The current build system and driver requires the CCI product to be
specified at build time. The device constraints can be determined at run
time from its ID registers, obviating the need for specifying them
ahead.
This patch adds changes to identify and validate CCI at run time. Some
global variables are renamed to be in line with the rest of the code
base.
The build option ARM_CCI_PRODUCT_ID is now removed, and user guide is
updated.
The CCI crash dump macros assumes CCI base at build time. Since this
can't be the case for CCI on FVP, choose not to register dump CCI
registers for FVP.
In contrast with the non-multi-threading DTS, this enumerates MPIDR
values shifted by one affinity level to the left. The newly added DTS
reflects CPUs with a single thread in them.
Since both DTS files are the same apart from MPIDR contents, the common
bits have been moved to a separate file that's then included from the
top-level DTS files. The multi-threading version only updates the MPIDR
contents.
ARM CPUs with multi-threading implementation has more than one
Processing Element in a single physical CPU. Such an implementation will
reflect the following changes in the MPIDR register:
- The MT bit set;
- Affinity levels pertaining to cluster and CPUs occupy one level
higher than in a single-threaded implementation, and the lowest
affinity level pertains to hardware threads. MPIDR affinity level
fields essentially appear shifted to left than otherwise.
The FVP port henceforth assumes that both properties above to be
concomitant on a given FVP platform.
To accommodate for varied MPIDR formats at run time, this patch
re-implements the FVP platform-specific functions that translates MPIDR
values to a linear indices, along with required validation. The same
treatment is applied for GICv3 MPIDR hashing function as well.
An FVP-specific build option FVP_MAX_PE_PER_CPU is introduced which
specifies the maximum number of threads implemented per CPU. For
backwards compatibility, its value defaults to 1.
This patch changes the sign of the loop variable used in
xlat_tables_print(). It needs to be unsigned because it is compared
against another unsigned int.
David Cunado [Wed, 19 Jul 2017 11:14:07 +0000 (12:14 +0100)]
Address edge case for stale PSCI CPU data in cache
There is a theoretical edge case during CPU_ON where the cache
may contain stale data for the target CPU data - this can occur
under the following conditions:
- the target CPU is in another cluster from the current
- the target CPU was the last CPU to shutdown on its cluster
- the cluster was removed from coherency as part of the CPU shutdown
In this case the cache maintenace that was performed as part of the
target CPUs shutdown was not seen by the current CPU's cluster. And
so the cache may contain stale data for the target CPU.
This patch adds a cache maintenance operation (flush) for the
cache-line containing the target CPU data - this ensures that the
target CPU data is read from main memory.
Change-Id: If8cfd42639b03174f60669429b7f7a757027d0fb Signed-off-by: David Cunado <david.cunado@arm.com>
At the moment, various parts of the Trusted Firmware code assume
that the granule size used is 4 KB. For example, the linker scripts
enforce 4 KB alignment restrictions on some sections.
However, the ARMv8-A architecture allows 16 KB and 64 KB granule
sizes as well. Some other parts of the TF code, particularly the
architectural code and definitions, have been implemented with
this in mind and cater for all 3 cases.
This discrepancy creates some confusion as to what is effectively
supported in TF. This patch adds some code comments and clarification
in the documentation to make this limitation clearer.
When using __builtin_ctzll() in AArch32 code, the compiler may translate
that into a call to the __ctzdi2() function. In this case, the linking
phase fails because TF doesn't provide an implementation for it.
This patch imports the implementation of the __ctzdi2() function from
LLVM's compiler-rt project and hooks it into TF's build system. The
ctzdi2.c file is an unmodified copy from the master branch as of
July 19 2017 (SVN revision: 308480).
xlat lib v2: Remove hard-coded virtual address space size
Previous patches have made it possible to specify the physical and
virtual address spaces sizes for each translation context. However,
there are still some places in the code where the physical (resp.
virtual) address space size is assumed to be PLAT_PHY_ADDR_SPACE_SIZE
(resp. PLAT_VIRT_ADDR_SPACE_SIZE).
