BL32_LIMIT has been increased from 2MB to 4MB to accommodate
the latest tee.bin (it is around ~2.1MB).
Change-Id: I47b770bf23c23d38931a2b3316d076b829338d70 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Co-developed-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Govindraj Raja [Wed, 10 May 2023 19:50:36 +0000 (14:50 -0500)]
fix(spmd): fix build error with spmd
Currently when we build with 'SPD=spmd SPMD_SPM_AT_SEL2=0'
options, this causes a build failure as
'plat_spmd_handle_group0_interrupt' is called irrespective of
'SPMD_SPM_AT_SEL2' usage in 'spmd_group0_interrupt_handler_nwd'
So make 'plat_spmd_handle_group0_interrupt' dummy implementation
available just when spmd is enabled and SPMC_AT_EL3 is disabled.
Change-Id: Iaccd38faab81671c98f9165f318145187dca9bc2 Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Stephan Gerhold [Thu, 6 Apr 2023 19:43:37 +0000 (21:43 +0200)]
fix(msm8916): add timeout for crash console TX flush
Resetting the UART DM controller while there are still remaining
characters in the FIFO often results in corruption on the UART receiver
side. To avoid this the msm8916 crash console implementation tries to
wait until the TX FIFO is empty.
Unfortunately this might spin forever if the transmitter was disabled
before it has fully finished transmitting. In this case the TXEMT bit
console_uartdm_core_flush is waiting for will never get set.
There seems to be no good way to detect if the transmitter is actually
enabled via the status registers. However, the TX FIFO is fairly small
and should not take too long to get flushed, so fix this by simply
limiting the amount of iterations with a short timeout.
Move the code to console_uartdm_core_init to ensure that this always
happens before resetting the transmitter (also during initialization).
Change-Id: I5bb43cb0b6c029bcd15e253d60d36c0b310e108b Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Stephan Gerhold [Wed, 22 Mar 2023 17:15:15 +0000 (18:15 +0100)]
feat(msm8916): expose more timer frames
The memory-mapped generic timer on msm8916 has 7 timer frames, but
currently only one is exposed for usage in the non-secure world.
The platform port is currently only designed to be used as minimal PSCI
implementation, without secure world that could make use of the other
timer frames. Let's make all of them available to the normal world.
If needed this could still be changed later by reserving some timer
frames conditionally to a specific SPD being enabled in the build.
Change-Id: Ib59df16aa1fd3dbc875ab6369c133737830c98c6 Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Stephan Gerhold [Wed, 22 Mar 2023 17:15:15 +0000 (18:15 +0100)]
fix(msm8916): drop unneeded initialization of CNTACR
Normal world software is responsible to initialize CNTACR as needed.
There is no existing software for msm8916 that depends on having this
initialization in BL31 so drop it before anything starts to rely on it.
Related issue: https://github.com/ARM-software/tf-issues/issues/170
Change-Id: I9d037ab218c0c1c8a5d5523722013eba531f4728 Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Stephan Gerhold [Tue, 14 Mar 2023 10:09:44 +0000 (11:09 +0100)]
build(msm8916): disable unneeded workarounds
The Cortex-A53 cores used in the msm8916 platform are not affected by
CVE-2017-5715 and CVE-2022-23960, so disable the workarounds for them
to drop the unused code from the compiled binary.
Change-Id: I9df5a4657c4fd90702b4db4e82d4ee1a2f60303c Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Stephan Gerhold [Sat, 17 Sep 2022 16:21:20 +0000 (18:21 +0200)]
fix(msm8916): flush dcache after writing msm8916_entry_point
msm8916_entry_point is read with caches off (and even from two
different physical addresses when read through the "boot remapper"),
so it should be flushed to RAM after writing it.
Change-Id: I5c8193954bb28043b0a46fb2038f629bd8796c74 Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Stephan Gerhold [Tue, 23 Aug 2022 20:33:11 +0000 (22:33 +0200)]
fix(msm8916): print \r before \n on UART console
UART drivers in TF-A are expected to print \r before \n. Some terminal
emulators expect \r\n as line endings by default so not doing this
causes broken line breaks.
Change-Id: I271a35a7c6907441bc71713b0b6a1da19da96878 Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Andre Przywara [Fri, 27 Jan 2023 12:25:49 +0000 (12:25 +0000)]
refactor(cpufeat): enable FEAT_RAS for FEAT_STATE_CHECKED
At the moment we only support FEAT_RAS to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (FEAT_RAS=2), by splitting
is_armv8_2_feat_ras_present() into an ID register reading function and
a second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we access RAS related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_ras_supported() function to guard its execution.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I30498f72fd80b136850856244687400456a03d0e Signed-off-by: Andre Przywara <andre.przywara@arm.com> Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Manish Pandey [Mon, 13 Feb 2023 12:39:17 +0000 (12:39 +0000)]
refactor(ras): replace RAS_EXTENSION with FEAT_RAS
The current usage of RAS_EXTENSION in TF-A codebase is to cater for two
things in TF-A :
1. Pull in necessary framework and platform hooks for Firmware first
handling(FFH) of RAS errors.
