Soby Mathew [Thu, 15 Jan 2015 11:49:49 +0000 (11:49 +0000)]
Verify capabilities before handling PSCI calls
This patch implements conditional checks in psci_smc_handler() to verify
that the psci function invoked by the caller is supported by the platform
or SPD implementation. The level of support is saved in the 'psci_caps'
variable. This check allows the PSCI implementation to return an error
early.
As a result of the above verification, the checks performed within the psci
handlers for the pm hooks are now removed and replaced with assertions.
Soby Mathew [Wed, 7 Jan 2015 11:10:22 +0000 (11:10 +0000)]
Implement PSCI_FEATURES API
This patch implements the PSCI_FEATURES function which is a mandatory
API in the PSCI 1.0 specification. A capability variable is
constructed during initialization by examining the plat_pm_ops and
spd_pm_ops exported by the platform and the Secure Payload Dispatcher.
This is used by the PSCI FEATURES function to determine which
PSCI APIs are supported by the platform.
Soby Mathew [Thu, 23 Oct 2014 09:35:34 +0000 (10:35 +0100)]
Rework the PSCI migrate APIs
This patch reworks the PSCI MIGRATE, MIGRATE_INFO_TYPE and
MIGRATE_INFO_UP_CPU support for Trusted Firmware. The
implementation does the appropriate validation of parameters
and invokes the appropriate hook exported by the SPD.
The TSP is a MP Trusted OS. Hence the ability to actually
migrate a Trusted OS has not been implemented. The
corresponding function is not populated in the spd_pm_hooks
structure for the TSPD.
The `spd_pm_ops_t` has undergone changes with this patch.
SPD PORTS MAY NEED TO BE UPDATED.
Soby Mathew [Tue, 6 Jan 2015 21:36:55 +0000 (21:36 +0000)]
Return success if an interrupt is seen during PSCI CPU_SUSPEND
This patch adds support to return SUCCESS if a pending interrupt is
detected during a CPU_SUSPEND call to a power down state. The check
is performed as late as possible without losing the ability to return
to the caller. This reduces the overhead incurred by a CPU in
undergoing a complete power cycle when a wakeup interrupt is already
pending.
Soby Mathew [Thu, 2 Oct 2014 15:56:51 +0000 (16:56 +0100)]
Validate power_state and entrypoint when executing PSCI calls
This patch allows the platform to validate the power_state and
entrypoint information from the normal world early on in PSCI
calls so that we can return the error safely. New optional
pm_ops hooks `validate_power_state` and `validate_ns_entrypoint`
are introduced to do this.
As a result of these changes, all the other pm_ops handlers except
the PSCI_ON handler are expected to be successful. Also, the PSCI
implementation will now assert if a PSCI API is invoked without the
corresponding pm_ops handler being registered by the platform.
NOTE : PLATFORM PORTS WILL BREAK ON MERGE OF THIS COMMIT. The
pm hooks have 2 additional optional callbacks and the return type
of the other hooks have changed.
This patch adds support to save the "power state" parameter before the
affinity level specific handlers are called in a CPU_SUSPEND call.
This avoids the need to pass the power_state as a parameter to the
handlers and Secure Payload Dispatcher (SPD) suspend spd_pm_ops.
The power_state arguments in the spd_pm_ops operations are now reserved
and must not be used. The SPD can query the relevant power_state fields
by using the psci_get_suspend_afflvl() & psci_get_suspend_stateid() APIs.
NOTE: THIS PATCH WILL BREAK THE SPD_PM_OPS INTERFACE. HENCE THE SECURE
PAYLOAD DISPATCHERS WILL NEED TO BE REWORKED TO USE THE NEW INTERFACE.
Soby Mathew [Tue, 6 Jan 2015 15:36:38 +0000 (15:36 +0000)]
Rework internal API to save non-secure entry point info
This patch replaces the internal psci_save_ns_entry() API with a
psci_get_ns_ep_info() API. The new function splits the work done by the
previous one such that it populates and returns an 'entry_point_info_t'
structure with the information to enter the normal world upon completion
of the CPU_SUSPEND or CPU_ON call. This information is used to populate
the non-secure context structure separately.
This allows the new internal API `psci_get_ns_ep_info` to return error
and enable the code to return safely.
Soby Mathew [Mon, 12 Jan 2015 13:01:31 +0000 (13:01 +0000)]
PSCI: Check early for invalid CPU state during CPU ON
This patch moves the check for valid CPU state during
PSCI_CPU_ON to before the non secure entry point is programmed
so as to enable it to return early on error.
