- 22 Jan, 2020 1 commit
-
-
Andre Przywara authored
Moving the FDT helper functions to the common/ directory exposed the file to MISRA checking, which is mandatory for common code. Fix the complaints that the test suite reported. Change-Id: Ica8c8a95218bba5a3fd92a55407de24df58e8476 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
- 14 Nov, 2019 1 commit
-
-
Sandrine Bailleux authored
The pre-processor directives make it hard to read the non-TBB version of this function. Refactor the code to improve readability. No functional change introduced. In particular, introduce a new helper function load_image_flush(), that simply loads an image and flushes it out to main memory. This is the only thing load_auth_image_internal() needs to do when TBB is disabled or when authentication is dynamically disabled. In other cases, we need to recursively authenticate the parent images up to the root of trust. To make this clearer, this code gets moved to a TBB-specific helper function called load_auth_image_recursive(). As a result, load_auth_image_internal() now boils down to calling the right helper function (depending on TBB enablement and dynamic authentication status). Change-Id: I20a39a3b833810b97ecf4219358e7d2cac263890 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 25 Sep, 2019 2 commits
-
-
Andre Przywara authored
PSCI uses different function IDs for CPU_SUSPEND and CPU_ON, depending on the architecture used (AArch64 or AArch32). For recent PSCI versions the client will determine the right version, but for PSCI v0.1 we need to put some ID in the DT node. At the moment we always add the 64-bit IDs, which is not correct if TF-A is built for AArch32. Use the function IDs matching the TF-A build architecture, for the two IDs where this differs. This only affects legacy OSes using PSCI v0.1. On the way remove the sys_poweroff and sys_reset properties, which were never described in the official PSCI DT binding. Change-Id: If77bc6daec215faeb2dc67112e765aacafd17f33 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
Since we moved some functions that amend a DT blob in memory to common code, let's add proper function documentation. This covers the three exported functions in common/fdt_fixup.c. Change-Id: I67d7d27344e62172c789d308662f78d54903cf57 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
- 13 Sep, 2019 3 commits
-
-
Andre Przywara authored
If a firmware component like TF-A reserves special memory regions for its own or secure payload services, it should announce the location and size of those regions to the non-secure world. This will avoid disappointment when some rich OS tries to acccess this memory, which will likely end in a crash. The traditional way of advertising reserved memory using device tree is using the special memreserve feature of the device tree blob (DTB). However by definition those regions mentioned there do not prevent the rich OS to map this memory, which may lead to speculative accesses to this memory and hence spurious bus errors. A safer way of carving out memory is to use the /reserved-memory node as part of the normal DT structure. Besides being easier to setup, this also defines an explicit "no-map" property to signify the secure-only nature of certain memory regions, which avoids the rich OS to accidentally step on it. Add a helper function to allow platform ports to easily add a region. Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Andre Przywara authored
The QEMU platform port scans its device tree to advertise PSCI as the CPU enable method. It does this by scanning *every* node in the DT and check whether its compatible string starts with "arm,cortex-a". Then it sets the enable-method to PSCI, if it doesn't already have one. Other platforms might want to use this functionality as well, so let's move it out of the QEMU platform directory and make it more robust by fixing some shortcomings: - A compatible string starting with a certain prefix is not a good way to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will match as well and is in turn favoured with an enable-method. - If the DT already has an enable-method, we won't change this to PSCI. Those two issues will for instance fail on the Raspberry Pi 4 DT. To fix those problems, we adjust the scanning method: The DT spec says that all CPU nodes are subnodes of the mandatory /cpus node, which is a subnode of the root node. Also each CPU node has to have a device_type = "cpu" property. So we find the /cpus node, then scan for a subnode with the proper device_type, forcing the enable-method to "psci". We have to restart this search after a property has been patched, as the node offsets might have changed meanwhile. This allows this routine to be reused for the Raspberry Pi 4 later. Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-
