test(tc): move platform tests in their own function
This is a bit cleaner, as it avoids cluttering the normal boot execution
path. It also gives us the opportunity to mark the tests function with
the __dead2 attribute, which informs both the compiler and the developer
that the test function never returns (since it suspends booting).
Note that this change only affects the platform tests execution
path. It has no impact on the normal boot flow.
Make individual test functions propagate an error code, instead of
calling the platform error handler at the point of failure. The latter
is now the responsibility of the caller - in this case
tc_bl31_common_platform_setup().
Note that right now, tc_bl31_common_platform_setup() does not look at
the said error code but this initial change opens up an opportunity to
centralize any error handling in tc_bl31_common_platform_setup(),
which we will seize in subsequent patches.
Merge changes from topic "allwinner_t507" into integration
* changes:
feat(allwinner): add support for Allwinner T507 SoC
feat(allwinner): add function to detect H616 die variant
feat(allwinner): add extra CPU control registers
refactor(allwinner): consolidate sunxi_cfg.h files
laurenw-arm [Wed, 3 May 2023 17:48:55 +0000 (12:48 -0500)]
fix(tc): only suspend booting after running plat tests
1. When doing a normal boot, tc_bl31_common_platform_setup() should
simply configure the platform and return.
2. When we are running the platform tests instead,
tc_bl31_common_platform_setup() should run the tests then suspend
booting (and thus never return).
We were incorrectly suspending the boot in case 1 as well. Put that
code under a preprocessor condition (PLATFORM_TEST_NV_COUNTERS or
PLATFORM_TEST_TFM_TESTSUITE) to fix this.
Olivier Deprez [Wed, 3 May 2023 16:15:40 +0000 (18:15 +0200)]
Merge changes from topic "mp/group0_support" into integration
* changes:
docs(spm): support for handling Group0 interrupts
feat(spmd): introduce platform handler for Group0 interrupt
feat(spmd): add support for FFA_EL3_INTR_HANDLE_32 ABI
feat(spmd): register handler for group0 interrupt from NWd
Chris Kay [Tue, 28 Mar 2023 16:38:02 +0000 (17:38 +0100)]
build(psci): move `runtime_errata.S` to PSCI
Move the runtime errata source file into the PSCI library, as PSCI is
the only component directly dependent on it, and it doesn't require
internal access to the CPUs library.
Change-Id: I92826714d49b1b0131f62c158543b4c167ab9aa8
Signed-off-by: Chris Kay <chris.kay@arm.com>
Chris Kay [Wed, 22 Mar 2023 15:42:32 +0000 (15:42 +0000)]
build: allow BL-specific includes/definitions
This change introduces the `BLx_INCLUDE_DIRS` and `BLx_DEFINES`
Makefile variables, which can be used to append include directories
and preprocessor definitions to specific images created using the
`MAKE_BL` Makefile macro.
Change-Id: I9431f9d1cbde5b0b2624d9ce128a4f043c74c87f
Signed-off-by: Chris Kay <chris.kay@arm.com>
J-Alves [Thu, 16 Mar 2023 15:26:52 +0000 (15:26 +0000)]
feat(fvp): define ns memory in the SPMC manifest
The SPMC (Hafnium) looks for secure and non-secure ranges
in its manifest.
Those relate with ranges that can be used by SPs in their
FF-A manifests.
The NS memory that is not used by SPs will be assigned
to the NWd, for it to share memory with SPs as needed.
Thus, this limits the memory the NWd can share with SPs,
to prevent NWD VMs from sharing memory that belongs
to other critical components.
feat(spmd): introduce platform handler for Group0 interrupt
This patch introduces a handler for FVP platform to triage Group0
secure interrupts. Currently, it is empty but serves as a
placeholder for future Group0 interrupt sources.
Moreover, this patch also provides a dummy implementation of the
above mentioned platform hook for QEMU, corstone100, n1sdp and
hikey960 ports.
feat(spmd): add support for FFA_EL3_INTR_HANDLE_32 ABI
When Group0 Secure interrupts in secure world get trapped to S-EL2
SPMC, FFA_EL3_INTR_HANDLE ABI is invoked by SPMC to delegate
interrupt handling to EL3 firmware (i.e., SPMD).
SPMD further delegates to platform handler which successfully handles
the Group0 secure interrupt before returning control to SPMC.
feat(spmd): register handler for group0 interrupt from NWd
SPMD registers a generic handler with the interrupt management
framework to handle Group0 secure interrupt from normal world.
