An earlier patch extended ehf_allow_ns_preemption() API to also register
an error code to offer to Non-secure when a Yielding SMC is preempted by
SDEI interrupt. In TSPD's case, register the error code TSP_PREEMPTED.
Change-Id: I31992b6651f80694e83bc5092b044ef7a3eda690
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, the build option TSP_NS_INTR_ASYNC_PREEMPT controls how
Non-secure interrupt affects TSPs execution. When TSP is executing:
1. When TSP_NS_INTR_ASYNC_PREEMPT=0, Non-secure interrupts are received
at the TSP's exception vector, and TSP voluntarily preempts itself.
2. When TSP_NS_INTR_ASYNC_PREEMPT=1, Non-secure interrupts causes a
trap to EL3, which preempts TSP execution.
When EL3 exception handling is in place (i.e.,
EL3_EXCEPTION_HANDLING=1), FIQs are always trapped to EL3. On a system
with GICv3, pending NS interrupts while TSP is executing will be
signalled as FIQ (which traps to EL3). This situation necessitates the
same treatment applied to case (2) above.
Therefore, when EL3 exception handling is in place, additionally
require that TSP_NS_INTR_ASYNC_PREEMPT is set to one 1.
Strictly speaking, this is not required on a system with GICv2, but the
same model is uniformly followed regardless, for simplicity.
Relevant documentation updated.
Change-Id: I928a8ed081fb0ac96e8b1dfe9375c98384da1ccd
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
When EL3 exception handling is in effect (i.e.,
EL3_EXCEPTION_HANDLING=1), Non-secure interrupts can't preempt Secure
execution. However, for yielding SMCs, preemption by Non-secure
interupts is intended.
This patch therefore adds a call to ehf_allow_ns_preemption() before
dispatching a Yielding SMC to TSP.
Change-Id: Ia3a1ae252f3adc0f14e6d7e0502f251bdb349bdf
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Add off/on argument to SMC_FC_CPU_SUSPEND SMC_FC_CPU_RESUME and pass
1 when called from the cpu on/off hooks.
Change-Id: Ie233c446fd38b3ff8546e445a8d86a15d2816093
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The secure physical timer is inacessible from 32-bit S-EL1 (when EL3
is 64-bit) so trusty will use the non-secure physical timer in this
case. Linux will use the virtual timer instead of the physical timer
when started in EL1.
Change-Id: Ie49348d9a27e5287676dd4a77f678ecbd6c2309f
Signed-off-by: Arve Hjønnevåg <arve@android.com>
The original patch has been partly merged. This adds the missing
pieces.
Change-Id: I77fd434feab396ff05d9b8e0c1761e4dd588a701
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Add smc calls to return gic base address and print to the debug
console. Allows running a generic trusty binary.
Change-Id: I4b6540f140f11432cdff43c3f5a2097df09dc9d1
Signed-off-by: Arve Hjønnevåg <arve@android.com>
This patch adds support to receive function ID with NS world's
memory ranges to provide the memory snapshot to TLK.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
A line in the upstream SPDs is only compiled in in `DEBUG` builds. This
line is used to help with assertions and so assertion failures can
happen in release builds with assertions enabled. Use
`ENABLE_ASSERTIONS` instead of `DEBUG`.
This bug was introduced in commit aa61368eb5, which introduced the build
option `ENABLE_ASSERTIONS`.
Change-Id: I7977df9c89c68677b00099b2a1926fa3cb0937c6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Currently, Trusty OS/LK implemented FPU context switch in internal
thread switch but does not implement the proper mechanism for world
switch. This commit just simply saves/restores FPU registes in world
switch to prevent FPU context from being currupted when Trusty OS uses
VFP in its applications.
It should be noted that the macro *CTX_INCLUDE_FPREGS* must be defined
in trusty.mk if Trusty OS uses VFP
Signed-off-by: Aijun Sun <aijun.sun@spreadtrum.com>
Pass device tree pointer to OP-TEE in x2. bl2 is expected to fill in the
device tree pointer in args.arg3. Passing 0 means that device tree is
unavailable.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
ARM TF need transfer information about pageable image load address
and memory limit to OPTEE. OPTEE will relocate the pageable image
to where it's needed.
The legacy OP-TEE images that do not include header information
are not affected.
Change-Id: Id057efbbc894de7c36b2209b391febea4729c455
Signed-off-by: Edison Ai <edison.ai@arm.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch enables the 'sign-compare' flag, to enable warning/errors
for comparisons between signed/unsigned variables. The warning has
been enabled for all the Tegra platforms, to start with.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd
A previous patch introduced a new define for yielding SMC call type.
