This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.
This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.
FixesARM-software/tf-issues#244FixesARM-software/tf-issues#245
Change-Id: I3ebe1d4901f8b857e8bb51372290978a3323bfe7
Final updates to readme.md and change-log.md for ARM Trusted
Firmware version 1.0. Also increment the version in the Makefile.
Change-Id: I00fe1016c8b936834bbf7bbba7aab07f51261bbb
* Fix broken link to SCP download.
* Remove requirement to install `ia32-libs`. This package is no
longer available in current versions of Ubuntu and is no
longer required when using the Linaro toolchain.
Change-Id: I9823d535a1d69136685754b7707b73e1eef0978d
This patch gathers miscellaneous minor fixes to the documentation, and comments
in the source code.
Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Co-Authored-By: Dan Handley <dan.handley@arm.com>
This patch reorganizes the firmware design guide to add information about the
port of the ARM Trusted Firmware to the Juno ARM development platform.
Change-Id: I0b80e2e7a35ccad1af2e971506cfb7fe505f8b84
This patch makes the Trusted Firmware build instructions in the
user guide platform independent.
FVP specific instructions have been grouped together under a new
section dedicated to FVP.
Juno specific instructions to build and run the Trusted Firmware,
UEFI and Linux have been added.
Change-Id: I9bfb1b9d732b1f73abbe29f68ac931e1773a4fd5
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#100 (commit 186c1d4). This is distinct
from the similar issue fixed in commit bfb1dd5.
Also clarify the dependence on the FVP_SHARED_DATA_LOCATION and
FVP_TSP_RAM_LOCATION build options, and tidy up the "Notes
regarding Base FVP configuration options" section.
Change-Id: I6b03452a71f0c69efa169852712bcb184242696e
Move up the version numbers of the following Trusted Firmware
dependencies in the user guide:
* Foundation and Base FVPs (latest publically available
versions).
* EDK2 implementation. The guide now uses the latest version from
https://github.com/ARM-software/edk2.git. This requires the
`iasl` package to also be installed.
* Linux kernel. The guide now uses the latest version from
https://github.com/ARM-software/linux.git.
* Linaro OpenEmbedded file system.
* ARM Development Studio 5.
Change-Id: I95bb863a61e47b9ef8be3d110f7087375ee78add
This patch adds documentation for CPU specific abstraction in the firmware-
design.md and adds a new document cpu-errata-workarounds.md to describe
the cpu errata workaround build flags.
Change-Id: Ia08c2fec0b868a0a107d0264e87a60182797a1bd
This patch adds CPU core and cluster power down sequences to the CPU specific
operations framework introduced in a earlier patch. Cortex-A53, Cortex-A57 and
generic AEM sequences have been added. The latter is suitable for the
Foundation and Base AEM FVPs. A pointer to each CPU's operations structure is
saved in the per-cpu data so that it can be easily accessed during power down
seqeunces.
An optional platform API has been introduced to allow a platform to disable the
Accelerator Coherency Port (ACP) during a cluster power down sequence. The weak
definition of this function (plat_disable_acp()) does not take any action. It
should be overriden with a strong definition if the ACP is present on a
platform.
Change-Id: I8d09bd40d2f528a28d2d3f19b77101178778685d
This patch adds an optional platform API (plat_reset_handler) which allows the
platform to perform any actions immediately after a cold or warm reset
e.g. implement errata workarounds. The function is called with MMU and caches
turned off. This API is weakly defined and does nothing by default but can be
overriden by a platform with a strong definition.
Change-Id: Ib0acdccbd24bc756528a8bd647df21e8d59707ff
* Move TSP platform porting functions to new file:
include/bl32/tsp/platform_tsp.h.
* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
TSP interrupt handling code, instead of depending on the FVP
specific definition IRQ_SEC_PHY_TIMER.
* Rename TSP platform porting functions from bl32_* to tsp_*, and
definitions from BL32_* to TSP_*.
* Update generic TSP code to use new platform porting function names
and definitions.
* Update FVP port accordingly and move all TSP source files to:
plat/fvp/tsp/.
* Update porting guide with above changes.
Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
BE UPDATED
FixesARM-software/tf-issues#167
Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f
The intent of io_init() was to allow platform ports to provide
a data object (io_plat_data_t) to the IO storage framework to
allocate into. The abstraction was incomplete because io_plat_data_t
uses a platform defined constant and the IO storage framework
internally allocates other arrays using platform defined constants.
This change simplifies the implementation by instantiating the
supporting objects in the IO storage framework itself. There is now
no need for the platform to call io_init().
The FVP port has been updated accordingly.
THIS CHANGE REQUIRES ALL PLATFORM PORTS THAT USE THE IO STORAGE
FRAMEWORK TO BE UDPATED.
Change-Id: Ib48ac334de9e538064734334c773f8b43df3a7dc
This patch groups the current contents of the Trusted DRAM region at
address 0x00_0600_0000 (entrypoint mailboxes and BL3-1 parameters) in
a single shared memory area that may be allocated to Trusted SRAM
(default) or Trusted DRAM at build time by setting the
FVP_SHARED_DATA_LOCATION make variable. The size of this shared
memory is 4096 bytes.
The combination 'Shared data in Trusted SRAM + TSP in Trusted DRAM'
is not currently supported due to restrictions in the maximum number
of mmu tables that can be created.
Documentation has been updated to reflect these changes.
FixesARM-software/tf-issues#100
Change-Id: I26ff04d33ce4cacf8d770d1a1e24132b4fc53ff0
Fix the instructions for resetting to the BL3-1 entrypoint in the
user guide. The BL3-1 and BL3-2 image locations changed in the fix
to ARM-software/tf-issues#117 (commit a1b6db6).
FixesARM-software/tf-issues#237
Change-Id: I764eb17c66034511efb984c0e7cfda29bd99198f
Create new LOG_LEVEL build option, which controls the amount of
console output compiled into the build. This should be one of the
following:
0 (LOG_LEVEL_NONE)
10 (LOG_LEVEL_NOTICE)
20 (LOG_LEVEL_ERROR)
30 (LOG_LEVEL_WARNING)
40 (LOG_LEVEL_INFO)
50 (LOG_LEVEL_VERBOSE)
All log output up to and including the log level is compiled into the
build. The default value is 40 in debug builds and 20 in release
builds.
Complement the existing INFO, WARN and ERROR console output macros
with NOTICE and VERBOSE macros, which are conditionally compiled in
depending on the value of LOG_LEVEL.
FixesARM-software/tf-issues#232
Change-Id: I951e2f333e7b90fc4b1060741d9a6db699d5aa72
Secure ROM at address 0x0000_0000 is defined as FVP_TRUSTED_ROM
Secure RAM at address 0x0400_0000 is defined as FVP_TRUSTED_SRAM
Secure RAM at address 0x0600_0000 is defined as FVP_TRUSTED_DRAM
BLn_BASE and BLn_LIMIT definitions have been updated and are based on
these new memory regions.
The available memory for each bootloader in the linker script is
defined by BLn_BASE and BLn_LIMIT, instead of the complete memory
region.
TZROM_BASE/SIZE and TZRAM_BASE/SIZE are no longer required as part of
the platform porting.
FVP common definitions are defined in fvp_def.h while platform_def.h
contains exclusively (with a few exceptions) the definitions that are
mandatory in the porting guide. Therefore, platform_def.h now includes
fvp_def.h instead of the other way around.
Porting guide has been updated to reflect these changes.
Change-Id: I39a6088eb611fc4a347db0db4b8f1f0417dbab05
This patch defines a compile time macro for each boot loader stage
which allows compilation of code only for a specific stage.
Change-Id: I3a4068404cd3dc26d652556ca9ca7afea8dd28ef
Tests show a slight reduction in code size compared to 13.11.
User guide updated.
FixesARM-software/tf-issues#207
Change-Id: I9b80a5d7820cdfd443cac4d4b63f925b74a8c3a3
This patch adds support for BL3-2 initialization by asynchronous
method where BL3-1 transfers control to BL3-2 using world switch.
After BL3-2 initialization, it transfers control to BL3-3 via SPD
service handler. The SPD service handler initializes the CPU context
to BL3-3 entrypoint depending on the return function indentifier from
TSP initialization.
