At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
unnecessary.
This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
them.
FixesARM-software/tf-issues#148
Change-Id: I1b9d623606acb9797c3e0b02fb5ec7c0a414f37e
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.
This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.
panic() now prints the the error file and line number in Debug mode
and prints the PC value in release mode.
The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.
FixesARM-software/tf-issues#79 Improve reporting of unhandled exception
Change-Id: I260791dc05536b78547412d147193cdccae7811a
The TZC configuration on FVP was incorrectly allowing both secure
and non-secure accesses to the DRAM, which can cause aliasing
problems for software. It was also not enabling virtio access on
some models.
This patch fixes both of those issues. The patch also enabless
non-secure access to the DDR RAM for all devices with defined IDs.
The third region of DDR RAM has been removed from the configuration
as this is not used in any of the FVP models.
FixesARM-software/tf-issues#150FixesARM-software/tf-issues#151
Change-Id: I60ad5daaf55e14f178affb8afd95d17e7537abd7
The BL images share common stack management code which provides
one coherent and one cacheable stack for every CPU. BL1 and BL2
just execute on the primary CPU during boot and do not require
the additional CPU stacks. This patch provides separate stack
support code for UP and MP images, substantially reducing the
RAM usage for BL1 and BL2 for the FVP platform.
This patch also provides macros for declaring stacks and
calculating stack base addresses to improve consistency where
this has to be done in the firmware.
The stack allocation source files are now included via
platform.mk rather than the common BLx makefiles. This allows
each platform to select the appropriate MP/UP stack support
for each BL image.
Each platform makefile must be updated when including this
commit.
FixesARM-software/tf-issues#76
Change-Id: Ia251f61b8148ffa73eae3f3711f57b1ffebfa632
BL3-1 architecture setup code programs the system counter frequency
into the CNTFRQ_EL0 register. This frequency is defined by the
platform, though. This patch introduces a new platform hook that
the architecture setup code can call to retrieve this information.
In the ARM FVP port, this returns the first entry of the frequency
modes table from the memory mapped generic timer.
All system counter setup code has been removed from BL1 as some
platforms may not have initialized the system counters at this stage.
The platform specific settings done exclusively in BL1 have been moved
to BL3-1. In the ARM FVP port, this consists in enabling and
initializing the System level generic timer. Also, the frequency change
request in the counter control register has been set to 0 to make it
explicit it's using the base frequency. The CNTCR_FCREQ() macro has been
fixed in this context to give an entry number rather than a bitmask.
In future, when support for firmware update is implemented, there
is a case where BL1 platform specific code will need to program
the counter frequency. This should be implemented at that time.
This patch also updates the relevant documentation.
It properly fixesARM-software/tf-issues#24
Change-Id: If95639b279f75d66ac0576c48a6614b5ccb0e84b
This reverts commit 1c297bf015
because it introduced a bug: the CNTFRQ_EL0 register was no
longer programmed by all CPUs. bl31_platform_setup() function
is invoked only in the cold boot path and consequently only
on the primary cpu.
A subsequent commit will correctly implement the necessary changes
to the counter frequency setup code.
FixesARM-software/tf-issues#125
Conflicts:
docs/firmware-design.md
plat/fvp/bl31_plat_setup.c
Change-Id: Ib584ad7ed069707ac04cf86717f836136ad3ab54
This patch reworks the console driver to ensure that each bootloader stage
initializes it independently. As a result, both BL3-1 and BL2 platform code
now calls console_init() instead of relying on BL1 to perform console setup
FixesARM-software/tf-issues#120
Change-Id: Ic4d66e0375e40a2fc7434afcabc8bbb4715c14ab
This patch implements ARM Standard Service as a runtime service and adds
support for call count, UID and revision information SMCs. The existing
PSCI implementation is subsumed by the Standard Service calls and all
PSCI calls are therefore dispatched by the Standard Service to the PSCI
handler.
At present, PSCI is the only specification under Standard Service. Thus
call count returns the number of PSCI calls implemented. As this is the
initial implementation, a revision number of 0.1 is returned for call
revision.
FixesARM-software/tf-issues#62
Change-Id: I6d4273f72ad6502636efa0f872e288b191a64bc1
At present, bl1_arch_setup() and bl31_arch_setup() program the counter
frequency using a value from the memory mapped generic timer. The
generic timer however is not necessarily present on all ARM systems
(although it is architected to be present on all server systems).
This patch moves the timer setup to platform-specific code and updates
the relevant documentation. Also, CNTR.FCREQ is set as the specification
requires the bit corresponding to the counter's frequency to be set when
enabling. Since we intend to use the base frequency, set bit 8.
FixesARM-software/tf-issues#24
Change-Id: I32c52cf882253e01f49056f47c58c23e6f422652
If a platform doesn't specify a BLx_SOURCE variable, then building
of the corresponding bootloader isn't attempted. Also allow BL3-3 to
be omitted from the FIP.
