The toolchain refactor change introduces the `${toolchain}-${tool}-id`
variables, which provide identifiers for all of the toolchain tools used
by the build system. This change replaces the various conditions that
are in use to identify these tools based on the path with a standard set
of comparisons against these new identifier variables.
Change-Id: Ib60e592359fa6e415c19a012e68d660f87436ca7
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change migrates the values of `CC`, `CPP`, `AS` and other toolchain
variables to the new `$(toolchain)-$(tool)` variables, which were
introduced by the toolchain refactor patch. These variables should be
equivalent to the values that they're replacing.
Change-Id: I644fe4ce82ef1894bed129ddb4b6ab94fb04985d
Signed-off-by: Chris Kay <chris.kay@arm.com>
Linker may decide to put new unspecified sections before .text
section. That will cause non-working image, because entry point isn't
at __BLXX_START__. Device just not booted with such image.
This happened for example with .note.gnu.build-id section generated
for LTO build in some cases. Now linker will report this situation as
an error.
```
/usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/bin/ld: .text is not aligned on a page boundary.
collect2: error: ld returned 1 exit status
```
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Change-Id: I5ae46ddd1e6e431e1df1715d1d301f6dd7181cc7
When ENABLE_RUNTIME_INSTRUMENTATION flag is set timestamps are captured
and output to the fvp console at various boot stages using the PMF
library (which are based on aarch timers).
Timestamps are captured at entry and exit points for Bl1, Bl2
and, Bl3 respectively.
Change-Id: I7c0c502e5dbf73d711700b2fe0085ca3eb9346d2
Signed-off-by: Thaddeus Serna <Thaddeus.Gonzalez-Serna@arm.com>
The FEAT_MTPMU feature disable runs very early after reset. This means,
it needs to be written in assembly, since the C runtime has not been
initialised yet.
However, there is no need for it to be initialised so soon. The PMU
state is only relevant after TF-A has relinquished control. The code
to do this is also very verbose and difficult to read. Delaying the
initialisation allows for it to happen with the rest of the PMU. Align
with FEAT_STATE in the process.
BREAKING CHANGE: This patch explicitly breaks the EL2 entry path. It is
currently unsupported.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I2aa659d026fbdb75152469f6d19812ece3488c6f
Add symbols to mark end of TEXT/RODATA before page alignment.
Similar change was done by commit 8d69a03f6a ("Various
improvements/cleanups on the linker scripts") for
RO_END/COHERENT_RAM. These symbols help to know how much free
space is in the final binary because of page alignment.
Also show all *UNALIGNED__ symbols via poetry.
For example:
poetry run memory -p zynqmp -b debug
Change-Id: I322beba37dad76be9f4e88ca7e5b3eff2df7d96e
Signed-off-by: Michal Simek <michal.simek@amd.com>
The function is called in a fully initialised C environment and calls
into other C functions. The Aarch differences are minimal and are hidden
by the pre-existing headers. Converting it results into cleaner code
that is the same across both Aarch64 and Aarch32.
To avoid having to do very ugly pointer arithmetic, define a C struct
for the cpu_ops for both Aarch64 and Aarch32.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Idc07c4064e03143c88a4a0e2d10ceda70ba19a50
Add symbols for mapping the physical memory layout of BL2. There are
symbols that partially satisfy this requirement, however, the naming of
these is inconsistent.
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Change-Id: I83ce5e3f5c45b71022279649f823ed0cb33a145d
Both bl2_main and bl2_run_next_image call pauth_disable_el3. However,
bl2_main is the only caller of bl2_run_next_image so it doesn't need to
call it
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I91769b2994ad643d2259c211936dbac4ef010d25
This change forces LD to sort all input sections by alignment when
allocating them within an output section. This is done in some places
explicitly in the linker scripts today, but this makes sure we don't
miss any easy targets.
Change-Id: Id70be2a5399c4c75fcf2a736cab0991d20a6b863
Signed-off-by: Chris Kay <chris.kay@arm.com>
BL2_AT_EL3 is an overloaded macro which has two uses:
1. When BL2 is entry point into TF-A(no BL1)
2. When BL2 is running at EL3 exception level
These two scenarios are not exactly same even though first implicitly
means second to be true. To distinguish between these two use cases we
introduce new macros.
