manage_extensions_nonsecure() is problematic because it updates both
context and in-place registers (unlike its secure/realm counterparts).
The in-place register updates make it particularly tricky, as those
never change for the lifetime of TF-A. However, they are only set when
exiting to NS world. As such, all of TF-A's execution before that
operates under a different context. This is inconsistent and could cause
problems.
This patch Introduce a real manage_extensions_nonsecure() which only
operates on the context structure. It also introduces a
cm_manage_extensions_el3() which only operates on register in-place that
are not context switched. It is called in BL31's entrypoints so that all
of TF-A executes with the same environment once all features have been
converted.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ic579f86c41026d2054863ef44893e0ba4c591da9
Adding basic CPU library code to support the Hermes CPU.
Change-Id: I61946033fe5fafb56ceb2d14d4c796d85b30457e
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
As the unit testing project uses the host machine GCC version to
compile, it is marking non-casted references as errors. This patch adds
the proper casting, so it compiles correctly for both Arm platforms and
host machines for unit testing.
Change-Id: Iee96e9117301ba28b6f164aac2cd36dc0f8b6be8
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
The current implementation of macro L/LL/UL/ULL concatenates the input
with "L"/"LL"/"UL"/"ULL" respectively.
In the case where a macro is passed to L/LL/UL/ULL as input,
the input macro name is concatenated with, rather than expanding
the input macro and then concatenating it.
The implementation of L/LL/UL/ULL is modified to two level macro,
so as to concatenate to the expansion of a macro argument.
Change 5b33ad174a "Unify type of "cpu_idx" across PSCI module."
has modified the implementation of U() to two level macros without
changing the implementation of other macros.
Change-Id: Ie93d67dff5ce96223a3faf6c98b98fcda530fc34
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
TF-A code supports SMCCC spec version 1.4 while version is still kept
1.2. Bump up the version.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie5476c4601bd504d3f3e8433e1d672ebd0a758b1
Figuring out the naming format of errata is annoying, so add a shorthand
for the custom checker functions. Also add some more semantic macros
instead of passing around constants.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ibdcf72146738026df4ebd047bfb30790fd4a1053
To support memcpy_s for better security purpose
to avoid overflowing the dest while copy from src.
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I63c3ea6a3e99c10d69be6bce04843c14b0a28a4d
Debugging assembly is painful as it is, and having no useful stack trace
does not help. Code must emit CFI directives whenever the stack moves to
enable stack traces. Otherwise, the layout of the stack frame is
ambiguous, the debugger gives up, and shows nothing. The compiler does
this automatically for C but not assembly.
Add this information to the (currently unused) func_prologue macro.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ief5fd672285df8d9d90fa6a2214b5c6e45eddd81
At the moment, TF-A does not need to access VAs or PAs larger than
48 bits, so this patch just enables proper detection of support
for 4KB and 16KB granularity with 52 bits address support.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Iccebbd5acc21f09dbb234ef21a802300e290ec18
This patch adds a new optional member `pwr_domain_validate_suspend` to
the `plat_psci_ops_t` structure that allows a platform to optionally
perform platform specific validations in OS-initiated mode. This is
conditionally compiled into the build depending on the value of the
`PSCI_OS_INIT_MODE` build option.
In https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/17682,
the return type of the `pwr_domain_suspend` handler was updated from
`void` to `int` to allow a platform to optionally perform platform
specific validations in OS-initiated mode. However, when an error code
other than `PSCI_E_SUCCESS` is returned, the current exit path does not
undo the operations in `psci_suspend_to_pwrdown_start`, and as a result,
the system ends up in an unexpected state.
The fix in this patch prevents the need to undo the operations in
`psci_suspend_to_pwrdown_start`, by allowing the platform to first
perform any necessary platform specific validations before the PSCI
generic code proceeds to the point of no return where the CPU_SUSPEND
request is expected to complete successfully.
Change-Id: I05d92c7ea3f5364da09af630d44d78252185db20
Signed-off-by: Wing Li <wingers@google.com>
The framework currently supports QE feature only for Macronix devices.
Kioxia devices also support this feature, but this feature can not be
set based on the manufacturer ID as Kioxia first SPI NAND generation
does not support the QE feature when the second generation does.
Use a flag to manage QE feature. This flag will be added at board level
to manage the device.
Change-Id: I7a3683a2df8739967b17b4abbec32c51bf206b93
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
With the current implementation of stripping the last null
byte from a string, there was no way to get the TF-M measured
boot test suite to pass. It would expect the size of the string
passed into extend measurement to be unaffected by the call.
This fix should allow passing a string with the null char
pre-stripped, allowing the tests to exclude the null char in
their test data and not have the length decremented.
Further, This patch adds an early exit if either the version
or sw_type is larger than its buffer. Without this check,
it may be possible to pass a length one more than the maximum,
and if the last element is a null, the length will be truncated
to fit. This is instead suppsed to return an error.
