The parameter over_sampling of stm32_uart_init_s is not required
as it can be computed dynamically from clock rate of the serial
device and the requested baudrate.
Oversampling by 8 is allowed only for higher speed
(up to clock_rate / 8) to reduce the maximum receiver tolerance
to clock deviation.
This patch update the driver, the serial init struct and the
only user, the stm32cubeprogrammer over uart support.
Change-Id: I422731089730a288defeb7fa49886db65d0902b2
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
- Removing platform dependencies from libc modules.
- Replacing panicking with actual error handling.
- Debug macros are included indirectly from assert.h. Removing
"platform_def.h" from assert.h and adding "common/debug.h"
where the macros are used.
- Removing hack for fixing PLAT_LOG_LEVEL_ASSERT to 40.
Instead removing assert with expression, as this
does not provide additional information.
Signed-off-by: Claus Pedersen <claustbp@google.com>
Change-Id: Icc201ea7b63c1277e423c1cfd13fd6816c2bc568
To initiate a reset or reboot, the nonsecure OS invokes the PSCI
SYSTEM_RESET function from any one core. As per the PSCI specification,
it is the responsibility of firmware to implement the system view of
the reset or reboot operation. For the platforms supported by CSS,
trigger the reset/reboot operation by sending an SGI to rest all CPUs
which are online. The CPUs respond to this interrupt by initiating its
powerdown sequence.
In addition to these changes, fix coding style issues that are not
directly related to the code being introduced in this patch.
Change-Id: I547253ee28ef7eefa78180d016893671a406bbfa
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
Before issuing the system power down command, set the trusted mailbox
to 0. This will ensure that in the case of a warm/cold reset, the
primary CPU executes from the cold boot sequence, clearing any stale
jump address at this location.
Change-Id: I491ef5baf7a6728acd7e90e4558939ba77b8f9bf
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
This patch adds two helper functions:
- plat_ic_raise_ns_sgi to raise a NS SGI
- plat_ic_raise_s_el1_sgi to raise a S-EL1 SGI
Signed-off-by: Florian Lugou <florian.lugou@provenrun.com>
Change-Id: I6f262dd1da1d77fec3f850eb74189e726b8e24da
The boot partition size of an eMMC is given in ext_csd register, at
offset 226 (BOOT_SIZE_MULT), which has to be multiplied by 128kB.
Add a helper function mmc_boot_part_size() to get this eMMC boot
partition size.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I0e8e0fc9632f147fa1b1b3374accb78439025403
The scratch buffer could be large. The new function allows
platform to defined its own external buffer or use the default
one.
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Change-Id: Ib7ab8ff19fa0a9cb06e364f058b91af58c3c471a
Instead of using hard-coded values in stm32_sdmmc2_read() function,
use a defined SDMMC_FIFO_SIZE, which is 64 on STM32MP1.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I1ace0a28fbddae474379f0187371b9c360ceb7b3
Although not recommended, the reset property could be made optional.
This way the driver will probe even if no reset property is provided
in an sdmmc node in DT. This reset is already optional in Linux.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I6e63ff00118d9497f505d6379982334dd62686ca
For SD-cards, CMD6 is used to switch functions, like setting high speed
mode. As it has another meaning for eMMC, and may not work on standard
capacity SD-cards, it must be checked with MMC_IS_SD_HC flag.
As ACMD6 is also used, and will have the same index, a check on
CMD/ACMD commands is done: a boolean is stored depending on previous
command. It is set to true if CMD55 is issued, for other commands
it is set to false.
Change-Id: I6c2b9c7637656f858601ec075de1cb5f57af271a
Signed-off-by: Yann Gautier <yann.gautier@st.com>
On SD-cards, Switch Function Command (CMD6) is used to switch
functions, like setting High Speed mode. It is useful for high capacity
cards to double frequency (from 25MHz by default to 50MHz).
If the SD-card is High Capacity, a CMD6 is issued after filling the
device information. If High Speed mode is supported and the switch is
OK, then the max_bus_freq can be set to 50MHz. The driver set_ios()
function should then be called to update peripheral configuration,
especially clock prescaler.
Change-Id: I2d6807aa7f9440d2b2f907a747cd3b47a2ba1545
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The ETZPC peripheral is always secure, and has a fixed address,
given by STM32MP1_ETZPC_BASE. This is then not needed to check
that in DT.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: Ifb0779abaf830e1e5a469c72181c2b2726fb47b5
Clock name is not used and can be removed for code size optimization.
Change-Id: I75f6a1828e4374004e31a7ce13fa6885c52bbac3
Signed-off-by: Gabriel Fernandez <gabriel.fernandez@foss.st.com>
The divn_max field is unused, remove it.