FixesARM-software/TF-issues#184
Change-Id: I7b135c2ceeb356d3bb5b6a287932e96ac67c7a34
The purpose of platform_is_primary_cpu() is to determine after reset
(BL1 or BL3-1 with reset handler) if the current CPU must follow the
cold boot path (primary CPU), or wait in a safe state (secondary CPU)
until the primary CPU has finished the system initialization.
This patch removes redundant calls to platform_is_primary_cpu() in
subsequent bootloader entrypoints since the reset handler already
guarantees that code is executed exclusively on the primary CPU.
Additionally, this patch removes the weak definition of
platform_is_primary_cpu(), so the implementation of this function
becomes mandatory. Removing the weak symbol avoids other
bootloaders accidentally picking up an invalid definition in case the
porting layer makes the real function available only to BL1.
The define PRIMARY_CPU is no longer mandatory in the platform porting
because platform_is_primary_cpu() hides the implementation details
(for instance, there may be platforms that report the primary CPU in
a system register). The primary CPU definition in FVP has been moved
to fvp_def.h.
The porting guide has been updated accordingly.
FixesARM-software/tf-issues#219
Change-Id: If675a1de8e8d25122b7fef147cb238d939f90b5e
This patch adds the CPUECTLR_EL1 register and the CCI Snoop Control
register to the list of registers being reported when an unhandled
exception occurs.
Change-Id: I2d997f2d6ef3d7fa1fad5efe3364dc9058f9f22c
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.
FixesARM-software/tf-issues#95
Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
This patch introduces platform APIs to initialise and
print a character on a designated crash console.
For the FVP platform, PL011_UART0 is the designated
crash console. The platform porting guide is also updated
to document the new APIs.
Change-Id: I5e97d8762082e0c88c8c9bbb479353eac8f11a66
This patch removes the allocation of memory for coherent stacks, associated
accessor function and some dead code which called the accessor function. It also
updates the porting guide to remove the concept and the motivation behind using
stacks allocated in coherent memory.
FixesARM-software/tf-issues#198
Change-Id: I00ff9a04f693a03df3627ba39727e3497263fc38
Update the "Memory layout on FVP platforms" section in the Firmware
Design document to reflect the overlaying of BL1 and BL2 images
by BL3-1 and BL3-2.
Also update the Porting Guide document to mention the
BL31_PROGBITS_LIMIT and BL32_PROGBITS_LIMIT constants.
Change-Id: I0b23dae5b5b4490a01be7ff7aa80567cff34bda8
- Add support for loading a BL3-0 image in BL2. Information about
memory extents is populated by platform-specific code. Subsequent
handling of BL3-0 is also platform specific.
The BL2 main function has been broken down to improve readability.
The BL3-2 image is now loaded before the BL3-3 image to align with
the boot flow.
- Build system: Add support for specifying a BL3-0 image that will be
included into the FIP image.
- IO FIP driver: Add support for identifying a BL3-0 image inside a
FIP image.
- Update the documentation to reflect the above changes.
Change-Id: I067c184afd52ccaa86569f13664757570c86fc48
Refactor the FVP gic code in plat/fvp/fvp_gic.c to be a generic ARM
GIC driver in drivers/arm/gic/arm_gic.c. Provide the platform
specific inputs in the arm_gic_setup() function so that the driver
has no explicit dependency on platform code.
Provide weak implementations of the platform interrupt controller
API in a new file, plat/common/plat_gic.c. These simply call through
to the ARM GIC driver.
Move the only remaining FVP GIC function, fvp_gic_init() to
plat/fvp/aarch64/fvp_common.c and remove plat/fvp/fvp_gic.c
FixesARM-software/tf-issues#182
Change-Id: Iea82fe095fad62dd33ba9efbddd48c57717edd21
This concept is no longer required since we now support loading of
images at fixed addresses only.
The image loader now automatically detects the position of the image
inside the current memory layout and updates the layout such that
memory fragmentation is minimised.
The 'attr' field of the meminfo data structure, which used to hold
the bottom/top loading information, has been removed. Also the 'next'
field has been removed as it wasn't used anywhere.
The 'init_bl2_mem_layout()' function has been moved out of common
code and put in BL1-specific code. It has also been renamed into
'bl1_init_bl2_mem_layout'.
FixesARM-software/tf-issues#109
Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
The array of affinity nodes is currently allocated for 32 entries
with the PSCI_NUM_AFFS value defined in psci.h. This is not enough
for large systems, and will substantially over allocate the array
for small systems.