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Change-Id: I98e1bb53345574d4645513009883c6e7b6612531
AArch32 is not being ported to the errata framework. However, the
runtime errata list is needed at runtime for the upcoming errata ABI.
Add wrappers to populate this information and make it accessible in the
same way as AArch64.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I084720f34d6ed4e00e94b09babd3c90a5393298a
Using the errata framework per-cpu data structure, errata can all be
reported automatically through a single standard errata reporter which
can replace the cpu-specific ones.
This reporter can also enforce the ordering requirement of errata.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I7d2d5ac5bcb9d21aed0d560d7d23919a323ffdab
Errata implementation involves adding a lot of boilerplate to random
places with just conventions on how to do them. Copy pasting is the
usual method for doing this. The result is an error-prone and verbose
patch that is a nightmare to get through review.
Errata workarounds have a very large degree of similarity - most of them
involve setting a bit at reset. As such most of the boilerplate is not
strictly necessary. To solve this, add a collection of assembly macros
to wrap errata implementations such that only the actual mitigations
need to be written. A new erratum mitigation looks something like:
workaround_reset_start cortex_a77, ERRATUM(1925769), ERRATA_A77_1925769
sysreg_bit_set CORTEX_A77_CPUECTLR_EL1, CORTEX_A77_CPUECTLR_EL1_BIT_8
workaround_reset_end cortex_a77, ERRATUM(1925769)
check_erratum_ls cortex_a77, ERRATUM(1925769), CPU_REV(1, 1)
Note, that the long comment on every mitigation is missing. This is on
purpose, as this new format includes all of its contents into an easily
readable format.
The workaround wrappers add an erratum entry (24 bytes) to a per-cpu
data structure which can then be read by a standard reset function to
apply all errata automatically. This has the added benefit of collecting
all errata TF-A knows about in a central way, which was previously
missing. This can then be used at runtime with the errata ABI.
If an erratum doesn't fit this standard definition (eg. the
CVE_2022_23960), it can progressively be unwrapped to the old
convention. The only differences are that the naming format is slightly
more verbose and a call to add_erratum_entry is needed to inform the
framework about the errata.
Finally, the internal workaround names change a tiny bit, especially
CVEs.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Iac644f85dcf85b8279b25e83baf1e7d08b253b16
The function is called in a fully initialised C environment and calls
into other C functions. The Aarch differences are minimal and are hidden
by the pre-existing headers. Converting it results into cleaner code
that is the same across both Aarch64 and Aarch32.
To avoid having to do very ugly pointer arithmetic, define a C struct
for the cpu_ops for both Aarch64 and Aarch32.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Idc07c4064e03143c88a4a0e2d10ceda70ba19a50
The ERRATA_XXX macros, used in cpu_helpers.S, are necessary for the
check_errata_xxx family of functions. The CPU_REV should be used in the
cpu files but for whatever reason the values have been hard-coded so far
(at the cost of readability). It's evident this file is not strictly for
status reporting.
The new purpose of this file is to make it a one-stop-shop for all
things errata.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1ce22dd36df5aa0bcfc5f2772251f91af8703dfb
The cpu_macros.S file is loaded with lots of definitions for the cpu_ops
structure. However, since they are defined as .equ directives they are
inaccessible for C code. Convert them to #defines, put them into order,
refactor them for readability, and extract them to a separate file to
make this possible.
This has the benefit of removing some Aarch differences and a lot of
duplicate code.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I72861794b6c9131285a9297d5918822ed718b228
Extends cert_create tool with a new option for CCA NV
counter: ccafw_nvctr.
And changes the non-volatile counter used to protect
the CCA Content Certificate from the Trusted FW NV counter
to the CCA FW NV counter in the CCA CoT description.
Change-Id: I27f3ab2e25809f0dcc56fa05e5c3a25a2e861ef6
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
This patch enables CTX_INCLUDE_PAUTH_REGS for RME builds.
The RMM-EL3 specification is also updated to reflect the changes
and also version of the same is bumped from 0.1 to 0.2.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I2e96a592d2b75abaee24294240c1727c5ceba420
When using the ENABLE_STACK_PROTECTOR=strong build option, the QEMU code
will try to use the RNDR CPU instructions to initialise the stack
canary. Since the instructions are defined for AArch64 only, this will
fail to build for AArch32.
And even though we now always return "false" when asked about the
availability of the RNDR instruction, the compiler will still leave the
reference to read_rdnr() in, if optimisations are turned off (-O0).
Avoid this by providing a dummy read_rndr() implementation, that makes
the linker happy in any case.
This fixes the QEMU build for AArch32 with ENABLE_STACK_PROTECTOR=strong
Change-Id: Ibf450ba4a46167fdf3a14a527d338350ced8b5ba
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Many newer architecture features are defined for AArch64 only, so cannot
be used in an AArch32 build.