The handler further delegates to the platform for successful
handling of the interrupt.
feat(el3-runtime): handle traps for IMPDEF registers accesses
This patch introduces support to handle traps from lower ELs for
IMPDEF system register accesses. The actual support is left to the
platforms to implement.
fix(tegra): remove dependency on CPU registers to get boot parameters
Commit 3e14df6f6 removed the code to clear the CPU registers X0 - X3,
which affected the Tegra platforms. Tegra platforms rely on the boot
parameters passed through custom mechanisms and do not use these
general purpose registers, but maintained sanity checks to support
legacy bootloaders. These sanity checks went out of sync due to the
code cleanup from bl31_entrypoint().
This patch removes the checks and calls the SOC specific handlers to
retrieve the boot parameters.
refactor(cpus): use BIT macro in a consistent manner
In assembly code, BIT macro is used with a preceding hash #. Let's
update Cortex X1 code to follow the same convention. Excluding hash
doesn't cause compilation to fail or emit incorrect code.
FEAT_SME2 is an extension of FEAT_SME and an optional feature
from v9.2. It's an extension of SME, wherein it not only
processes matrix operations efficiently, but also provides
outer-product instructions to accelerate matrix operations.
It affords instructions for multi-vector operations.
Further, it adds a 512 bit architectural register ZT0.
This patch implements all the changes introduced with FEAT_SME2
to ensure that the instructions are allowed to access ZT0
register from Non-secure lower exception levels.
Additionally, it adds support to ensure FEAT_SME2 is aligned
with the existing FEATURE DETECTION mechanism, and documented.
Macro esb used in TF-A executes the instruction "esb" and is kept under
RAS_EXTENSION macro. RAS_EXTENSION, as it stands today, is only enabled
for platforms which want RAS errors to be handled in Firmware while esb
instruction is available when RAS architecture feature is present
irrespective of its handling.
Currently TF-A does not have mechanism to detect whether RAS is present
or not in HW, define this macro unconditionally.
It's harmless for non-RAS cores as this instruction executes as NOP.
Tamas Ban [Fri, 21 Apr 2023 07:31:48 +0000 (09:31 +0200)]
fix(tc): enable the execution of both platform tests
The C preprocessor cannot compare defines against strings.
Such an expression is always evaluated to be true. Therefore,
its usage in a conditional expression results that always the
first branch is taken. Other branches cannot be reached by
any configuration value. The fix removes this string comparison
and instead it introduces distinct defines for all the cases.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ia1142b31b6778686c74e1e882fe4604fe3b6501d
This patch implements the pwr_domain_off_early handler for
Tegra platforms.
Powering off the boot core on some Tegra platforms is not
allowed and the SOC specific helper functions for Tegra194,
Tegra210 and Tegra186 implement this restriction.
Merge changes from topic "ti-sci-cleanup" into integration
* changes:
feat(ti): synchronize access to secure proxy threads
refactor(ti): remove inline directive from ti_sci and sec_proxy drivers
refactor(ti): refactor ti_sci_{setup,do}_xfer to allow zero size response
feat(ti): add sub and patch version number support
feat(allwinner): add support for Allwinner T507 SoC
The Allwinner T507 SoC is using the same die as the H616, but in a
different package. On top of this, there is at least one different die
revision out there, which uses a different CPU cluster control block.
The same die revision has been spotted in some, but not all, H313 SoCs.
Apart from that IP block, the rest of the SoC seems the same, so we can
support them using the existing H616 port. The die revision can be
auto-detected, so there is no extra build option or knowledge needed.
Provide the deviating CPU power up/down sequence for the die variant.
The new IP block uses per-core instead of per-cluster registers, but
follows the same pattern otherwise.
Since the CPU ops code is shared among all Allwinner SoCs, we need to
dummy-define the new register names for the older SoCs. The actual new
code is guarded by a predicate function, that is hard coded to return
true on the other SoCs. Since this is a static inline function in a
header file, the compiler will optimise away the unneeded branch there,
so the generated code for the other SoCs stays the same.
Change-Id: Ib5ade99d34b4ccb161ccde0e34f280ca6bd16ecd
Signed-off-by: Mikhail Kalashnikov <iuncuim@gmail.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Mon, 3 Apr 2023 20:33:45 +0000 (21:33 +0100)]
feat(allwinner): add function to detect H616 die variant
Allwinner provides a number of SoCs that use the same die as the H616.