This patch updates the secure payload dispatchers (except the TSPD) to
use this new define and also migrates the code to use the new
terminology.
Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf
Signed-off-by: David Cunado <david.cunado@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
This patch adds a new define for yielding SMC call type and deprecates
the current standard SMC call type. The tsp is migrated to use this new
terminology and, additionally, the documentation and code comments are
updated to use this new terminology.
Change-Id: I0d7cc0224667ee6c050af976745f18c55906a793
Signed-off-by: David Cunado <david.cunado@arm.com>
SMC_RET0 should only be used when the SMC code works as a function that
returns void. If the code of the SMC uses SMC_RET1 to return a value to
signify success and doesn't return anything in case of an error (or the
other way around) SMC_RET1 should always be used to return clearly
identifiable values.
This patch fixes two cases in which the code used SMC_RET0 instead of
SMC_RET1.
It also introduces the define SMC_OK to use when an SMC must return a
value to tell that it succeeded, the same way as SMC_UNK is used in case
of failure.
Change-Id: Ie4278b51559e4262aced13bbde4e844023270582
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch removes support for running Trusty in the AARCH32 mode as
all platforms use it in only AARCH64 mode.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch uses the stack end to start saving the CPU context
during world switch. The previous logic, used the stack start
to save the context, thus overwriting the other members of the
context.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
If Trusty is not running on the device, then Verified Boot is
not supported and the NS layer will fail gracefully later during
boot. This patch just returns success for the case when Trusty is
not running on the device and the bootloader issues SET_ROT_PARAMS
call during boot, so that we can at least boot non-Android images.
Change-Id: I40fc249983df80fb8cc5be5e4ce94c99d5b5f17d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch checks if standard SMC calls, meant for TLK, are issued
only on the boot CPU. TLK is UP Trusted OS stack and so we need this
check to avoid the NS world calling into TLK from any other CPU.
The previous check tied TLK to CPU0, but the boot CPU can be other
than CPU0 in some scenarios.
Change-Id: I75eaafa32471ce19e9920433c2f97b6b5fc02d86
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch passes the boot parameters, provided by the previous
bootloader, to the Trusted OS via X0, X1 and X2.
Original change by: Wayne Lin <wlin@nvidia.com>
Change-Id: I2039612a8a8226158babfd505ce8c31c4212319c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
In multi-guest trusty environment, all guest's SMCs will be
forwarded to Trusty. This change only allows 1 guest's SMC
to be forwarded at a time and returns 'busy' status to all
other requests.
Change-Id: I2144467d11e3680e28ec816adeec2766bca114d4
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
According to the ARM DEN0028A spec, hypervisor ID(VMID) should be stored
in x7 (or w7). This patch gets this value from the context and passes it
to Trusty. In order to do so, introduce new macros to pass five to eight
parameters to the Trusted OS.
Change-Id: I101cf45d0712e1e880466b2274f9a48af755c9fa
Signed-off-by: Anthony Zhou <anzhou@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch uses the OEN_TAP_START aperture for all the standard
calls being passed to Trusty.
Change-Id: Id78d01c7f48e4f54855600d7c789ffbfb898c541
Signed-off-by: Amith <aramachan@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
ABORT SMC used to return to the previously executing world, which
happened to be S-EL1 as it calls a TSP handler using synchronous entry
into the TSP.
Now properly save and restore the non-secure context (including system
registers) and return to non-secure world as it should.
fixesARM-Software/tf-issues#453
Change-Id: Ie40c79ca2636ab8b6b2ab3106e8f49e0f9117f5f
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Replace all use of memset by zeromem when zeroing moderately-sized
structure by applying the following transformation:
memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
As the Trusted Firmware is compiled with -ffreestanding, it forbids the
compiler from using __builtin_memset and forces it to generate calls to
the slow memset implementation. Zeromem is a near drop in replacement
for this use case, with a more efficient implementation on both AArch32
and AArch64.
Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
With GCC 6.2 compiler, more C undefined behaviour is being flagged as
warnings, which result in build errors in ARM TF build.
The specific issue that this patch resolves is the use of (1 << 31),
which is predominantly used in case statements, where 1 is represented
as a signed int. When shifted to msb the behaviour is undefined.
The resolution is to specify 1 as an unsigned int using a convenience
macro ULL(). A duplicate macro MAKE_ULL() is replaced.