This patch introduces an optional platform definition
PLATFORM_NUM_AFFS to platform_def.h. If defined this value is
used for PSCI_NUM_AFFS, otherwise a value of two times the number
of CPU cores is used.
The FVP port defines PLATFORM_NUM_AFFS to be 10 which saves
nearly 1.5KB of memory.
FixesARM-software/tf-issues#192
Change-Id: I68e30ac950de88cfbd02982ba882a18fb69c1445
This patch makes the console crash dump of processor register
state optional based on the CRASH_REPORTING make variable.
This defaults to only being enabled for DEBUG builds. This can
be overridden by setting a different value in the platform
makefile or on the make command line.
Change-Id: Icfa1b2d7ff0145cf0a85e8ad732f9cee7e7e993f
This patch adds documentation that describes the design of the Interrupt
management framework in the ARM Trusted Firmware. The porting-guide.md has also
been updated to describe the interface that should be implemented by each
platform to support this framework.
Change-Id: I3eda48e5c9456e6a9516956bee16a29e366633b7
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Update documentation with BL3-1 hardening interface
changes and for using BL3-1 as a reset vector feature
Change-Id: Iafdd05e7a8e66503409f2acc934372efef5bc51b
Update the Linux kernel, Linaro file system, FVP and DS-5 versions used for the
v0.4 release in user-guide.md.
Change-Id: I2265fc17c229d4b8cc52165d6583a4a579cdcee3
This patch modifies and adds to the existing documentation
for the crash reporting implementation in BL3-1.
Change-Id: I2cfbfeeeb64996ec7d19a9ddf95295482899b4bd
Following recent refactoring changes to platform.h, this commit updates
porting-guide.md to correctly refer to platform.h and platform_def.h where
appropriate.
Change-Id: Idf1e77503c24358696f8f3c14caa0cc1d579deb4
Rework the "Memory layout on FVP platforms" section in the Firmware
Design document. Add information about where the TSP image fits
in the memory layout when present.
Add documentation for the base addresses of each bootloader image
in the porting guide.
Change-Id: I4afb2605e008a1cb28c44a697804f2cb6bb4c9aa
The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE blocks, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array defintion in
drivers/io/io_fip.c.
Also update the porting guide to reflect this change.
The BL3-2 platform definitions remain non-configurably present
in the FVP port.
FixesARM-software/tf-issues#68
Change-Id: Iea28b4e94d87a31f5522f271e290919a8a955460
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.
This patch also removes 'cm_macros.S' as its contents have been moved
to 'runtime_exceptions.S'
Change-Id: I3c85ecf8eaf43a3fac429b119ed0bd706d2e2093
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
currently unsupported.
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
Change-Id: Idf7c023b34fcd4800a5980f2bef85e4b5c29e649
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.
Change-Id: I04780757a149eeb5482a12a61e821be947b882c0
The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.
This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.
Change-Id: I9450f2d8b32d74bd00b6ce57a0a1542716ab449c
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
FixesARM-software/tf-issues#149
Change-Id: Ia5d070244aae6c5288ea0e6c8e89d92859522bfe
At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.
This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.
FixesARM-software/tf-issues#148
Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.
This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.
panic() now prints the the error file and line number in Debug mode
and prints the PC value in release mode.
The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.
FixesARM-software/tf-issues#79 Improve reporting of unhandled exception
Change-Id: I260791dc05536b78547412d147193cdccae7811a
The TZC configuration on FVP was incorrectly allowing both secure
and non-secure accesses to the DRAM, which can cause aliasing
problems for software. It was also not enabling virtio access on
some models.
This patch fixes both of those issues. The patch also enabless
non-secure access to the DDR RAM for all devices with defined IDs.
The third region of DDR RAM has been removed from the configuration
as this is not used in any of the FVP models.
FixesARM-software/tf-issues#150FixesARM-software/tf-issues#151
Change-Id: I60ad5daaf55e14f178affb8afd95d17e7537abd7
Jens Wiklander
Soby Mathew
Dan Handley
Sandrine Bailleux
Juan Castillo
Vikram Kanigiri
Achin Gupta
Andrew Thoelke
Harry Liebel
Jeenu Viswambharan