feat(drtm): add DRTM parameters structure version check
Added DRTM parameters structure version check that as per
the current released DRTM specification [1].
Mainly to cater below mentioned in the specification [1]
section 3.12 -
For a given DRTM major version number this structure will
always be extended in a backwards compatible manner.
vallau01 [Mon, 8 Aug 2022 12:10:14 +0000 (14:10 +0200)]
fix(el3-spmc): compute full FF-A V1.1 desc size
This patch fixes an issue in spmc_ffa_fill_desc.
In order to compute the spmc_shm_get_v1_1_descriptor_size,
fragment_length which is a fraction of the descriptor size is used as
desc_size parameter. It has to be replaced with the
full V1.0 descriptor size(obj->desc_filled).
Boyan Karatotev [Mon, 3 Oct 2022 13:21:28 +0000 (14:21 +0100)]
fix(cpus): workaround for Cortex-A710 erratum 2291219
Cortex-A710 erratum 2291219 is a Cat B erratum that applies to revisions
r0p0, r1p0, and r2p0, and is fixed in r2p1. The workaround is to set
CPUACTLR2_EL1[36] to 1 before the power down sequence that sets
CORE_PWRDN_EN. This allows the cpu to retry the power down and prevents
the deadlock. TF-A never clears this bit even if it wakes up from the
wfi in the sequence since it is not expected to do anything but retry to
power down after and the bit is cleared on reset.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101/latest
Boyan Karatotev [Mon, 3 Oct 2022 13:18:28 +0000 (14:18 +0100)]
fix(cpus): workaround for Cortex-X3 erratum 2313909
Cortex-X3 erratum 2313909 is a Cat B erratum that applies to revisions
r0p0 and r1p0, and is fixed in r1p1. The workaround is to set
CPUACTLR2_EL1[36] to 1 before the power down sequence that sets
CORE_PWRDN_EN. This allows the cpu to retry the power down and prevents
the deadlock. TF-A never clears this bit even if it wakes up from the
wfi in the sequence since it is not expected to do anything but retry to
power down after and the bit is cleared on reset.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2055130/latest
Boyan Karatotev [Mon, 3 Oct 2022 13:07:08 +0000 (14:07 +0100)]
fix(cpus): workaround for Neoverse-N2 erratum 2326639
Neoverse-N2 erratum 2326639 is a Cat B erratum that applies to revision
r0p0 and is fixed in r0p1. The workaround is to set CPUACTLR2_EL1[36] to
1 before the power down sequence that sets CORE_PWRDN_EN. This allows
the cpu to retry the power down and prevents the deadlock. TF-A never
clears this bit even if it wakes up from the wfi in the sequence since
it is not expected to do anything but retry to power down after and the
bit is cleared on reset.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1982442/latest/
Platforms which implement pwr_domain_pwr_down_wfi differ substantially
in behaviour. However, different cpus require similar sequences to power
down. This patch tightens the behaviour of these platforms to end on a
wfi loop after performing platform power down. This is required so that
platforms behave more consistently on power down, in cases where the wfi
can fall through.
Add documentation how to build EL3 SPMC,
briefly describes all FF-A interfaces,
SP boot flow, SP Manifest, Power Management,
Boot Info Protocol, Runtime model and state
transition and Interrupt Handling.
Boyan Karatotev [Tue, 25 Oct 2022 10:29:04 +0000 (11:29 +0100)]
chore: rename Makalu ELP to Cortex-X3
The Cortex-X3 cpu port was developed before its public release when it
was known as Makalu ELP. Now that it's released we can use the official
product name.
Bipin Ravi [Thu, 13 Oct 2022 22:25:51 +0000 (17:25 -0500)]
fix(security): optimisations for CVE-2022-23960
Optimised the loop workaround for Spectre_BHB mitigation:
1. use of speculation barrier for cores implementing SB instruction.
