Follow up to [1] and [2], for systems implementing the SPMC at S-EL2,
it is necessary to leave the option for handling Group0 interrupts
(while the normal world runs) through the EHF by the use of the
EL3_EXCEPTION_HANDLING option.
Specifically for RAS, the handling through EHF is still required because
the platform function provided by the SPMD doesn't provide the facility
to link back to the RAS handling framework.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/16047
[2] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/19897
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Idf8741887904a286fb3f5ab2d754afd2fc78d3b0
If the size of a shmem descriptor is not a multiple of 16, the
descriptor would be unusable, but the problem would be caught much
later.
Change-Id: I907f3862b55c6341e39a6b8b2e24784127230478
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The information is already available inline. No functional change
intended.
Change-Id: I13d2ad62a9315b233d7a5fd3ffcaac3dd01b055c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Hopefully this will be a tiny speedup. No functional change intended.
Change-Id: Ia052c7f9b24d5ece6209a6fa2903b1271215ece7
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
If it is called on an invalid mtd, out-of-bounds memory reads are
likely. Checks elsewhere in the code ensure that the mtd has been
validated before calling this function.
Change-Id: If598680a5b79e1786a6e0a213779ec80cbf37494
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This ensures that descriptor size calculation does not overflow and
removes a bounds check that does not actually work.
Change-Id: If8da2bb1b312941b7f9d0debf3149b984fc3809a
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
size_t is not guaranteed to be 64 bits, although it happens to be 64
bits on all systems that el3-spmc supports.
Change-Id: Ieae11722a15448641de50233597ac35869eab574
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Using uint64_t is cleaner, even though size_t is 64 bits on all
platforms el3-spmc supports.
Change-Id: I457deb0b7f3df0749cb5368cceda1bb530d039de
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The ERRATA_XXX macros, used in cpu_helpers.S, are necessary for the
check_errata_xxx family of functions. The CPU_REV should be used in the
cpu files but for whatever reason the values have been hard-coded so far
(at the cost of readability). It's evident this file is not strictly for
status reporting.
The new purpose of this file is to make it a one-stop-shop for all
things errata.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1ce22dd36df5aa0bcfc5f2772251f91af8703dfb
This adds creation of a device tree that will be passed to OP-TEE.
Currently that device tree only contains the coreboot table per the
Linux coreboot device tree specification. This device tree is then
passed to OP-TEE so it can extract the CBMEM console information from
the coreboot table for logging purposes.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I6a26d335e16f7226018c56ad571cca77b81b0f6a
The workarounds for these below mentioned errata are not implemented
in EL3, but the flags can be enabled/disabled at a platform level
based on arm/non-arm interconnect IP. The ABI helps assist the Kernel
in the process of mitigation for the following errata:
Cortex-A715: erratum 2701951
Neoverse V2: erratum 2719103
Cortex-A710: erratum 2701952
Cortex-X2: erratum 2701952
Neoverse N2: erratum 2728475
Neoverse V1: erratum 2701953
Cortex-A78: erratum 2712571
Cortex-A78AE: erratum 2712574
Cortex-A78C: erratum 2712575
EL3 provides an appropriate return value via errata ABI when the
kernel makes an SMC call using the EM_CPU_ERRATUM_FEATURES FID with the
appropriate erratum ID.
Change-Id: I35bd69d812dba37410dd8bc2bbde20d4955b0850
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Workaround to help enable the kernel to query errata status using the
errata abi feature for platforms with a non-arm interconnect.
Change-Id: I47b03eaee5a0a763056ae71883fa30dfacb9b3f7
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
This patch adds the errata management firmware interface for lower ELs
to discover details about CPU erratum. Based on the CPU erratum
identifier the interface enables the OS to find the mitigation of an
erratum in EL3.
The ABI can only be present in a system that is compliant with SMCCCv1.1
or higher. This implements v1.0 of the errata ABI spec.
For details on all possible return values, refer the design
documentation below:
ABI design documentation:
https://developer.arm.com/documentation/den0100/1-0?lang=en
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Change-Id: I70f0e2569cf92e6e02ad82e3e77874546232b89a
Use the address of emad 0 instead of the size of the MRD.
Change-Id: I31ec0001b4474e78caa9dfb468f63122a3708781
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The offset has been validated on the first loop iteration. Subsequent
iterations can assume it is valid.
Change-Id: Ib06cd0240220b8aa42bcd34c3c40b69d2d86aa72
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
When called on incomplete objects, it might fail or access uninitialized
memory. This allows simplifying spmc_shm_check_obj().
Change-Id: I7c11f15d4c8ebe8cd15e7d8c37a0d0f3daa83675
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Earlier validation ensures spmc_shmem_obj_get_emad() will never fail, so
trip an assertion instead of returning NULL.
Change-Id: I285f3b59150773b2404db5719753fdb240e9ed63
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
A v1.1 descriptor has a minimum length exceeding that of a v1.0
descriptor.