Alexei Fedorov authored
This patch provides the following features and makes modifications listed below: - Individual APIAKey key generation for each CPU. - New key generation on every BL31 warm boot and TSP CPU On event. - Per-CPU storage of APIAKey added in percpu_data[] of cpu_data structure. - `plat_init_apiakey()` function replaced with `plat_init_apkey()` which returns 128-bit value and uses Generic timer physical counter value to increase the randomness of the generated key. The new function can be used for generation of all ARMv8.3-PAuth keys - ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`. - New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively; pauth_disable_el1()` and `pauth_disable_el3()` functions disable PAuth for EL1 and EL3 respectively; `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from cpu-data structure. - Combined `save_gp_pauth_registers()` function replaces calls to `save_gp_registers()` and `pauth_context_save()`; `restore_gp_pauth_registers()` replaces `pauth_context_restore()` and `restore_gp_registers()` calls. - `restore_gp_registers_eret()` function removed with corresponding code placed in `el3_exit()`. - Fixed the issue when `pauth_t pauth_ctx` structure allocated space for 12 uint64_t PAuth registers instead of 10 by removal of macro CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h` and assigning its value to CTX_PAUTH_REGS_END. - Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions in `msr spsel` instruction instead of hard-coded values. - Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI. Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 29 Aug, 2019 1 commit
-
-
Justin Chadwell authored
Printing a newline is a relatively common functionality for code to want to do. Therefore, this patch now moves this function into a common part of the code that anyone can use. Change-Id: I2cad699fde00ef8d2aabf8bf35742ddd88d090ba Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 15 Aug, 2019 1 commit
-
-
Alexei Fedorov authored
This patch modifies crash reporting for AArch64 to provide aligned output of register dump and GIC registers. Change-Id: I8743bf1d2d6d56086e735df43785ef28051c5fc3 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 01 Aug, 2019 1 commit
-
-
Julius Werner authored
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 24 Jul, 2019 1 commit
-
-
Julius Werner authored
BL31 used to take a single bl31_params_t parameter structure with entry point information in arg0. In commit 72600226 (Add new version of image loading.) this API was changed to a more flexible linked list approach, and the old parameter structure was copied into all platforms that still used the old format. This duplicated code unnecessarily among all these platforms. This patch adds a helper function that platforms can optionally link to outsource the task of interpreting arg0. Many platforms are just interested in the BL32 and BL33 entry point information anyway. Since some platforms still need to support the old version 1 parameters, the helper will support both formats when ERROR_DEPRECATED == 0. This allows those platforms to drop a bunch of boilerplate code and asynchronously update their BL2 implementation to the newer format. Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38 Signed-off-by: Julius Werner <jwerner@chromium.org>
-
- 17 Jul, 2019 1 commit
-
-
Louis Mayencourt authored
When pointer authentication is enabled, the LR value saved on the stack contains a Pointer Authentication Code (PAC). It must be stripped to retrieve the return address. The PAC field is stored on the high bits of the address and defined as: - PAC field = Xn[54:bottom_PAC_bit], when address tagging is used. - PAC field = Xn[63:56, 54:bottom_PAC_bit], without address tagging. With bottom_PAC_bit = 64 - TCR_ELx.TnSZ Change-Id: I21d804e58200dfeca1da4c2554690bed5d191936 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 10 Jul, 2019 1 commit
-
-
John Tsichritzis authored
The project has been renamed from "Arm Trusted Firmware (ATF)" to "Trusted Firmware-A (TF-A)" long ago. A few references to the old project name that still remained in various places have now been removed. This change doesn't affect any platform files. Any "ATF" references inside platform files, still remain. Change-Id: Id97895faa5b1845e851d4d50f5750de7a55bf99e Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
-
- 01 Mar, 2019 1 commit
-
-
Antonio Nino Diaz authored
Check for both IMPLEMENTATION_DEFINED and Architected algorithms of Address Authentication. Change-Id: I209dcc6087172cfef7baf8d09e0454628f02cbd0 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 27 Feb, 2019 1 commit
-
-
Antonio Nino Diaz authored
