As per SMCCC spec Table 2.1 bit 23:17 must be zero (MBZ),
for all Fast Calls, when bit[31] == 1.
Adding this check to ensure SMC FIDs when get to the SMC handler
have these bits (23:17) cleared, if not capture and report them
as an unknown SMCs at the core.
Also the C runtime stack is copied to the stackpointer well in
advance, to leverage the existing el3_exit routine for unknown SMC.
Mark Brown [Tue, 14 Mar 2023 20:13:03 +0000 (20:13 +0000)]
feat(tcr2): support FEAT_TCR2
Arm v8.9 introduces FEAT_TCR2, adding extended translation control
registers. Support this, context switching TCR2_EL2 and disabling
traps so lower ELs can access the new registers.
Change the FVP platform to default to handling this as a dynamic option so
the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: I297452acd8646d58bac64fc15e05b06a543e5148
Maksims Svecovs [Wed, 15 Mar 2023 13:24:44 +0000 (13:24 +0000)]
style(hooks): adds Arm copyright style fix
Adds a check to pre-commit hook that makes sure "Arm" is written in a
correct case and not "arm" or "ARM". Same as a copyright-year check, the
hook will fix the issue and prompt user to stage the fix.
refactor(build): distinguish BL2 as TF-A entry point and BL2 running at EL3
BL2_AT_EL3 is an overloaded macro which has two uses:
1. When BL2 is entry point into TF-A(no BL1)
2. When BL2 is running at EL3 exception level
These two scenarios are not exactly same even though first implicitly
means second to be true. To distinguish between these two use cases we
introduce new macros.
BL2_AT_EL3 is renamed to RESET_TO_BL2 to better convey both 1. and 2.
Additional macro BL2_RUNS_AT_EL3 is added to cover all scenarious where
BL2 runs at EL3 (including four world systems).
BREAKING CHANGE: BL2_AT_EL3 renamed to RESET_TO_BL2 across the
repository.
feat(morello): implement methods to retrieve soc-id information
Added silicon revision in the platform information SDS structure.
Implemented platform functions to retrieve the soc-id information
for the morello SoC platform. SoC revision, which is same as
silicon revision, is fetched from the morello_plat_info structure
and SoC version is populated with the part number from SSC_VERSION
register, and is reflected in bits[0:15] of soc-id.
Marco Felsch [Wed, 9 Nov 2022 11:59:09 +0000 (12:59 +0100)]
feat(build): add support for new binutils versions
Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
of a new warning when linking the bl*.elf in the form:
ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
Fix it in a similar way to what the Linux kernel does, see:
https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
Following the reasoning there, we set "-z noexecstack" for all linkers
(although LLVM's LLD defaults to it) and optional add
--no-warn-rwx-segments since this a ld.bfd related.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
Marco Felsch [Thu, 24 Nov 2022 10:02:05 +0000 (11:02 +0100)]
build(makefile): add helper to detect linker options
This is a small helper to check for possible linker options. If the
linker supports the requested option it is returned and if not nothing
will be returned, e.g.:
Merge changes from topic "imx8m_misc_changes" into integration
* changes:
feat(imx8mq): enable dram dvfs support on imx8mq
feat(imx8m): use non-fast wakeup stop mode for system suspend
feat(imx8mq): correct the slot ack setting for STOP mode
feat(imx8mq): add anamix pll override setting for DSM mode
feat(imx8mq): add workaround code for ERR11171 on imx8mq
feat(imx8mq): add the dram retention support for imx8mq
feat(imx8mq): add version for B2
fix(imx8m): backup mr12/14 value from lpddr4 chip
fix(imx8m): add ddr4 dvfs sw workaround for ERR050712
fix(imx8m): fix coverity out of bound access issue
fix(imx8m): fix the dram retention random hang on some imx8mq Rev2.0
feat(imx8m): add more dram pll setting
fix(imx8m): fix the current fsp init
fix(imx8m): fix the rank to rank space issue
fix(imx8m): fix the dfiphymaster setting after dvfs
feat(imx8m): update the ddr4 dvfs flow to include ddr3l support
fix(imx8m): correct the rank info get fro mstr
feat(imx8m): fix the ddr4 dvfs random hang on imx8m
Olivier Deprez [Wed, 16 Nov 2022 15:46:23 +0000 (16:46 +0100)]
feat(spmd): fail safe if SPM fails to initialize
The spmd_setup function is made fail safe in that a failure in the
SPMC manifest parsing, SPMD or SPMC initialization returns a success
code to the standard services initialization routine (std_svc_setup).