Some of those chips apparently use a slight variation of that die, that
differs in the way the CPU cores' power and reset controls are handled.
This die variation can be detected by reading the SRAM version register.
Provide a predicate function that returns false if that die variant is
used. Since the CPU power control code is shared for all supported SoCs,
we provide an instance of this function for each SoC, as a static
inline, and return true on all other SoCs. This allows to always use
this function, and still let the compiler optimise away the unneeded
branch for those older SoCs.
This function is unused for now, but is needed in the next patch.
Change-Id: I49e014b895b7e2f55b4e7dc2b3d8aa31cee711b5
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The die used in several variants of the Allwinner H616 SoC (H313, T507)
seems to be produced in at least two revisions. The newer one differs from
the original by using a different CPU control register IP block.
Add those newly used register offsets to the respective header file. The
MMIO block itself is actually present in both variants, though the
registers are different. The new registers tend to use one register per
core, in contrast to one register per cluster in the older revisions.
Change-Id: Ifbda1bdc67a6a16fbb901dbc83996e4a148b7602
Signed-off-by: Mikhail Kalashnikov <iuncuim@gmail.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The header files describing the CPU cluster configuration IP block for
the H6 and H616 are actually identical, so merge them into one file and
move that to a common location. There is an upcoming SoC which will
similarly share a header file with the R329 SoC, so move that to the
same location already. In Allwinner's BSP source those two SoC groups
are typically called "NCAT" and "NCAT2", so use those names for the
shared header files. No functional change.
Change-Id: I98318373577344dbe228a81fa331ce660df32b5f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
build(fvp): reduce the number of cpu libraries included by default
The fvp build includes a very large number of cpus so that it can run on
a wide range of models. One config (HW_ASSISTED_COHERENCY=1
CTX_INCLUDE_AARCH32_REGS=0) includes an unusually large number of cpus.
Well, the list is quite arbitrary and incomplete. As we're currently out
of BL31 space on the fvp, remove all that are not routinely run in the
CI to buy us some time.
Also use the opportunity to reorder the list into something searchable.
Merge changes from topic "align-sections" into integration
* changes:
build(trp): sort sections by alignment by default
build(tsp): sort sections by alignment by default
build(sp-min): sort sections by alignment by default
build(bl31): sort sections by alignment by default
build(bl2u): sort sections by alignment by default
build(bl2): sort sections by alignment by default
This patch introduces the 'pwr_domain_off_early' hook for
platforms wanting to perform housekeeping steps before the
PSCI framework starts the CPU power off sequence. Platforms
might also want to use this opportunity to ensure that the
CPU off sequence can proceed.
The PSCI framework expects a return code of PSCI_E_DENIED,
if the platform wants to halt the CPU off sequence.
Rohit Ner [Tue, 25 Apr 2023 07:14:41 +0000 (00:14 -0700)]
fix(ufs): poll UCRDY for all commands
Host must only set UICCMD if HCS.UCRDY is set to 1.
At present, SW polls for UCRDY only before sending DME_GET.
Generalise this behaviour for DME_SET, DME_LINKSTARTUP,
DME_HIBERNATE_EXIT by moving polling logic inside ufshc_send_uic_cmd.
Signed-off-by: Rohit Ner <rohitner@google.com>
Change-Id: Iece777f803a660fdd144a073834c221e889371a6
Harrison Mutai [Mon, 24 Apr 2023 08:58:17 +0000 (09:58 +0100)]
docs: patch Poetry build instructions
Some parts of the documentation referring to Poetry provide incorrect
build instructions and have some minor formatting errors. Reformat the
bits that require formatting, and fix the build instructions. These
were originally part of the patch stack that added Poetry support but
were accidentally reverted prior to merge.
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Change-Id: I336d3a7bbe99f75262430ae436f8ebc2cb050d2c
Andre Przywara [Thu, 26 Jan 2023 16:47:52 +0000 (16:47 +0000)]
refactor(cpufeat): enable FEAT_DIT for FEAT_STATE_CHECKED
At the moment we only support FEAT_DIT to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_DIT=2), by splitting
is_armv8_4_dit_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed).
We use ENABLE_DIT on two occasions in assembly code, where we just set
the DIT bit in the DIT system register.