BL2_AT_EL3 is renamed to RESET_TO_BL2 to better convey both 1. and 2.
Additional macro BL2_RUNS_AT_EL3 is added to cover all scenarious where
BL2 runs at EL3 (including four world systems).
BREAKING CHANGE: BL2_AT_EL3 renamed to RESET_TO_BL2 across the
repository.
Change-Id: I477e1d0f843b44b799c216670e028fcb3509fb72
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Signed-off-by: Maksims Svecovs <maksims.svecovs@arm.com>
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
The following build system variables have been renamed:
- `LINKERFILE` -> `DEFAULT_LINKER_SCRIPT`
- `BL_LINKERFILE` -> `DEFAULT_LINKER_SCRIPT_SOURCE`
- `<IMAGE>_LINKERFILE` -> `<IMAGE>_DEFAULT_LINKER_SCRIPT_SOURCE`
These new names better reflect how each variable is used:
1. the default linker script is passed via `-dT` instead of `-T`
2. linker script source files are first preprocessed
Additionally, linker scripts are now placed in the build directory
relative to where they exist in the source directory. For example,
the `bl32/sp_min/sp_min.ld.S` would now preprocess to
`sp_min/sp_min.ld` instead of just `bl32.ld`
BREAKING-CHANGE: The `LINKERFILE`, `BL_LINKERFILE` and
`<IMAGE_LINKERFILE>` build system variables have been renamed. See the
commit message for more information.
Change-Id: If8cef65dcb8820e8993736702c8741e97a66e6cc
Signed-off-by: Chris Kay <chris.kay@arm.com>
There are a variety of code styles used by the various linker scripts
around the code-base. This change brings them in line with one another
and attempts to make the scripts more friendly for skim-readers.
Change-Id: Ibee2afad0d543129c9ba5a8a22e3ec17d77e36ea
Signed-off-by: Chris Kay <chris.kay@arm.com>
Use four spaces for indentation to maintain a consistent style. This
attempts to make the linker scripts more friendly for readers.
Signed-off-by: Jorge Troncoso <jatron@google.com>
Change-Id: Iaf26d3c8bd7053fd9605a64ebccdae0792a90b9e
New helper functions are created to handle data & prefetch aborts
in AARCH32. They call platform functions, just like what
report_exception is doing.
As extended MSR/MRS instructions (to access lr_abt in monitor mode)
are only available if CPU (Armv7) has virtualization extension,
the functions branch to original report_exception handlers if this is
not the case.
Those new helpers are created mainly to distinguish data and prefetch
aborts, as they both share the same mode.
This adds 40 bytes of code.
Change-Id: I5dd31930344ad4e3a658f8a9d366a87a300aeb67
Signed-off-by: Yann Gautier <yann.gautier@st.com>
If BL2_IN_XIP_MEM is enabled, BL2 fails to compile because RAM_NOLOAD
symbol is not defined. As we could have a no-load region even if
BL2_IN_XIP_MEM is enabled, just put its definition outside the #if/#else
for this flag.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I9169ea799635f8a72790280f3f148d1cba4cd408
Add new options SEPARATE_BL2_NOLOAD_REGION to separate no-loadable
sections (.bss, stack, page tables) to a ram region specified
by BL2_NOLOAD_START and BL2_NOLOAD_LIMIT.
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: I844ee0fc405474af0aff978d292c826fbe0a82fd
As image_id is unsigned, we have to use %u and not %d.
This avoids warning when -Wformat-signedness is enabled.
Change-Id: I3f868f3d14c9f19349f0daa8a754179f887339c0
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Measured-Boot and Trusted-Boot are orthogonal to each other and hence
removed dependency of Trusted-Boot on Measured-Boot by making below
changes -
1. BL1 and BL2 main functions are used for initializing Crypto module
instead of the authentication module
2. Updated Crypto module registration macro for MEASURED_BOOT with only
necessary callbacks for calculating image hashes
3. The 'load_auth_image' function is now used for the image measurement
during Trusted or Non-Trusted Boot flow
Change-Id: I3570e80bae8ce8f5b58d84bd955aa43e925d9fff
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Right now, the measured boot driver is strongly coupled with the TCG
event log driver. It would not be possible to push the measurements
somewhere else, for instance to a physical TPM.