Change-Id: I06265d58f53eccb0d39927fe9ff396b73735df97
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This patch introduces a handler for FVP platform to triage Group0
secure interrupts. Currently, it is empty but serves as a
placeholder for future Group0 interrupt sources.
Moreover, this patch also provides a dummy implementation of the
above mentioned platform hook for QEMU, corstone100, n1sdp and
hikey960 ports.
Change-Id: I01d3451408f47ac313b0af74046cce89f89b85bb
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
When Group0 Secure interrupts in secure world get trapped to S-EL2
SPMC, FFA_EL3_INTR_HANDLE ABI is invoked by SPMC to delegate
interrupt handling to EL3 firmware (i.e., SPMD).
SPMD further delegates to platform handler which successfully handles
the Group0 secure interrupt before returning control to SPMC.
Change-Id: I8cc0fec20803b96c81582910ad2668e38b167fb8
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
SPMD registers a generic handler with the interrupt management
framework to handle Group0 secure interrupt from normal world.
The handler further delegates to the platform for successful
handling of the interrupt.
Change-Id: I9cdc721810b09e01190cdcab42c50830792a26e2
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This change forces LD to sort all input sections by alignment when
allocating them within an output section. This is done in some places
explicitly in the linker scripts today, but this makes sure we don't
miss any easy targets.
Change-Id: Ife89a8bb9e592b55c761d9a3dfefc2aeeb07802f
Signed-off-by: Chris Kay <chris.kay@arm.com>
Add support for runtime detection (ENABLE_SVE_FOR_NS=2), by splitting
sve_supported() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we do SVE specific setup.
Change the FVP platform default to the now supported dynamic
option (=2), so the right decision can be made by the code at runtime.
Change-Id: I1caaba2216e8e2a651452254944a003607503216
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Add support for runtime detection (ENABLE_SME_FOR_NS=2), by splitting
feat_sme_supported() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we do SME specific setup.
Change the FVP platform default to the now supported dynamic option
(=2),so the right decision can be made by the code at runtime.
Change-Id: Ida9ccf737db5be20865b84f42b1f9587be0626ab
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
In ARMv8.4, the EL2 exception level got added to the secure world.
Adapt and rename the existing is_armv8_4_sel2_present() function, to
align its handling with the other CPU features.
Change-Id: If11e1942fdeb63c63f36ab9e89be810347d1a952
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
At the moment we only support FEAT_PAN to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_FEAT_PAN=2), by splitting
is_armv8_1_pan_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we PAN specific setup.
Change the FVP platform default to the now supported dynamic option (=2),
so the right decision can be made by the code at runtime.
Change-Id: I58e5fe8d3c9332820391c7d93a8fb9dba4cf754a
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
At the moment we only support FEAT_VHE to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_FEAT_VHE=2), by splitting
is_armv8_1_vhe_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we access VHE related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_vhe_supported() function to guard its execution.
Enable VHE in its runtime detection version for all FVP builds.
Change-Id: Ib397cd0c83e8c709bd6fed603560e39901fa672b
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This adds return of a UUID when TF-A is in the state where it needs to
receive the SMC call to load the OP-TEE image. It also changes the OEN
used for the image loading call to match the OEN used for the UUID call.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I713cb602d8e53b3f20d179b5fb5162da6a2ed057
The spmd_setup function is made fail safe in that a failure in the
SPMC manifest parsing, SPMD or SPMC initialization returns a success
code to the standard services initialization routine (std_svc_setup).
This permits continuing the boot process and initialize services
beyond the SPMD to succeed for the system to operate in the normal
world. It operates in a degraded mode for the secure world.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ida0ac91c17925279a79f112d190f9ad038f518e7
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
Add code in SPMD to forward calls to FFA_PARTITION_INFO_GET_REGS. This
is a new ABI that allows getting partition information without the need
for rx/tx buffer, that helps in situations where having an rx/tx buffer
mapped and available is difficult (ex. uefi runtime services).
Currently, the spmc at el3 does not support this new ABI.
The new ABI uses registers x8-x17 to return partition information so
changes are made to ensure those registers are passed through to the
SPMC and restored on the return path.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I1fe5956763e054e4f8d62292fc1247e7120bb5a4
The following build system variables have been renamed:
- `LINKERFILE` -> `DEFAULT_LINKER_SCRIPT`
- `BL_LINKERFILE` -> `DEFAULT_LINKER_SCRIPT_SOURCE`
- `<IMAGE>_LINKERFILE` -> `<IMAGE>_DEFAULT_LINKER_SCRIPT_SOURCE`
These new names better reflect how each variable is used:
1. the default linker script is passed via `-dT` instead of `-T`
2. linker script source files are first preprocessed
Additionally, linker scripts are now placed in the build directory
relative to where they exist in the source directory. For example,
the `bl32/sp_min/sp_min.ld.S` would now preprocess to
`sp_min/sp_min.ld` instead of just `bl32.ld`
BREAKING-CHANGE: The `LINKERFILE`, `BL_LINKERFILE` and
`<IMAGE_LINKERFILE>` build system variables have been renamed. See the
commit message for more information.
