ARMv7: GICv2 driver can manage GICv1 with security extension
Some SoCs integrate a GIC in version 1 that is currently not supported
by the trusted firmware. This change hijacks GICv2 driver to handle the
GICv1 as GICv1 is compatible enough with GICv2 as far as the platform
does not attempt to play with virtualization support or some GICv2
specific power features.
Note that current trusted firmware does not use these GICv2 features
that are not available in GICv1 Security Extension.
ARMv7-A Virtualization extensions brings new instructions and resources
that were supported by later architectures. Reference ARM ARM Issue C.c
[DDI0406C_C].
ERET and extended MSR/MRS instructions, as specified in [DDI0406C_C] in
ID_PFR1 description of bits[15:12] (Virtualization Extensions):
A value of 0b0001 implies implementation of the HVC, ERET, MRS
(Banked register), and MSR (Banked register) instructions. The ID_ISARs
do not identify whether these instructions are implemented.
UDIV/SDIV were introduced with the Virtualization extensions, even if
not strictly related to the virtualization extensions.
If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_VIRTUALIZATION to enable virtualization
extension related resources.
ARCH_SUPPORTS_LARGE_PAGE_ADDRESSING allows build environment to
handle specific case when target ARMv7 core only supports 32bit MMU
descriptor mode.
If ARMv7 based platform does not set ARM_CORTEX_Ax=yes, platform
shall define ARMV7_SUPPORTS_LARGE_PAGE_ADDRESSING to enable
large page addressing support.
External build environment shall sets directive ARM_ARCH_MAJOR to 7
to specify a target ARMv7-A core.
As ARM-TF expects AARCH to be set, ARM_ARCH_MAJOR==7 mandates
AARCH=aarch32.
The toolchain target architecture/cpu is delegated after the platform
configuration is parsed. Platform shall define target core through
ARM_CORTEX_A<x>=yes, <x> being 5, 7, 9, 12, 15 and/or 17.
Platform can bypass ARM_CORTEX_A<x>=yes directive and provide straight
the toolchain target directive through MARCH32_DIRECTIVE.
Masahiro Yamada [Fri, 3 Nov 2017 18:14:03 +0000 (03:14 +0900)]
uniphier: make sure to create build directory before ROT key
Building the UniPhier platform in parallel with TRUSTED_BOARD_BOOT=1
could fail due to non-existing directory. It might be difficult to
reproduce, but here is an easier way to trigger the problem:
Roberto Vargas [Mon, 23 Oct 2017 07:22:17 +0000 (08:22 +0100)]
Fix usage of IMAGE_BLx macros
These macros are only defined for corresponding image,
and they are undefined for other images. It means that we have
to use ifdef or defined() instead of relying on being 0 by default.
Roberto Vargas [Fri, 20 Oct 2017 09:46:23 +0000 (10:46 +0100)]
Always define ARM_TSP_RAM_LOCATION_ID
ARM_TSP_RAM_LOCATION_ID was defined only in AARCH64, but the macro
was also used in AARCH32, and it meant that it was taking the value 0,
which happened to equal ARM_TRUSTED_SRAM_ID.
Roberto Vargas [Fri, 20 Oct 2017 09:37:48 +0000 (10:37 +0100)]
Include debug.h in debug.S
debug.S was using macros defined in debug.h, but since it didn't
include it, these macros were taking the value 0, which means that
all the preprocessor conditionals were wrong.
Etienne Carriere [Thu, 26 Oct 2017 10:05:01 +0000 (12:05 +0200)]
qemu/optee: load OP-TEE pageable part 2MB above OP-TEE image
OP-TEE dedicates the end of the Qemu secure DRAM as specific out-of-TEE
secure RAM. To support this configuration the trusted firmware should
not load OP-TEE resources in this area.
To overcome the issue, OP-TEE pageable image is now loaded 2MByte above
the secure RAM base address.
Michalis Pappas [Wed, 18 Oct 2017 01:43:37 +0000 (09:43 +0800)]
qemu: Add support for Trusted Board Boot
This patch adds support for TBB to qemu. An RSA ROT keypair is generated at
build time and is included into BL1/BL2. The key and content certificates
are read over semihosting.
These hooks are intended to allow one platform to try load
images from alternative places. There is a hook to initialize
the sequence of boot locations and a hook to pass to the next
sequence.
Etienne Carriere [Mon, 23 Oct 2017 23:09:52 +0000 (01:09 +0200)]
qemu: fix holding pen mailbox sequence
Before this change, plat_secondary_cold_boot_setup reads wake up mailbox
as a byte array but through 64bit accesses on unaligned 64bit addresses.