2. use str/ldr instead of stp/ldp as the loop uses only X2 register.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I8ac53ea1e42407ad8004c1d59c05f791011f195d
Shawn Guo [Wed, 26 Oct 2022 08:38:53 +0000 (16:38 +0800)]
fix(imx8m): update poweroff related SNVS_LPCR bits only
Function imx_system_off() writes SNVS_LPCR register to power off the SoC
without bit masking. This clears other bits like LPWUI_EN and breaks
the function of SoC wake-up using RTC alarm. Fix it by updating poweroff
related bits only.
Daniel Boulby [Wed, 5 Oct 2022 10:05:22 +0000 (11:05 +0100)]
feat(zlib): update zlib source files
Upgrade the zlib source files to the ones present in the version 1.2.13
of zlib [1]. Since 1.2.11 the use of Arm crc32 instructions has been
introduced so update the files to make use of this.
[1] https://github.com/madler/zlib/tree/v1.2.13
Change-Id: Ideef78c56f05ae7daec390d00dcaa8f66b18729e Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Merge changes from topic "imx8m-hab-support" into integration
* changes:
docs(imx8m): update for high assurance boot
feat(imx8m): add support for high assurance boot
feat(imx8mp): add hab and map required memory blocks
feat(imx8mn): add hab and map required memory blocks
feat(imx8mm): add hab and map required memory blocks
build: deprecate Arm rdn1edge and sgi575 FVP platforms
Arm has decided to deprecate the sgi575 and rdn1edge platforms.
The development of software and fast models for these platforms
has been discontinued. rdn1edge platform has been superseded by the
rdn2 platform, which is already supported in TF-A and CI work is
underway for this platform.
Change-Id: If2228fb73549b244c3a5b0e5746617b3f24fe771 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Marco Felsch [Mon, 22 Aug 2022 10:39:01 +0000 (12:39 +0200)]
feat(imx8mm): add BL31 PIE support
Enable PIE support so the BL31 firmware can be loaded from anywhere
within the OCRAM (SRAM). For the PIE support we only need to replace the
BL31_BASE define by the BL31_START symbol which is a relocatable and we
need to enable it by setting ENABLE_PIE := 1.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I52e654917167f0faf6aa437da233d8faf1f2bb26
Marco Felsch [Mon, 22 Aug 2022 10:30:11 +0000 (12:30 +0200)]
refactor(imx8mm): introduce BL2_SIZE and BL31_SIZE
No functional change.
Introduce BLx_SIZE defines and calculate the limits based on the
BLx_BASE and the BLx_SIZE define. Also make use of SZ_128K to make it
easier to read. This is required for later BL31 PIE support since it
drops the calculation based on the BL31_LIMIT and BL31_BASE.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I8670faa5d5a572ef230011594f3d0d594fb257d9
Marco Felsch [Mon, 22 Aug 2022 10:25:04 +0000 (12:25 +0200)]
refactor(imx8mm): make use of setup_page_tables()
No functional change. Use the setup_page_tables() helper function which
does the three calls for us. Also the function has some logging support
which will be nice during debugging.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Ic465491ff5468e812e805de56be3b6b92d245080
Marco Felsch [Mon, 22 Aug 2022 10:23:56 +0000 (12:23 +0200)]
refactor(imx8mm): cleanup the mmap region settings
No functional change.
Introduce the bl_regions array to gather all regions and make use of the
MAP_REGION_FLAT() macro. The array is than passed to mmap_add() to map
all regions. While on it introduce some defines so the addr, size and
flags can be read more easily.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I9f0ae9fc89514db71bef734b867c46574833831c
Marco Felsch [Mon, 4 Jul 2022 10:18:34 +0000 (12:18 +0200)]
feat(imx8mn): add BL31 PIE support
Enable PIE support so the BL31 firmware can be loaded from anywhere
within the OCRAM (SRAM). For the PIE support we only need to replace the
BL31_BASE define by the BL31_START symbol which is a relocatable and we
need to enable it by setting ENABLE_PIE := 1.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I33c8e35c35112d70d2725eebe484a853a8aad9e0
Marco Felsch [Mon, 4 Jul 2022 10:14:54 +0000 (12:14 +0200)]
refactor(imx8mn): introduce BL31_SIZE
Introduce BL31_SIZE define and calculate the limit based on the
BL31_BASE and the BL31_SIZE define. Also make use of SZ_128K to make it
easier to read. This is required for later BL31 PIE support since it
drops the calculation based on the BL31_LIMIT and BL31_BASE.