Note, this change also removes support for PLAT=all and the 'fip' target
from the 'all' recipe.
FixesARM-software/tf-issues#30
Change-Id: Ibdfead0440256eaf364617ecff65290ca6fe6240
Signed-off-by: Jon Medhurst <tixy@linaro.org>
Update the readme.md and change-log.md with release information.
Also, remove the "Detailed changes since last release" section of
the change-log.md since the same information can be found in the
GIT commit messages. FixesARM-software/tf-issues#22.
Change-Id: I968cc8aaf588aa5c34ba8f1c12a5b797a46e04f5
Consolidate firmware-design.md and porting-guide.pm so
that recently added sections fit better with
pre-existing sections. Make the documentation more
consistent in use of terminology.
Change-Id: Id87050b096122fbd845189dc2fe1cd17c3003468
1. Add design information on EL3 runtime services and
Secure-EL1 Payload Dispatchers (SPD) to
firmware-design.md.
2. Create new EL3 runtime service writer's guide
(rt-svc-writers-guide.md) to ease creation of new
runtime services.
Change-Id: I670aeb5fc246e25c6e599a15139aac886a0074fd
Move the firmware design documentation out of user-guide.md
and into a new file - firmware-design.md. Reformat the
section headers.
Change-Id: I664815dd47011c7c1cf2202aa4472a8fd78ebb92
1. Update user-guide.md with the latest versions of dependent
components required by the tested configurations of ARM Trusted
Firmware. This includes the tested versions of Fixed Virtual
Platforms (FVPs), toolchain, EFI Development Kit 2(EDK2),
Linux kernel and Linux file system.
2. Remove the instructions to configure the Cortex Base FVP
with the legacy GICv2 memory map as this is no longer supported
since version 5.3 of the Base FVPs.
3. General tidyup of "Using the software" section.
Change-Id: If8264cd29036b59dc5ff435b5f8b1d072dd36ef0
The UART used to be initialised in bl1_platform_setup(). This is too
late because there are some calls to the assert() macro, which needs
to print some messages on the console, before that.
This patch moves the UART initialisation code to
bl1_early_platform_setup().
FixesARM-software/tf-issues#49
Change-Id: I98c83a803866372806d2a9c2e1ed80f2ef5b3bcc
This patch adds the following support to the BL3-1 stage:
1. BL3-1 allows runtime services to specify and determine the security
state of the next image after BL3-1. This has been done by adding
the `bl31_set_next_image_type()` & `bl31_get_next_image_type()`
apis. The default security state is non-secure. The platform api
`bl31_get_next_image_info()` has been modified to let the platform
decide which is the next image in the desired security state.
2. BL3-1 exports the `bl31_prepare_next_image_entry()` function to
program entry into the target security state. It uses the apis
introduced in 1. to do so.
3. BL3-1 reads the information populated by BL2 about the BL3-2 image
into its internal data structures.
4. BL3-1 introduces a weakly defined reference `bl32_init()` to allow
initialisation of a BL3-2 image. A runtime service like the Secure
payload dispatcher will define this function if present.
Change-Id: Icc46dcdb9e475ce6575dd3f9a5dc7a48a83d21d1
This patch adds support for loading a BL3-2 image in BL2. In case a
BL3-2 image is found, it also passes information to BL3-1 about where it
is located and the extents of memory available to it. Information about
memory extents is populated by platform specific code.
The documentation has also been updated to reflect the above changes.
Change-Id: I526b2efb80babebab1318f2b02e319a86d6758b0
Co-authored-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
This patch reworks BL2 to BL3-1 hand over interface by introducing a
composite structure (bl31_args) that holds the superset of information
that needs to be passed from BL2 to BL3-1.
- The extents of secure memory available to BL3-1
- The extents of memory available to BL3-2 (not yet implemented) and
BL3-3
- Information to execute BL3-2 (not yet implemented) and BL3-3 images
This patch also introduces a new platform API (bl2_get_bl31_args_ptr)
that needs to be implemented by the platform code to export reference to
bl31_args structure which has been allocated in platform-defined memory.
The platform will initialize the extents of memory available to BL3-3
during early platform setup in bl31_args structure. This obviates the
need for bl2_get_ns_mem_layout platform API.
BL2 calls the bl2_get_bl31_args_ptr function to get a reference to
bl31_args structure. It uses the 'bl33_meminfo' field of this structure
to load the BL3-3 image. It sets the entry point information for the
BL3-3 image in the 'bl33_image_info' field of this structure. The
reference to this structure is passed to the BL3-1 image.