In the other hand qemu_pwr_domain_on wakes secondary cores by writing
into a 64bit array.
This change forces the 64bit mailbox format as PLAT_QEMU_HOLD_ENTRY_SIZE
explicitly specifies it.
This light-weight framework enables some EL3 components to publish
events which other EL3 components can subscribe to. Publisher can
optionally pass opaque data for subscribers. The order in which
subscribers are called is not defined.
Eleanor Bonnici [Wed, 4 Oct 2017 14:03:33 +0000 (15:03 +0100)]
Update Foundation, AEM and Cortex Models versions
Trusted Firmware has been tested as part of its CI system against Cortex
and Foundation models in the 11.1 Model release available on
developer.arm.com. Trusted Firmware has also been tested against the
v8.7 AEM model. This patch updates the user guide documentation to
reflect the version of the Foundation, AEM and Cortex Models that
Trusted Firmware has been tested against.
Change-Id: Ia0f51469032427b6056567d151bf8144a7cf0e42 Signed-off-by: Eleanor Bonnici <Eleanor.bonnici@arm.com>
Haojian Zhuang [Wed, 18 Oct 2017 11:52:20 +0000 (19:52 +0800)]
HiKey: init EDMA controller with non secure mode
Init EDMA controller with non secure mode. A lot of peripherals are
depend on EDMA controller. But EDMA controller is in secure mode
by default. And this operation has to be executed in secure mode.
Evan Lloyd [Thu, 25 May 2017 18:16:53 +0000 (19:16 +0100)]
fiptool: Enable Visual Studio build
Updates are required to enable the fiptool utility to be built on a
Windows platform. This change modifies the source files to enable
building with Visual Studio (detected via preprocessor settings).
The primary changes are:
1. Provide an implementation of the getopt_long function. This does
not exist in the Visual Studio CRT libraries because Windows
commands normally use '/' not '-' as an option indicator.
2. Redirect some function names to match those supported by the
Visual Studio libraries (when building with Visual Studio).
2. Modify a structure name (stat) to match that provided
by the Visual Studio libraries (_stat).
Note - this change does not provide makefile updates. It only modifies
the sources to enable the fiptool to be built from a Visual
Studio project. In normal use the presence of FIPTOOL.EXE is
enough to satisfy the make requirements. A makefile change may
be derived from the Visual Studio command line information at
some point in the future.
xlat: Introduce API to change memory attributes of a region
This patch introduces a new API in the translation tables library
(v2), that allows to change the memory attributes of a memory
region. It may be used to change its execution permissions and
data access permissions.
As a prerequisite, the memory must be already mapped. Moreover, it
must be mapped at the finest granularity (currently 4 KB).
Change-Id: I242a8c6f0f3ef2b0a81a61e28706540462faca3c Co-authored-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Previously, in AArch32, `IMAGE_XLAT_DEFAULT_REGIME` wasn't defined. The
translation regime is only used in the AArch64 port of the translation
tables library v2, so this is not a problem for now, but future patches
will use it.
`IMAGE_EL` isn't used in AArch32, so it isn't needed to define it.
Change-Id: I4acdb01a58658956ab94bd82ed5b7fee1aa6ba90 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The GIC driver initialization currently allows an array of interrupts to
be configured as secure. Future use cases would require more interrupt
configuration other than just security, such as priority.
This patch introduces a new interrupt property array as part of both
GICv2 and GICv3 driver data. The platform can populate the array with
interrupt numbers and respective properties. The corresponding driver
initialization iterates through the array, and applies interrupt
configuration as required.
This capability, and the current way of supplying array (or arrays, in
case of GICv3) of secure interrupts, are however mutually exclusive.
Henceforth, the platform should supply either:
- A list of interrupts to be mapped as secure (the current way).
Platforms that do this will continue working as they were. With this
patch, this scheme is deprecated.
- A list of interrupt properties (properties include interrupt group).
Individual interrupt properties are specified via. descriptors of
type 'interrupt_prop_desc_t', which can be populated with the macro
INTR_PROP_DESC().
A run time assert checks that the platform doesn't specify both.
Henceforth the old scheme of providing list of secure interrupts is
deprecated. When built with ERROR_DEPRECATED=1, GIC drivers will require
that the interrupt properties are supplied instead of an array of secure
interrupts.
Add a section to firmware design about configuring secure interrupts.
ARM platforms: Migrate to using interrupt properties
An earlier patch added provision for the platform to provide secure
interrupt properties. ARM platforms already has a list of interrupts
that fall into different secure groups.