To avoid #ifdef-ing every single user, just provide trivial
implementations of the feature check functions is_feat_xxx_supported(),
which always return "false" in AArch32. The compiler will then optimise
out the dependent code automatically.
Change-Id: I1e7d653fca0e676a11858efd953c2d623f2d5c9e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
FEAT_PAN is implemented in AArch32 as well, provide the helper functions
to query the feature availability at runtime.
Change-Id: I375e3eb7b05955ea28a092ba99bb93302af48a0e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This adds creation of a device tree that will be passed to OP-TEE.
Currently that device tree only contains the coreboot table per the
Linux coreboot device tree specification. This device tree is then
passed to OP-TEE so it can extract the CBMEM console information from
the coreboot table for logging purposes.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I6a26d335e16f7226018c56ad571cca77b81b0f6a
BL32_LIMIT has been increased from 2MB to 4MB to accommodate
the latest tee.bin (it is around ~2.1MB).
Change-Id: I47b770bf23c23d38931a2b3316d076b829338d70
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Co-developed-by: Juan Pablo Conde <juanpablo.conde@arm.com>
At the moment we only support FEAT_RAS to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (FEAT_RAS=2), by splitting
is_armv8_2_feat_ras_present() into an ID register reading function and
a second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we access RAS related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_ras_supported() function to guard its execution.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I30498f72fd80b136850856244687400456a03d0e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
The current usage of RAS_EXTENSION in TF-A codebase is to cater for two
things in TF-A :
1. Pull in necessary framework and platform hooks for Firmware first
handling(FFH) of RAS errors.
2. Manage the FEAT_RAS extension when switching the worlds.
FFH means that all the EAs from NS are trapped in EL3 first and signaled
to NS world later after the first handling is done in firmware. There is
an alternate way of handling RAS errors viz Kernel First handling(KFH).
Tying FEAT_RAS to RAS_EXTENSION build flag was not correct as the
feature is needed for proper handling KFH in as well.
This patch breaks down the RAS_EXTENSION flag into a flag to denote the
CPU architecture `ENABLE_FEAT_RAS` which is used in context management
during world switch and another flag `RAS_FFH_SUPPORT` to pull in
required framework and platform hooks for FFH.
Proper support for KFH will be added in future patches.
BREAKING CHANGE: The previous RAS_EXTENSION is now deprecated. The
equivalent functionality can be achieved by the following
2 options:
- ENABLE_FEAT_RAS
- RAS_FFH_SUPPORT
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1abb9ab6622b8f1b15712b12f17612804d48a6ec
This patch adds the errata management firmware interface for lower ELs
to discover details about CPU erratum. Based on the CPU erratum
identifier the interface enables the OS to find the mitigation of an
erratum in EL3.
The ABI can only be present in a system that is compliant with SMCCCv1.1
or higher. This implements v1.0 of the errata ABI spec.
For details on all possible return values, refer the design
documentation below:
ABI design documentation:
https://developer.arm.com/documentation/den0100/1-0?lang=en
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Change-Id: I70f0e2569cf92e6e02ad82e3e77874546232b89a
This patch does the following:
1. Configures SBSA secure watchdog timer as Group0 interrupt for
TC platform while keeping it as Group1 secure interrupt for
other CSS based SoCs.
2. Programs the watchdog timer to trigger periodically
3. Provides a Group0 interrupt handler for TC platform port to
deactivate the EL3 interrupt due to expiry of secure watchdog
timer and refresh it explicitly.
Change-Id: I3847d6eb7347c6ea0e527b97b096119ca1e6701b
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch adds a helper API to explicitly refresh SBSA secure watchdog
timer. Please refer section A.3 of the following spec:
https://developer.arm.com/documentation/den0029/latest/
Change-Id: I2d0943792aea0092bee1e51d74b908348587e66b
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Subsequent code will assume that it version-independent, so check it
with a CASSERT.
Change-Id: I233b51ef700103f1a0789d5608e3b02c96d0eeb7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Remove the control from the include file to avoid compilation
issue. Add the check in the source code instead.
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Change-Id: I533f829607f76389399a3e8dbc3c6095278562ab
When Group0 Secure interrupts in secure world get trapped to S-EL2
SPMC, FFA_EL3_INTR_HANDLE ABI is invoked by SPMC to delegate
interrupt handling to EL3 firmware (i.e., SPMD).
SPMD further delegates to platform handler which successfully handles
the Group0 secure interrupt before returning control to SPMC.
Change-Id: I8cc0fec20803b96c81582910ad2668e38b167fb8
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch introduces support to handle traps from lower ELs for
IMPDEF system register accesses. The actual support is left to the
platforms to implement.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I623d5c432b4ce4328b68f238c15b1c83df97c1e5
FEAT_SME2 is an extension of FEAT_SME and an optional feature
from v9.2. Its an extension of SME, wherein it not only
processes matrix operations efficiently, but also provides
outer-product instructions to accelerate matrix operations.