FixesARM-software/tf-issues#438
Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
Signed-off-by: David Cunado <david.cunado@arm.com>
Standard SMC requests that are handled in the secure-world by the Secure
Payload can be preempted by interrupts that must be handled in the
normal world. When the TSP is preempted the secure context is stored and
control is passed to the normal world to handle the non-secure
interrupt. Once completed the preempted secure context is restored. When
restoring the preempted context, the dispatcher assumes that the TSP
preempted context is still stored as the SECURE context by the context
management library.
However, PSCI power management operations causes synchronous entry into
TSP. This overwrites the preempted SECURE context in the context
management library. When restoring back the SECURE context, the Secure
Payload crashes because this context is not the preempted context
anymore.
This patch avoids corruption of the preempted SECURE context by aborting
any preempted SMC during PSCI power management calls. The
abort_std_smc_entry hook of the TSP is called when aborting the SMC
request.
It also exposes this feature as a FAST SMC callable from normal world to
abort preempted SMC with FID TSP_FID_ABORT.
Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Add a debug assertion in the initialization function of Trusty's SPD
to check for the presence of Trusty. If Trusty is absent then the SPD's
setup function already detects it and returns an error code so the init
function will never been called. Therefore, a debug assertion is enough
to catch this improbable error case.
Change-Id: Id20013e9291cdeef7827b919de2a22455f6cd9f9
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch fixes the following coding style error reported
by the checkpatch.pl script:
Bad function definition - void el3_exit() should probably
be void el3_exit(void)
There is another one but it's a false positive so there's no
point in fixing it:
space prohibited after that '&' (ctx:WxW)
+#define SMC_NR(entity, fn, fastcall, smc64) ((((fastcall) & 0x1) << 31) | \
^
Change-Id: I34de0337c7216dabd16395879f13845a60ee6df0
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
In release builds, the Trusty SPD fails to build because of an unused
variable. Note that this warning message doesn't show in debug builds
because INFO() messages are not compiled out like in release mode.
This patch fixes this issue by removing this variable and using its
value in place directly in the INFO() macro call.
Change-Id: I1f552421181a09412315eef4eaca586012022018
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch adds the secure payload dispatcher for interacting
with Google's Trusty TEE. Documentation for Trusty can be found
at https://source.android.com/security/trusty
Original authors:
-----------------
* Arve Hjønnevåg <arve@android.com>
* Michael Ryleev <gmar@google.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
OPTEE to execute in aarch64 bit mode, set it accordingly
when execution transitions from EL3 to EL1
Change-Id: I59f2f940bdc1aac10543045b006a137d107ec95f
Signed-off-by: Ashutosh Singh <ashutosh.singh@arm.com>
In new communication protocol between optee os and linux driver,
r0-r6 registers are used. opteed need to copy these registers
as well when optee context registers are initialized.
Change-Id: Ifb47b73f847c61746cb58ea78411c1c71f208030
Signed-off-by: Ashutosh Singh <ashutosh.singh@arm.com>
Earlier the TSP only ever expected to be preempted during Standard SMC
processing. If a S-EL1 interrupt triggered while in the normal world, it
will routed to S-EL1 `synchronously` for handling. The `synchronous` S-EL1
interrupt handler `tsp_sel1_intr_entry` used to panic if this S-EL1 interrupt
was preempted by another higher priority pending interrupt which should be
handled in EL3 e.g. Group0 interrupt in GICv3.
With this patch, the `tsp_sel1_intr_entry` now expects `TSP_PREEMPTED` as the
return code from the `tsp_common_int_handler` in addition to 0 (interrupt
successfully handled) and in both cases it issues an SMC with id
`TSP_HANDLED_S_EL1_INTR`. The TSPD switches the context and returns back
to normal world. In case a higher priority EL3 interrupt was pending, the
execution will be routed to EL3 where interrupt will be handled. On return
back to normal world, the pending S-EL1 interrupt which was preempted will
get routed to S-EL1 to be handled `synchronously` via `tsp_sel1_intr_entry`.
Change-Id: I2087c7fedb37746fbd9200cdda9b6dba93e16201
On a GICv2 system, interrupts that should be handled in the secure world are
typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
as IRQs instead. The mechanism for handling both types of interrupts is the same
in both cases. This patch enables the TSP to run on a GICv3 system by:
1. adding support for handling IRQs in the exception handling code.
2. removing use of "fiq" in the names of data structures, macros and functions.
The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
former build flag is defined, it will be used to define the value for the
new build flag. The documentation is also updated accordingly.
Change-Id: I1807d371f41c3656322dd259340a57649833065e
The TSP is expected to pass control back to EL3 if it gets preempted due to
an interrupt while handling a Standard SMC in the following scenarios:
1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
timer interrupt or is preempted by a higher priority interrupt by the time
the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
the TSP Secure Timer is expected to generate FIQ.