2. Manage the FEAT_RAS extension when switching the worlds.
FFH means that all the EAs from NS are trapped in EL3 first and signaled
to NS world later after the first handling is done in firmware. There is
an alternate way of handling RAS errors viz Kernel First handling(KFH).
Tying FEAT_RAS to RAS_EXTENSION build flag was not correct as the
feature is needed for proper handling KFH in as well.
This patch breaks down the RAS_EXTENSION flag into a flag to denote the
CPU architecture `ENABLE_FEAT_RAS` which is used in context management
during world switch and another flag `RAS_FFH_SUPPORT` to pull in
required framework and platform hooks for FFH.
Proper support for KFH will be added in future patches.
BREAKING CHANGE: The previous RAS_EXTENSION is now deprecated. The
equivalent functionality can be achieved by the following
2 options:
- ENABLE_FEAT_RAS
- RAS_FFH_SUPPORT
Manish Pandey [Tue, 9 May 2023 09:26:11 +0000 (11:26 +0200)]
Merge changes from topic "assert_boolean_set" into integration
* changes:
build!: check boolean flags are not empty
fix(build): add a default value for INVERTED_MEMMAP
fix(a5ds): add default value for ARM_DISABLE_TRUSTED_WDOG
fix(st-crypto): move flag control into source code
fix(stm32mp1): always define PKA algos flags
fix(stm32mp1): remove boolean check on PLAT_TBBR_IMG_DEF
Govindraj Raja [Fri, 5 May 2023 14:09:36 +0000 (09:09 -0500)]
fix(build): allow lower address access with gcc-12
With gcc-12 any lower address access can trigger a warning/error
this would be useful in other parts of system but in TF-A
there are various reasons to access to the lower address ranges,
example using mmio_read_*/writes_*
So setup to allow access to lower addresses while using gcc-12
Change-Id: Id1b4012b13bc6876d83b90a347fee12478a1921d Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Sona Mathew [Tue, 14 Mar 2023 22:58:13 +0000 (17:58 -0500)]
feat(fvp): enable errata management interface
Errata ABI feature specific build flag, flag to enable
CPUs in the cpu list, flags to test non-arm interconnect based
errata flags when enabled from a platform level.
Added to the FVP platform makefile to test the errata abi feature
implementation.
The flags to enable CPUs in the cpu list will be removed once
synchronized with the errata framework.
Change-Id: I30877a22ac1348906a6ddfb26f9e8839912d3572 Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
The workarounds for these below mentioned errata are not implemented
in EL3, but the flags can be enabled/disabled at a platform level
based on arm/non-arm interconnect IP. The ABI helps assist the Kernel
in the process of mitigation for the following errata:
EL3 provides an appropriate return value via errata ABI when the
kernel makes an SMC call using the EM_CPU_ERRATUM_FEATURES FID with the
appropriate erratum ID.
Change-Id: I35bd69d812dba37410dd8bc2bbde20d4955b0850 Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
This patch adds the errata management firmware interface for lower ELs
to discover details about CPU erratum. Based on the CPU erratum
identifier the interface enables the OS to find the mitigation of an
erratum in EL3.
The ABI can only be present in a system that is compliant with SMCCCv1.1
or higher. This implements v1.0 of the errata ABI spec.
For details on all possible return values, refer the design
documentation below:
ABI design documentation:
https://developer.arm.com/documentation/den0100/1-0?lang=en
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Change-Id: I70f0e2569cf92e6e02ad82e3e77874546232b89a
Boyan Karatotev [Tue, 6 Dec 2022 09:03:42 +0000 (09:03 +0000)]
fix(pmu): unconditionally save PMCR_EL0
Reading back a RES0 bit does not necessarily mean it will be read as 0.
The Arm ARM explicitly warns against doing this. The PMU initialisation
code tries to set such bits to 1 (in MDCR_EL3) regardless of whether
they are in use or are RES0, checking their value could be wrong and
PMCR_EL0 might not end up being saved.
Save PMCR_EL0 unconditionally to prevent this. Remove the security state
change as the outgoing state is not relevant to what the root world
context should look like.
Boyan Karatotev [Wed, 8 Mar 2023 16:29:26 +0000 (16:29 +0000)]
refactor(cm): make SVE and SME build dependencies logical
Currently, enabling SME forces SVE off. However, the SME enablement
requires SVE to be enabled, which is reflected in code. This is the
opposite of what the build flags require.