To enable this latter use case, turn the driver's init and teardown
functions into platform hooks. Call them bl2_plat_mboot_init()/finish().
This allows each platform to implement them appropriately, depending on
the type of measured boot backend they use. For example, on a platform
with a physical TPM, the plat_mboot_init() hook would startup the TPM
and setup it underlying bus (e.g. SPI).
Move the current implementation of the init and teardown function to the
FVP platform layer.
Finally move the conditional compilation logic (#if MEASURED_BOOT) out
of bl2_main() to improve its readability. Provide a dummy implementation
in the case measured boot is not included in the build.
Change-Id: Ib6474cb5a9c1e3d4a30c7f228431b22d1a6e85e3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This patch updates and refactors the GPT library and fixes bugs.
- Support all combinations of PGS, PPS, and L0GPTSZ parameters.
- PPS and PGS are set at runtime, L0GPTSZ is read from GPCCR_EL3.
- Use compiler definitions to simplify code.
- Renaming functions to better suit intended uses.
- MMU enabled before GPT APIs called.
- Add comments to make function usage more clear in GPT library.
- Added _rme suffix to file names to differentiate better from the
GPT file system code.
- Renamed gpt_defs.h to gpt_rme_private.h to better separate private
and public code.
- Renamed gpt_core.c to gpt_rme.c to better conform to TF-A precedent.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I4cbb23b0f81e697baa9fb23ba458aa3f7d1ed919
This patch introduces the Granule Protection Table (GPT)
library code. This implementation will be updated later to
be more flexible, as the current implementation is very rigid.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I3af824a28c6e9a5d36459c0c51d2d9bebfba1505
This patch enables BL2 to run in root world (EL3) which is
needed as per the security model of RME-enabled systems.
Using the existing BL2_AT_EL3 TF-A build option is not convenient
because that option assumes TF-A BL1 doesn't exist, which is not
the case for RME-enabled systems. For the purposes of RME, we use
a normal BL1 image but we also want to run BL2 in EL3 as normally as
possible, therefore rather than use the special bl2_entrypoint
function in bl2_el3_entrypoint.S, we use a new bl2_entrypoint
function (in bl2_rme_entrypoint.S) which doesn't need reset or
mailbox initialization code seen in the el3_entrypoint_common macro.
The patch also cleans up bl2_el3_entrypoint.S, moving the
bl2_run_next_image function to its own file to avoid duplicating
code.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I99821b4cd550cadcb701f4c0c4dc36da81c7ef55
Initialized FWU driver module in BL2 component under
build flag PSA_FWU_SUPPORT.
Change-Id: I08b191599835925c355981d695667828561b9a21
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Only BL32 (SP_min) is supported at the moment, BL1 and BL2_AT_EL3 are just
stubbed with _pie_fixup_size=0.
The changes are an adaptation for AARCH32 on what has been done for
PIE support on AARCH64.
The RELA_SECTION is redefined for AARCH32, as the created section is
.rel.dyn and the symbols are .rel*.
Change-Id: I92bafe70e6b77735f6f890f32f2b637b98cf01b9
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The use of end addresses is preferred over the size of sections.
This was done for some AARCH64 files for PIE with commit [1],
and some extra explanations can be found in its commit message.
Align the missing AARCH64 files.
For AARCH32 files, this is required to prepare PIE support introduction.
[1] f1722b693d ("PIE: Use PC relative adrp/adr for symbol reference")
Change-Id: I8f1c06580182b10c680310850f72904e58a54d7d
Signed-off-by: Yann Gautier <yann.gautier@st.com>
If FEAT_PMUv3 is implemented and PMEVTYPER<n>(_EL0).MT bit is implemented
as well, it is possible to control whether PMU counters take into account
events happening on other threads.
If FEAT_MTPMU is implemented, EL3 (or EL2) can override the MT bit
leaving it to effective state of 0 regardless of any write to it.
