GitLab

Conflicts:
	bl2/bl2_main.c

Change-Id: I2f2ee2db6ee70536deaefc562a04037bf16c22a4

The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE blocks, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array defintion in
drivers/io/io_fip.c.

Also update the porting guide to reflect this change.

The BL3-2 platform definitions remain non-configurably present
in the FVP port.

Fixes ARM-software/tf-issues#68

Change-Id: Iea28b4e94d87a31f5522f271e290919a8a955460

Conflicts:
	plat/fvp/bl32_plat_setup.c
	plat/fvp/platform.mk
	services/spd/tspd/tspd_main.c

Change-Id: Ib4bad39a8a476a6b1796298f95dfb97c8b100975

Conflicts:
	plat/fvp/bl2_plat_setup.c
	plat/fvp/platform.h

Change-Id: I5bcc5180a2b4f944d07969b2e17e0f92cca72c89

Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.

Change-Id: I04780757a149eeb5482a12a61e821be947b882c0

The TSP used to execute from secure DRAM on the FVPs because there was
not enough space in Trusted SRAM to fit it in. Thanks to recent RAM
usage enhancements being implemented, we have made enough savings for
the TSP to execute in SRAM.

However, there is no contiguous free chunk of SRAM big enough to hold
the TSP. Therefore, the different bootloader images need to be moved
around to reduce memory fragmentation. This patch keeps the overall
memory layout (i.e. keeping BL1 R/W at the bottom, BL2 at the top and
BL3-1 in between) but moves the base addresses of all the bootloader
images in such a way that:
 - memory fragmentation is reduced enough to fit BL3-2 in;
 - new base addresses are suitable for release builds as well as debug
   ones;
 - each image has a few extra kilobytes for future growth.
   BL3-1 and BL3-2 are the images which received the biggest slice
   of the cake since they will most probably grow the most.

A few useful numbers for reference (valid at the time of this patch):
        |-----------------------|-------------------------------
        |  image size (debug)   |  extra space for the future
--------|-----------------------|-------------------------------
BL1 R/W |         20 KB         |            4 KB
BL2     |         44 KB         |            4 KB
BL3-1   |        108 KB         |           12 KB
BL3-2   |         56 KB         |            8 KB
--------|-----------------------|-------------------------------
Total   |        228 KB         |           28 KB       = 256 KB
--------|-----------------------|-------------------------------

Although on FVPs the TSP now executes from Trusted SRAM by default,
this patch keeps the option to execute it from Trusted DRAM. This is
controlled by the build configuration 'TSP_RAM_LOCATION'.

Fixes ARM-Software/tf-issues#81

Change-Id: Ifb9ef2befa9a2d5ac0813f7f79834df7af992b94

The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.

This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.

Change-Id: I9450f2d8b32d74bd00b6ce57a0a1542716ab449c

Modify the BL3-1 read/write memory extent to cover all of the SRAM

Change-Id: I1143feaff0313f7d0b88948997b81d6f3aeddc29

Addresses were declared as "unsigned int" in drivers/arm/peripherals/pl011/pl011.h and in function init_xlation_table. Changed to use "unsigned long" instead
Fixes ARM-software/tf-issues#156

This change adds optional reset vector support to BL3-1
which means BL3-1 entry point can detect cold/warm boot,
initialise primary cpu, set up cci and mail box.

When using BL3-1 as a reset vector it is assumed that
the BL3-1 platform code can determine the location of
the BL3-2 images, or load them as there are no parameters
that can be passed to BL3-1 at reset.

