Michal Simek [Wed, 15 Jun 2022 12:19:56 +0000 (14:19 +0200)]
fix(zynqmp): move bl31 with DEBUG=1 back to OCM
By default placing bl31 to address 0x1000 is not good. Because this
location is used by U-Boot SPL. That's why move TF-A back to OCM where it
should be placed. BL31_BASE address exactly matches which requested address
for U-BOOT SPL boot flow.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Change-Id: I608c1b88baffec538c6ae528f057820e34971c4c
Bipin Ravi [Wed, 8 Jun 2022 21:28:46 +0000 (16:28 -0500)]
fix(errata): workaround for Neoverse-V1 erratum 2294912
Neoverse-V1 erratum 2294912 is a cat B erratum that applies to revisions
r0p0 - r1p1 and is still open. The workaround is to set bit[0] of
CPUACTLR2_EL1 to force PLDW/PRFM ST to behave like PLD/PRFM LD and not
cause invalidations to other PE caches.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1401781/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ia7afb4c42fe66b36fdf38a7d4281a0d168f68354
refactor(context mgmt): refactor EL2 context save and restore functions
This patch splits the el2_sysregs_context_save/restore functions
into multiple functions based on features. This will allow us to
selectively save and restore EL2 context registers based on
features enabled for a particular configuration.
For now feature build flags are used to decide which registers
to save and restore. The long term plan is to dynamically check
for features that are enabled and then save/restore registers
accordingly. Splitting el2_sysregs_context_save/restore functions
into smaller assembly functions makes that task easier. For more
information please take a look at:
https://trustedfirmware-a.readthedocs.io/en/latest/design_documents/context_mgmt_rework.html
Replay-protected memory block access is enabled by writing 0x3
to PARTITION_ACCESS (bit[2:0]). Instead the driver is using the
first boot partition, which does not provide any playback protection.
Additionally, it unconditionally activates the first boot partition,
potentially breaking boot for SoCs that consult boot partitions,
require boot ack or downgrading to an old bootloader if the first
partition happens to be the inactive one.
Also, neither enabling nor disabling the RPMB observes the
PARTITION_SWITCH_TIME. As there are no in-tree users for these
functions, drop them for now until a properly functional implementation
is added. That one will likely share most code with the existing boot
partition switch, which doesn't suffer from the described issues.
Change-Id: Ia4a3f738f60a0dbcc33782f868cfbb1e1c5b664a
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Merge changes from topic "stm32mp-emmc-boot-fip" into integration
* changes:
feat(stm32mp1): extend STM32MP_EMMC_BOOT support to FIP format
refactor(mmc): replace magic value with new PART_CFG_BOOT_PARTITION_NO_ACCESS
refactor(mmc): export user/boot partition switch functions
Yann Gautier [Fri, 11 Mar 2022 13:18:13 +0000 (14:18 +0100)]
feat(st): search pinctrl node by compatible
Instead of searching pinctrl node with its name, search with its
compatible. This will be necessary before pin-controller name changes
to pinctrl due to kernel yaml changes.
feat(trbe): add trbe under feature detection mechanism
This change adds "FEAT_TRBE" to be part of feature detection mechanism.
Previously feature enablement flags were of boolean type, containing
either 0 or 1. With the introduction of feature detection procedure
we now support three states for feature enablement build flags (0 to 2).
Accordingly, "ENABLE_TRBE_FOR_NS" flag is now modified from boolean
to numeric type to align with the feature detection.
feat(brbe): add brbe under feature detection mechanism
This change adds "FEAT_BRBE" to be part of feature detection mechanism.
Previously feature enablement flags were of boolean type, possessing
either 0 or 1. With the introduction of feature detection procedure
we now support three states for feature enablement build flags (0 to 2).
Accordingly, "ENABLE_BRBE_FOR_NS" flag is now modified from boolean
to numeric type to align with the feature detection.
Ahmad Fatoum [Thu, 19 May 2022 05:42:33 +0000 (07:42 +0200)]
feat(stm32mp1): extend STM32MP_EMMC_BOOT support to FIP format
STM32MP_EMMC_BOOT allowed placing SSBL into the eMMC boot
partition along with FSBL. This allows atomic update of both
FSBL and SSBL at the same time. Previously, this was only
possible for the FSBL, as the eMMC layout expected by TF-A
had a single SSBL GPT partition in the eMMC user area.
TEE binaries remained in dedicated GPT partitions whether
STM32MP_EMMC_BOOT was on or off.
The new FIP format collects SSBL and TEE partitions into
a single binary placed into a GPT partition.
Extend STM32MP_EMMC_BOOT, so eMMC-booted TF-A first uses
a FIP image placed at offset 256K into the active eMMC boot
partition. If no FIP magic is detected at that offset or if
STM32MP_EMMC_BOOT is disabled, the GPT on the eMMC user area
will be consulted as before.
This allows power fail-safe update of all firmware using the
built-in eMMC boot selector mechanism, provided it fits into
the boot partition - SZ_256K. SZ_256K was chosen because it's
the same offset used with the legacy format and because it's
the size of the on-chip SRAM, where the STM32MP15x BootROM
loads TF-A into. As such, TF-A may not exceed this size limit
for existing SoCs.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: Id7bec45652b3a289ca632d38d4b51316c5efdf8d
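The source selection described in the commit above, sketched as an added example (not code from the commit or from TF-A). The function names and the sample buffer are hypothetical; the magic value is the ToC header name of TF-A's FIP format, which the commit message itself does not quote.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SZ_256K       (256U * 1024U)
#define FIP_TOC_MAGIC 0xAA640001U /* ToC header name of the FIP format */

enum fip_source { FIP_SRC_BOOT_PART, FIP_SRC_GPT_USER_AREA };

static uint32_t read_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Use the boot partition only when the feature is on and a complete FIP
 * magic is readable at offset 256K; in every other case fall back to GPT. */
enum fip_source select_fip_source(bool emmc_boot_enabled,
				  const uint8_t *boot_part, size_t part_size)
{
	if (!emmc_boot_enabled || boot_part == NULL)
		return FIP_SRC_GPT_USER_AREA;
	if (part_size < SZ_256K || part_size - SZ_256K < sizeof(uint32_t))
		return FIP_SRC_GPT_USER_AREA; /* magic would lie past the end */
	if (read_le32(boot_part + SZ_256K) != FIP_TOC_MAGIC)
		return FIP_SRC_GPT_USER_AREA;
	return FIP_SRC_BOOT_PART;
}

/* Update-time check: the FIP must fit into "boot partition - SZ_256K". */
bool fip_fits_boot_part(size_t fip_size, size_t part_size)
{
	return part_size >= SZ_256K && fip_size <= part_size - SZ_256K;
}

/* Constructed sample: the start of a boot partition, zero-filled up to the
 * FIP offset, with or without the magic written there. */
static uint8_t sample_part[SZ_256K + 16U];

enum fip_source demo_select(bool enabled, bool write_magic, size_t visible)
{
	uint32_t v = write_magic ? FIP_TOC_MAGIC : 0xFFFFFFFFU;

	for (unsigned int i = 0U; i < 4U; i++)
		sample_part[SZ_256K + i] = (uint8_t)(v >> (8U * i));
	return select_fip_source(enabled, sample_part, visible);
}

int main(void)
{
	printf("magic present: %d, magic absent: %d\n",
	       demo_select(true, true, sizeof(sample_part)),
	       demo_select(true, false, sizeof(sample_part)));
	return 0;
}
```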
At the moment, mmc_boot_part_read_blocks() takes care to switch
to the boot partition before transfer and back afterwards.
This can introduce large overhead when reading small chunks.
Give consumers of the API more control by exporting
mmc_part_switch_current_boot() and mmc_part_switch_user().
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: Ib641f188071bb8e0196f4af495ec9ad4a292284f
Ahmad Fatoum [Thu, 2 Jun 2022 04:28:31 +0000 (06:28 +0200)]
fix(stm32mp1): fdts: stm32mp1: align DDR regulators with new driver
With recent changes, TF-A now panics on MC-1, Avenger96 and Odyssey:
NOTICE: CPU: STM32MP157C?? Rev.B
NOTICE: Model: Linux Automation MC-1 board
ERROR: regul ldo3: max value 750 is invalid
PANIC at PC : 0x2ffeebb7
as the driver takes great offense at the content of the device
tree. The parts in question were copy-pasted from ST DTs, but
those ST DTs were fixed by commit 67d95409baae
("refactor(stm32mp1-fdts): update regulator description").
Fix the breakage by transplanting the same changes into all
remaining STM32MP1 DTs.
Change was boot-tested on MC-1, but only build tested for the
other two.
Olivier Deprez [Thu, 12 May 2022 16:17:05 +0000 (18:17 +0200)]
docs(spm): update FF-A manifest binding
- Add security state attribute to memory and device regions.
- Rename device region reg attribution to base-address aligned with
memory regions.
- Add pages-count field to device regions.
- Refresh interrupt attributes description in device regions.
docs(threat-model): broaden the scope of threat #05
- Cite crash reports as an example of sensitive
information. Previously, it might have sounded like this was the
focus of the threat.
- Warn about logging high-precision timing information, as well as
conditionally logging (potentially nonsensitive) information
depending on sensitive information.
docs(threat-model): emphasize whether mitigations are implemented
For each threat, we now separate:
- how to mitigate against it;
- whether TF-A currently implements these mitigations.
A new "Mitigations implemented?" box is added to each threat to
provide the implementation status. For threats that are partially
mitigated from platform code, the original text is improved to make
these expectations clearer. The hope is that platform integrators will
have an easier time identifying what they need to carefully implement
in order to follow the security recommendations from the threat model.
Updated following sections to document implementation of the FF-A boot
information protocol:
- Describing secure partitions.
- Secure Partition Packages.
- Passing boot data to the SP.
Also updated description of the manifest field 'gp-register-num'.
Varun Wadekar [Wed, 25 May 2022 11:45:22 +0000 (12:45 +0100)]
fix(include/aarch64): fix encodings for MPAMVPM* registers
This patch fixes the following encodings in the System register
encoding space for the MPAM registers. The encodings now match
with the Arm® Architecture Reference Manual Supplement for MPAM.
Varun Wadekar [Tue, 24 May 2022 14:00:06 +0000 (15:00 +0100)]
fix(cpus/denver): use CPU_NO_EXTRA3_FUNC for all variants
Denver CPUs use the same workaround for CVE-2017-5715 and CVE-2022-23960
vulnerabilities. The workaround for CVE-2017-5715 is always enabled, so
all Denver variants use CPU_NO_EXTRA3_FUNC as a placeholder for the
mitigation for CVE-2022-23960. This patch implements the approach.
Lucas Stach [Fri, 20 May 2022 10:37:39 +0000 (12:37 +0200)]
fix(imx8mq): correct architected counter frequency
Different from other i.MX SoCs, which typically use a 24MHz reference clock,
the i.MX8MQ uses a 25MHz reference clock. As the architected timer clock
frequency is directly sourced from the reference clock via a /3 divider this
SoC runs the timers at 8.33MHz.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Change-Id: Ief36af9ffebce7cb75a200124134828d3963e744
Ronak Jain [Fri, 6 May 2022 11:45:59 +0000 (04:45 -0700)]
feat(plat/xilinx/zynqmp): optimization on pinctrl_functions
Optimizing the pinctrl_functions structure. Remove the pointer to
array of u16 type which consumes a lot of memory (64bits pointer to
array + 16B for END_OF_GROUPS + almost useless 8bits on every entry
which is the same for every group) and add two new members of type
u16 and u8 with the name called group_base and group_size
respectively.
The group_base member contains the base value of pinctrl group whereas
the group_size member contains the total number of groups requested
from the pinctrl function.
Overall, it saves around ~2KB of RAM and ~0.7KB of code memory.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Ronak Jain <ronak.jain@xilinx.com>
Change-Id: I79b761b45df350d390fa344d411b340d9b2f13ac
Marc Bonnici [Fri, 20 May 2022 13:38:55 +0000 (14:38 +0100)]
fix(spmc): fix incorrect FF-A version usage
Fix the wrong FF-A version being used for retrieving existing memory
descriptors for v1.0 clients. Internally these should always be stored
using the latest version rather than client version.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibee1b2452c8d6ebd23bbd9d703c96ca185444093
Daniel Boulby [Tue, 3 May 2022 15:46:16 +0000 (16:46 +0100)]
fix(build): use DWARF 4 when building debug
GCC 11 and Clang 14 now use the DWARF 5 standard by default however
Arm-DS currently only supports up to version 4. Therefore, for debug
builds, ensure the DWARF 4 standard is used.
Also update references for Arm DS-5 to its successor Arm-DS (Arm
Development Studio).
Change-Id: Ica59588de3d121c1b795b3699f42c31f032cee49
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Olivier Deprez [Thu, 19 May 2022 16:33:03 +0000 (18:33 +0200)]
Merge changes from topic "ffa_el3_spmc" into integration
* changes:
feat(fvp): add plat hook for memory transactions
feat(spmc): enable handling of the NS bit
feat(spmc): add support for v1.1 FF-A memory data structures
feat(spmc/mem): prevent duplicated sharing of memory regions
feat(spmc/mem): support multiple endpoints in memory transactions
feat(spmc): add support for v1.1 FF-A boot protocol
feat(plat/fvp): introduce accessor function to obtain datastore
feat(spmc/mem): add FF-A memory management code
Marc Bonnici [Mon, 21 Feb 2022 15:02:36 +0000 (15:02 +0000)]
feat(fvp): add plat hook for memory transactions
Add call to platform hooks upon successful transmission of a
memory transaction request and as part of a memory reclaim request.
This allows for platform specific functionality to be performed
accordingly.
Note the hooks must be placed in the initial share request and final
reclaim to prevent order dependencies with operations that may take
place in the normal world without visibility of the SPMC.
Add a dummy implementation to the FVP platform.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0c7441a9fdf953c4db0651512e5e2cdbc6656c79
Marc Bonnici [Tue, 19 Apr 2022 15:52:59 +0000 (16:52 +0100)]
feat(spmc): enable handling of the NS bit
In FF-A v1.1 the NS bit is used by the SPMC to specify the
security state of a memory region retrieved by a SP.
Enable the SPMC to set the bit for v1.1 callers or v1.0
callers that explicitly request the usage via FFA_FEATURES.
In this implementation the sender of the memory region must
reside in the normal world and the SPMC does not support
changing the security state of memory regions therefore
always set the NS bit if required by the caller.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I215756b28e2382082933ba1dcc7584e7faf4b36b
Marc Bonnici [Tue, 19 Apr 2022 16:42:53 +0000 (17:42 +0100)]
feat(spmc): add support for v1.1 FF-A memory data structures
Add support for the FF-A v1.1 data structures to the EL3 SPMC
and enable the ability to convert between v1.0 and the v1.1
forwards compatible data structures.
The SPMC now uses the v1.1 data structures internally and will
convert descriptors as required depending on the FF-A version
supported by the calling partition.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ic14a95ea2e49c989aecf19b927a6b21ac50f863e
Marc Bonnici [Fri, 21 Jan 2022 10:34:55 +0000 (10:34 +0000)]
feat(spmc/mem): prevent duplicated sharing of memory regions
Allow the SPMC to reject incoming memory sharing/lending requests
that contain memory regions which overlap with an existing
request.
To enable this functionality the SPMC compares each requested
memory region to those in ongoing memory transactions and rejects
the request if the ranges overlap.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I7588846f272ec2add2a341d9f24836c73a046e2f
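The overlap rejection described in the commit above, as an added example (not the SPMC's own code). The struct, names and 4 KiB page size are assumptions; rejecting empty or address-wrapping ranges goes beyond what the commit message states but is needed for the comparison to be sound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_4K 4096ULL

enum share_result { SHARE_OK = 0, SHARE_DENIED = -1 };

/* Hypothetical, simplified constituent region: base address plus 4 KiB pages. */
struct mem_range {
	uint64_t base;
	uint32_t page_count;
};

/* Exclusive end of the range; false for empty or address-wrapping ranges. */
static bool range_end(const struct mem_range *r, uint64_t *end)
{
	uint64_t len = (uint64_t)r->page_count * PAGE_SIZE_4K;
	if (len == 0U || r->base > UINT64_MAX - len)
		return false;
	*end = r->base + len;
	return true;
}

/* Deny the request if any region is malformed or overlaps an active region. */
enum share_result check_share_request(const struct mem_range *req, size_t req_n,
				      const struct mem_range *active, size_t active_n)
{
	for (size_t i = 0; i < req_n; i++) {
		uint64_t req_end, act_end;
		if (!range_end(&req[i], &req_end))
			return SHARE_DENIED;
		for (size_t j = 0; j < active_n; j++) {
			if (!range_end(&active[j], &act_end))
				return SHARE_DENIED; /* corrupt datastore entry */
			if (req[i].base < act_end && active[j].base < req_end)
				return SHARE_DENIED;
		}
	}
	return SHARE_OK;
}

/* Constructed sample data: two regions already shared, four candidate requests. */
const struct mem_range active_regions[] = {
	{ 0x80000000ULL, 16 }, { 0x90000000ULL, 4 },
};
const struct mem_range req_adjacent = { 0x80010000ULL, 16 };
const struct mem_range req_straddle = { 0x8000F000ULL, 2 };
const struct mem_range req_wrapping = { 0xFFFFFFFFFFFFF000ULL, 2 };
const struct mem_range req_empty = { 0x70000000ULL, 0 };

int main(void)
{
	printf("adjacent=%d straddle=%d\n",
	       check_share_request(&req_adjacent, 1, active_regions, 2),
	       check_share_request(&req_straddle, 1, active_regions, 2));
	return 0;
}
```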
Marc Bonnici [Thu, 13 Jan 2022 11:39:10 +0000 (11:39 +0000)]
feat(spmc/mem): support multiple endpoints in memory transactions
Enable FFA_MEM_LEND and FFA_MEM_SHARE transactions to support multiple
borrowers and add the appropriate validation. Since we currently
only support a single S-EL1 partition, this functionality is to
support the use case where a VM shares or lends memory to one or
more VMs in the normal world as part of the same transaction to
the SP.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ia12c4357e9d015cb5f9b38e518b7a25b1ea2e30e
Manish Pandey [Thu, 19 May 2022 13:15:49 +0000 (15:15 +0200)]
Merge changes from topic "mb/drtm-work-phase-1" into integration
* changes:
build(changelog): add new scope for Arm SMMU driver
feat(smmu): add SMMU abort transaction function
docs(build): add build option for DRTM support
build(drtm): add DRTM support build option
Merge changes from topic "sb/threat-model" into integration
* changes:
docs(threat-model): remove some redundant text in threat #08
docs(threat-model): make experimental features out of scope
docs(threat-model): cosmetic changes
Achin Gupta [Tue, 19 Oct 2021 11:21:16 +0000 (12:21 +0100)]
feat(spmc): add support for v1.1 FF-A boot protocol
A partition can request the use of the FF-A boot protocol via
an entry in its manifest along with the register (0-3)
that should be populated with a pointer to a data structure
containing boot related information. Currently the boot
information consists of an allocated memory region
containing the SP's manifest, allowing it to map and parse
any extra information as required.
This implementation only supports the v1.1 data structures
and will return an error if a v1.0 client requests the usage
of the protocol.
Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I67692553a90a7e7d94c64fe275edd247b512efca
Marc Bonnici [Thu, 16 Dec 2021 18:31:02 +0000 (18:31 +0000)]
feat(plat/fvp): introduce accessor function to obtain datastore
In order to provide the EL3 SPMC a sufficient datastore to
record memory descriptors, an accessor function is used.
This allows for the backing memory to be allocated in a
platform defined manner, to accommodate memory constraints
and desired use cases.
Provide an implementation for the Arm FVP platform to
use a default value of 512KB memory allocated in the
TZC RAM section.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I92bc55ba6e04bdad429eb52f0d2960ceda682804
Marc Bonnici [Fri, 1 Oct 2021 15:06:04 +0000 (16:06 +0100)]
feat(spmc/mem): add FF-A memory management code
Originally taken from the downstream Trusty SPD [1]
implementation and modified to integrate with
the EL3 SPMC internals.
Add support to the EL3 SPMC for a subset of the FF-A
memory management ABIs:
- FFA_MEM_SHARE
- FFA_MEM_LEND
- FFA_MEM_RETRIEVE_REQ
- FFA_MEM_RETRIEVE_RESP
- FFA_MEM_RELINQUISH
- FFA_MEM_RECLAIM
- FFA_MEM_FRAG_RX
- FFA_MEM_FRAG_TX
This implementation relies on a datastore allocated in
platform specific code in order to store memory descriptors
about ongoing memory transactions. This mechanism
will be implemented in the following commit.
docs(threat-model): make measured boot out of scope
Add an explicit note that measured boot is out of scope of the threat
model. For example, we have no threat related to the secure
management of measurements, nor do we list its security benefits
(e.g. in terms of repudiation).
This might be a future improvement to the threat model but for now
just acknowledge it is not considered.
Created a function to abort all pending NS DMA transactions to
engage complete DMA protection. This call will be used by the
subsequent DRTM implementation changes.
refactor(context mgmt): refactor initialization of EL1 context registers
When SPMC is present at S-EL2, EL1 context registers don't need to be
initialized for Secure state. This patch makes sure that EL1 context
registers are initialized only for Non-secure state, and when SPMC is
not present at S-EL2.
Harrison Mutai [Wed, 11 May 2022 10:05:02 +0000 (11:05 +0100)]
fix(bl1): invalidate SP in data cache during secure SMC
Invalidate the SP holding `smc_ctx_t` prior to enabling the data cache
when handling SMCs from the secure world. Enabling the data cache
without doing so results in dirty data either being evicted into main
memory, or being used directly from bl1. This corrupted data causes
system failure as the SMC handler attempts to use it.
Change-Id: I5b7225a6fdd1fcfe34ee054ca46dffea06b84b7d
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
fix(stm32mp1): include assert.h to fix build failure
stm32mp1 platform build failed with the error [1] in the coverity, to
fix it included assert.h file.
Including bl32/sp_min/sp_min.mk
plat/st/stm32mp1/plat_image_load.c: In function
'plat_get_bl_image_load_info':
plat/st/stm32mp1/plat_image_load.c:30:2: error: implicit declaration of
function 'assert' [-Werror=implicit-function-declaration]
30 | assert(bl33 != NULL);
| ^~~~~~
plat/st/stm32mp1/plat_image_load.c:9:1: note: 'assert' is defined in
header '<assert.h>'; did you forget to '#include <assert.h>'?
8 | #include <plat/common/platform.h>
+++ |+#include <assert.h>
9 |
cc1: all warnings being treated as errors
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I486bd695298798c05008158545668020babb3eca
Update supported models list according to changes for v2.7 release in
ci/tf-a-ci-scripts repository:
* general FVP model update: 5c54251
* CSS model update: 3bd12fb
Yann Gautier [Tue, 17 May 2022 14:21:25 +0000 (16:21 +0200)]
fix(stm32mp1-fdts): correct memory mapping for STM32MP13
On STM32MP13, OP-TEE will be loaded at the beginning of the secure
memory, and will be responsible for its shared memory.
The memory allocated to OP-TEE is then 32MB, and the shared memory
no longer appears in the STM32MP13 fw-config DT file.