This patch removes them and reads the relevant address space size
from the translation context itself instead. This information is now
passed in argument to the enable_mmu_arch() function, which needs it
to configure the TCR_ELx.T0SZ field (in AArch64) or the TTBCR.T0SZ
field (in AArch32) appropriately.
xlat lib v2: Refactor the functions enabling the MMU
This patch refactors both the AArch32 and AArch64 versions of the
function enable_mmu_arch().
In both versions, the code now computes the VMSA-related system
registers upfront then program them in one go (rather than interleaving
the 2).
In the AArch64 version, this allows to reduce the amount of code
generated by the C preprocessor and limits it to the actual differences
between EL1 and EL3.
In the AArch32 version, this patch also removes the function
enable_mmu_internal_secure() and moves its code directly inside
enable_mmu_arch(), as it was its only caller.
xlat lib v2: Remove init_xlat_tables_arch() function
In both the AArch32 and AArch64 versions, this function used to check
the sanity of the PLAT_PHY_ADDR_SPACE_SIZE in regard to the
architectural maximum value. Instead, export the
xlat_arch_get_max_supported_pa() function and move the debug
assertion in AArch-agnostic code.
The AArch64 used to also precalculate the TCR.PS field value, based
on the size of the physical address space. This is now done directly
by enable_mmu_arch(), which now receives the physical address space size
in argument.
In a previous patch, the xlat_ctx_t type has been made public.
This patch now makes the *_ctx() APIs public.
Each API now has a *_ctx() variant. Most of them were already implemented
and this patch just makes them public. However, some of them were missing
so this patch introduces them.
Now that all these APIs are public, there's no good reason for splitting
them accross 2 files (xlat_tables_internal.c and xlat_tables_common.c).
Therefore, this patch moves all code into xlat_tables_internal.c and
removes xlat_tables_common.c. It removes it from the library's makefile
as well.
This last change introduces a compatibility break for platform ports
that specifically include the xlat_tables_common.c file instead of
including the library's Makefile. The UniPhier platform makefile has
been updated to now omit this file from the list of source files.
The prototype of mmap_add_region_ctx() has been slightly changed. The
mmap_region_t passed in argument needs to be constant because it gets
called from map_add(), which receives a constant region. The former
implementation of mmap_add() used to cast the const qualifier away,
which is not a good practice.
Also remove init_xlation_table(), which was a sub-function of
init_xlat_tables(). Now there's just init_xlat_tables() (and
init_xlat_tables_ctx()). Both names were too similar, which was
confusing. Besides, now that all the code is in a single file,
it's no longer needed to have 2 functions for that.
Leo Yan [Wed, 26 Jul 2017 06:36:01 +0000 (14:36 +0800)]
hikey: Disable VBUS_DET interrupt for PMIC
After disconnect Jumper pin 1-2 in J15 header, the signal VBUS_DET is to
be pulled down to low level. This will assert the interrupt signal in
PMIC and trigger IRQ in GIC; the asserted signal from VBUS_DET is level
triggered and kernel reports the warning for unhooked interrupt handling;
and VBUS_DET stays with low level, this triggers IRQ storm in kernel.
This patch is to disable interrupt for VBUS_DET in PMIC, this can
dismiss the verbose log and IRQ storm after kernel booting.
xlat lib v2: Export translation context as an opaque type
At the moment, the translation context type (xlat_ctx_t) is a private
type reserved for the internal usage of the translation table library.
All exported APIs (implemented in xlat_tables_common.c) are wrappers
over the internal implementations that use such a translation context.
These wrappers unconditionally pass the current translation context
representing the memory mappings of the executing BL image. This means
that the caller has no control over which translation context the
library functions act on.
As a first step to make this code more flexible, this patch exports
the 'xlat_ctx_t' type. Note that, although the declaration of this type
is now public, its definition stays private. A macro is introduced to
statically allocate and initialize such a translation context.