This permits continuing the boot process and initialize services
beyond the SPMD to succeed for the system to operate in the normal
world. It operates in a degraded mode for the secure world.
feat(fvp): copy the Event Log to TZC secured DRAM area
Copied the Event Log from internal SRAM to the TZC secured DRAM
reserved area. Also passed this Trusted DRAM address to OPTEE via
NT FW configuration, and to SPMC via TOS FW configuration,
which is eventually used to extend PCR via fTPM application running
on top of OPTEE/SPMC.
Furthermore, this patch makes it easier to access Event Log in RME
enabled systems where Secure World firmware does not have access to
internal(Root) SRAM.
Change-Id: I005e9da1e6075511f412bdf4d8b541fa543df9ab Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Reserved 4KB area for Event Log in DRAM1. This area is used by BL2
to copy Event Log from internal SRAM to this carved out DRAM region
in the subsequent patch.
Change-Id: I7b405775c66d249e31edf7688d95770e6c05c175 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
laurenw-arm [Tue, 7 Feb 2023 19:40:05 +0000 (13:40 -0600)]
test(tc): test for AP/RSS NV counter interface
Change in PLATFORM_TEST build flag from boolean -> string, with the
current string options being tfm-testsuite and rss-nv-counters.
To get the old behavior, i.e. where we used to use PLATFORM_TEST=1,
we now need to pass PLATFORM_TEST=tfm-testsuite.
Adding new test of the AP/RSS interface for non-volatile counters.
The test reads, increments, and reads again each 3 types of NV
counters for: CCA, secure, and non-secure firmware. Enabled by
PLATFORM_TEST=rss-nv-counters.
Change-Id: I2044cc9b2f37984697e0754c9c824eab51a11e7f Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com> Signed-off-by: Raef Coles <raef.coles@arm.com>
Tintu Thomas [Tue, 21 Feb 2023 17:51:24 +0000 (17:51 +0000)]
fix(tc): change the FIP offset to 8 KiB boundary
* This change overrides the default PLAT_ARM_FIP_OFFSET_IN_GPT
* This aligns the FIP base in GPT image to the RSS ATU page size
boundary (8 KiB). RSS XIP feature requires the FIP to be aligned to
the page size boundary. TC platform will require the XIP feature.
* The aligned FIP_A is starting at sector 48. Hence the offset will be
48*512 = 0x6000.
Signed-off-by: Tintu Thomas <tintu.thomas@arm.com>
Change-Id: I8135ecd4168231847c80151c33ef8353a1586b9a
Andrew Davis [Tue, 7 Mar 2023 15:22:32 +0000 (09:22 -0600)]
fix(ti): do not take system power reference in bl31_platform_setup()
Taking a reference at this early stage can cause boot failure if the DM
firmware is not fully initialized. Remove this early call until the
fix in DM firmware is widely available.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: Ic9c47ccf1e9a1b9faeb1c7d2665d54cf55ef5396
AlexeiFedorov [Tue, 7 Mar 2023 13:34:45 +0000 (13:34 +0000)]
fix(pmu): switch FVP PMUv3 SPIs to PPI
FVP PMUv3 SPIs legacy interrupts are only listed for
cluster #0 and are missing for cluster #1.
This patch changes FVP SPIs to PMUv3 PPI as in
arm_fpga.dtsi, morello.dtsi and n1sdp.dtsi.
David Vincze [Mon, 6 Mar 2023 14:02:08 +0000 (15:02 +0100)]
fix(rss): fix msg deserialization bugs in comms
-fix1: size of struct instead of pointer during reply_size check
-fix2: update the out_vec length with the actual length from reply
message (e.g. in case of an output buffer, the returned output
data length remained the size of the buffer and was not updated
with the size of the actual data in it)
Change-Id: Ibed5520ca1fb05df358de4bdf85ace219183866c Signed-off-by: David Vincze <david.vincze@arm.com>
Akshay Belsare [Mon, 27 Feb 2023 06:34:26 +0000 (12:04 +0530)]
fix(zynqmp): conditional reservation of memory in DTB
When the TF-A is placed in DDR memory range, the DDR memory range is
getting explicitly reserved in the default device tree by TF-A.
This creates an error condition in the use case where Device tree is
not present or it is present at a different location.
To fix this, a new build time parameter, XILINX_OF_BOARD_DTB_ADDR, is
introduced. The TF-A will reserve the DDR memory only when a valid
DTB address is provided to XILINX_OF_BOARD_DTB_ADDR during build.
Now the user has options, either manually reserve the desired
DDR address range for TF-A in device tree or let TF-A access and modify
the device tree, to reserve the DDR address range, in runtime using
the build parameter.
refactor(auth): use a single function for parsing extensions
Previously, extensions were parsed twice: once with error checking for
validation, and a second time without error checking to extract the
extension data. This is error prone and caused TFV-10 (CVE-2022-47630).
