rendered version and not the .rst file.

The RST spec provides a few methods for linking between content.
The parent of this patch enabled the automatic creation of anchors
for document titles - we will use these anchors as the targets for
our links. Additional anchors can be added by hand if needed, on
section and sub-section titles, for example.

An example of this new format, for a document with the title
"Firmware Design" is :ref:`Firmware Design`.

One big advantage of this is that anchors are not dependent on
paths. We can then move documents around, even between directories,
without breaking any links between documents. Links will need to be
updated only if the title of a document changes.

Change-Id: I9e2340a61dd424cbd8fd1ecc2dc166f460d81703
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
on a platform build option. The CAS-based implementation used to be
unconditionally selected for all ARM8.1+ platforms.

The previous CAS spinlock implementation had a bug wherein the spin_unlock()
implementation had an `sev` after `stlr` which is not sufficient. A dsb is
needed to ensure that the stlr completes prior to the sev. Having a dsb is
heavyweight and a better solution would be to use load exclusive semantics
to monitor the lock and wake up from wfe when a store happens to the lock.
The patch implements the same.

Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

Change-Id: I3b866e927d93f4b690aa4891940fc8afabf4146e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

- Updated Linaro release version number to 19.06
- Updated links to Linaro instructions and releases
- Removed the Linaro old releases link
Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
Change-Id: Ib786728106961e89182b42183e7b889f6fc74190

This PSCI hook is similar to pwr_domain_on_finish but is
guaranteed to be invoked with the respective core and cluster are
participating in coherency. This will be necessary to safely invoke
the new GICv3 API which modifies shared GIC data structures concurrently.

Change-Id: I8e54f05c9d4ef5712184c9c18ba45ac97a29eb7a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

The block size of some storage device is 4096-byte long, such as UFS. But
PARTITION_BLOCK_SIZE is defined as 512-byte long. So replace it by
PLAT_PARTITION_BLOCK_SIZE. Make it configurable in platform.
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Change-Id: Iada05f7c646d0a0f2c0d3b8545540b3cb7153de3

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
  of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
  which returns 128-bit value and uses Generic timer physical counter
  value to increase the randomness of the generated key.
  The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
  generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
  pauth_disable_el1()` and `pauth_disable_el3()` functions disable
  PAuth for EL1 and EL3 respectively;
  `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
  cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
  `save_gp_registers()` and `pauth_context_save()`;
  `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
  and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
  code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
  for 12 uint64_t PAuth registers instead of 10 by removal of macro
  CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
  and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
  in `msr	spsel`  instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Support for PKCS#1 v1.5 was deprecated in SHA 1001202d and fully removed
in SHA fe199e3b

, however, cert_tool is still able to generate
certificates in that form. This patch fully removes the ability for
cert_tool to generate these certificates.

Additionally, this patch also fixes a bug where the issuing certificate
was a RSA and the issued certificate was EcDSA. In this case, the issued
certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per
PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now
that PKCS#1 v1.5 support is removed, all certificates that are signed
with RSA now use the more modern padding scheme.

Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

This patch adds documentation for the new KEY_SIZE build option that is
exposed by cert_create, and instructions on how to use it.

Change-Id: I09b9b052bfdeeaca837e0f0026e2b01144f2472c
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

Some of the platform (ie. Agilex) make use of CCU IPs which will only be
initialized during bl2_el3_early_platform_setup. Any operation to the
cache beforehand will crash the platform. Hence, this will provide an
option to skip the data cache invalidation upon bl2 entry at EL3
Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com>
Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06

This patch adds support for the Undefined Behaviour sanitizer. There are
two types of support offered - minimalistic trapping support which
essentially immediately crashes on undefined behaviour and full support
with full debug messages.

The full support relies on ubsan.c which has been adapted from code used
by OPTEE.

Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

A new build flag, CTX_INCLUDE_MTE_REGS, has been added; this patch adds
documentation for it in the User Guide along with instructions of what
different values mean.