Protect those two cases by reading the CPU ID register when ENABLE_DIT
is set to 2.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I506d352f18e23c60db8cdf08edb449f60adbe098
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Harrison Mutai [Mon, 24 Apr 2023 16:13:07 +0000 (17:13 +0100)]
fix: add missing click dependency
Click is used in parts of the CI scripts (see run_config/fvp-linux.tc
for instance), add it back as part of a new dependency group. Future
dependencies that are required only in CI should be added to the
``ci`` dependency group.
Change-Id: I5da7fea703495dd4006d86334626f126a850bb10
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Manish Pandey [Wed, 29 Mar 2023 14:20:32 +0000 (15:20 +0100)]
fix(cpus): do not put RAS check before using esb
If RAS Extension is not implemented esb instruction executes as a NOP.
No need to have a check for RAS presence in the code.
Also, the handler is related to synchronous exceptions which
implicitly is part of BL31 image only, so remove that check too.
Manish Pandey [Tue, 14 Mar 2023 13:44:53 +0000 (13:44 +0000)]
fix(fvp): correct ehf priority for SPM_MM
PLAT_SP_PRI is used by SPM_MM and it is assigned same value as RAS
priority. Which is not allowed by exception handling framework and
causes build failure if both SPM_MM and RAS are enabled.
To fix this problem assign SP a different priority than RAS.
Merge changes from topic "mb/trusted-boot-update" into integration
* changes:
refactor(auth)!: unify REGISTER_CRYPTO_LIB
refactor(auth): replace plat_convert_pk
docs(auth): add auth_decrypt in CM chapter
feat(auth): compare platform and certificate ROTPK for authentication
docs(auth): add 'calc_hash' function's details in CM
Our process documentation already mentions that if a platform is no
longer maintained, it is best to deprecate it to keep the project's
source tree clean and healthy.
The same argument stands for drivers or library interfaces so extend
this policy to those.
Yann Gautier [Wed, 15 Mar 2023 10:31:25 +0000 (11:31 +0100)]
refactor(auth)!: unify REGISTER_CRYPTO_LIB
Have only one definition for REGISTER_CRYPTO_LIB macro, with all the
possible fields. Worst case adds 4 u64 to crypto_lib_desc.
While at it, correct some MISRA violations:
MC3R1.R12.1: (advisory) The precedence of operators within expressions
should be made explicit.
Yann Gautier [Tue, 24 Jan 2023 08:39:47 +0000 (09:39 +0100)]
refactor(auth): replace plat_convert_pk
Following discussions in the reviews of the patch that introduced
plat_convert_pk() function [1], it was decided to deprecate it to
avoid weak function declaration.
A new optional function pointer convert_pk is added to crypto_lib_desc_t.
A new function crypto_mod_convert_pk() will either call
crypto_lib_desc.convert_pk() if it is defined, or do the same
as what was done by the weak function otherwise.
Arm has decided to deprecate the rde1edge platform. The development
of software and fast model for this platform have been discontinued.
Hence, updated the makefile to warn about the deprecation of this
platform, and also reflected it in the documentation.
Change-Id: I0d44de4590dd5dce02c7c4b433df25dc438e6c49
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Harrison Mutai [Thu, 16 Feb 2023 10:20:48 +0000 (10:20 +0000)]
feat: add support for poetry
New python dependencies are introduced by the memory mapping script.
Rather than add another `requirements.txt` utilise poetry. This is a
proper dependency management framework for Python. The two main upsides
of using poetry instead of the traditional requirements.txt are
maintainability and reproducibility.
Poetry provides a proper lock file for pinning dependencies, similar to
npm for JavaScript. This allows for separate environments (i.e. docs,
tools) to be created efficiently, and in a reproducible manner, wherever
the project is deployed. Having dependencies pinned in this manner is a
boon as a security focused project. An additional upside is that we will
receive security updates for dependencies via GitHub's Dependabot.
Change-Id: I5a3c2003769b878a464c8feac0f789e5ecf8d56c
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
docs(threat-model): add notes related to the Measured Boot
TF-A currently does not have any TPM2 driver for extending
measurements into a discrete TPM chip. In a TPM-based attestation
scheme, measurements are just stored into a TCG-compatible event
log buffer in secure memory.
In light of the fact that Event Log measurements are taken by BL1 and
BL2, we need to trust these components to store genuine measurements,
and the Generic Threat Model always mitigates against attacks on these
components, therefore, no explicit document for the Measured
Boot threat model is needed at this time.
Change-Id: I41b037b2f5956d327b53cd834345e5aefdcfb5ef
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>