The library now internally uses this macro to allocate the default
translation context for the running BL image.
Move the header files that provide translation tables architectural
definitions from the library v2 source files to the library include
directory. This allows to share these definitions between both
versions (v1 and v2) of the library.
Create a new header file that includes the AArch32 or AArch64
definitions based on the AARCH32 build flag, so that the library user
doesn't have to worry about handling it on their side.
Also repurpose some of the definitions the header files provide to
concentrate on the things that differ between AArch32 and AArch64.
As a result they now contain the following information:
- the first table level that allows block descriptors;
- the architectural limits of the virtual address space;
- the initial lookup level to cover the entire address space.
Additionally, move the XLAT_TABLE_LEVEL_MIN macro from
xlat_tables_defs.h to the AArch32/AArch64 architectural definitions.
This new organisation eliminates duplicated information in the AArch32
and AArch64 versions. It also decouples these architectural files from
any platform-specific information. Previously, they were dependent on
the address space size, which is platform-specific.
Finally, for the v2 of the library, move the compatibility code for
ADDR_SPACE_SIZE into a C file as it is not needed outside of this
file. For v1, this code hasn't been changed and stays in a header
file because it's needed by several files.
FVP: Do not map DEVICE2 memory range when TBB is disabled
The DEVICE2 memory range is needed to access the Root of Trust Public
Key registers. This is not needed when Trusted Board Boot is disabled
so it's safer to not map it in this case. This also saves one level-2
page table in each of BL1 and BL2 images.
This patch adds some debug prints to display some statistics about page
tables usage. They are printed only if the LOG_LEVEL is at least 50
(i.e. VERBOSE).
Sample output for BL1:
VERBOSE: Translation tables state:
VERBOSE: Max allowed PA: 0xffffffff
VERBOSE: Max allowed VA: 0xffffffff
VERBOSE: Max mapped PA: 0x7fffffff
VERBOSE: Max mapped VA: 0x7fffffff
VERBOSE: Initial lookup level: 1
VERBOSE: Entries @initial lookup level: 4
VERBOSE: Used 4 sub-tables out of 5 (spare: 1)
Soby Mathew [Tue, 13 Jun 2017 17:00:53 +0000 (18:00 +0100)]
CSS: Prevent SCP_BL2/2U from overwriting BL1 RW data
On ARM CSS platforms, the SCP_BL2/2U image is loaded below
BL1 read-write data. This same memory is used to load BL31
later on. But sufficient checks were not done to ensure that the
SCP_BL2 would not overwrite BL1 rw data. This patch adds the
required CASSERT checks to prevent overwrite into BL1 or BL2
memory by load of SCP_BL2/2U. Also the size of BL31 is increased
and SCP_BL2/2U size is decreased to accomodate it within the
allocated region.
Soby Mathew [Wed, 3 May 2017 11:58:41 +0000 (12:58 +0100)]
CSS: Reorganize the SCP Image transfer functionality
The SCP_BL2 is transferred to SCP during BL2 image load and authenticate
sequence. The Boot-Over-MHU (BOM) protocol is used as transport for this. After
the SCP boots using the transferred image, the AP CPU waits till the `READY`
message is received from SCP. This patch separates the API for transport of
image from the wait for `READY` message and also moves the related files to
the `css/drivers` folder. The previous API `scp_bootloader_transfer` is
renamed to `css_scp_boot_image_xfer` to reflect the css naming convention.
This reorganisation also allows easier switch to a different transport
(eg: Shared Data Structure based transfer) in future
Soby Mathew [Tue, 13 Jun 2017 16:59:17 +0000 (17:59 +0100)]
Resize the BL2 size limit for Juno
Recent patches to reduce the memory footprint of BL images have
resulted in saving several pages of memory. This patch reduces
the BL2 size limit by 20KB for Juno when ARM_BOARD_OPTIMISE_MEM=1
so that more free space can be freed up for Trusted OS (BL32). Also
SCP_BL2/SCP_BL2U size is now restricted to 80K.