Also fixes issue ARM-software/tf-issues#25
Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517
New phony Makefile targets have been added:
* checkcodebase
* checkpatch
The checkcodebase target will run a Linux style compliance check over the
entire codebase, and honours the V=1 Makefile verbose setting and so will
show more information when this is enabled.
If the local directory is a git checkout then the output of git ls-files is
used to decide which files to test for compliance. If the local directory
is not under git control then a 'best attempt' is made, but in this case it
should be noted that it is possible for additional non-codebase files to be
tested, so care should be taken when parsing the output.
The checkpatch target will compare local changes against the git origin/master
to allow issues with the last set of changes to be identified. To override
the change comparision location, set the BASE_COMMIT variable to your
desired git branch.
Both targets rely on the Linux source tree script checkpatch.pl to do the
syntax checking, and expects that the CHECKPATCH environment variable points
to the location of this file.
Notes on the usage of these targets have been added to the contributing.md
and docs/user-guide.md text files.
Change-Id: I6d73c97af578e24a34226d972afadab9d30f1d8d
The psci implementation does not track target affinity level requests
specified during cpu_suspend calls correctly as per the following
example.
1. cpu0.cluster0 calls cpu_suspend with the target affinity level as 0
2. Only the cpu0.cluster0 is powered down while cluster0 remains
powered up
3. cpu1.cluster0 calls cpu_off to power itself down to highest
possible affinity level
4. cluster0 will be powered off even though cpu0.cluster0 does not
allow cluster shutdown
This patch introduces reference counts at affinity levels > 0 to track
the number of cpus which want an affinity instance at level X to
remain powered up. This instance can be turned off only if its
reference count is 0. Cpus still undergo the normal state transitions
(ON, OFF, ON_PENDING, SUSPEND) but the higher levels can only be
either ON or OFF depending upon their reference count.
The above issue is thus fixed as follows:
1. cluster0's reference count is incremented by two when cpu0 and cpu1
are initially powered on.
2. cpu0.cluster0 calls cpu_suspend with the target affinity level as
0. This does not affect the cluster0 reference count.
3. Only the cpu0.cluster0 is powered down while cluster0 remains
powered up as it has a non-zero reference count.
4. cpu1.cluster0 call cpu_off to power itself down to highest possible
affinity level. This decrements the cluster0 reference count.
5. cluster0 is still not powered off since its reference count will at
least be 1 due to the restriction placed by cpu0.
Change-Id: I433dfe82b946f5f6985b1602c2de87800504f7a9
The FVP platform has a few filenames that begin with fvp_. These are
renamed to plat_ to make it easier to use the FVP port as a template.
Change-Id: I601e6256d5ef3bae81a2e1f5df6de56db5b27069
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
Move all explicit platform or architecture specific references
into a new platform.mk file that is defined for each platform.
Change-Id: I9d6320d1ba957e0cc8d9b316b3578132331fa428
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
The GICv3 distributor can have more ports than CPUs are available in
the system. Probe all re-distributors and use the matching affinity
levels as specified by each core and re-distributor to decide which
re-distributor to use with which CPU core.
If a core cannot be matched with a re-distributor, the core panics and
is placed in an endless loop.
Change-Id: Ie393cfe07c7449a2383959e3c968664882e18afc
Traps when accessing architectural features are disabled by clearing bits
in CPTR_EL3 during early boot, including accesses to floating point
registers. The value of this register was previously undetermined, causing
unwanted traps to EL3. Future EL3 code (for example, context save/restore
code) may use floating point registers, although they are not used by current
code.
Also, the '-mgeneral-regs-only' flag is enabled in the GCC settings to
prevent generation of code that uses floating point registers.
Change-Id: I9a03675f6387bbbee81a6f2c9ccf81150db03747
In order to reduce the software dependency on the compiler, the project
is now compiled with the '-ffreestanding' flag. This is to prevent GCC
from replacing functions with more optimised versions. An example is
where GCC replaces a simple printf() with a puts().
Change-Id: I1973fe6957cd708e8432a0039af9d50e037bd884
- Update porting guide to describe where files live and how to get
FreeBSD source code.
- Update change-log to describe relocation and new functions.
Change-Id: Id8f30cc7bafdd1064b3a5c5aae958c5aa3fb79f3
Platform setup code has to reserve some memory for storing the
memory layout information. It is populated in early platform setup
code.
blx_get_sec_mem_layout() functions used to return a copy of this
structure. This patch modifies blx_get_sec_mem_layout() functions
so that they now directly return a pointer to their memory layout
structure. It ensures that the memory layout returned by
blx_get_sec_mem_layout() is always up-to-date and also avoids a
useless copy of the meminfo structure.
Also rename blx_get_sec_mem_layout() to blx_plat_sec_mem_layout()
to make it clear those functions are platform specific.
Change-Id: Ic7a6f9d6b6236b14865ab48a9f5eff545ce56551
This patch makes changes to the documents to reflect the current
state of play of the psci cpu_suspend function.