Remove `ns_entrypoint` and `mpidr` from parameters in pm_ops
This patch removes the non-secure entry point information being passed
to the platform pm_ops which is not needed. Also, it removes the `mpidr`
parameter for platform pm hooks which are meant to do power management
operations only on the current cpu.
NOTE: PLATFORM PORTS MUST BE UPDATED AFTER MERGING THIS COMMIT.
Soby Mathew [Thu, 8 Jan 2015 18:02:44 +0000 (18:02 +0000)]
Remove coherent memory from the BL memory maps
This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.
Soby Mathew [Thu, 8 Jan 2015 18:02:19 +0000 (18:02 +0000)]
Move bakery algorithm implementation out of coherent memory
This patch moves the bakery locks out of coherent memory to normal memory.
This implies that the lock information needs to be placed on a separate cache
line for each cpu. Hence the bakery_lock_info_t structure is allocated in the
per-cpu data so as to minimize memory wastage. A similar platform per-cpu
data is introduced for the platform locks.
As a result of the above changes, the bakery lock api is completely changed.
Earlier, a reference to the lock structure was passed to the lock implementation.
Now a unique-id (essentially an index into the per-cpu data array) and an offset
into the per-cpu data for bakery_info_t needs to be passed to the lock
implementation.
Soby Mathew [Tue, 30 Dec 2014 16:11:42 +0000 (16:11 +0000)]
Add macros for domain specific barriers.
This patch adds helper macros for barrier operations that specify
the type of barrier (dmb, dsb) and the shareability domain (system,
inner-shareable) it affects.
Soby Mathew [Tue, 18 Nov 2014 10:45:04 +0000 (10:45 +0000)]
Remove the wfe() for bounded wait in bakery_lock
This patch is an optimization in the bakery_lock_get() function
which removes the wfe() when waiting for other contenders to choose
their ticket i.e when their `entering` flag is set. Since the time
taken to execute bakery_get_ticket() by other contenders is bounded,
this wait is a bounded time wait. Hence the removal of wfe() and the
corresponding sev() and dsb() in bakery_get_ticket() may result
in better time performance during lock acquisition.
Soby Mathew [Tue, 18 Nov 2014 10:14:14 +0000 (10:14 +0000)]
Invalidate the dcache after initializing cpu-ops
This patch fixes a crash due to corruption of cpu_ops
data structure. During the secondary CPU boot, after the
cpu_ops has been initialized in the per cpu-data, the
dcache lines need to invalidated so that the update in
memory can be seen later on when the dcaches are turned ON.
Also, after initializing the psci per cpu data, the dcache
lines are flushed so that they are written back to memory
and dirty dcache lines are avoided.
Juan Castillo [Fri, 7 Nov 2014 09:44:58 +0000 (09:44 +0000)]
Juno: Add support for image overlaying in Trusted SRAM
This patch allows the BL3-1 NOBITS section to overlap the BL1 R/W
section since the former will always be used after the latter.
Similarly, the BL3-2 NOBITS section can overlay the BL2 image
when BL3-2 is loaded in Trusted SRAM.
Due to the current size of the images, there is no actual overlap.
Nevertheless, this reorganization may help to optimise the Trusted
SRAM usage when the images size grows.
Note that because BL3-1 NOBITS section is allowed to overlap the
BL1 R/W section, BL1 global variables will remain valid only until
execution reaches the BL3-1 entry point during a cold boot.
User Guide: Enable secure memory on Foundation FVP
Previously, the User Guide recommended launching the Foundation
FVP with the parameter --no-secure-memory, which disabled security
control of the address map. This was due to missing support for
secure memory regions in v1 of the Foundation FVP. This is no longer
needed as secure memory is now supported on the Foundation FVP.
This patch updates the User Guide to recommend enabling secure
memory instead.
Juan Castillo [Thu, 13 Nov 2014 17:04:33 +0000 (17:04 +0000)]
Bug fix: initialize bl30_image_info fields before use
This patch initializes the version field in the bl30_image_info
structure when loading BL30. This initialization must be done before
calling load_image().
Calls to system register read accessors functions may be optimised
out by the compiler if called twice in a row for the same register.
This is because the compiler is not aware that the result from
the instruction may be modified by external agents. Therefore, if
nothing modifies the register between the 2 reads as far as the
compiler knows then it might consider that it is useless to read
it twice and emit only 1 call.