This format is understood by almost all the UNIX tools (vi, emacs, acme, ...),
and it allows these tools to jump directly to the line where the assert
failed.
The board features the Hi3798C V200 with an integrated quad-core
64-bit ARM Cortex A53 processor and high performance Mali T720 GPU,
making it capable of running any commercial set-top solution based on
Linux or Android. Its high performance specification also supports a
premium user experience with up to H.265 HEVC decoding of 4K video at
60 frames per second.
SOC Hisilicon Hi3798CV200
CPU Quad-core ARM Cortex-A53 64 bit
DRAM DDR3/3L/4 SDRAM interface, maximum 32-bit data width 2 GB
USB Two USB 2.0 ports One USB 3.0 ports
CONSOLE USB-micro port for console support
ETHERNET 1 GBe Ethernet
PCIE One PCIe 2.0 interfaces
JTAG 8-Pin JTAG
EXPANSION INTERFACE Linaro 96Boards Low Speed Expansion slot
DIMENSION Standard 160×120 mm 96Boards Enterprice Edition form factor
WIFI 802.11AC 2*2 with Bluetooth
CONNECTORS One connector for Smart Card One connector for TSI
The platform boot sequence is as follows:
l-loader --> arm_trusted_firmware --> u-boot
U-Boot is also upstream in the project's master branch.
Make sure you are using the correct branch on each one of these
repositories. The definition of "correct" might change over time (at
this moment in time this would be the "latest" branch).
Build Line:
make CROSS_COMPILE=aarch64-linux-gnu- all fip SPD=none DEBUG=1
PLAT=poplar BL33=/path/to/u-boot.bin
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> Signed-off-by: Leo Yan <leo.yan@linaro.org> Signed-off-by: Alex Elder <elder@linaro.org> Tested-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org> Tested-by: Leo Yan <leo.yan@linaro.org> Tested-by: Alex Elder <elder@linaro.org>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions to this change in order to retain
header groupings and where there are headers within #if statements.
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Victor Chong [Sat, 27 May 2017 15:14:25 +0000 (00:14 +0900)]
hikey: Remove unnecessary code
PLATFORM_LINKER_FORMAT
and
PLATFORM_LINKER_ARCH
defines are removed from
plat/hisilicon/hikey/include/platform_def.h
since there are already defined in
include/plat/common/common_def.h
which is included by
plat/hisilicon/hikey/hikey_def.h
which is included by
plat/hisilicon/hikey/include/platform_def.h
The line
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
is removed from
plat/hisilicon/hikey/platform.mk
to clear the warning below:
Makefile:544: warning: overriding commands for target `check_SCP_BL2'
plat/hisilicon/hikey/platform.mk:19: warning: ignoring old commands for target `check_SCP_BL2'
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
already exists in
Makefile
and applies to plat hikey so is redundant in
plat/hisilicon/hikey/platform.mk
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Victor Chong [Sat, 27 May 2017 15:14:37 +0000 (00:14 +0900)]
hikey960: platform.mk: Remove FIP_ADD_IMG SCP_BL2
The line
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
is removed from
plat/hisilicon/hikey960/platform.mk
to clear the warning below:
Makefile:544: warning: overriding commands for target `check_SCP_BL2'
plat/hisilicon/hikey960/platform.mk:13: warning: ignoring old commands for
target `check_SCP_BL2'
$(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw))
already exists in
Makefile
and applies to plat hikey960 so is redundant in
plat/hisilicon/hikey960/platform.mk
Signed-off-by: Victor Chong <victor.chong@linaro.org> Acked-by: Haojian Zhuang <haojian.zhuang@linaro.org>
This patch updates the User Guide is to state that Linaro
release 17.04 is supported.
Additionally, the following fixes are made to the User Guide:
- Removed out of date reference to Linaro release 16.06.
- Updated the Juno variant coverage to include r2.