The previous commit added the infrastructure to load and save ARMv8.3-PAuth registers during Non-secure <-> Secure world switches, but didn't actually enable pointer authentication in the firmware. This patch adds the functionality needed for platforms to provide authentication keys for the firmware, and a new option (ENABLE_PAUTH) to enable pointer authentication in the firmware itself. This option is disabled by default, and it requires CTX_INCLUDE_PAUTH_REGS to be enabled. Change-Id: I35127ec271e1198d43209044de39fa712ef202a5 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 31 Jan, 2019 1 commit
-
-
Sandrine Bailleux authored
Commit ed51b51f ("Remove build option LOAD_IMAGE_V2") intended to remove all code related to LOAD_IMAGE_V2=0 but missed a few things. Change-Id: I16aaf52779dd4af1e134e682731328c5f1e5d622 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
- 30 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
This reverts commit 2f370465 ("Add support for the SMC Calling Convention 2.0"). SMCCC v2.0 is no longer required for SPM, and won't be needed in the future. Removing it makes the SMC handling code less complicated. The SPM implementation based on SPCI and SPRT was using it, but it has been adapted to SMCCC v1.0. Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 23 Jan, 2019 1 commit
-
-
Sathees Balya authored
On ARM platforms, the BL2 memory can be overlaid by BL31/BL32. The memory descriptors describing the list of executable images are created in BL2 R/W memory, which could be possibly corrupted later on by BL31/BL32 due to overlay. This patch creates a reserved location in SRAM for these descriptors and are copied over by BL2 before handing over to next BL image. Also this patch increases the PLAT_ARM_MAX_BL2_SIZE for juno when TBBR is enabled. Fixes ARM-Software/tf-issues#626 Change-Id: I755735706fa702024b4032f51ed4895b3687377f Signed-off-by: Sathees Balya <sathees.balya@arm.com>
-
- 15 Jan, 2019 1 commit
-
-
Paul Beesley authored
Corrects typos in core code, documentation files, drivers, Arm platforms and services. None of the corrections affect code; changes are limited to comments and other documentation. Change-Id: I5c1027b06ef149864f315ccc0ea473e2a16bfd1d Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 04 Jan, 2019 1 commit
-
-
Antonio Nino Diaz authored
Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca339 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 19 Nov, 2018 1 commit
-
-
Antonio Nino Diaz authored
It's better to have them in a separate file instead of having them spread across the Makefile. This is what the stack protector is already doing. Change-Id: Id30742c0af10de5ea6d10674ca25bf52b0f2b262 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 02 Nov, 2018 2 commits
-
-
Antonio Nino Diaz authored
fdtw_read_cells() can only read one or two cells, sometimes it may be needed to read more cells from one property. Change-Id: Ie70dc76d1540cd6a04787cde7cccb4d1bafc7282 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Introduced fdtw_read_string() to read string properties. Change-Id: I854eef0390632cf2eaddd2dce60cdb98c117de43 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 04 Oct, 2018 1 commit
-
-
Antonio Nino Diaz authored
No functional changes. Change-Id: I9638e02acb9b22eb794ebf45aad84348a710287e Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 03 Oct, 2018 1 commit
-
-
Daniel Boulby authored
Mark the initialization functions in BL31, such as context management, EHF, RAS and PSCI as __init so that they can be reclaimed by the platform when no longer needed Change-Id: I7446aeee3dde8950b0f410cb766b7a2312c20130 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 28 Sep, 2018 1 commit
-
-
Roberto Vargas authored
The code of LOAD_IMAGE_V2=0 has been removed. Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 11 Sep, 2018 1 commit
-
-
Junhan Zhou authored
When using the tf_log_set_max_level() function, one can dynamically set the log level to a value smaller than then compile time specified one, but not equal. This means that when the log level have been lowered, it can't be reset to the previous value. This commit modifies this function to allow setting the log level back to the compile time value. Fixes ARM-software/tf-issues#624 Change-Id: Ib157715c8835982ce4977ba67a48e18ff23d5a61 Signed-off-by: Junhan Zhou <Junhan@mellanox.com>
-
- 30 Aug, 2018 3 commits
-
-
Daniel Boulby authored
A pointer to rt_svc_desc_t is defined both in the function handle_runtime_svc() and globally. Since the value of the pointer RT_SVC_DESCS_START is defined by the linker and never changes make this definition local in both handle_runtime_svc() and runtime_svc_init() to reduce the number of loads Change-Id: Iea42c778d8599a26c87700009163b5a8d7d60be2 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