Change-Id: I430a9c6ced06b1b6be317edbeff4f5530e30f63a
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
Change-Id: Ib12ecc0b283274c74cdfa57caf9e1a105dce3afe

At the time of writting, GCC 8.3-2019.03 is the latest version available
on developer.arm.com.

Switch to bare-metal toolchain (arm-eabi-) for AArch32. This allows to
have a finer control on the use of floating-point and SIMD instructions.

Change-Id: I4438401405eae1e5f6d531b0162e8fa06f69135e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Add uml sequence and class diagram to illustrate the behavior of the
storage abstraction layer.

Change-Id: I338262729f8034cc3d3eea1d0ce19cca973a91bb
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Change-Id: I755e4c42242d9a052570fd1132ca3d937acadb13
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

Change-Id: I0d9dbef7041fcf950bcafcdbbc17c72b4dea9e40
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Change-Id: Ib021c721652d96f6c06ea18741f19a72bba1d00f
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.

Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

The documentation contains plenty of notes and warnings. Enable
special rendering of these blocks by converting the note prefix
into a .. note:: annotation.

Change-Id: I34e26ca6bf313d335672ab6c2645741900338822
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Several code blocks do not specify a language for syntax
highlighting. This results in Sphinx using a default highlighter
which is Python.

This patch adds the correct language to each code block that doesn't
already specify it.

Change-Id: Icce1949aabfdc11a334a42d49edf55fa673cddc3
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

One of the current issues with the documentation is that terms and
abbreviations are frequently redefined. For example, we might have
a sentence like "... the SCP (System Control Processor) will ...".

These definitions might be repeated several times across pages, or
even within the same document. Equally, some of these abbreviations
are missed and are never expanded.

Sphinx provides a :term: keyword that takes some text and,
if that text is defined in a glossary document, links to its glossary
entry. Using this functionality will prevent repeated definitions
and will make the docs more maintainable by using a single
definition source.

The glossary added in this patch was created from a quick scrub of
the source code - there may be missing entries. The SDEI abbreviation
was used as an example.

Note that a global_substitutions file was created. This file contains
the RST 'replace' statements that convert plain text terms into linked
terms (by adding the ':term:' keyword to them). An example is:

.. |TF-A| replace:: :term:`TF-A`

The 'rst_prolog' variable in conf.py is used to inject this list of
replacements into each page. Terms must be surrounded with the pipe
character to be turned into links - this means that we can still
prevent certain terms from being linked if we don't want them to be.

Change-Id: I87010ed9cfa4a60011a9b4a431b98cb4bb7baa28
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

These are no longer needed as there will always be a table of contents
rendered to the left of every page.

Some of these lists can be quite long and, when opening a page, the
reader sees nothing but a huge list of contents! After this patch,
the document contents are front-and-centre and the contents are
nicely rendered in the sidebar without duplication.

Change-Id: I444754d548ec91d00f2b04e861de8dde8856aa62
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Required work to make all documents sit at the correct levels within
the document tree and any derived content like the table of contents
and the categories in the sidebar.

Change-Id: I4885fbe30864a87c8822ee67482b71fb46a8fbc6
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

This patch attempts to standardise the document titles as well as
adding titles to documents that were missing one. The aim is to
remove needless references to "TF-A" or "Trusted Firmware" in the
title of every document and to make sure that the title matches
with the document content.

Change-Id: I9b93ccf43b5d57e8dc793a5311b8ed7c4dd245cc
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

This change creates the following directories under docs/
in order to provide a grouping for the content:

- components
- design
- getting_started
- perf
- process

In each of these directories an index.rst file is created
and this serves as an index / landing page for each of the
groups when the pages are compiled. Proper layout of the
top-level table of contents relies on this directory/index
structure.

Without this patch it is possible to build the documents
correctly with Sphinx but the output looks messy because
there is no overall hierarchy.

Change-Id: I3c9f4443ec98571a56a6edf775f2c8d74d7f429f
Signed-off-by: Paul Beesley <paul.beesley@arm.com>