This behaviour is faulty for registers that may not have the same
value if read twice in succession. E.g.: counters, timer
control/countdown registers, GICv3 interrupt status registers and
so on.
The same problem happens for calls to system register write
accessors functions. The compiler might optimise out some calls
if it considers that it will produce the same result. Again, this
behaviour is faulty for cases where intermediate writes to these
registers make a difference in the system.
This patch fixes the problem by making these assembly register
accesses volatile.
Juan Castillo [Mon, 24 Nov 2014 11:45:12 +0000 (11:45 +0000)]
Specify FIP filename at build time
This patch allows to define the name of the FIP at build time by
defining the FIP_NAME variable. If FIP_NAME is not defined, default
name 'fip.bin' is used.
Soby Mathew [Thu, 2 Oct 2014 16:24:19 +0000 (17:24 +0100)]
Fix CPU_SUSPEND when invoked with affinity level higher than get_max_afflvl()
This patch fixes the assertion failure when CPU_SUSPEND is invoked with
an affinity level higher than supported by the platform by adding suitable
checks for affinity level within `psci_cpu_suspend`. Also added suitable
bound checks within `psci_aff_map_get_idx` to prevent indexing beyond array
limits.
Kévin Petit [Mon, 8 Dec 2014 13:23:09 +0000 (13:23 +0000)]
fip_create: don't succeed if one of the passed files doesn't exist
If one of the files passed to fip_create on the command line doesn't
exist, it will print an error message but produce an incomplete
fip.bin file and report success. This behaviour could potentially
hide errors made in the command line arguments.
This patch addresses the issue by having the tool bail out if one of
the supplied files can't be processed.
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
Fixes ARM-software/tf-issues#279
In both FVP and Juno ports, IRQ #16, which is a PPI, is incorrectly
identified as secure SGI #8 through the constant IRQ_SEC_SGI_8.
This patch removes it.
Fix problem of dependencies on the fiptool makefile target
The 'fiptool' target doesn't depend on fip_create's source files,
neither directly nor indirectly. As a result, the FIP tool is not
rebuilt whenever its source files change.
This patch makes the ${FIPTOOL} target into a phony target so that the
FIP tool's sub-makefile is always called. The sub-makefile correctly
handles the dependencies. It also moves the completion message into
the sub-makefile so that it is only displayed when the tool is
actually recompiled.
Achin Gupta [Mon, 10 Nov 2014 11:50:30 +0000 (11:50 +0000)]
Precede a 'sev' with a 'dsb' in bakery lock code
This patch fixes a bug in the bakery lock implementation where a data
synchronisation barrier instruction is not issued before sending an event as
mandated by the ARMv8 ARM. This can cause a event to be signalled before the
related memory accesses have completed resulting in erroneous execution.
Use the BL3-1 runtime console as the crash console.
This patch reassigns the crash console on Juno and FVP to use the runtime
BL3-1 console. The crash console is changed to SoC UART0 (UART2) from the
previous FPGA UART0 (UART0) on Juno. In FVP, it is changed from UART0 to
UART1.
Juan Castillo [Mon, 20 Oct 2014 11:29:58 +0000 (12:29 +0100)]
Juno: Use the generic ARM GIC driver
This patch replaces the usage of the GIC private driver in Juno with
the generic ARM GIC driver. The private driver is no longer necessary
and has been removed from the Juno port.
Juan Castillo [Mon, 20 Oct 2014 11:27:28 +0000 (12:27 +0100)]
Improvements to ARM GIC driver
This patch introduces several improvements to the ARM GIC driver:
* In function gicd_set_itargetsr(), target CPU is specified using
the same bit mask detailed in the GICD_ITARGETSRn register instead
of the CPU linear ID, removing the dependency between bit position
and linear ID in the platform porting. The current CPU bit mask
may be obtained by reading GICD_ITARGETSR0.
* PPIs and SGIs are initialized in arm_gic_pcpu_distif_setup().
SPIs are initialized in arm_gic_distif_setup().
* By default, non secure interrupts are assigned the maximum
priority allowed to a non secure interrupt (defined by
GIC_HIGHEST_NS_PRIORITY).
* GICR base address is allowed to be NULL for GICv1 and GICv2.