Antonio Nino Diaz authored
No functional changes. Change-Id: I850f08718abb69d5d58856b0e3de036266d8c2f4 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Douglas Raillard authored
This function diplays the backtrace, the current EL and security state to allow a post-processing tool to choose the right binary to interpret the dump. The output can be fed to GNU addr2line to resolve function names given an ELF binary compiled with debug information. The "-i" flag is recommended to improve display in case of inlined functions. The *.dump files generated during the build process can also be used. The function works in AArch64 and AArch32. In AArch32 it only works in A32 mode (without T32 interworking), which is enforced in the Makefile. Sample output of a backtrace at EL3: BACKTRACE: START: function_name 0: EL3: 0x798 1: EL3: 0x538 2: EL3: 0x550 3: EL3: 0x55c 4: EL3: 0x568 5: EL3: 0x5a8 6: EL3: 0xf4 BACKTRACE: END: function_name In order to enable it the new option ENABLE_BACKTRACE must be set to 1. This option is set to 1 by default only in AArch64 debug builds. As usual, it can be overridden by the platform makefile and in the build command line. Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794 Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 22 Aug, 2018 2 commits
-
-
Antonio Nino Diaz authored
Change their names to printf and snprintf. They are much smaller than the previous versions we had, which makes them better suited for the Trusted Firmware. Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
The C standard says that printf() has to return the number of characters it has printed. Change-Id: I0ef50b1d6766d140724ac0a2fa2c5d023431f984 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 10 Aug, 2018 1 commit
-
-
Antonio Nino Diaz authored
Change-Id: Ia3a159444e638f63de7dc5a6a4b76169c757188a Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 11 Jul, 2018 1 commit
-
-
Roberto Vargas authored
Check_vector_size checks if the size of the vector fits in the size reserved for it. This check creates problems in the Clang assembler. A new macro, end_vector_entry, is added and check_vector_size is deprecated. This new macro fills the current exception vector until the next exception vector. If the size of the current vector is bigger than 32 instructions then it gives an error. Change-Id: Ie8545cf1003a1e31656a1018dd6b4c28a4eaf671 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 12 Jun, 2018 2 commits
-
-
Daniel Boulby authored
Use a _ prefix for Macro arguments to prevent that argument from hiding variables of the same name in the outer scope Rule 5.3: An identifier declared in an inner scope shall not hide an identifier declared in an outer scope Fixed For: make LOG_LEVEL=50 PLAT=fvp Change-Id: I67b6b05cbad4aeca65ce52981b4679b340604708 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
Daniel Boulby authored
Conflict with function name and variable name within that function. Change the name of the function from image_size to get_image_size to remove conflict and make the function fit the normal project naming convention. Rule 5.3: An identifier declared in an inner scope shall not hide an identifier declared in an outer scope Fixed For: make LOG_LEVEL=50 PLAT=fvp Change-Id: I1a63d2730113e2741fffa79730459c584b0224d7 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 08 Jun, 2018 1 commit
-
-
Dimitris Papastamos authored
-
- 25 May, 2018 1 commit
-
-
Daniel Boulby authored
A pointer to rt_svc_desc_t was defined both in the function and globally. The innermost definition hid the global definition which is the one we want to use so remove the innermost definition to prevent this Change-Id: Idabdbc0947178ae83224bd17a9b170df7c278d51 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 18 May, 2018 1 commit
-
-
Soby Mathew authored
This patch allows platforms to dynamically disable authentication of images during cold boot. This capability is controlled via the DYN_DISABLE_AUTH build flag and is only meant for development purposes. Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 23 Apr, 2018 1 commit
-
-
Antonio Nino Diaz authored
Due to differences in the bitfields of the SMC IDs, it is not possible to support SMCCC 1.X and 2.0 at the same time. The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build option that specifies the major version of the SMCCC that the Trusted Firmware supports. The only two allowed values are 1 and 2, and it defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it. Note: Support for SMCCC v2.0 is an experimental feature to enable prototyping of secure partition specifications. Support for this convention is disabled by default and could be removed without notice. Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-