Change-Id: Iebbced3356f8c6b3c2bff2df62574db9f937ca7b Signed-off-by: David Cunado <david.cunado@arm.com>
David Cunado [Tue, 27 Jun 2017 16:31:12 +0000 (17:31 +0100)]
Update Foundation, AEM and Cortex Models versions
Trusted Firmware has been tested as part of its CI system against Cortex
and Foundation models in the 11.0 Model release available on
developer.arm.com. Trusted Firmware has also been tested against the v8.5
AEM model.
This patch updates the user guide documentation to reflect the version of
the Foundation, AEM and Cortex Models that Trusted Firmware has been
tested against.
Change-Id: I3b5b4d1e4220bda1dcc88aa9cfa01fa711ed92cd Signed-off-by: David Cunado <david.cunado@arm.com>
Caesar Wang [Mon, 19 Jun 2017 06:02:52 +0000 (14:02 +0800)]
rockchip/rk3399: fixes the typo and the WARNINGS during suspend/resume
This patch fixes the two things as follows:
1) rk3399_flash_l2_b" seems to be a typo. That's "flush", not "flash".
2) fixes the warnings log.
We always hit the warnings thing during the suspend, as below log:
..
[ 51.022334] CPU5: shutdown
[ 51.025069] psci: CPU5 killed.
INFO: sdram_params->ddr_freq = 928000000
WARNING: rk3399_flash_l2_b:reg 28830380,wait
When the L2 completes the clean and invalidate sequence, it asserts the
L2FLUSHDONE signal. The SoC can now deassert L2FLUSHREQ signal and then
the L2 deasserts L2FLUSHDONE.
Then, a loop without a delay isn't really great to measure time. We should
probably add a udelay(10) or so in there and then maybe replace the WARN()
after the loop. In the actual tests, the L2 cache will take ~4ms by
default for big cluster.
In the real world that give 10ms for the enough margin, like the
ddr/cpu/cci frequency and other factors that will affect it.
Change-Id: I55788c897be232bf72e8c7b0e10cf9b06f7aa50d Signed-off-by: Caesar Wang <wxt@rock-chips.com>
Douglas Raillard [Wed, 28 Jun 2017 14:23:03 +0000 (15:23 +0100)]
Convert documentation to reStructuredText
Due to recent issues in the rendering of the documentation on GitHub and
some long-standing issues like the lack of automatic table of content in
Markdown, the documentation has been converted to reStructuredText.
Basic constructs looks pretty similar to Markdown.
Automatically convert GitHub markdown documentation to reStructuredText
using pandoc.
Change-Id: If20b695acedc6d1b49c8d9fb64efd6b6ba23f4a9 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Soby Mathew [Fri, 2 Jun 2017 16:44:07 +0000 (17:44 +0100)]
Use CryptoCell to set/get NVcounters and ROTPK
This patch implements the platform APIs plat_get_rotpk_info,
plat_get_nv_ctr, plat_set_nv_ctr to invoke CryptoCell SBROM
APIs when ARM_CRYPTOCELL_INT is set.
Soby Mathew [Mon, 5 Jun 2017 14:55:59 +0000 (15:55 +0100)]
Do basic CryptoCell LCS check
This patch implements the basic lifecycle state check when CryptoCell
SBROM is initialized. Currently the check ensures that if the lifecycle
state is Security Disabled (SD), the boot process does not proceed
further.
Soby Mathew [Wed, 10 May 2017 10:50:30 +0000 (11:50 +0100)]
ARM plat changes to enable CryptoCell integration
This patch makes the necessary changes to enable ARM platform to
successfully integrate CryptoCell during Trusted Board Boot. The
changes are as follows:
* A new build option `ARM_CRYPTOCELL_INTEG` is introduced to select
the CryptoCell crypto driver for Trusted Board boot.
* The TrustZone filter settings for Non Secure DRAM is modified
to allow CryptoCell to read this memory. This is required to
authenticate BL33 which is loaded into the Non Secure DDR.