Change-Id: I971912bcc035f16963d98dfa88782c8aed4415f2
Signed-off-by: Gabriel Fernandez <gabriel.fernandez@foss.st.com>
Initialising these registers with header address will not work when
get_empty_slot returns anything other than 0 because these registers
should point to the starting of transfer request list instead of the
current descriptor
Change-Id: I60b3b59e2be6e2635a59b14dd1f11d93b9d95a1f
Signed-off-by: anans <anans@google.com>
The entire packet including UPIUs and PRDT is 0x400 but the controller
just looks for the header (32-bytes) from the UTRL
Change-Id: Ibd5d22b4a841c107fdf6447d598c5c600998e0f8
Signed-off-by: Anand Saminathan <anans@google.com>
This patch introduces support to validate the GIC-700 multichip data
structure passed by the platform.
GIC-700 provides support for SPI ID 4096 to 5119. Platforms using the
GIC-700 in a multichip configuration can enable these SPI IDs. The
driver needs to validate the data before using it and this patch
implements the support.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I6f85ec21ef7a59f397fcf6271f8c13c24fe47697
utrlbau should point to header and not upiu
this is the case everywhere except for ufs_prepare_cmd
Signed-off-by: anans <anans@google.com>
Change-Id: I02695824c1409124a60e63c3a7ff3278a4dc5fa8
These polling loops are not required according to the spec
Signed-off-by: anans <anans@google.com>
Change-Id: I50d832ba495f30cc7a0553c84e58b747d51e0a4e
This change replaces the polling loop with fixed number of retries,
returns error values and handles them in ufs_enum.
Signed-off-by: Rohit Ner <rohitner@google.com>
Change-Id: Ia769ef26703c7525091e55ff46aaae4637db933c
Add function to return the partition by type.
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Change-Id: I87729dc5e68fbc45a523c894b67595b0079dd8fb
Add braces to correct MISRA C2012 15.6 warning:
The body of an iteration-statement or a selection-statement shall be a
compound-statement.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If26f3732d31df11bf389a16298ec9e9d8a4a2279
The function clk_oscillator_wait_ready() was wrongly checking the set
bit and not the ready bit. Correct that by using osc_data->gate_rdy_id
when calling _clk_stm32_gate_wait_ready().
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: Ida58f14d7f0f326b580ae24b98d6b9f592d2d711
Firmware buffer has already been mapped when loading 1D firmware,
so the same buffer address will be re-mapped when loading 2D
firmware. Move the buffer mapping to be out of load_fw().
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: Idb29d504bc482a1e7ca58bc51bec09ffe6068324
According to TCG PC Client Platform Firmware Profile Specification
(Section 10.2.2, TCG_PCR_EVENT2 Structure, and 10.4.5 EV_NO_ACTION Event
Types), all EV_NO_ACTION events shall set TCG_PCR_EVENT2.digests to all
0x00's for each allocated Hash algorithm.
Right now, this is not enforced. Only part of the buffer is zeroed due
to the wrong macro being used for the size of the buffer in the clearing
operation (TPM_ALG_ID instead of TCG_DIGEST_SIZE). This could confuse
a TPM event log parser.
Also, add an assertion to ensure that the Event Log size is large enough
before writing the Event Log header.
Change-Id: I6d4bc3fb28fd10c227e33c8c7bb4a40b08c3fd5e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
With RSS now introduced, we have 2 Measured Boot backends. Both backends
can be used in the same firmware build with potentially different hash
algorithms, so now there can be more than one hash algorithm in a build.
Therefore the logic for selecting the measured boot hash algorithm needs
to be updated and the coordination of algorithm selection added. This is
done by:
- Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm
to replace TPM_HASH_ALG, removing reference to TPM.
- Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to
replace TPM_HASH_ALG.
- Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the
Measured Boot configuration macros through defining
TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either
backend requires a stronger algorithm than SHA-256.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
If the interrupt being targeted is released from the CPU before the
CLEAR command is sent to the CPU then a subsequent SET command may not
be delivered in a finite time. To workaround this, issue an unblocking
event by toggling GICR_CTLR.DPG* bits after clearing the cpu group
enable (EnableGrp* bits of GIC CPU interface register)
This fix is implemented as per the errata 2384374-part 2 workaround
mentioned here:
https://developer.arm.com/documentation/sden892601/latest/
Change-Id: I13926ceeb7740fa4c05cc5b43170e7ce49598f70
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This chain of trust is targeted at Arm CCA solutions and defines 3
independent signing domains:
1) CCA signing domain. The Arm CCA Security Model (Arm DEN-0096.A.a) [1]
refers to the CCA signing domain as the provider of CCA components
running on the CCA platform. The CCA signing domain might be independent
from other signing domains providing other firmware blobs.