It affords instructions for multi-vector operations.
Further, it adds an 512 bit architectural register ZT0.
This patch implements all the changes introduced with FEAT_SME2
to ensure that the instructions are allowed to access ZT0
register from Non-secure lower exception levels.
Additionally, it adds support to ensure FEAT_SME2 is aligned
with the existing FEATURE DETECTION mechanism, and documented.
Change-Id: Iee0f61943304a9cfc3db8f986047b1321d0a6463
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Macro esb used in TF-A executes the instruction "esb" and is kept under
RAS_EXTENSION macro. RAS_EXTENSION, as it stands today, is only enabled
for platforms which wants RAS errors to be handled in Firmware while esb
instruction is available when RAS architecture feature is present
irrespective of its handling.
Currently TF-A does not have mechanism to detect whether RAS is present
or not in HW, define this macro unconditionally.
Its harmless for non-RAS cores as this instruction executes as NOP.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I556f2bcf5669c378bda05909525a0a4f96c7b336
This patch introduces the 'pwr_domain_off_early' hook for
platforms wanting to perform housekeeping steps before the
PSCI framework starts the CPU power off sequence. Platforms
might also want to use ths opportunity to ensure that the
CPU off sequence can proceed.
The PSCI framework expects a return code of PSCI_E_DENIED,
if the platform wants to halt the CPU off sequence.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I6980e84fc4d6cb80537a178d0d3d26fb28a13853
At the moment we only support FEAT_DIT to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_DIT=2), by splitting
is_armv8_4_dit_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed).
We use ENABLE_DIT in two occassions in assembly code, where we just set
the DIT bit in the DIT system register.
Protect those two cases by reading the CPU ID register when ENABLE_DIT
is set to 2.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I506d352f18e23c60db8cdf08edb449f60adbe098
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Have only one definition for REGISTER_CRYPTO_LIB macro, with all the
possible fields. Worst case adds 4 u64 to crypto_lib_desc.
While at it, correct some MISRA violations:
MC3R1.R12.1: (advisory) The precedence of operators within expressions
should be made explicit.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I1342a20e6eef2354753182c2a81ff959e03e5c81
Following discussions in the reviews of the patch that introduced
plat_convert_pk() function [1], it was decided to deprecate it to
avoid weak function declaration.
A new optional function pointer convert_pk is added to crypto_lib_desc_t.
A new function crypto_mod_convert_pk() will either call
crypto_lib_desc.convert_pk() if it is defined, or do the same
as what was done by the weak function otherwise.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/17174
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: I9358867f8bfd5e96b5ee238c066877da368e43c6
Compared the full ROTPK with the ROTPK obtained from the certificate
when the platform supports full ROTPK instead of hash of ROTPK.
Additionally, changed the code to verify the ROTPK before relying on
it for signature verification.
Change-Id: I52bb9deb1a1dd5b184d3156bddad14c238692de7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Updated the code to get and set the 'tpm_event_log_max_size' property
in the event_log.dtsi.
In this change, the maximum Event Log buffer size allocated by BL1 is
passed to BL2, rather than both relying on the maximum Event Log buffer
size macro.
Change-Id: I7aa6256390872171e362b6f166f3f7335aa6e425
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Arm v9.4 introduces support for Guarded Control Stack, providing
mitigations against some forms of RPO attacks and an efficient mechanism
for obtaining the current call stack without requiring a full stack
unwind. Enable access to this feature for EL2 and below, context
switching the newly added EL2 registers as appropriate.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Signed-off-by: Mark Brown <broonie@kernel.org>
Change-Id: I691aa7c22e3547bb3abe98d96993baf18c5f0e7b
These include directives were missing from both `uuid.h` files.
Change-Id: I875dfda3e0985728277b72f0e7597dde5cf9d304
Signed-off-by: Chris Kay <chris.kay@arm.com>
Boyan Karatotev
Govindraj Raja
Juan Pablo Conde
Omkar Anand Kulkarni
Akshay Belsare
Manish Pandey
Jit Loon Lim
Raghu Krishnamurthy
Javier Almansa Sobrino
Wing Li
Christophe Kerello
Jimmy Brisson
Harrison Mutai
laurenw-arm
Shruti Gupta
Andre Przywara
Jeffrey Kardatzke
Manish V Badarkhe
Elyes Haouas
Sona Mathew
Madhukar Pappireddy
Demi Marie Obenour
Lionel Debieve
Varun Wadekar
Sandrine Bailleux
Jayanth Dodderi Chidanand
Yann Gautier
Yann Gautier
Mark Brown
Chris Kay