Optimize Cortex-A57 cluster power down sequence on Juno
This patch optimizes the Cortex-A57 cluster power down sequence by not
flushing the Level1 data cache. The L1 data cache and the L2 unified
cache are inclusive. A flush of the L2 by set/way flushes any dirty
lines from the L1 as well. This is a known safe deviation from the
Cortex-A57 TRM defined power down sequence. This optimization can be
enabled by the platform through the 'SKIP_A57_L1_FLUSH_PWR_DWN' build
flag. Each Cortex-A57 based platform must make its own decision on
whether to use the optimization.
This patch also renames the cpu-errata-workarounds.md to
cpu-specific-build-macros.md as this facilitates documentation
of both CPU Specific errata and CPU Specific Optimization
build macros.
Apply errata workarounds only when major/minor revisions match.
Prior to this patch, the errata workarounds were applied for any version
of the CPU in the release build and in the debug build an assert
failure resulted when the revision did not match. This patch applies
errata workarounds in the Cortex-A57 reset handler only if the 'variant'
and 'revision' fields read from the MIDR_EL1 match. In the debug build,
a warning message is printed for each errata workaround which is not
applied.
The patch modifies the register usage in 'reset_handler` so
as to adhere to ARM procedure calling standards.
Add support for level specific cache maintenance operations
This patch adds level specific cache maintenance functions
to cache_helpers.S. The new functions 'dcsw_op_levelx',
where '1 <= x <= 3', allow to perform cache maintenance by
set/way for that particular level of cache. With this patch,
functions to support cache maintenance upto level 3 have
been implemented since it is the highest cache level for
most ARM SoCs.
These functions are now utilized in CPU specific power down
sequences to implement them as mandated by processor specific
technical reference manual.
Juan Castillo [Wed, 24 Sep 2014 09:00:06 +0000 (10:00 +0100)]
FVP: keep shared data in Trusted SRAM
This patch deprecates the build option to relocate the shared data
into Trusted DRAM in FVP. After this change, shared data is always
located at the base of Trusted SRAM. This reduces the complexity
of the memory map and the number of combinations in the build
options.
Juan Castillo [Fri, 5 Sep 2014 16:29:38 +0000 (17:29 +0100)]
Juno: Reserve some DDR-DRAM for secure use
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
Juan Castillo [Thu, 4 Sep 2014 13:43:09 +0000 (14:43 +0100)]
Juno: Use TZC-400 driver calls
This patch replaces direct accesses to the TZC-400 registers by the
appropiate calls to the generic driver available in the Trusted
Firmware in order to initialize the TrustZone Controller.
Functions related to the initialization of the secure memory,
like the TZC-400 configuration, have been moved to a new file
'plat_security.c'. This reorganization makes easier to set up
the secure memory from any BL stage.
TZC-400 initialization has been moved from BL1 to BL2 because BL1
does not access the non-secure memory. It is BL2's responsibility
to enable and configure the TZC-400 before loading the next BL
images.
In Juno, BL3-0 initializes some of the platform peripherals, like
the DDR controller. Thus, BL3-0 must be loaded before configuring
the TrustZone Controller. As a consequence, the IO layer
initialization has been moved to early platform initialization.
This patch uses the IMAGE_BL<x> constants to create translation tables specific
to a boot loader stage. This allows each stage to create mappings only for areas
in the memory map that it needs.
Remove BSS section access by 'plat_print_gic' during crash reporting
This patch avoids the problem of crash reporting mechanism accessing
global data in BSS by 'plat_print_gic_regs' for FVP platforms. Earlier
it depended on the global 'plat_config' object for the GIC Base address
in FVP platforms which would have caused exception if it were accessed
before the BSS was initialized. It is now fixed by dynamically
querying the V2M_SYS_ID to find the FVP model type and accordingly
selecting the appropriate GIC Base address.
This patch also fixes the 'plat_print_gic_regs' to use the correct GIC
Distributor base address for printing GICD_IS_PENDR register values
for both Juno and FVP platforms.
Add support for specifying pre-built BL binaries in Makefile
This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.
This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.
Soby Mathew [Fri, 29 Aug 2014 13:41:58 +0000 (14:41 +0100)]
Reset CNTVOFF_EL2 register before exit into EL1 on warm boot
This patch resets the value of CNTVOFF_EL2 before exit to EL1 on
warm boot. This needs to be done if only the Trusted Firmware exits
to EL1 instead of EL2, otherwise the hypervisor would be responsible
for this.
Dan Handley [Thu, 28 Aug 2014 13:04:06 +0000 (14:04 +0100)]
Fix minor issues in user guide
* Fix broken link to SCP download.
* Remove requirement to install `ia32-libs`. This package is no
longer available in current versions of Ubuntu and is no
longer required when using the Linaro toolchain.
