1. 10 Oct, 2018 2 commits
  2. 08 Oct, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat: Fix checks in mmap_add() and mmap_add_ctx() · a5fa5658
      Antonio Nino Diaz authored
      Commit 79621f00
      
       broke sgi575.
      
      It is possible to have a region with 0 as value for the attributes. It
      means device memory, read only, secure, executable. This is legitimate
      if the code is in flash and the code is executed from there.
      
      This is the case for SGI_MAP_FLASH0_RO, defined in the file
      plat/arm/css/sgi/sgi_plat.c.
      
      This problem is solved by checking both size and attributes in xlat v1.
      In xlat v2, it is enough to check the granularity, as it can never be 0.
      
      Change-Id: I7be11f1b0e51c4c2ffd560b4a6cdfbf15de2c276
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      a5fa5658
  3. 03 Oct, 2018 3 commits
    • Daniel Boulby's avatar
      Mark xlat tables initialization code · aff2863f
      Daniel Boulby authored
      
      
      Mark the xlat tables code only used in BL31 initialization as
      __init to be reclaimed once no longer needed
      
      Change-Id: I3106bfd994706a57c578624573bcfa525fbbd3c4
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      aff2863f
    • Daniel Boulby's avatar
      Mark BL31 initialization functions · 87c85134
      Daniel Boulby authored
      
      
      Mark the initialization functions in BL31, such as context management,
      EHF, RAS and PSCI as __init so that they can be reclaimed by the
      platform when no longer needed
      
      Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      87c85134
    • Daniel Boulby's avatar
      xlat: Change check in mmap_add and mmap_add_ctx() · 79621f00
      Daniel Boulby authored
      
      
      Depending on the build flags it is possible that some of the memory
      regions mapped in page table setup could have a size of 0. In this
      case we simply want to do nothing but still wish to map the other
      regions in the array. Therefore we cannot only use size == 0 as
      the termination logic for the loop.
      
      Since an attributes field with value 0 means that the region is
      device memory, read only, secure and executable. Device memory
      can't be executable, so this combination should never be used
      and it is safe to use as a terminator value.
      
      Therefore by changing the termination logic to use attributes
      instead of size we prevent terminating the loop when we don't
      intend to.
      
      Change-Id: I92fc7f689ab08543497be6be4896dace2ed7b66a
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      79621f00
  4. 28 Sep, 2018 4 commits
  5. 21 Sep, 2018 1 commit
    • Daniel Boulby's avatar
      Ensure the flow through switch statements is clear · a08a2014
      Daniel Boulby authored
      
      
      Ensure case clauses:
      *   Terminate with an unconditional break, return or goto statement.
      *   Use conditional break, return or goto statements as long as the end
          of the case clause is unreachable; such case clauses must terminate
          with assert(0) /* Unreachable */ or an unconditional  __dead2 function
          call
      *   Only fallthough when doing otherwise would result in less
          readable/maintainable code; such case clauses must terminate with a
          /* Fallthrough */ comment to make it clear this is the case and
          indicate that a fallthrough is intended.
      
      This reduces the chance of bugs appearing due to unintended flow through a
      switch statement
      
      Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168
      Signed-off-by: default avatarDaniel Boulby <daniel.boulby@arm.com>
      a08a2014
  6. 10 Sep, 2018 1 commit
  7. 07 Sep, 2018 1 commit
  8. 05 Sep, 2018 4 commits
    • Jeenu Viswambharan's avatar
      Add missing barriers to Bakery Locks · 24dc9709
      Jeenu Viswambharan authored
      
      
      With the current implementation, it's possible for a contender to
      observe accesses in the Critical Section before acquiring or releasing
      the lock. Insert fencing in the locking and release codes to prevent any
      reorder.
      
      Fixes ARM-software/tf-issues#609
      
      Change-Id: I773b82aa41dd544a2d3dbacb9a4b42c9eb767bbb
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      24dc9709
    • Varun Wadekar's avatar
      cpus: denver: Implement static workaround for CVE-2018-3639 · 6cf8d65f
      Varun Wadekar authored
      
      
      For Denver CPUs, this approach enables the mitigation during EL3
      initialization, following every PE reset. No mechanism is provided to
      disable the mitigation at runtime.
      
      This approach permanently mitigates the EL3 software stack only. Other
      software components are responsible to enable it for their exception
      levels.
      
      TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
      and earlier:
      
      *   By setting bit 11 (Disable speculative store buffering) of
          `ACTLR_EL3`
      
      *   By setting bit 9 (Disable speculative memory disambiguation) of
          `ACTLR_EL3`
      
      TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
      and later:
      
      *   By setting bit 18 (Disable speculative store buffering) of
          `ACTLR_EL3`
      
      *   By setting bit 17 (Disable speculative memory disambiguation) of
          `ACTLR_EL3`
      
      Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      6cf8d65f
    • Varun Wadekar's avatar
      cpus: denver: reset power state to 'C1' on boot · cf3ed0dc
      Varun Wadekar authored
      
      
      Denver CPUs expect the power state field to be reset to 'C1'
      during boot. This patch updates the reset handler to reset the
      ACTLR_.PMSTATE field to 'C1' state during CPU boot.
      
      Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      cf3ed0dc
    • Varun Wadekar's avatar
      denver: use plat_my_core_pos() to get core position · 1593cae4
      Varun Wadekar authored
      
      
      The current functions to disable and enable Dynamic Code Optimizer
      (DCO) assume that all denver cores are in the same cluster. They
      ignore AFF1 field of the mpidr_el1 register, which leads to
      incorect logical core id calculation.
      
      This patch calls the platform handler, plat_my_core_pos(), to get
      the logical core id to disable/enable DCO for the core.
      
      Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>
      
      Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
      Signed-off-by: default avatarVarun Wadekar <vwadekar@nvidia.com>
      1593cae4
  9. 30 Aug, 2018 3 commits
  10. 23 Aug, 2018 2 commits
    • nathan-menhorn's avatar
      Fixed ARM-software/tf-issues#603 · b554e768
      nathan-menhorn authored
      
      
      Updated optee_utils.c to fix ARM-software/tf-issues#603 related to the
      tee-validate-header bug.
      
      Minor updates to the header valid checking logic. It would never make
      sense to have less than 1 image to load so this is now checked.
      
      Changed OPTEE_MAX_IMAGE_NUM to OPTEE_MAX_NUM_IMAGES to clarify its
      definition. OPTEE_MAX_IMAGE_NUM sounds like an ID assigned to the last
      image to load. OPTEE_MAX_NUM_IMAGES sounds like the maximum number of
      images to load.
      Signed-off-by: default avatarNathan Menhorn <nathan.menhorn@xilinx.com>
      b554e768
    • John Tsichritzis's avatar
      DSU erratum 936184 workaround: bug fix · 7436d5d3
      John Tsichritzis authored
      
      
      The initial implementation was corrupting registers that it shouldn't.
      Now this is fixed.
      
      Change-Id: Iaa407c18e668b2d9381391bf10d6876fe936aded
      Signed-off-by: default avatarJohn Tsichritzis <john.tsichritzis@arm.com>
      7436d5d3
  11. 22 Aug, 2018 12 commits
  12. 20 Aug, 2018 2 commits
    • Jeenu Viswambharan's avatar
      RAS: MISRA fixes · 30a8d96e
      Jeenu Viswambharan authored
      
      
      These changes address most of the required MISRA rules. In the process,
      some from generic code is also fixed.
      
      No functional changes.
      
      Change-Id: I76cacf6e1d73b09510561b5090c2bb66d81bec88
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      30a8d96e
    • Jeenu Viswambharan's avatar
      AArch64: Enable MPAM for lower ELs · 5f835918
      Jeenu Viswambharan authored
      
      
      Memory Partitioning And Monitoring is an Armv8.4 feature that enables
      various memory system components and resources to define partitions.
      Software running at various ELs can then assign themselves to the
      desired partition to control their performance aspects.
      
      With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
      lower ELs to access their own MPAM registers without trapping to EL3.
      This patch however doesn't make use of partitioning in EL3; platform
      initialisation code should configure and use partitions in EL3 if
      required.
      
      Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
      Co-authored-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      5f835918
  13. 17 Aug, 2018 2 commits
  14. 10 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Support the EL2 translation regime · 1a92a0e0
      Antonio Nino Diaz authored
      
      
      The translation library is useful elsewhere. Even though this repository
      doesn't exercise the EL2 support of the library, it is better to have it
      here as well to make it easier to maintain.
      
      enable_mmu_secure() and enable_mmu_direct() have been deprecated. The
      functions are still present, but they are behind ERROR_DEPRECATED and
      they call the new functions enable_mmu_svc_mon() and
      enable_mmu_direct_svc_mon().
      
      Change-Id: I13ad10cd048d9cc2d55e0fff9a5133671b67dcba
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      1a92a0e0
  15. 07 Aug, 2018 1 commit
    • Antonio Nino Diaz's avatar
      xlat v2: Flush xlat tables after being modified · 3e318e40
      Antonio Nino Diaz authored
      During cold boot, the initial translation tables are created with data
      caches disabled, so all modifications go to memory directly. After the
      MMU is enabled and data cache is enabled, any modification to the tables
      goes to data cache, and eventually may get flushed to memory.
      
      If CPU0 modifies the tables while CPU1 is off, CPU0 will have the
      modified tables in its data cache. When CPU1 is powered on, the MMU is
      enabled, then it enables coherency, and then it enables the data cache.
      Until this is done, CPU1 isn't in coherency, and the translation tables
      it sees can be outdated if CPU0 still has some modified entries in its
      data cache.
      
      This can be a problem in some cases. For example, the warm boot code
      uses only the tables mapped during cold boot, which don't normally
      change. However, if they are modified (and a RO page is made RW, or a XN
      page is made executable) the CPU will see the old attributes and crash
      when it tries to access it.
      
      This doesn't happen in systems with HW_ASSISTED_COHERENCY or
      WARMBOOT_ENABLE_DCACHE_EARLY. In these systems, the data cache is
      enabled at the same time as the MMU. As soon as this happens, the CPU is
      in coherency.
      
      There was an attempt of a fix in psci_helpers.S, but it didn't solve the
      problem. That code has been deleted. The code was introduced in commit
      <26441030
      
      > ("Invalidate TLB entries during warm boot").
      
      Now, during a map or unmap operation, the memory associated to each
      modified table is flushed. Traversing a table will also flush it's
      memory, as there is no way to tell in the current implementation if the
      table that has been traversed has also been modified.
      
      Change-Id: I4b520bca27502f1018878061bc5fb82af740bb92
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      3e318e40