This patch defines macros that enumerate interrupt properties in the
same fashion, and points the driver driver data to a list of interrupt
properties rather than list of secure interrupts on ARM platforms. The
deprecated interrupt list definitions are however retained to support
legacy builds.
Configuration applied to individual interrupts remain unchanged, so no
runtime behaviour change expected.
NOTE: Platforms that use the arm/common function
plat_arm_gic_driver_init() must replace their PLAT_ARM_G1S_IRQS and
PLAT_ARM_G0_IRQS macro definitions with PLAT_ARM_G1S_IRQ_PROPS and
PLAT_ARM_G0_IRQ_PROPS macros respectively, using the provided
INTR_PROP_DESC macro.
These APIs allow the GIC implementation to categorize interrupt numbers
into SPIs, PPIs, and SGIs. The default implementations for GICv2 and
GICv3 follows interrupt numbering as specified by the ARM GIC
architecture.
The PE target mask is used to translate linear PE index (returned by
platform core position) to a bit mask used when targeting interrupts to
a PE, viz. when raising SGIs and routing SPIs.
The platform shall:
- Populate the driver data with a pointer to array that's to contain
per-PE target masks.
- Invoke the new driver API 'gicv2_set_pe_target_mask()' during
per-CPU initialization so that the driver populates the target mask
for that CPU.
Platforms that don't intend to target interrupts or raise SGIs need not
populate this.
The macro DEFINE_SYSREG_WRITE_CONST_FUNC defines an inline function
to an assembly statement that uses the MSR (immediate) instruction
to access the PSTATE. The "i" (immediate) assembly constraint on
the operand was only satisfied when compiling with optimizations
enabled which resulted in the function being optimized out - the
"const uint64_t v" parameter was optimized out and replaced by a
literal value.
When compiling without optimizations, the function call remained and
therefore the parameter is not optimized out - compilation fails as
the constraint is impossible to satisfy by the compiler.
This patch replaces the function encapsulating the use of
the MSR (immediate) with a macro that allows the literal value to be
directly fed to the inline assembly statement
Roberto Vargas [Thu, 12 Oct 2017 09:57:40 +0000 (10:57 +0100)]
mem_protect: Fix PSCI FEATURES API for MEM_PROTECT_CHECK
With this patch the PSCI_FEATURES API correctly reports availability
of the PSCI_MEM_PROTECT_CHECK API - PSCI_MEM_CHK_RANGE_AARCH64 is
added to the PSCI capabilities mask, PSCI_CAP_64BIT_MASK
David Cunado [Mon, 2 Oct 2017 16:41:39 +0000 (17:41 +0100)]
Init and save / restore of PMCR_EL0 / PMCR
Currently TF does not initialise the PMCR_EL0 register in
the secure context or save/restore the register.
In particular, the DP field may not be set to one to prohibit
cycle counting in the secure state, even though event counting
generally is prohibited via the default setting of MDCR_EL3.SMPE
to 0.
This patch initialises PMCR_EL0.DP to one in the secure state
to prohibit cycle counting and also initialises other fields
that have an architectually UNKNOWN reset value.
Additionally, PMCR_EL0 is added to the list of registers that are
saved and restored during a world switch.
Similar changes are made for PMCR for the AArch32 execution state.
NOTE: secure world code at lower ELs that assume other values in PMCR_EL0
will be impacted.
Change-Id: Iae40e8c0a196d74053accf97063ebc257b4d2f3a Signed-off-by: David Cunado <david.cunado@arm.com>
The common implementation of css_scp_sys_shutdown and
css_scp_warm_reset is refactored into a new function,
css_scp_system_off() that allows the desired power state to be
specified.
The css_scp_system_off can be used in the implementation of
SYSTEM_RESET2 for PSCI v1.1.
This patch implements PSCI_SYSTEM_RESET2 API as defined in PSCI
v1.1 specification. The specification allows architectural and
vendor-specific resets via this API. In the current specification,
there is only one architectural reset, the warm reset. This reset is
intended to provide a fast reboot path that guarantees not to reset
system main memory.
Evan Lloyd [Thu, 25 May 2017 18:06:47 +0000 (19:06 +0100)]
fiptool: Precursor changes for Visual Studio
In order to compile the source of Fiptool using Visual Studio a number
of adjustments are required to the source. This commit modifies the
source with changes that will be required, but makes no functional
modification. The intent is to allow confirmation that the GCC build
is unaffected.
projects / arm-tf.git / log