A simpler approach is to have get_ext() be responsible for all extension
parsing, and to treat a NULL OID as an indicator that get_ext() is only
being called for validation. cert_parse() checks that get_ext() returns
IMG_PARSER_OK and fails otherwise.
Change-Id: I65a2ff053a188351ba54799827a2b7bd833bb037 Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
fix(cpufeat): resolve build errors due to compiler optimization
Currently most of the architectural feature build flags are set
to 2(FEATURE_STATE_CHECK) for fvp platform only.
However other platforms still configure them by default to 0, which
would lead to build failures in cases when compiler configured
to build TF-A with zero optimization (CFLAGS='-O0').
This patch addresses such build issues and thereby resolves the failures
seen under CI-l3 test_configurations.
Govindraj Raja [Tue, 28 Feb 2023 11:37:02 +0000 (11:37 +0000)]
fix(mbedtls): fix mbedtls coverity issues
commit (a8eadc51a refactor(mbedtls): avoid including
MBEDTLS_CONFIG_FILE) avoids using config file directly and relies on
config file usage from mbedtls version.h
But we could build trusted boot without mbedtls dir so guard version.h
include in cot_def.h with availability of config file.
Also we refactored in same commit to break dependencies between
auth_mod.h and cot_def.h, So add cot_def.h include in nxp tbbr
cot file.
Change-Id: I4779e90c18f04c73d2121c88df6420b4b1109c8b Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Jacky Bai [Wed, 8 Jan 2020 08:56:01 +0000 (16:56 +0800)]
feat(imx8mq): add workaround code for ERR11171 on imx8mq
This new workaround takes advantage of the per core IMR
registers in GPC in order to unmask the IRQ0, still generated
by the 12bit in IOMUX_GPR register (which now remains always set),
so it can only wake up one core at the time.Also, this entire
workaround has now been moved here in TF-A, allowing the kernel
side to be minimal.
Another advantage this workaround brings is the removal of the
50us delay (which was necessary before in gic_raise_softirq in
kernel) by allowing the core that is waking up to mask his own
IRQ0 in the suspend finish callback.
One important change here is the way the cores are woken up in
dram_dvfs_handler. Since the wake up mechanism has changed from
asserting the 12th bit in IOMUX_GPR and leaving the IMR1 1st bit
on for each core to exactly the reverse, that is, leaving the
IOMUX_GPR 12th bit always set and then masking/unmasking the IMR1
1st bit for each independent core, we need to use the imx_gpc_core_wake
to wake up the cores.
Also, the 50us udelay is moved to TF-A (inside imx_pwr_domain_off)
from kernel(gic_raise_softirq), since the new cpuidle workaround
does not need it in order to clean the IOMUX_GPC 12bit. For now,
the udelay seems to be still needed in order to delay the affinity
info OFF for the dying core. This is something that needs further
investigation.
Signed-off-by: Abel Vesa <abel.vesa@nxp.com> Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Change-Id: I9f17ff6fc3452b8225a50b232964712aafeab78a
Jacky Bai [Tue, 7 Jan 2020 08:44:46 +0000 (16:44 +0800)]
feat(imx8mq): add the dram retention support for imx8mq
Add the dram retention support for i.MX8MQ. As there is
no enough ocram space available before entering TF-A,
so the timing info need to be copied from dram into ocram.
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Change-Id: Id8264c342fd62e297b1969cba5ed505450c78a25
Manish Pandey [Tue, 28 Feb 2023 10:40:54 +0000 (11:40 +0100)]
Merge changes from topic "feat_state_part2" into integration
* changes:
refactor(trf): enable FEAT_TRF for FEAT_STATE_CHECKED
refactor(brbe): enable FEAT_BRBE for FEAT_STATE_CHECKED
refactor(trbe): enable FEAT_TRBE for FEAT_STATE_CHECKED
fix(cpufeat): context-switch: move FGT availability check to callers
feat(cpufeat): extend check_feature() to deal with min/max
refactor(cpufeat): wrap CPU ID register field isolation
Jacky Bai [Tue, 16 Mar 2021 08:42:54 +0000 (16:42 +0800)]
fix(imx8m): add ddr4 dvfs sw workaround for ERR050712
APB Write data corruption following MRCTRL0.mr_wr=1 while
hardware-driven MR access is occurring
When performing a software driven MR access, the following
sequence must be done automatically before performing other
APB register accesses:
1. Set MRCTRL0.mr_wr=1
2. Check for MRSTAT.mr_wr_busy=0. If not, go to step (2)
3. Check for MRSTAT.mr_wr_busy=0 again (for the second time),
if not, go to step (2).