Dan Handley [Tue, 26 Aug 2014 15:02:19 +0000 (16:02 +0100)]
Fix reset to BL3-1 instructions in user guide, part 2
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#100 (commit 186c1d4). This is distinct
from the similar issue fixed in commit bfb1dd5.
Also clarify the dependence on the FVP_SHARED_DATA_LOCATION and
FVP_TSP_RAM_LOCATION build options, and tidy up the "Notes
regarding Base FVP configuration options" section.
Soby Mathew [Thu, 21 Aug 2014 14:20:27 +0000 (15:20 +0100)]
Rationalize UART usage among different BL stages
This patch changes the UART port assignment for various BL stages
so as to make it consistent on the platform ports. The BL1, BL2 and
BL3-1 now uses UART0 on the FVP port and SoC UART0 on the Juno port.
The BL3-2 uses UART2 on the FVP port and FPGA UART0 on the Juno
port.
This provides an interim fix to ARM-software/tf-issues#220 until
support is added for changing the UART port for a BL image between
cold boot and runtime.
Dan Handley [Thu, 14 Aug 2014 08:14:52 +0000 (09:14 +0100)]
Move up dependency versions in user guide
Move up the version numbers of the following Trusted Firmware
dependencies in the user guide:
* Foundation and Base FVPs (latest publically available
versions).
* EDK2 implementation. The guide now uses the latest version from
https://github.com/ARM-software/edk2.git. This requires the
`iasl` package to also be installed.
* Linux kernel. The guide now uses the latest version from
https://github.com/ARM-software/linux.git.
Juan Castillo [Tue, 12 Aug 2014 16:24:30 +0000 (17:24 +0100)]
Juno: Read primary CPU MPID from SCC GPR_1
This patch removes the PRIMARY_CPU definition hardcoded in the
Juno port. Instead, the primary CPU is obtained at runtime by
reading the SCC General Purpose Register 1 (GPR_1), whose value
is copied by the SCP into shared memory during the boot process.
This patch implements the TSP on Juno. It executes from on-chip Trusted
SRAM.
Also, the other bootloader images (i.e. BL1 R/W, BL2 and BL3-1) have
been moved around. The reason is, although there was enough space
overall to store the TSP in SRAM, there was no contiguous free chunk
of SRAM big enough to hold it.
This patch keeps the overall memory layout (i.e. keeping BL1 R/W at
the bottom, BL2 at the top and BL3-1 in between) but moves the base
addresses of all the bootloader images in such a way that:
- memory fragmentation is reduced enough to fit BL3-2 in;
- new base addresses are suitable for release builds as well as debug
ones;
- each image has a few extra kilobytes for future growth.
BL3-1 and BL3-2 are the images which received the biggest allocations
since they will most probably grow the most.
This patch also adds instruction synchronization barriers around the code which
handles the timer interrupt in the TSP. This ensures that the interrupt is not
acknowledged after or EOIed before it is deactivated at the peripheral.
Achin Gupta [Mon, 18 Aug 2014 13:40:27 +0000 (14:40 +0100)]
Juno: Implement PSCI CPU_OFF and CPU_SUSPEND APIs
This patch adds support for PSCI CPU_OFF and CPU_SUSPEND APIs to the Juno port
of the ARM Trusted Firmware. The maximum affinity level that can be suspended is
the cluster level (affinity level 1). Support for suspending the system level is
not present.
This patch adds the initial port of the ARM Trusted Firmware on the Juno
development platform. This port does not support a BL3-2 image or any PSCI APIs
apart from PSCI_VERSION and PSCI_CPU_ON. It enables workarounds for selected
Cortex-A57 (#806969 & #813420) errata and implements the workaround for a Juno
platform errata (Defect id 831273).
Achin Gupta [Wed, 20 Aug 2014 16:33:09 +0000 (17:33 +0100)]
FVP: Update device trees to match cpuidle driver
This patch updates the representation of idle tables and cpu/cluster topology in
the device tree source files for the FVP to what the latest cpuidle driver in
Linux expects. The device tree binaries have also been updated.
Soby Mathew [Mon, 18 Aug 2014 15:57:56 +0000 (16:57 +0100)]
Add documentation for CPU specific abstraction and Errata workarounds
This patch adds documentation for CPU specific abstraction in the firmware-
design.md and adds a new document cpu-errata-workarounds.md to describe
the cpu errata workaround build flags.
projects / arm-tf.git / log