While on it remove the duplicated <lib/utils_def.h> include.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Ifca40bd5682ef993db986439115abd9e9a66a5b2
Marco Felsch [Mon, 4 Jul 2022 10:11:01 +0000 (12:11 +0200)]
refactor(imx8mn): make use of setup_page_tables()
No functional change.
Use the setup_page_tables() helper function which does the three calls
for us. Also the function has some logging support which will be nice
during debugging.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I2f0182f19300a3a57bbeb7e2107c5fb5525dd0c1
Marco Felsch [Mon, 4 Jul 2022 10:07:59 +0000 (12:07 +0200)]
refactor(imx8mn): cleanup the mmap region settings
No functional change.
Introduce the bl_regions array to gather all regions and make use of the
MAP_REGION_FLAT() macro. The array is than passed to mmap_add() to map
all regions. While on it introduce some defines so the addr, size and
flags can be read more easily.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Id5849d2a7326a943927f458f1c6abbc041f5be18
Marco Felsch [Fri, 1 Jul 2022 13:55:30 +0000 (15:55 +0200)]
feat(imx8mp): add BL31 PIE support
Enable PIE support so the BL31 firmware can be loaded from anywhere
within the OCRAM (SRAM). How important this is shows the back and forth
of the BL31_BASE address starting with TF-A v2.5. Since then the
BL31_BASE address wasn't stable and choosing the correct combination of
SPL version loadaddress and TF-A version loadaddr was tricky.
For the PIE support we only need to replace the BL31_BASE by the
BL31_START which is a relocatable symbol and to enable it by setting
ENABLE_PIE := 1.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I4214db1f27120f9f9cd1413ccd7a5a7d095ff45d
Marco Felsch [Mon, 4 Jul 2022 09:09:46 +0000 (11:09 +0200)]
refactor(imx8mp): introduce BL2_SIZE and BL31_SIZE
No functional change.
Introduce BLx_SIZE defines and calculate the limits based on the
BLx_BASE and the BLx_SIZE define. Also make use of SZ_128K to make it
easier to read. This is required for later BL31 PIE support since it
drops the calculation based on the BL31_LIMIT and BL31_BASE.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Idae34c1dfcedd35238fe083149080a199d50eed0
Marco Felsch [Fri, 1 Jul 2022 13:50:05 +0000 (15:50 +0200)]
refactor(imx8mp): make use of setup_page_tables()
No functional change. Use the setup_page_tables() helper function which
does the three calls for us. Also the function has some logging support
which will be nice during debugging.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I350965414939865220f745ef5b24d2cdc3095e7b
Marco Felsch [Fri, 1 Jul 2022 13:44:09 +0000 (15:44 +0200)]
refactor(imx8mp): cleanup the mmap region settings
Introduce the bl_regions array to gather all regions and make use of the
MAP_REGION_FLAT() macro. The array is than passed to mmap_add() to map
all regions. While on it introduce some defines so the addr, size and
flags can be read more easily. No functional change done.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I7f637beea61138a86d691cd78fba2dd17e4dc925
Marco Felsch [Tue, 5 Jul 2022 13:00:44 +0000 (15:00 +0200)]
feat(imx8m): make psci common code pie compatible
Swap the BL31_BASE define with the BL31_START symbol. This is required
for later added PIE support because the symbol location can be relocated
whereas the define can't be relocated. In case of disabled PIE support
BL31_START equals BL31_BASE and so we don't need a ifdef.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: Ic1bbf3af5b346898bfcbb207ffc27d9a5bdcaae7
Marco Felsch [Wed, 21 Sep 2022 15:48:35 +0000 (17:48 +0200)]
fix(imx8m): fix dram retention fsp_table access
The fsp_table access by [i-1] can cause invalid memory access in case of
i=0. This can be the case if no fsp_table is available. Fix this by
adding the idx variable which tracks the correct index.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: If2285517eb9fe837f3ad54360307a77a658bf62c
Andre Przywara [Fri, 7 Oct 2022 11:19:05 +0000 (12:19 +0100)]
fix(aarch64): make AArch64 FGT feature detection more robust
The ARMv8 ARM says about the values in the ID register scheme:
==== D17.1.3 Principles of the ID scheme for fields in ID registers ===
The ID fields, which are either signed or unsigned, use increasing
numerical values to indicate increases in functionality. Therefore,
if a value of 0x1 indicates the presence of some instructions, then
the value 0x2 will indicate the presence of those instructions plus
some additional instructions or functionality. This means software
can be written in the form:
if (value >= number) {
// do something that relies on the value of the feature
}
=======================================================================
So to check for the presence of a certain architecture feature, we
should not check against a certain specific value, as it's done right
now in several cases.