Further, the few platforms that enable SME also explicitly enable SVE.
Their platform.mk runs after the defaults.mk file so this override never
materializes. As a result, the override is only present on the
commandline.
Change it to something sensible where if SME is on then code can rely on
SVE being on too. Do this with a check in the Makefile as it is the more
widely used pattern. This maintains all valid use cases but subtly
changes corner cases no one uses at the moment to require a slightly
different combination of flags.
While doing RAS related tests there were few patches related with
fault injection and handling were applied through CI hooks.
These patches were invisible as they were applied and removed after the
build is done.
This patch introduces build macro PLATFORM_TEST_RAS_FFH and moves the
patches applied through CI under this.
feat(tc): allow secure watchdog timer to trigger periodically
This patch does the following:
1. Configures SBSA secure watchdog timer as Group0 interrupt for
TC platform while keeping it as Group1 secure interrupt for
other CSS based SoCs.
2. Programs the watchdog timer to trigger periodically
3. Provides a Group0 interrupt handler for TC platform port to
deactivate the EL3 interrupt due to expiry of secure watchdog
timer and refresh it explicitly.
Merge changes from topic "allwinner_t507" into integration
* changes:
feat(allwinner): add support for Allwinner T507 SoC
feat(allwinner): add function to detect H616 die variant
feat(allwinner): add extra CPU control registers
refactor(allwinner): consolidate sunxi_cfg.h files
laurenw-arm [Wed, 3 May 2023 17:48:55 +0000 (12:48 -0500)]
fix(tc): only suspend booting after running plat tests
1. When doing a normal boot, tc_bl31_common_platform_setup() should
simply configure the platform and return.
2. When we are running the platform tests instead,
tc_bl31_common_platform_setup() should run the tests then suspend
booting (and thus never return).
We were incorreclty suspending the boot in case 1 as well. Put that
code under a preprocessor condition (PLATFORM_TEST_NV_COUNTERS or
PLATFORM_TEST_TFM_TESTSUITE) to fix this.
For numeric flags, there is a check for the value to be set. Do the same
for boolean flags. This avoids issues where a flag is defined but
without a value, leading to potential unexpected behaviors.
Olivier Deprez [Wed, 3 May 2023 16:15:40 +0000 (18:15 +0200)]
Merge changes from topic "mp/group0_support" into integration
* changes:
docs(spm): support for handling Group0 interrupts
feat(spmd): introduce platform handler for Group0 interrupt
feat(spmd): add support for FFA_EL3_INTR_HANDLE_32 ABI
feat(spmd): register handler for group0 interrupt from NWd
Andre Przywara [Thu, 27 Apr 2023 12:46:41 +0000 (13:46 +0100)]
fix(psci): do not panic on illegal MPIDR
Commit 66327414fb1e ("fix(psci): potential array overflow with cpu on")
changed an assert in the PSCI library's psci_cpu_on_start() function to
a runtime error message, followed by a panic. This does not seem right
for two reasons:
- We must not panic() triggered by conditions influenced by lower EL
callers. If non-secure world provides illegal arguments to a PSCI
call, we can easily detect this and return -PSCI_E_INVALID_PARAMS, as
the PSCI spec demands. In fact this is done already, which brings us
to the next reason:
- psci_cpu_on_start() is effectively a function private to the PSCI
library: its prototype is in psci_private.h. It's just not static
because it lives in a different code file from the main PSCI code.
We check for illegal MPID values already in psci_cpu_on(), and return
an error value to the caller, as we should. This function is the ONLY
caller of psci_cpu_on_start(), so there is no way we get an illegal
target_cpu argument into this function. An assert() is thus the proper
way to check for this.
Mostly revert the patch mentioned above, just extending the assert so
that it does also check for not exceeding the array boundaries.
To harden the code, add a check against PLATFORM_MAX_CORE_COUNT in
psci_validate_mpidr(), and return with the proper PSCI error code if
this number is exceeded.
This also fixes the sun50i_a64 build with DEBUG=1, which exceeded an
SRAM limit due to the error message.
Change-Id: I48fc58d96b0173da5b934750f4cadf7884ef5e42 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Werner Lewis [Wed, 15 Feb 2023 16:03:27 +0000 (16:03 +0000)]
fix(morello): add platform-specific power domain functions
Commit 4d8c18196378824e388cf31ef991ba8fbbb09cbf added a redistributor
power off to resolve an error on N1SDP/Morello. Prior to this fix,
turning off both cores in a cluster would cause a hang when powering
back on either core. This change introduced issues on other platforms
with a different GIC implementation, and was reverted in commit 60719e4e0965aead49d927f12bf2a37bd2629012.
This commit uses the previous fix in platform-specific implementations
of power domain off/suspend functions.