2. An IRQ preempts Standard SMC execution and in this case the TSP issues
an SMC with the ID as `TSP_PREEMPTED`.
In both the cases, the TSPD hands control back to the normal world and returns
returns an error code to the normal world to indicate that the standard SMC it
had issued has been preempted but not completed.
This patch unifies the handling of these two cases in the TSPD and ensures that
the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
returned as error code back to the normal world.
Background information: On a GICv3 system, when the secure world has affinity
routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both case, the
TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
will be handled. This allows for unified interrupt handling in TSP for both
GICv3 and GICv2 systems.
Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4
The IMF_READ_INTERRUPT_ID build option enables a feature where the interrupt
ID of the highest priority pending interrupt is passed as a parameter to the
interrupt handler registered for that type of interrupt. This additional read
of highest pending interrupt id from GIC is problematic as it is possible that
the original interrupt may get deasserted and another interrupt of different
type maybe become the highest pending interrupt. Hence it is safer to prevent
such behaviour by removing the IMF_READ_INTERRUPT_ID build option.
The `id` parameter of the interrupt handler `interrupt_type_handler_t` is
now made a reserved parameter with this patch. It will always contain
INTR_ID_UNAVAILABLE.
FixesARM-software/tf-issues#307
Change-Id: I2173aae1dd37edad7ba6bdfb1a99868635fa34de
TLK sends the "preempted" event to the NS world along with an
identifier for certain use cases. The NS world driver is then
expected to take appropriate action depending on the identifier
value. Upon completion, the NS world driver then sends the
results to TLK (via x1-x3) with the TLK_RESUME_FID function ID.
This patch uses the already present code to pass the results
from the NS world to TLK for the TLK_RESUME_FID function ID.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This patch adds PM handlers to TLKD for the system suspend/resume and
system poweroff/reset cases. TLK expects all SMCs through a single
handler, which then fork out into multiple handlers depending on the
SMC. We tap into the same single entrypoint by restoring the S-EL1
context before passing the PM event via register 'x0'. On completion
of the PM event, TLK sends a completion SMC and TLKD then moves on
with the PM process.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
In certain Trusted OS implementations it is a requirement to pass them the
highest power level which will enter a power down state during a PSCI
CPU_SUSPEND or SYSTEM_SUSPEND API invocation. This patch passes this power level
to the SPD in the "max_off_pwrlvl" parameter of the svc_suspend() hook.
Currently, the highest power level which was requested to be placed in a low
power state (retention or power down) is passed to the SPD svc_suspend_finish()
hook. This hook is called after emerging from the low power state. It is more
useful to pass the highest power level which was powered down instead. This
patch does this by changing the semantics of the parameter passed to an SPD's
svc_suspend_finish() hook. The name of the parameter has been changed from
"suspend_level" to "max_off_pwrlvl" as well. Same changes have been made to the
parameter passed to the tsp_cpu_resume_main() function.
NOTE: THIS PATCH CHANGES THE SEMANTICS OF THE EXISTING "svc_suspend_finish()"
API BETWEEN THE PSCI AND SPD/SP IMPLEMENTATIONS. THE LATTER MIGHT NEED
UPDATES TO ENSURE CORRECT BEHAVIOUR.
Change-Id: If3a9d39b13119bbb6281f508a91f78a2f46a8b90
The new PSCI frameworks mandates that the platform APIs and the various
frameworks in Trusted Firmware migrate away from MPIDR based core
identification to one based on core index. Deprecated versions of the old
APIs are still present to provide compatibility but their implementations
are not optimal. This patch migrates the various SPDs exisiting within
Trusted Firmware tree and TSP to the new APIs.
Change-Id: Ifc37e7071c5769b5ded21d0b6a071c8c4cab7836
Remove the 'NEED_BL32' flag from the makefile. TLK compiles using a
completely different build system and is present on the device as a
binary blob. The NEED_BL32 flag does not influence the TLK load/boot
sequence at all. Moreover, it expects that TLK binary be present on
the host before we can compile BL31 support for Tegra.
This patch removes the flag from the makefile and thus decouples both
the build systems.
Tested by booting TLK without the NEED_BL32 flag.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Arve Hjønnevåg
Jeenu Viswambharan
Varun Wadekar
Antonio Nino Diaz
Aijun Sun
Jens Wiklander
Edison Ai
Isla Mitchell
David Cunado
dp-arm
Wayne Lin
Anthony Zhou
Amith
Douglas Raillard
Sandrine Bailleux
Ashutosh Singh
Soby Mathew
Achin Gupta