Relax the test for Fine Grained Trapping (FGT) to just check against
the field being 0 or not.
This fixes TF-A crashing due to an unhandled exception, when running a
Linux kernel on an FVP enabling ARMv8.9 features. The value of
ID_AA64MMFR0_EL1.FGT went from 0b0001 to 0b0010 there.
Change-Id: Ic3f1625a7650306ed388a0660429ca8823c673c2 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Add a section into documentation listing the support for High Assurance
Boot (HABv4), note on the DRAM mapping, and reference to the external
documentation.
Introduce support for High Assurance Boot (HABv4), which is used to
establish and extend the Root-of-Trust during FW loading at any given
boot stage.
This commit introduces support for HAB ROM Vector Table (RVT) API, which
is normally used by post-ROM code to authenticate additional boot images
(Kernel, FDT, FIT, etc.) that are taking part in the Root-of-Trust.
feat(imx8mp): add hab and map required memory blocks
In order for HAB to perform operations, memory regions has to be mapped
in TF-A, which HAB ROM code would use internally.
Include those memory blocks for i.MX8M+ SoC. Of a special note, the DRAM
block is mapped with complete size available on the platform and uses
MT_RW attributes, this is required to minimize the size of translation
tables and provide a possibility to exchange the execution results
between EL3 and EL1&2, see details in [1].
feat(imx8mn): add hab and map required memory blocks
In order for HAB to perform operations, memory regions has to be mapped
in TF-A, which HAB ROM code would use internally.
Include those memory blocks for i.MX8MN SoC. Of a special note, the DRAM
block is mapped with complete size available on the platform and uses
MT_RW attributes, this is required to minimize the size of translation
tables and provide a possibility to exchange the execution results
between EL3 and EL1&2, see details in [1].
feat(imx8mm): add hab and map required memory blocks
In order for HAB to perform operations, memory regions has to be mapped
in TF-A, which HAB ROM code would use internally.
Include those memory blocks for i.MX8MM SoC. Of a special note, the DRAM
block is mapped with complete size available on the platform and uses
MT_RW attributes, this is required to minimize the size of translation
tables and provide a possibility to exchange the execution results
between EL3 and EL1&2, see details in [1].
Daniel Boulby [Fri, 23 Sep 2022 08:37:20 +0000 (09:37 +0100)]
docs(prerequisites): upgrade to Mbed TLS 2.28.1
In anticpation of the next Trusted Firmware release update the to newest
2.x Mbed TLS library [1].
Note that the Mbed TLS project published version 3.x some time ago.
However, as this is a major release with API breakages, upgrading to
this one might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to Mbed TLS 3.x after the v2.8 release
of TF-A.
Akshay Belsare [Tue, 11 Oct 2022 09:42:02 +0000 (15:12 +0530)]
fix(versal_net): Enable a78 errata workarounds
TF-A is reporting that erratum are missing to be enabled.