Change-Id: If8cef65dcb8820e8993736702c8741e97a66e6cc
Signed-off-by: Chris Kay <chris.kay@arm.com>
There were some late comments to the prior change (18635) which are
address in this commit. There was also an invalid return value check
which was changed and the wrong result was being returned via the SMC
call for loading OP-TEE which is now fixed.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I883ddf966662549a3ef9c801a2d4f47709422332
The tos_fw_config is currently loaded into memory by BL2 and
consumed by SPMD (part of BL31) and BL32 firmwares. This does
not work in RME-enabled systems as BL31 uses the root PAS memory
and does not trust secure PAS memory.
A first attempt was made to map the TOS_FW_CONFIG region as root PAS,
and then to remap to secure PAS after SPMD consumption, but this was
not suitable for RME systems where memory encryption is enabled.
This can be solved by copying the TOS FW config (SPMC manifest) from
the Root PAS region to the Secure PAS region so that BL32 can consume
it.
Change-Id: I8eef8345366199cb0e367db883c34a5b5136465d
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This adds the ability to load the OP-TEE image via an SMC called from
non-secure userspace rather than loading it during boot. This should
only be utilized on platforms that can ensure security is maintained up
until the point the SMC is invoked as it breaks the normal barrier
between the secure and non-secure world.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I21cfa9699617c493fa4190f01d1cbb714e7449cc
This patch adds support for setting configuration of DRAM banks
for FVP model in RMM-EL3 Boot Manifest structure.
Structure 'rmm_manifest' is extended with 'plat_dram' structure
which contains information about platform's DRAM layout:
- number of DRAM banks;
- pointer to 'dram_bank[]' array;
- check sum: two's complement 64-bit value of the sum of
data in 'plat_dram' and 'dram_bank[] array.
Each 'dram_bank' structure holds information about DRAM
bank base address and its size. This values must be aligned
to 4KB page size.
The patch increases Boot Manifest minor version to 2 and
removes 'typedef rmm_manifest_t' as per
"3.4.15.1. Avoid anonymous typedefs of structs/enums in headers" of
https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I5176caa5780e27d1e0daeb5dea3e40cf6ad5fd12
Prior to this commit a logical platform specific partition is added when
compiling with SPMC at EL3. Not all platform need to add a logical
platform so make this optional.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: I3bdd2a91350330c1637e8d84765974bfb6b225d7
Ensure that there is sufficient space in the memory
descriptor to accommodate the size of the composite memory
struct as part of the descriptor.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31
This patch also:
* Enforces the check of RES0 fields on EL3-RMM boot interface
and manifest
* Fixes a couple of nits on the EL3-RMM Boot Interface
documentation.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Idb9e38f9fcda2ba0655646a1e2c4fdbabd5cdc40
This patch adds X2-X6 and 'smc_ret' parameters to trp_rmi_handler().
The last 'smc_ret' parameter passed in X7 contains address of
'trp_smc_result' structure on stack to return result of RMI SMC call.
This allows to preserve X4 if not used as a return argument as per
SMCCCv1.2. The patch also removes use of trp_args_t in RMI handling.
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I9e3387a7380b37863eeccc53d13e92e0ac5cffbd
Compiling with -Wimplicit-fallthrough=3 (enabled by -Wextra) produces
many warnings about fallthrough comments either missing or being wrong.
Unify the comments so we comply with -Wextra.
Note that Coverity recommends against using the __attribute__ directive.
Also, zlib does not build with a higher value of -Wimplicit-fallthrough.
Finally, compilers strip comments before expanding macros. As such,
checkpatch's fallthrough annotation (or higher levels of the flag) isn't
really possible.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I060cf4f8dc04c02cbb45cf4ceb69569a8369ccee
This patch discards all the used entropy bits from the global memory
pool after being delivered to the requester (lower exception levels) by
overwriting them with zeroes.
It effectively implements the requirement, as part of TRNG FW interface
listed at DEN0098 (section 1.2).
https://developer.arm.com/documentation/den0098/latest
Change-Id: I447cbccc1a8ad972418a3569c99f010189d4b2f6
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Olivier Deprez
Demi Marie Obenour
Harrison Mutai
Boyan Karatotev
Jeffrey Kardatzke
Elyes Haouas
Sona Mathew
Madhukar Pappireddy
Chris Kay
Jayanth Dodderi Chidanand
Andre Przywara
Raghu Krishnamurthy
Manish V Badarkhe
AlexeiFedorov
Jens Wiklander
Shruti Gupta
Marc Bonnici
Javier Almansa Sobrino