1. 22 Jan, 2020 1 commit
  2. 14 Nov, 2019 1 commit
    • Refactor load_auth_image_internal(). · 9e7d6631
      Sandrine Bailleux authored
      
      
      The pre-processor directives make it hard to read the non-TBB version of
      this function. Refactor the code to improve readability. No functional
      change introduced.
      
      In particular, introduce a new helper function load_image_flush(),
      that simply loads an image and flushes it out to main memory. This is
      the only thing load_auth_image_internal() needs to do when TBB is
      disabled or when authentication is dynamically disabled.
      
      In other cases, we need to recursively authenticate the parent images up
      to the root of trust. To make this clearer, this code gets moved to a
      TBB-specific helper function called load_auth_image_recursive().
      
      As a result, load_auth_image_internal() now boils down to calling the
      right helper function (depending on TBB enablement and dynamic
      authentication status).
      
      Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890
      Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
  3. 25 Sep, 2019 2 commits
    • FDT helper functions: Respect architecture in PSCI function IDs · 66799507
      Andre Przywara authored
      
      
      PSCI uses different function IDs for CPU_SUSPEND and CPU_ON, depending on
      the architecture used (AArch64 or AArch32).
      For recent PSCI versions the client will determine the right version,
      but for PSCI v0.1 we need to put some ID in the DT node. At the moment
      we always add the 64-bit IDs, which is not correct if TF-A is built for
      AArch32.
      
      Use the function IDs matching the TF-A build architecture, for the two
      IDs where this differs. This only affects legacy OSes using PSCI v0.1.
      
      On the way remove the sys_poweroff and sys_reset properties, which were
      never described in the official PSCI DT binding.
      
      Change-Id: If77bc6daec215faeb2dc67112e765aacafd17f33
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • FDT helper functions: Add function documentation · 6eaf928d
      Andre Przywara authored
      
      
      Since we moved some functions that amend a DT blob in memory to common
      code, let's add proper function documentation.
      This covers the three exported functions in common/fdt_fixup.c.
      
      Change-Id: I67d7d27344e62172c789d308662f78d54903cf57
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
  4. 13 Sep, 2019 3 commits
    • Add fdt_add_reserved_memory() helper function · 3ef45dda
      Andre Przywara authored
      
      
      If a firmware component like TF-A reserves special memory regions for
      its own or secure payload services, it should announce the location and
      size of those regions to the non-secure world. This will avoid
      disappointment when some rich OS tries to access this memory, which
      will likely end in a crash.
      
      The traditional way of advertising reserved memory using device tree is
      using the special memreserve feature of the device tree blob (DTB).
      However, by definition those regions mentioned there do not prevent the
      rich OS from mapping this memory, which may lead to speculative accesses to
      this memory and hence spurious bus errors.
      
      A safer way of carving out memory is to use the /reserved-memory node as
      part of the normal DT structure. Besides being easier to set up, this
      also defines an explicit "no-map" property to signify the secure-only
      nature of certain memory regions, which prevents the rich OS from
      accidentally stepping on it.
      
      Add a helper function to allow platform ports to easily add a region.
      
      Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • qemu: Move and generalise FDT PSCI fixup · f240728b
      Andre Przywara authored
      
      
      The QEMU platform port scans its device tree to advertise PSCI as the
      CPU enable method. It does this by scanning *every* node in the DT and
      checking whether its compatible string starts with "arm,cortex-a". Then it
      sets the enable-method to PSCI, if it doesn't already have one.
      
      Other platforms might want to use this functionality as well, so let's
      move it out of the QEMU platform directory and make it more robust by
      fixing some shortcomings:
      - A compatible string starting with a certain prefix is not a good way
      to find the CPU nodes. For instance, an "arm,cortex-a72-pmu" node will
      match as well and is in turn favoured with an enable-method.
      - If the DT already has an enable-method, we won't change this to PSCI.
      
      Those two issues will for instance fail on the Raspberry Pi 4 DT.
      To fix those problems, we adjust the scanning method:
      The DT spec says that all CPU nodes are subnodes of the mandatory
      /cpus node, which is a subnode of the root node. Also each CPU node has
      to have a device_type = "cpu" property. So we find the /cpus node, then
      scan for a subnode with the proper device_type, forcing the
      enable-method to "psci".
      We have to restart this search after a property has been patched, as the
      node offsets might have changed meanwhile.
      
      This allows this routine to be reused for the Raspberry Pi 4 later.
      
      Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    • Refactor ARMv8.3 Pointer Authentication support code · ed108b56
      Alexei Fedorov authored
      
      
      This patch provides the following features and makes modifications
      listed below:
      - Individual APIAKey key generation for each CPU.
      - New key generation on every BL31 warm boot and TSP CPU On event.
      - Per-CPU storage of APIAKey added in percpu_data[]
        of cpu_data structure.
      - `plat_init_apiakey()` function replaced with `plat_init_apkey()`
        which returns 128-bit value and uses Generic timer physical counter
        value to increase the randomness of the generated key.
        The new function can be used for generation of all ARMv8.3-PAuth keys.
      - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
      - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
        generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
        `pauth_disable_el1()` and `pauth_disable_el3()` functions disable
        PAuth for EL1 and EL3 respectively;
        `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
        cpu-data structure.
      - Combined `save_gp_pauth_registers()` function replaces calls to
        `save_gp_registers()` and `pauth_context_save()`;
        `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
        and `restore_gp_registers()` calls.
      - `restore_gp_registers_eret()` function removed with corresponding
        code placed in `el3_exit()`.
      - Fixed the issue when `pauth_t pauth_ctx` structure allocated space
        for 12 uint64_t PAuth registers instead of 10 by removal of macro
        CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
        and assigning its value to CTX_PAUTH_REGS_END.
      - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
        in `msr	spsel`  instruction instead of hard-coded values.
      - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
      
      Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  5. 29 Aug, 2019 1 commit
  6. 15 Aug, 2019 1 commit
  7. 01 Aug, 2019 1 commit
    • Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: Julius Werner <jwerner@chromium.org>
  8. 24 Jul, 2019 1 commit
    • Add helper to parse BL31 parameters (both versions) · d9af1f7b
      Julius Werner authored
      BL31 used to take a single bl31_params_t parameter structure with entry
      point information in arg0. In commit 72600226 (Add new version of image
      loading.) this API was changed to a more flexible linked list approach,
      and the old parameter structure was copied into all platforms that still
      used the old format. This duplicated code unnecessarily among all these
      platforms.
      
      This patch adds a helper function that platforms can optionally link to
      outsource the task of interpreting arg0. Many platforms are just
      interested in the BL32 and BL33 entry point information anyway. Since
      some platforms still need to support the old version 1 parameters, the
      helper will support both formats when ERROR_DEPRECATED == 0. This allows
      those platforms to drop a bunch of boilerplate code and asynchronously
      update their BL2 implementation to the newer format.
      
      Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38
      Signed-off-by: Julius Werner <jwerner@chromium.org>
  9. 17 Jul, 2019 1 commit
    • backtrace: Strip PAC field when PAUTH is enabled · b8b31ad0
      Louis Mayencourt authored
      
      
      When pointer authentication is enabled, the LR value saved on the stack
      contains a Pointer Authentication Code (PAC). It must be stripped to
      retrieve the return address.
      
      The PAC field is stored on the high bits of the address and defined as:
      - PAC field = Xn[54:bottom_PAC_bit], when address tagging is used.
      - PAC field = Xn[63:56, 54:bottom_PAC_bit], without address tagging.
      
      With bottom_PAC_bit = 64 - TCR_ELx.TnSZ
      
      Change-Id: I21d804e58200dfeca1da4c2554690bed5d191936
      Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
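The PAC field definition from the commit message above, worked through in C as an added example (not code from the TF-A repository). `pac_field_mask()` and `strip_pac()` are hypothetical names and the sample LR values are constructed; filling the field with copies of bit 55 is the architectural strip behaviour and goes beyond what the commit message states.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Mask of the PAC field for a pointer translated with TCR_ELx.TnSZ == tnsz:
 *   with address tagging:    Xn[54:bottom_PAC_bit]
 *   without address tagging: Xn[63:56, 54:bottom_PAC_bit]
 * where bottom_PAC_bit = 64 - TnSZ. Bit 55 is never part of the PAC.
 */
static uint64_t pac_field_mask(unsigned int tnsz, bool address_tagging)
{
    /* Guard the shift below; this is not a check of architecturally valid TnSZ. */
    if (tnsz == 0U || tnsz > 63U)
        return 0ULL;

    unsigned int bottom_pac_bit = 64U - tnsz;
    uint64_t mask = 0ULL;

    if (bottom_pac_bit <= 54U) {
        uint64_t below_55 = (1ULL << 55) - 1ULL;
        uint64_t below_bottom = (1ULL << bottom_pac_bit) - 1ULL;
        mask = below_55 & ~below_bottom;      /* bits [54:bottom_PAC_bit] */
    }
    if (!address_tagging)
        mask |= 0xFFULL << 56;                /* bits [63:56] also hold PAC */
    return mask;
}

/*
 * Recover the return address from a signed LR. Bit 55 selects the lower or
 * upper VA range, so the PAC field is overwritten with copies of that bit.
 * With address tagging, the tag in bits [63:56] is left untouched.
 */
static uint64_t strip_pac(uint64_t lr, unsigned int tnsz, bool address_tagging)
{
    uint64_t mask = pac_field_mask(tnsz, address_tagging);

    return ((lr >> 55) & 1ULL) ? (lr | mask) : (lr & ~mask);
}

int main(void)
{
    /* Constructed sample values: a signed LR as it might sit on the stack. */
    const uint64_t signed_lr = 0xAB12345600000798ULL;

    printf("mask, TnSZ=32, tagging:    0x%016" PRIx64 "\n",
           pac_field_mask(32U, true));
    printf("mask, TnSZ=32, no tagging: 0x%016" PRIx64 "\n",
           pac_field_mask(32U, false));
    printf("stripped, tagging:         0x%016" PRIx64 "\n",
           strip_pac(signed_lr, 32U, true));
    printf("stripped, no tagging:      0x%016" PRIx64 "\n",
           strip_pac(signed_lr, 32U, false));
    return 0;
}
```

A backtrace that prints the saved LR without this step shows addresses that do not resolve in addr2line, because the upper bits still carry the PAC.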
  10. 10 Jul, 2019 1 commit
  11. 01 Mar, 2019 1 commit
  12. 27 Feb, 2019 1 commit
    • Add support for pointer authentication · b86048c4
      Antonio Nino Diaz authored
      
      
      The previous commit added the infrastructure to load and save
      ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but
      didn't actually enable pointer authentication in the firmware.
      
      This patch adds the functionality needed for platforms to provide
      authentication keys for the firmware, and a new option (ENABLE_PAUTH) to
      enable pointer authentication in the firmware itself. This option is
      disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be
      enabled.
      
      Change-Id: I35127ec271e1198d43209044de39fa712ef202a5
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  13. 31 Jan, 2019 1 commit
  14. 30 Jan, 2019 1 commit
  15. 23 Jan, 2019 1 commit
    • plat/arm: Save BL2 descriptors to reserved memory. · 5b8d50e4
      Sathees Balya authored
      
      
      On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
      descriptors describing the list of executable images are created in BL2
      R/W memory, which could possibly be corrupted later on by BL31/BL32 due
      to overlay. This patch creates a reserved location in SRAM for these
      descriptors, which are copied over by BL2 before handing over to the next BL
      image.
      
      Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR
      is enabled.
      
      Fixes ARM-Software/tf-issues#626
      
      Change-Id: I755735706fa702024b4032f51ed4895b3687377f
      Signed-off-by: Sathees Balya <sathees.balya@arm.com>
  16. 15 Jan, 2019 1 commit
    • Correct typographical errors · 8aabea33
      Paul Beesley authored
      
      
      Corrects typos in core code, documentation files, drivers, Arm
      platforms and services.
      
      None of the corrections affect code; changes are limited to comments
      and other documentation.
      
      Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d
      Signed-off-by: Paul Beesley <paul.beesley@arm.com>
  17. 04 Jan, 2019 1 commit
    • Sanitise includes across codebase · 09d40e0e
      Antonio Nino Diaz authored
      Enforce full include path for includes. Deprecate old paths.
      
      The following folders inside include/lib have been left unchanged:
      
      - include/lib/cpus/${ARCH}
      - include/lib/el3_runtime/${ARCH}
      
      The reason for this change is that having a global namespace for
      includes isn't a good idea. It defeats one of the advantages of having
      folders and it introduces problems that are sometimes subtle (because
      you may not know the header you are actually including if there are two
      of them).
      
      For example, this patch had to be created because two headers were
      called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform
      to avoid collision."). More recently, this patch has had similar
      problems: 46f9b2c3 ("drivers: add tzc380 support").
      
      This problem was introduced in commit 4ecca339 ("Move include and
      source files to logical locations"). At that time, there weren't too
      many headers so it wasn't a real issue. However, time has shown that
      this creates problems.
      
      Platforms that want to preserve the way they include headers may add the
      removed paths to PLAT_INCLUDES, but this is discouraged.
      
      Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
  18. 19 Nov, 2018 1 commit
  19. 02 Nov, 2018 2 commits
  20. 04 Oct, 2018 1 commit
  21. 03 Oct, 2018 1 commit
  22. 28 Sep, 2018 1 commit
  23. 11 Sep, 2018 1 commit
    • Allow setting log level back to compile time value · 2adb7867
      Junhan Zhou authored
      
      
      When using the tf_log_set_max_level() function, one can dynamically
      set the log level to a value smaller than the compile time specified
      one, but not equal. This means that when the log level has been
      lowered, it can't be reset to the previous value. This commit modifies
      this function to allow setting the log level back to the compile time
      value.
      
      Fixes ARM-software/tf-issues#624
      
      Change-Id: Ib157715c8835982ce4977ba67a48e18ff23d5a61
      Signed-off-by: Junhan Zhou <Junhan@mellanox.com>
  24. 30 Aug, 2018 3 commits
    • Remove rt_svc_descs pointer from global scope · e19ea3f2
      Daniel Boulby authored
      
      
      A pointer to rt_svc_desc_t is defined both in the function
      handle_runtime_svc() and globally. Since the value of the
      pointer RT_SVC_DESCS_START is defined by the linker and
      never changes, make this definition local in both
      handle_runtime_svc() and runtime_svc_init() to reduce the
      number of loads.
      
      Change-Id: Iea42c778d8599a26c87700009163b5a8d7d60be2
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
    • Fix MISRA defects in log helpers · 5a22e461
      Antonio Nino Diaz authored
      
      
      No functional changes.
      
      Change-Id: I850f08718abb69d5d58856b0e3de036266d8c2f4
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
    • backtrace: Introduce backtrace function · 0c62883f
      Douglas Raillard authored
      
      
      This function displays the backtrace, the current EL and security state
      to allow a post-processing tool to choose the right binary to interpret
      the dump.
      
      The output can be fed to GNU addr2line to resolve function names given
      an ELF binary compiled with debug information. The "-i" flag is
      recommended to improve display in case of inlined functions. The *.dump
      files generated during the build process can also be used.
      
      The function works in AArch64 and AArch32. In AArch32 it only works in
      A32 mode (without T32 interworking), which is enforced in the Makefile.
      
      Sample output of a backtrace at EL3:
      
          BACKTRACE: START: function_name
          0: EL3: 0x798
          1: EL3: 0x538
          2: EL3: 0x550
          3: EL3: 0x55c
          4: EL3: 0x568
          5: EL3: 0x5a8
          6: EL3: 0xf4
          BACKTRACE: END: function_name
      
      In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
      This option is set to 1 by default only in AArch64 debug builds. As
      usual, it can be overridden by the platform makefile and in the build
      command line.
      
      Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
      Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
  25. 22 Aug, 2018 2 commits
  26. 10 Aug, 2018 1 commit
  27. 11 Jul, 2018 1 commit
    • Add end_vector_entry assembler macro · a9203eda
      Roberto Vargas authored
      
      
      Check_vector_size checks if the size of the vector fits
      in the size reserved for it. This check creates problems in
      the Clang assembler. A new macro, end_vector_entry, is added
      and check_vector_size is deprecated.
      
      This new macro fills the current exception vector until the next
      exception vector. If the size of the current vector is bigger
      than 32 instructions then it gives an error.
      
      Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671
      Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
  28. 12 Jun, 2018 2 commits
    • Fix MISRA Rule 5.3 Part 2 · 896a5902
      Daniel Boulby authored
      
      
      Use a _ prefix for Macro arguments to prevent that argument from
      hiding variables of the same name in the outer scope
      
      Rule 5.3: An identifier declared in an inner scope shall not
                hide an identifier declared in an outer scope
      
      Fixed For:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
    • Fix MISRA Rule 5.3 Part 1 · d3775d46
      Daniel Boulby authored
      
      
      Conflict with function name and variable name within that function.
      Change the name of the function from image_size to get_image_size
      to remove conflict and make the function fit the normal project
      naming convention.
      
      Rule 5.3:  An identifier declared in an inner scope shall not
                 hide an identifier declared in an outer scope
      
      Fixed For:
          make LOG_LEVEL=50 PLAT=fvp
      
      Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7
      Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
  29. 08 Jun, 2018 1 commit
  30. 25 May, 2018 1 commit
  31. 18 May, 2018 1 commit
  32. 23 Apr, 2018 1 commit
    • Add support for the SMC Calling Convention 2.0 · 2f370465
      Antonio Nino Diaz authored
      
      
      Due to differences in the bitfields of the SMC IDs, it is not possible
      to support SMCCC 1.X and 2.0 at the same time.
      
      The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
      option that specifies the major version of the SMCCC that the Trusted
      Firmware supports. The only two allowed values are 1 and 2, and it
      defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
      
      Note: Support for SMCCC v2.0 is an experimental feature to enable
      prototyping of secure partition specifications. Support for this
      convention is disabled by default and could be removed without notice.
      
      Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
      Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>