* The CSS platforms are modified to use coherent stacks in BL1 and BL2
when CryptoCell crypto is selected. This is because CryptoCell makes
use of DMA to transfer data and the CryptoCell SBROM library allocates
buffers on the stack during signature/hash verification.
Soby Mathew [Wed, 10 May 2017 10:49:58 +0000 (11:49 +0100)]
Add CC crypto driver to the Auth module
This patch adds a crypto driver which utilizes the ARM® TrustZone®
CryptoCell-712 to verify signature and hash during Trusted Board Boot. Along
with this driver, the CryptoCell SBROM library is required to successfully
build the BL image. The path to this library is specified via
the `CCSBROM_LIB_PATH` variable. Please note that, mbedTLS is still required
to do the X509 certificate ASN.1 parsing and CryptoCell is only utilized for
signature and hash verification.
Soby Mathew [Wed, 10 May 2017 10:48:40 +0000 (11:48 +0100)]
Add headers to enable CryptoCell integration
This patch adds header files with required declarations and
macro definitions to enable integration with CryptoCell SBROM
version `CC712 – Release 1.0.0.1061`. These headers enable ARM
Trusted Firmware to build and link with CryptoCell SBROM
library.
Douglas Raillard [Thu, 22 Jun 2017 14:03:50 +0000 (15:03 +0100)]
Document CFLAGS make option
CFLAGS content can be set on the command line to allow passing extra
options to the compiler. Its content is appended after the options set
by the Makefile (TF_CFLAGS).
The Makefiles must use TF_CFLAGS instead of CFLAGS, as the latter can be
completely overriden by setting it on the command line.
Also tell about LDFLAGS in the "Debugging options" section.
Change-Id: Iaf27b424002898ef3040133f78cb133983a37aee Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Douglas Raillard [Thu, 22 Jun 2017 13:44:48 +0000 (14:44 +0100)]
Introduce TF_LDFLAGS
Use TF_LDFLAGS from the Makefiles, and still append LDFLAGS as well to
the compiler's invocation. This allows passing extra options from the
make command line using LDFLAGS.
Document new LDFLAGS Makefile option.
Change-Id: I88c5ac26ca12ac2b2d60a6f150ae027639991f27 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Caesar Wang [Wed, 28 Jun 2017 00:40:26 +0000 (08:40 +0800)]
rockchip: enable A53's erratum 855873 for rk3399
For rk3399, the L2ACTLR[14] is 0 by default, as ACE CCI-500 doesn't
support WriteEvict. and you will hit the condition L2ACTLR[3] with 0,
as the Evict transactions should propagate to CCI-500 since it has
snoop filters.
Maybe this erratum applies to all Cortex-A53 cores so far, especially
if RK3399's A53 is a r0p4. we should enable it to avoid data corruption,
Change-Id: Ib86933f1fc84f8919c8e43dac41af60fd0c3ce2f Signed-off-by: Caesar Wang <wxt@rock-chips.com>
Douglas Raillard [Thu, 22 Jun 2017 14:36:02 +0000 (15:36 +0100)]
Fix broken link in documentation
Fix link in docs/firmware-update.md and docs/change-log.md:
https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology
Change-Id: I2d51d373fd0f7da59b548cd6bed52c47772014fd Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
David Cunado [Wed, 21 Jun 2017 15:52:45 +0000 (16:52 +0100)]
Resolve signed-unsigned comparison issues
A recent commit 030567e6f51731982a7e71cbd387de93bc0e35fd added U()/ULL()
macro to TF constants. This has caused some signed-unsigned comparison
warnings / errors in the TF static analysis.
This patch addresses these issues by migrating impacted variables from
signed ints to unsigned ints and vice verse where applicable.
Change-Id: I4b4c739a3fa64aaf13b69ad1702c66ec79247e53 Signed-off-by: David Cunado <david.cunado@arm.com>
projects / arm-tf.git / log