This patch introduces the DISABLE_MTPMU flag, which allows to diable
multithread event count from EL3 (or EL2). The flag is disabled
by default so the behavior is consistent with those architectures
that do not implement FEAT_MTPMU.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Iee3a8470ae8ba13316af1bd40c8d4aa86e0cb85e
This patch adds support for Measured Boot driver functionality
in BL1 and BL2 code.
Change-Id: I7239a94c3e32b0a3e9e73768a0140e0b52ab0361
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
The .rela.dyn section is the same for BL2-AT-EL3, BL31, TSP.
Move it to the common header file.
I slightly changed the definition so that we can do "RELA_SECTION >RAM".
It still produced equivalent elf images.
Please note I got rid of '.' from the VMA field. Otherwise, if the end
of previous .data section is not 8-byte aligned, it fails to link.
aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
aarch64-linux-gnu-ld.bfd: warning: changing start of section .rela.dyn by 4 bytes
make: *** [Makefile:1071: build/qemu/release/bl31/bl31.elf] Error 1
Change-Id: Iba7422d99c0374d4d9e97e6fd47bae129dba5cc9
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Move the data section to the common header.
I slightly tweaked some scripts as follows:
[1] bl1.ld.S has ALIGN(16). I added DATA_ALIGN macro, which is 1
by default, but overridden by bl1.ld.S. Currently, ALIGN(16)
of the .data section is redundant because commit 4128659076
("Fix boot failures on some builds linked with ld.lld.") padded
out the previous section to work around the issue of LLD version
<= 10.0. This will be fixed in the future release of LLVM, so
I am keeping the proper way to align LMA.
[2] bl1.ld.S and bl2_el3.ld.S define __DATA_RAM_{START,END}__ instead
of __DATA_{START,END}__. I put them out of the .data section.
[3] SORT_BY_ALIGNMENT() is missing tsp.ld.S, sp_min.ld.S, and
mediatek/mt6795/bl31.ld.S. This commit adds SORT_BY_ALIGNMENT()
for all images, so the symbol order in those three will change,
but I do not think it is a big deal.
Change-Id: I215bb23c319f045cd88e6f4e8ee2518c67f03692
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The stacks section is the same for all BL linker scripts.
Move it to the common header file.
Change-Id: Ibd253488667ab4f69702d56ff9e9929376704f6c
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Attempts to address MISRA compliance issues in BL1, BL2, and BL31 code.
Mainly issues like not using boolean expressions in conditionals,
conflicting variable names, ignoring return values without (void), adding
explicit casts, etc.
Change-Id: If1fa18ab621b9c374db73fa6eaa6f6e5e55c146a
Signed-off-by: John Powell <john.powell@arm.com>
Move the bss section to the common header. This adds BAKERY_LOCK_NORMAL
and PMF_TIMESTAMP, which previously existed only in BL31. This is not
a big deal because unused data should not be compiled in the first
place. I believe this should be controlled by BL*_SOURCES in Makefiles,
not by linker scripts.
I investigated BL1, BL2, BL2U, BL31 for plat=fvp, and BL2-AT-EL3,
BL31, BL31 for plat=uniphier. I did not see any more unexpected
code addition.
The bss section has bigger alignment. I added BSS_ALIGN for this.
Currently, SORT_BY_ALIGNMENT() is missing in sp_min.ld.S, and with this
change, the BSS symbols in SP_MIN will be sorted by the alignment.
This is not a big deal (or, even better in terms of the image size).
Change-Id: I680ee61f84067a559bac0757f9d03e73119beb33
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The common section data are repeated in many linker scripts (often
twice in each script to support SEPARATE_CODE_AND_RODATA). When you
add a new read-only data section, you end up with touching lots of
places.
After this commit, you will only need to touch bl_common.ld.h when
you add a new section to RODATA_COMMON.
Replace a series of RO section with RODATA_COMMON, which contains
6 sections, some of which did not exist before.
This is not a big deal because unneeded data should not be compiled
in the first place. I believe this should be controlled by BL*_SOURCES
in Makefiles, not by linker scripts.