The CCA platform is a collective term used to identify all hardware and
firmware components involved in delivering the CCA security guarantee.
Hence, all hardware and firmware components on a CCA enabled system that
a Realm is required to trust.
In the context of TF-A, this corresponds to BL1, BL2, BL31, RMM and
associated configuration files.
The CCA signing domain is rooted in the Silicon ROTPK, just as in the
TBBR CoT.
2) Non-CCA Secure World signing domain. This includes SPMC (and
associated configuration file) as the expected BL32 image as well as
SiP-owned secure partitions. It is rooted in a new SiP-owned key called
Secure World ROTPK, or SWD_ROTPK for short.
3) Platform owner signing domain. This includes BL33 (and associated
configuration file) and the platform owner's secure partitions. It is
rooted in the Platform ROTPK, or PROTPK.
[1] https://developer.arm.com/documentation/DEN0096/A_a
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I6ffef3f53d710e6a2072fb4374401249122a2805
Replay-protected memory block access is enabled by writing 0x3
to PARTITION_ACCESS (bit[2:0]). Instead the driver is using the
first boot partition, which does not provide any playback protection.
Additionally, it unconditionally activates the first boot partition,
potentially breaking boot for SoCs that consult boot partitions,
require boot ack or downgrading to an old bootloader if the first
partition happens to be the inactive one.
Also, neither enabling or disabling the RPMB observes the
PARTITION_SWITCH_TIME. As there are no in-tree users for these
functions, drop them for now until a properly functional implementation
is added. That one will likely share most code with the existing boot
partition switch, which doesn't suffer from the described issues.
Change-Id: Ia4a3f738f60a0dbcc33782f868cfbb1e1c5b664a
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Disabling access to the boot partition reverts the MMC to read from the
user area. Add a macro to make this clearer.
Suggested-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: I34a5a987980bb4690d08d255f465b11a4697ed5a
At the moment, mmc_boot_part_read_blocks() takes care to switch
to the boot partition before transfer and back afterwards.
This can introduce large overhead when reading small chunks.
Give consumers of the API more control by exporting
mmc_part_switch_current_boot() and mmc_part_switch_user().
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Change-Id: Ib641f188071bb8e0196f4af495ec9ad4a292284f
Created a function to abort all pending NS DMA transactions to
engage complete DMA protection. This call will be used by the
subsequent DRTM implementation changes.
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Signed-off-by: Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
Change-Id: I94992b54c570327d6746295073822a9c0ebdc85d
This change makes use of 32-bit crc for calculating gpt header crc
and compares it with the given value.
Signed-off-by: Rohit Ner <rohitner@google.com>
Change-Id: I49bca7aab2c3884881c4b7d90d31786a895290e6
Corrects the function reporting the SCMI protocols supported by the
platform to not assume 8 protocol IDs at most can be returned. Indeed
the number of protocol IDs returned depends on the SCMI output buffer
size.
Change-Id: Idafbe02d2b25b3bcacaf25977c560c0ac5bb8d62
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Corrects the size of the SCMI response payload when querying the list
of the supported protocol. This response payload size depends on the
number of protocols enumerated by the response.
Change-Id: Ib01eb5cec6c6656dfd7d88ccdd5a720c1deee7a3
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Runtime Security Subsystem (RSS) provides for the host:
- Runtime service to store measurments, which were
computed by the host during measured boot.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ia9e4e8a1fe8f01a28da1fd8c434b780f2a08f94e
This commit adds a driver to conduct the AP's communication
with the Runtime Security Subsystem (RSS).
RSS is Arm's reference implementation for the CCA HES [1].
It can be considered as a secure enclave to which, for example,
certain services can be offloaded such as initial attestation.
RSS comms driver:
- Relies on MHU v2.x communication IP, using a generic MHU API,
- Exposes the psa_call(..) API to the upper layers.
[1] https://developer.arm.com/documentation/DEN0096/latest
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ib174ac7d1858834006bbaf8aad0eb31e3a3ad107
The Arm Message Handling Unit (MHU) is a mailbox controller used to
communicate with other processing element(s). Adding a driver to
enable the communication:
- Adding generic MHU driver interface,
- Adding MHU_v2_x driver.
Driver supports:
- Discovering available MHU channels,
- Sending / receiving words over MHU channels,
- Signaling happens over a dedicated channel.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: I41a5b968f6b8319cdbdf7907d70bd8837839862e
Waiting for SR_BUSY bit when receiving a new command is not needed.
SR_BUSY bit is already managed in the previous command treatment.
Change-Id: I736e8488d354cb165ae765022d864cca1dbdc9ee
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
Currently, SR_TCF flag is checked in case there is data, this criteria
is not correct.