It also fixes the incorrect initialisation of mailbox
registers on the FVP platform

This feature can be enabled by building the code with
make variable RESET_TO_BL31 set as 1

Fixes ARM-software/TF-issues#133
Fixes ARM-software/TF-issues#20

Change-Id: I4e23939b1c518614b899f549f1e8d412538ee570

The issues addressed in this patch are:

1. Remove meminfo_t from the common interfaces in BL3-x,
expecting that platform code will find a suitable mechanism
to determine the memory extents in these images and provide
it to the BL3-x images

2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x
code as the images use link-time information to determine
memory extents.

meminfo_t is still used by common interface in BL1/BL2 for
loading images

Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f

This patch rearranges the bl31_args  struct into
bl31_params and bl31_plat_params which provide the
information needed for Trusted firmware and platform
specific data via x0 and x1

On the FVP platform BL3-1 params and BL3-1 plat params
and its constituents are stored at the start of TZDRAM.

The information about memory availability and size for
BL3-1, BL3-2 and BL3-3 is moved into platform specific data.

Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9

This patch reworks the handover interface from: BL1 to BL2 and
BL2 to BL3-1. It removes the raise_el(), change_el() and
run_image() functions as they catered for code paths that were
never exercised. BL1 calls drop_el() to jump into BL2 instead of
doing the same by calling run_image(). Similarly, BL2 issues the
SMC to transfer execution to BL3-1 through BL1 directly. Only x0
and x1 are used to pass arguments to BL31. These arguments and
parameters for running BL3-1 are passed through a reference to a
'el_change_info_t' structure. They were being passed value in
general purpose registers earlier.

Change-Id: Id4fd019a19a9595de063766d4a66295a2c9307e1

Extended SPSR definitions with all the fields to allow full use
of EL2/EL1 execution modes for entry points

Replaced make_spsr() with SPSR_64 macro and added SPSR_32 macro
for generating AARCH32 mode SPSR

Change-Id: I9425dda0923e8d5f03d03ddb8fa0e28392c4c61e

TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.

Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
UEFI earliest commit matching this change updated in documentation.

Replaced magic numbers with #define for memory region definition in the
platform security initialization function.

Fixes ARM-software/tf-issues#149

Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe

Provide some information about the expected use of BL3-0.

Fixes ARM-software/tf-issues#144

Change-Id: I5c8d59a675578394be89481ae4ec39ca37522750

Implements support for Non Secure Interrupts preempting the
Standard SMC call in EL1. Whenever an IRQ is trapped in the
Secure world we securely handover to the Normal world
to process the interrupt. The normal world then issues
"resume" smc call to resume the previous interrupted SMC call.
Fixes ARM-software/tf-issues#105

Change-Id: I72b760617dee27438754cdfc9fe9bcf4cc024858

This patch enables secure physical timer during TSP initialisation and
maintains it across power management operations so that a timer
interrupt is generated every half second.

Fixes ARM-software/tf-issues#104
Fixes ARM-software/tf-issues#134

Change-Id: I66c6cfd24bd5e6035ba75ebf0f047e568770a369

This patch adds support in the TSPD for registering a handler for
S-EL1 interrupts. This handler ferries the interrupts generated in the
non-secure state to the TSP at 'tsp_fiq_entry'. Support has been added
to the smc handler to resume execution in the non-secure state once
interrupt handling has been completed by the TSP.

There is also support for resuming execution in the normal world if
the TSP receives a EL3 interrupt. This code is currently unused.

Change-Id: I816732595a2635e299572965179f11aa0bf93b69

This patch adds support in the TSP to handle FIQ interrupts that are
generated when execution is in the TSP. S-EL1 interrupt are handled
normally and execution resumes at the instruction where the exception
was originally taken. S-EL3 interrupts i.e. any interrupt not
recognized by the TSP are handed to the TSPD. Execution resumes
normally once such an interrupt has been handled at EL3.

Change-Id: Ia3ada9a4fb15670afcc12538a6456f21efe58a8f

This patch adds support in the TSP for handling S-EL1 interrupts
handed over by the TSPD. It includes GIC support in its platform port,
updates various statistics related to FIQ handling, exports an entry
point that the TSPD can use to hand over interrupts and defines the
handover protocol w.r.t what context is the TSP expected to preserve
and the state in which the entry point is invoked by the TSPD.