Signed-off-by: Jacky Bai <ping.bai@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com>
Change-Id: Ie26e08bcc83d3ed4844ed04a853162308dcdccd0
Jacky Bai [Thu, 22 Oct 2020 06:35:12 +0000 (14:35 +0800)]
fix(imx8m): fix the dram retention random hang on some imx8mq Rev2.0
It seems the DRAM APB clock root slice can NOT work normally
if the PLLs is power down in DSM mode. So update this clock
slice's setting explicitly to make it work. This piece of code
is there for a long while on previous release, so just add
it back to align with previous flow.
Signed-off-by: Jacky Bai <ping.bai@nxp.com> Reviewed-by: Anson Huang <Anson.Huang@nxp.com>
Change-Id: I113069494074194e116fdb1229052d2956bf90ea
Andre Przywara [Thu, 17 Nov 2022 17:30:43 +0000 (17:30 +0000)]
refactor(trf): enable FEAT_TRF for FEAT_STATE_CHECKED
At the moment we only support FEAT_TRF to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_TRF_FOR_NS=2), by splitting
is_feat_trf_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access TRF related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_trf_supported() function to guard its execution.
The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_TRF is an ARMv8.4 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.
Change-Id: Ia97b01adbe24970a4d837afd463dc5506b7295a3 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Thu, 17 Nov 2022 16:42:09 +0000 (16:42 +0000)]
refactor(brbe): enable FEAT_BRBE for FEAT_STATE_CHECKED
At the moment we only support FEAT_BRBE to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_BRBE_FOR_NS=2), by splitting
is_feat_brbe_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access BRBE related registers.
The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_BRBE is an ARMv9 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.
Change-Id: I5f2e2c9648300f65f0fa9a5f8e2f34e73529d053 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Thu, 17 Nov 2022 16:42:09 +0000 (16:42 +0000)]
refactor(trbe): enable FEAT_TRBE for FEAT_STATE_CHECKED
At the moment we only support FEAT_TRBE to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_TRBE_FOR_NS=2), by splitting
is_feat_trbe_present() into an ID register reading function and a second
function to report the support status. That function considers both
build time settings and runtime information (if needed), and is used
before we access TRBE related registers.
The FVP platform decided to compile in support unconditionally (=1),
even though FEAT_TRBE is an ARMv9 feature, so is not available with the
FVP model's default command line.
Change that to the now supported dynamic option (=2), so the right
decision can be made by the code at runtime.
Change-Id: Iee7f88ea930119049543a8a4a105389997e7692c Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Wed, 15 Feb 2023 15:56:15 +0000 (15:56 +0000)]
fix(cpufeat): context-switch: move FGT availability check to callers
To be inline with other features, and to allow the availability to be
checked for different contexts, move the FGT availability check out of
the save/restore functions. This is instead now checked at the caller.
Change-Id: I96e0638714f9d1b6fdadc1cb989cbd33bd48b1f6 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Wed, 1 Feb 2023 11:46:31 +0000 (11:46 +0000)]
feat(cpufeat): extend check_feature() to deal with min/max
So far the check_feature() function compares the subfield of a CPU ID
register against 0, to learn if a feature is enabled or not.
This is problematic for checks that require a certain revision of a
feature, so we should check against a minimum version number instead.
On top of that we might need to add code to support newer versions of a
feature, so we should be alerted if new hardware introduces a higher
number.
Extend the check_feature() function to take two extra arguments: the
minimum version, and the greatest currently known number.
Then make sure that the CPU ID field is in this range.
Change-Id: I425b68535a2ba9eafd31854e74d142183b521cd5 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Andre Przywara [Wed, 25 Jan 2023 12:26:14 +0000 (12:26 +0000)]
refactor(cpufeat): wrap CPU ID register field isolation
Some MISRA test complains about our code to isolate CPU ID register
fields: the ID registers (and associated masks) are 64 bits wide, but
the eventual field is always 4 bits wide only, so we use an unsigned
int to represent that. MISRA dislikes the differing width here.
Since the code to extract a feature field from a CPU ID register is very
schematic already, provide a wrapper macro to make this more readable,
and do the proper casting in one central place on the way.
While at it, use the same macro for the AArch32 feature detection side.
Change-Id: Ie102a9e7007a386f5879ec65e159ff041504a4ee Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Merge changes from topic "mbedtls3_support" into integration
* changes:
feat(stm32mp1): add mbedtls-3.3 support config
refactor(fvp): minor cleanup with TRUSTED_BOARD_BOOT
style(crypto): add braces for if statement
feat(fvp): increase BL1_RW and BL2 size
feat(mbedtls): add support for mbedtls-3.3
refactor(crypto): avoid using struct mbedtls_pk_rsassa_pss_options
refactor(mbedtls): avoid including MBEDTLS_CONFIG_FILE