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
Change-Id: Ib7689a5e08ada3862406fa92019a6f0bcfb48d79
Chris Kay [Tue, 28 Mar 2023 16:38:02 +0000 (17:38 +0100)]
build(psci): move `runtime_errata.S` to PSCI
Move the runtime errata source file into the PSCI library, as PSCI is
the only component directly dependent on it, and it doesn't require
internal access to the CPUs library.
Change-Id: I92826714d49b1b0131f62c158543b4c167ab9aa8 Signed-off-by: Chris Kay <chris.kay@arm.com>
Chris Kay [Wed, 22 Mar 2023 15:42:32 +0000 (15:42 +0000)]
build: allow BL-specific includes/definitions
This change introduces the `BLx_INCLUDE_DIRS` and `BLx_DEFINES`
Makefile variables, which can be used to append include directories
and preprocessor definitions to specific images created using the
`MAKE_BL` Makefile macro.
Change-Id: I9431f9d1cbde5b0b2624d9ce128a4f043c74c87f Signed-off-by: Chris Kay <chris.kay@arm.com>
J-Alves [Thu, 16 Mar 2023 15:26:52 +0000 (15:26 +0000)]
feat(fvp): define ns memory in the SPMC manifest
The SPMC (Hafnium) looks for secure and non-secure ranges
in its manifest.
Those relate with ranges that can be used by SPs in their
FF-A manifests.
The NS memory that is not used by SPs will be assigned
to the NWd, for it to share memory with SPs as needed.
Thus, this limits the memory the NWd can share with SPs,
to prevent NWD VMs from sharing memory that belongs
to other critical components.
feat(spmd): introduce platform handler for Group0 interrupt
This patch introduces a handler for FVP platform to triage Group0
secure interrupts. Currently, it is empty but serves as a
placeholder for future Group0 interrupt sources.
Moreover, this patch also provides a dummy implementation of the
above mentioned platform hook for QEMU, corstone100, n1sdp and
hikey960 ports.
feat(spmd): add support for FFA_EL3_INTR_HANDLE_32 ABI
When Group0 Secure interrupts in secure world get trapped to S-EL2
SPMC, FFA_EL3_INTR_HANDLE ABI is invoked by SPMC to delegate
interrupt handling to EL3 firmware (i.e., SPMD).
SPMD further delegates to platform handler which successfully handles
the Group0 secure interrupt before returning control to SPMC.
feat(spmd): register handler for group0 interrupt from NWd
SPMD registers a generic handler with the interrupt management
framework to handle Group0 secure interrupt from normal world.
The handler further delegates to the platform for successful
handling of the interrupt.
feat(el3-runtime): handle traps for IMPDEF registers accesses
This patch introduces support to handle traps from lower ELs for
IMPDEF system register accesses. The actual support is left to the
platforms to implement.
fix(tegra): remove dependency on CPU registers to get boot parameters
Commit 3e14df6f6 removed the code to clear the CPU registers X0 - X3,
which affected the Tegra platforms. Tegra platforms rely on the boot
parameters passed through custom mechanisms and do not use these
general purpose registers, but maintained sanity checks to support
legacy bootloaders. These sanity checks went out of sync due to the
code cleanup from bl31_entrypoint().
This patch removes the checks and calls the SOC specific handlers to
retrieve the boot parameters.
docs: remove plat_convert_pk() interface from release doc
The code was already removed as part of commit 4ac5b3949d87
"refactor(auth): replace plat_convert_pk". The present commit just
removes it from the release documentation.
refactor(cpus): use BIT macro in a consistent manner
In assembly code, BIT macro is used with a preceding hash #. Let's
update Cortex X1 code to follow the same convention. Excluding hash
doesn't cause compilation to fail or emit incorrect code.
FEAT_SME2 is an extension of FEAT_SME and an optional feature
from v9.2. Its an extension of SME, wherein it not only
processes matrix operations efficiently, but also provides
outer-product instructions to accelerate matrix operations.
It affords instructions for multi-vector operations.
Further, it adds an 512 bit architectural register ZT0.
This patch implements all the changes introduced with FEAT_SME2
to ensure that the instructions are allowed to access ZT0
register from Non-secure lower exception levels.
Additionally, it adds support to ensure FEAT_SME2 is aligned
with the existing FEATURE DETECTION mechanism, and documented.
Macro esb used in TF-A executes the instruction "esb" and is kept under
RAS_EXTENSION macro. RAS_EXTENSION, as it stands today, is only enabled
for platforms which wants RAS errors to be handled in Firmware while esb
instruction is available when RAS architecture feature is present
irrespective of its handling.
Currently TF-A does not have mechanism to detect whether RAS is present
or not in HW, define this macro unconditionally.
Its harmless for non-RAS cores as this instruction executes as NOP.
projects / arm-tf.git / log