Change-Id: I086509fb75111b6e9f93b7f6dbcd33cc4591b9f3
In fvp_affinst_on/suspend, the non-secure entrypoint is always
expected to lie in the DRAM. This check will not be valid if
non-secure code executes directly out of flash e.g. a baremetal
test. This patch removes this check.
Change-Id: I0436e1138fc394aae8ff1ea59ebe38b46a440b61
In the previous psci implementation, the psci_afflvl_power_on_finish()
function would run into an error condition if the value of the context
id parameter in the cpu_on and cpu_suspend psci calls was != 0. The
parameter was being restored as the return value of the affinity level
0 finisher function. A non zero context id would be treated as an
error condition. This would prevent successful wake up of the cpu from
a power down state. Also, the contents of the general purpose
registers were not being cleared upon return to the non-secure world
after a cpu power up. This could potentially allow the non-secure
world to view secure data.
This patch ensures that all general purpose registers are set to ~0
prior to the final eret that drops the execution to the non-secure
world. The context id is used to initialize the general purpose
register x0 prior to re-entry into the non-secure world and is no
longer restored as a function return value. A platform helper
(platform_get_stack()) has been introduced to facilitate this change.
Change-Id: I2454911ffd75705d6aa8609a5d250d9b26fa097c
This patch fixes the following constant values in the psci.h:
1. The affinity level shift value in the power_state parameter of the
cpu_suspend psci call. The previous value was preventing shutdown
of the affinity level 1.
2. The values used for affinity state constants (ON, OFF,
ON_PENDING). They did not match the values expected to be returned
by the affinity_info psci api as mentioned in the spec.
3. The state id shift value in the power_state parameter of the
cpu_suspend psci call.
Change-Id: I62ed5eb0e9640b4aa97b93923d6630e6b877a097
The FVP specific code that gets called after a cpu has been physically
powered on after having been turned off or suspended earlier does not
clear the PWRC.PWKUPR.WEN bit. Not doing so causes problems if: a cpu
is suspended, woken from suspend, powered down through a cpu_off call
& receives a spurious interrupt. Since the WEN bit is not cleared
after the cpu woke up from suspend, the spurious wakeup will power the
cpu on. Since the cpu_off call clears the jump address in the mailbox
this spurious wakeup will cause the cpu to crash.
This patch fixes this issue by clearing the WEN bit whenever a cpu is
powered up.
Change-Id: Ic91f5dffe1ed01d76bc7fc807acf0ecd3e38ce5b
- Add instructions for contributing to ARM Trusted Firmware.
- Update copyright text in all files to acknowledge contributors.
Change-Id: I9311aac81b00c6c167d2f8c889aea403b84450e5
This patch updates the user guide section about the memory layout.
- Explain the verifications that the linker scripts does on the
global memory layout.
- Refer to the new linker symbols.
- Describe the linker symbols exported to the trusted firmware code.
Change-Id: I033ab2b867e8b9776deb4185b9986bcb8218f286
A single binary can be compiled using a command such as:
make CROSS_COMPILE=aarch64-none-elf- bl1
Also make use of brackets consistent in the Makefile.
Change-Id: I2180fdb473411ef7cffe39670a7b2de82def812e
- Large RAM-disks may have trouble starting with 2GB of memory.
- Increase from 2GB to 4GB in FDT.
Change-Id: I12c1b8e5db41114b88c69c48621cb21247a6a6a7
Any asynchronous exception caused by the firmware should be handled
in the firmware itself. For this reason, unmask SError exceptions
(and Debug ones as well) on all boot paths. Also route external
abort and SError interrupts to EL3, otherwise they will target EL1.
Change-Id: I9c191d2d0dcfef85f265641c8460dfbb4d112092
Global and static variables are expected to be initialised to zero
by default. This is specified by the C99 standard. This patch
removes some unnecessary initialisations of such variables.
It fixes a compilation warning at the same time:
plat/fvp/bl31_plat_setup.c:82:3: warning: missing braces around
initializer [-Wmissing-braces]
section("tzfw_coherent_mem"))) = {0};
^
plat/fvp/bl31_plat_setup.c:82:3: warning: (near initialization for
‘ns_entry_info[0]’) [-Wmissing-braces]
Note that GCC should not have emitted this warning message in the
first place. The C Standard permits braces to be elided around
subaggregate initializers. See this GCC bug report:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53119
Change-Id: I13cb0c344feb9803bca8819f976377741fa6bc35
Harry Liebel
Jeenu Viswambharan
Soby Mathew
Andrew Thoelke
Sandrine Bailleux
Vikram Kanigiri
Jon Medhurst
Dan Handley
Achin Gupta
Ian Spray
Ryan Harkin
James Morrissey