Change-Id: I93b22e5a8133400e4da366f5fc862f871038df39

This patch adds support in the TSP to program the secure physical
generic timer to generate a EL-1 interrupt every half second. It also
adds support for maintaining the timer state across power management
operations. The TSPD ensures that S-EL1 can access the timer by
programming the SCR_EL3.ST bit.

This patch does not actually enable the timer. This will be done in a
subsequent patch once the complete framework for handling S-EL1
interrupts is in place.

Change-Id: I1b3985cfb50262f60824be3a51c6314ce90571bc

This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.

This patch also removes 'cm_macros.S' as its contents have been moved
to 'runtime_exceptions.S'

Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093

This patch introduces a set of functions which allow generic firmware
code e.g. the interrupt management framework to access the platform
interrupt controller. APIs for finding the type and id of the highest
pending interrupt, acknowledging and EOIing an interrupt and finding
the security state of an interrupt have been added. It is assumed that
the platform interrupt controller implements the v2.0 of the ARM GIC
architecture specification. Support for v3.0 of the specification for
managing interrupts in EL3 and the platform port will be added in the
future.

Change-Id: Ib3a01c2cf3e3ab27806930f1be79db2b29f91bcf

This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.

Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.

A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.

Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649

This patch adds an API to write to any bit in the SCR_EL3 member of
the 'cpu_context' structure of the current CPU for a specified
security state. This API will be used in subsequent patches which
introduce interrupt management in EL3 to specify the interrupt routing
model when execution is not in EL3.

It also renames the cm_set_el3_elr() function to cm_set_elr_el3()
which is more in line with the system register name being targeted by
the API.

Change-Id: I310fa7d8f827ad3f350325eca2fb28cb350a85ed

This patch lays the foundation for using the per-cpu 'state' field in
the 'tsp_context' structure for other flags apart from the power state
of the TSP.

It allocates 2 bits for the power state, introduces the necessary
macros to manipulate the power state in the 'state' field and
accordingly reworks all use of the TSP_STATE_* states.

It also allocates a flag bit to determine if the TSP is handling a
standard SMC. If this flag is set then the TSP was interrupted due to
non-secure or EL3 interupt depending upon the chosen routing
model. Macros to get, set and clear this flag have been added as
well. This flag will be used by subsequent patches.

Change-Id: Ic6ee80bd5895812c83b35189cf2c3be70a9024a6

At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.

This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.

Fixes ARM-software/tf-issues#148

Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e

Change-Id: I6bd077955bf3780168a874705974bbe72ea0f5f1

At present, various build options are initialized at various places in
the Makefile. This patch gathers all build option declarations at the
top of the Makefile and assigns them default values.

Change-Id: I9f527bc8843bf69c00cb754dc60377bdb407a951

This patch introduces two convenience functions to the build system:

  - assert_boolean: asserts that a given option is assigned either 0 or
    1 as values

  - add_define: helps add/append macro definitions to build tool command
    line. This also introduces the variable DEFINES which is used to
    collect and pass all relevant configurations to build tools

Change-Id: I3126894b034470d39858ebb3bd183bda681c7126

SCR_EL3.RW was not updated immediately before exiting bl31_main() and
running BL3-3. If a AArch32 Secure-EL1 Payload had just been
initialised, then the SCR_EL3.RW bit would be left indicating a
32-bit BL3-3, which may not be correct.

This patch explicitly sets SCR_EL3.RW appropriately based on the
provided SPSR_EL3 value for the BL3-3 image.

Fixes ARM-software/tf-issues#126

Change-Id: Ic7716fe8bc87e577c4bfaeb46702e88deedd9895

This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.

This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.

panic() now prints the the error file and line number in Debug mode
and prints the PC value in release mode.

The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.

Fixes ARM-software/tf-issues#79 Improve reporting of unhandled exception

Change-Id: I260791dc05536b78547412d147193cdccae7811a