When I was working on this commit, the BL1 image size increased
due to the fconf_populator. Commit c452ba159c ("fconf: exclude
fconf_dyn_cfg_getter.c from BL1_SOURCES") fixed this issue.
I investigated BL1, BL2, BL2U, BL31 for plat=fvp, and BL2-AT-EL3,
BL31, BL31 for plat=uniphier. I did not see any more unexpected
code addition.
Change-Id: I5d14d60dbe3c821765bce3ae538968ef266f1460
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
These are mostly used to collect data from special structure,
and repeated in many linker scripts.
To differentiate the alignment size between aarch32/aarch64, I added
a new macro STRUCT_ALIGN.
While I moved the PMF_SVC_DESCS, I dropped #if ENABLE_PMF conditional.
As you can see in include/lib/pmf/pmf_helpers.h, PMF_REGISTER_SERVICE*
are no-op when ENABLE_PMF=0. So, pmf_svc_descs and pmf_timestamp_array
data are not populated.
Change-Id: I3f4ab7fa18f76339f1789103407ba76bda7e56d0
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
TF-A has so many linker scripts, at least one linker script for each BL
image, and some platforms have their own ones. They duplicate quite
similar code (and comments).
When we add some changes to linker scripts, we end up with touching
so many files. This is not nice in the maintainability perspective.
When you look at Linux kernel, the common code is macrofied in
include/asm-generic/vmlinux.lds.h, which is included from each arch
linker script, arch/*/kernel/vmlinux.lds.S
TF-A can follow this approach. Let's factor out the common code into
include/common/bl_common.ld.h
As a start point, this commit factors out the xlat_table section.
Change-Id: Ifa369e9b48e8e12702535d721cc2a16d12397895
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
aarch32 CPUs speculatively execute instructions following a
ERET as if it was not a jump instruction. This could lead to
cache-based side channel vulnerabilities. The software fix is
to place barrier instructions following ERET.
The counterpart patch for aarch64 is merged:
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f461fe346b728d0e88142fd7b8f2816415af18bc
Change-Id: I2aa3105bee0b92238f389830b3a3b8650f33af3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Introduce the Firmware CONfiguration Framework (fconf).
The fconf is an abstraction layer for platform specific data, allowing
a "property" to be queried and a value retrieved without the requesting
entity knowing what backing store is being used to hold the data.
The default backing store used is C structure. If another backing store
has to be used, the platform integrator needs to provide a "populate()"
function to fill the corresponding C structure.
The "populate()" function must be registered to the fconf framework with
the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
be called inside the "fconf_populate()" function.
A two level macro is used as getter:
- the first macro takes 3 parameters and converts it to a function
call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
- the second level defines a__b_getter(c) to the matching C structure,
variable, array, function, etc..
Ex: Get a Chain of trust property:
1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Fix code that violates the MISRA rule:
MISRA C-2012 Rule 11.9: Literal "0" shall not be used as
null pointer constant.
The fix explicitly checks whether a pointer is NULL.
Change-Id: Ibc318dc0f464982be9a34783f24ccd1d44800551
Signed-off-by: Zelalem <zelalem.aweke@arm.com>
When Trusted Boot is enabled, images are loaded and authenticated
following up the root of trust. This means that between the initial
console message saying that an image is being loaded, and the final one
where it says that it failed to load it, BL2 may print several messages
about other images on the chain of trust being loaded, thus it is not
always clear which image we failed loading at the end of the day.
Change-Id: I3b189ec9d12c2a6203d16c8dbbb4fc117639c3c1
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This implementation simply mimics that of BL31.
I did not implement the ENABLE_PIE support for BL2_IN_XIP_MEM=1 case.
It would make the linker script a bit uglier.
Change-Id: If3215abd99f2758dfb232e44b50320d04eba808b
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Even though ERET always causes a jump to another address, aarch64 CPUs
speculatively execute following instructions as if the ERET
instruction was not a jump instruction.
The speculative execution does not cross privilege-levels (to the jump
target as one would expect), but it continues on the kernel privilege
level as if the ERET instruction did not change the control flow -
thus execution anything that is accidentally linked after the ERET
instruction. Later, the results of this speculative execution are
always architecturally discarded, however they can leak data using
microarchitectural side channels. This speculative execution is very
reliable (seems to be unconditional) and it manages to complete even
relatively performance-heavy operations (e.g. multiple dependent
fetches from uncached memory).