SR_TCF flags is set when programmed number of bytes have been
transferred to the memory device ("bytes" comprised command and data
send to the SPI device).
So even if there is no data, we must check SR_TCF flag.
Change-Id: I99c4145e639c1b842feb3690dd78329179c18132
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
This change performs a basic configuration of the SMMU root registers
interface on an RME enabled system. This permits enabling GPC checks
for transactions originated from a non-secure or secure device upstream
to an SMMU. It re-uses the boot time GPT base address and configuration
programmed on the PE.
The root register file offset is platform dependent and has to be
supplied on a model command line.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I4f889be6b7afc2afb4d1d147c5c1c3ea68f32e07
according to the spec, the response to read attr comes in the
ts.attr.value field and not in the data segment.
Signed-off-by: anans <anans@google.com>
Change-Id: Iaf21883bb7e364fd7c7e4bccb33359367a0cf99d
ufs controller needs to be disabled if already enabled, without
this we noticed a crash at linkstartup during reinit
Signed-off-by: anans <anans@google.com>
Change-Id: I523c5d57c1d34f6404a6368ee3f364fbffd2e542
Upgrade to the latest and greatest 2.x release of Mbed TLS library
(i.e. v2.28.0) to take advantage of their bug fixes.
Note that the Mbed TLS project published version 3.x some time
ago. However, as this is a major release with API breakages, upgrading
to 3.x might require some more involved changes in TF-A, which we are
not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7
release of TF-A.
Actually, the upgrade this time simply boils down to including the new
source code module 'constant_time.c' into the firmware.
To quote mbed TLS v2.28.0 release notes [1]:
The mbedcrypto library includes a new source code module
constant_time.c, containing various functions meant to resist timing
side channel attacks. This module does not have a separate
configuration option, and functions from this module will be
included in the build as required.
As a matter of fact, if one is attempting to link TF-A against mbed
TLS v2.28.0 without the present patch, one gets some linker errors
due to missing symbols from this new module.
Apart from this, none of the items listed in mbed TLS release
notes [1] directly affect TF-A. Special note on the following one:
Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32.
In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption
feature is enabled with AES-GCM as the authenticated decryption
algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable
which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a
32-bit value which by definition is always less than 2**32. Therefore,
we are immune to this bug.
With this upgrade, the size of BL1 and BL2 binaries does not appear to
change on a standard sample test build (with trusted boot and measured
boot enabled).
[1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0
Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
time taken for device init varies based on different devices,
instead of waiting for 200ms - we can poll on fdevice init
until it gets cleared, similar to what linux does
Change-Id: I571649231732fde0cd6d5be89b6f14fe905fcaff
Signed-off-by: anans <anans@google.com>
The result variable is not being used so it's better to delete it.
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: Icae614076ce1ba7cdc86267473d59a8bec682f6c
The following SMIDs are disabled by default.
* GICD: MBIST REQ error and GICD FMU ClkGate override
* PPI: MBIST REQ error and PPI FMU ClkGate override
* ITS: MBIST REQ error and ITS FMU ClkGate override
This patch explicitly enables them during the FMU init sequence.
Change-Id: I573e64786e3318d4cbcd07d0a1caf25f8e6e9200
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch updates the gic600_fmu_init function to disable all safety
mechanisms for a block ID that is not present on the platform. All
safety mechanisms for GIC-600AE are enabled by default and should be
disabled for blocks that are not present on the platform to avoid
false positive RAS errors.
Change-Id: I52dc3bee9a8b49fd2e51d7ed851fdc803a48e6e3
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
The GIC-600AE uses a range of RAS features for all RAMs, which include
SECDED, ECC, and Scrub, software and bus error reporting. The GIC makes
all necessary information available to software through Armv8.2 RAS
architecture compliant register space.
This patch introduces support to probe the FMU_ERRGSR register to find
the right error record. Once the correct record is identified, the
"handler" function queries the FMU_ERR<m>STATUS register to further
identify the block ID, safety mechanism and the architecturally defined
primary error code. The description of the error is displayed on the
console to simplify debug.
Change-Id: I7e543664b74457afee2da250549f4c3d9beb1a03
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Patrick Delaunay
Claus Pedersen
Pranav Madhu
Florian Lugou
Jayanth Dodderi Chidanand
Yann Gautier
Lionel Debieve
Yann Gautier
Gabriel Fernandez
anans
Varun Wadekar
Rohit Ner
Jiafei Pan
Manish V Badarkhe
laurenw-arm
Ahmad Fatoum
Lucian Paul-Trifu
Etienne Carriere
Tamas Ban
Christophe Kerello
Olivier Deprez
Sandrine Bailleux
Jorge Troncoso