Enable the Following errata workaround to Cortex-A78 AE CPU for versal_net
ERRATA_A78_AE_1941500
ERRATA_A78_AE_1951502
ERRATA_A78_AE_2376748
ERRATA_A78_AE_2395408
For further information refer to
https://developer.arm.com/documentation/SDEN1707912/1300/
Right now, the delegated attestation module is not used in TF-A. This
means it's not even getting built and so the CI system cannot detect
build regressions.
Eventually, delegated attestation will be involved in a new runtime
service exposed by BL31 to lower exception levels. We are not there
yet but let's already include it into BL31 image, so we get build
coverage and static analysis on the code. Note that we make sure to
cover both PLAT_RSS_NOT_SUPPORTED=0 and PLAT_RSS_NOT_SUPPORTED=1
configurations.
Delegated attestation is currently made dependent on measured boot
support. This dependency is not at the source code level (attestation
code does not invoke any measured boot interfaces) but it is rather a
logical dependency: attestation without boot measurements is not very
useful...
For now, this is good enough for our purpose but the conditions under
which the attestation code is included might change in the future.
Boyan Karatotev [Thu, 13 Oct 2022 12:51:05 +0000 (13:51 +0100)]
fix(sme): add missing ISBs
EL3 is configured to trap accesses to SME registers (via
CPTR_EL3.ESM=0). To allow SME instructions, this needs to be temporarily
disabled before changing system registers. If the PE delays the effects
of writes to system registers then accessing the SME registers will trap
without an isb. This patch adds the isb to restore functionality.
Michal Simek [Fri, 7 Oct 2022 06:15:19 +0000 (08:15 +0200)]
fix(versal): enable a72 erratum 859971 and 1319367
TF-A is reporting that above two erratum are missing to be enabled that's
why enable them by default.
For futher information please refer to
https://developer.arm.com/documentation/epm012079/11/
where
859971 is "Speculative instruction prefetch to Execute-never (XN) memory
could cause deadlock or data integrity issue" and 1319367 is "Speculative AT instruction using out-of-context translation
regime could cause subsequent request to generate an incorrect
translation".
Change-Id: I408706713a169e53db63ac5657751b0b003e646d Signed-off-by: Michal Simek <michal.simek@amd.com>
Boyan Karatotev [Wed, 5 Oct 2022 13:43:54 +0000 (14:43 +0100)]
chore(rpi3): remove redundant code
The pwr_domain_pwr_down_wfi entry is overridden by a newer
implementation. This removes the last reference to
rpi3_pwr_domain_pwr_down_wfi. Remove both as they are not needed
Scott Parlane [Mon, 5 Sep 2022 22:59:57 +0000 (10:59 +1200)]
fix(rk3399): explicitly define the sys_sleep_flag_sram type
Recent GCC versions now do array-bounds checking which fails for
sys_sleep_flag_sram because the struct is larger than the 8-bytes
size that (void *) is
This variable is only used in one place as the struct,
so it can be defined with the struct type.
Resolves:
plat/rockchip/px30/drivers/pmu/pmu.c: In function 'rockchip_soc_sys_pwr_dm_suspend':
plat/rockchip/px30/drivers/pmu/pmu.c:977:23: error: array subscript 'struct psram_data_t[0]' is partly outside array bounds of 'void[8]' [-Werror=array-bounds]
977 | psram_boot_cfg->pm_flag &= ~PM_WARM_BOOT_BIT;
Change-Id: Ifbe42d11d0c7875f6cb23dc0b7ffb3f3f90c55a8 Signed-off-by: Scott Parlane <scott@parlanenz.com>
fix(gicv3/multichip): fix overflow caused by left shift
When spi_id_max is 5119, the expression `(spi_id_max - 4096U + 1U >> 5)`
evaluates to 32 leading to undefined behavior when using it to left
shift 1. Fix this undefined behavior.
```
large_shift: In expression 1 << (spi_id_max - 4096U + 1U >> 5), left
shifting by more than 31 bits has undefined behavior. The shift
amount, spi_id_max - 4096U + 1U >> 5, is as much as 32.
```