This was fixed in Linux, FreeBSD, OpenBSD and Optee OS:
679db7080129fb48ace43a08873eceabfd092aa1
It is demonstrated in a SafeSide example:
https://github.com/google/safeside/blob/master/demos/eret_hvc_smc_wrapper.cchttps://github.com/google/safeside/blob/master/kernel_modules/kmod_eret_hvc_smc/eret_hvc_smc_module.c
Signed-off-by: Anthony Steinhauser <asteinhauser@google.com>
Change-Id: Iead39b0b9fb4b8d8b5609daaa8be81497ba63a0f
When a Firmware is complied as Position Independent Executable it needs
to request GDT fixup by passing size of the memory region to
el3_entrypoint_common macro.
The Global descriptor table fixup will be done early on during cold boot
process of primary core.
Currently only BL31 supports PIE, but in future when BL2_AT_EL3 will be
compiled as PIE, it can simply pass fixup size to the common el3
entrypoint macro to fixup GDT.
The reason for this patch was to overcome the bug introduced by SHA
330ead806 which called fixup routine for each core causing
re-initializing of global pointers thus overwriting any changes
done by the previous core.
Change-Id: I55c792cc3ea9e7eef34c2e4653afd04572c4f055
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Currently, sections within .text/.rodata/.data/.bss are emitted in the
order they are seen by the linker. This leads to wasted space, when a
section with a larger alignment follows one with a smaller alignment.
We can avoid this wasted space by sorting the sections.
To take full advantage of this, we must disable generation of common
symbols, so "common" data can be sorted along with the rest of .bss.
An example of the improvement, from `make DEBUG=1 PLAT=sun50i_a64 bl31`:
.text => no change
.rodata => 16 bytes saved
.data => 11 bytes saved
.bss => 576 bytes saved
As a side effect, the addition of `-fno-common` in TF_CFLAGS makes it
easier to spot bugs in header files.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: I073630a9b0b84e7302a7a500d4bb4b547be01d51
This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
which returns 128-bit value and uses Generic timer physical counter
value to increase the randomness of the generated key.
The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
pauth_disable_el1()` and `pauth_disable_el3()` functions disable
PAuth for EL1 and EL3 respectively;
`pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
`save_gp_registers()` and `pauth_context_save()`;
`restore_gp_pauth_registers()` replaces `pauth_context_restore()`
and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
for 12 uint64_t PAuth registers instead of 10 by removal of macro
CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
in `msr spsel` instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.
Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)
Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>
This linker script is so unreadable due to sprinkled #ifdef.
Direct read-only data to 'ROM' and read-write data to 'RAM'.
Both go to the same memory device when BL2_IN_XIP_MEM is disabled.
Change-Id: Ieeac3f1a4e05e9e8599de2ec84260819c70f361e
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.
Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
Prior to entry into BL32 we set the SPSR by way of msr spsr, r1.
This unfortunately only writes the bits f->[31:24] and c->[7:0].
This patch updates the bl2 exit path to write the x->[15:8] and c->[7:0]
fields of the SPSR. For the purposes of initial setup of the SPSR the x and
c fields should be sufficient and importantly will capture the necessary
lower-order control bits that f:c alone do not.
This is important to do to ensure the SPSR is set to the mode the platform
intends prior to performing an eret.
Fixes: b1d27b484f ("bl2-el3: Add BL2_EL3 image")
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Chris Kay
Andrey Skvortsov
thagon01-arm
Boyan Karatotev
Michal Simek
Harrison Mutai
Arvind Ram Prakash
Jorge Troncoso
Yann Gautier
Jiafei Pan
Manish V Badarkhe
johpow01
Zelalem Aweke
Javier Almansa Sobrino
Alexei Fedorov
Masahiro Yamada
Madhukar Pappireddy
Louis Mayencourt
Sandrine Bailleux
Anthony Steinhauser
Manish Pandey
Samuel Holland
Julius Werner
Bryan O'Donoghue