ARMv8.3-PAuth adds functionality that supports address authentication of
the contents of a register before that register is used as the target of
an indirect branch, or as a load.
This feature is supported only in AArch64 state.
This feature is mandatory in ARMv8.3 implementations.
This feature adds several registers to EL1. A new option called
CTX_INCLUDE_PAUTH_REGS has been added to select if the TF needs to save
them during Non-secure <-> Secure world switches. This option must be
enabled if the hardware has the registers or the values will be leaked
during world switches.
To prevent leaks, this patch also disables pointer authentication in the
Secure world if CTX_INCLUDE_PAUTH_REGS is 0. Any attempt to use it will
be trapped in EL3.
Change-Id: I27beba9907b9a86c6df1d0c5bf6180c972830855
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch introduces a build option 'OVERRIDE_LIBC' that platforms
can set to override libc from the BL image. The default value is '0'
to keep the library.
Change-Id: I10a0b247f6a782eeea4a0359e30a8d79b1e9e4e1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This reverts commit 2f37046524 ("Add support for the SMC Calling
Convention 2.0").
SMCCC v2.0 is no longer required for SPM, and won't be needed in the
future. Removing it makes the SMC handling code less complicated.
The SPM implementation based on SPCI and SPRT was using it, but it has
been adapted to SMCCC v1.0.
Change-Id: I36795b91857b2b9c00437cfbfed04b3c1627f578
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Following changes are done to make DT pre-processing similar to that of
U-boot/Linux kernel.
1. Creating seperate CPPFLAGS for DT preprocessing so that compiler
options specific to it can be accommodated.
e.g: "-undef" compiler option avoids replacing "linux" string(used in
device trees) with "1" as "linux" is a pre-defined macro in gnu99
standard.
2. Replace CPP with PP for DT pre-processing, as CPP in U-boot/Linux is
exported as "${CROSS_COMPILE}gcc -E" while in TF-A it is exported as
"${CROSS_COMPILE}cpp".
Change-Id: If4c61a249d51614d9f53ae30b602036d50c02349
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
The SPM implementation based on MM is going to be kept for the
foreseeable future.
Change-Id: I11e96778a4f52a1aa803e7e048d9a7cb24a53954
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
This flag was removed in 79eb1aff78 ("Remove `DISABLE_PEDANTIC` build
option").
Change-Id: Ic3584a4c5f0100ed9e57b068ec672b0baae8cfab
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
ASM_ASSERTION was deprecated long ago, this check is no longer needed.
Change-Id: I2a5770f76ea1317461c0059dad8dba9dc0e5af32
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The architecture dependant header files in include/lib/${ARCH} and
include/common/${ARCH} have been moved to /include/arch/${ARCH}.
Change-Id: I96f30fdb80b191a51448ddf11b1d4a0624c03394
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch allows platforms to define their
own jump table list for library at ROM. The
file has the list of functions to be used
from library at ROM. It can also include
other list files.
Change-Id: I721c35d7dad3dcadbb3a7f3277bfd5d3e1f6e00a
Signed-off-by: Sathees Balya <sathees.balya@arm.com>
This is done for other compilers, and without this some code does not
compile, like inline assembly code.
FixesARM-software/tf-issues#657.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This patch modifies the search criteria to see if we are using 'armclang'
as the compiler. Switch over to using 'findstring' which enables platforms
to do fancy stuff using scripts e.g. check if armclang timed out and retry
compilation.
Change-Id: If2162ebadb9033f6457a4e8d4243345e711defe6
Signed-off-by: Kalyani Chidambaram Vaidyanathan <kalyanic@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
This tool packages Secure Partitions and Resource Descriptor blobs into
a simple file that can be loaded by SPM.
Change-Id: If3800064f30bdc3d7fc6a15ffbb3007ef632bcaa
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The list of warning is taken from kernel and also divided in 3.
The option to activate that is W=x, with x=1, 2 or 3.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The current SPM is a prototype that only supports one secure partition
in EL0. The objective of SPM is to have multiple partitions. The current
MM interface isn't adequate for this, so it is needed to modify heavily
the code to add proper support for it.
However, there are platforms which are already using this (like SGI) and
removing the code would break it. For this reason, the current SPM code
has been duplicated in order to temporarily preserve compatibility. All
new improvements/changes to SPM will be done in the non-deprecated copy,
that may change without notice.
The new build option SPM_DEPRECATED has been introduced to select the SPM
implementation. It defaults to 1, that selects the deprecated SPM.
Change-Id: Ic9f80b53b450e97b4d3f47e4ef4a138ee8d87443
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Now that we have switched to using the stack in MULTI_CONSOLE_API
framework functions and have factored all code involved in crash
reporting out into a separate file, there's really no reason to keep the
main framework code in assembly anymore. This patch rewrites it in C
which allows us to have a single implementation across aarch32/64 and
should be much easier to maintain going forward.
Change-Id: I6c85a01e89a79e8b233f3f8bee812f0dbd026221
Signed-off-by: Julius Werner <jwerner@chromium.org>
This patch makes the build system link the console framework code by
default, like it already does with other common libraries (e.g. cache
helpers). This should not make a difference in practice since TF is
linked with --gc-sections, so the linker will garbage collect all
functions and data that are not referenced by any other code. Thus, if a
platform doesn't want to include console code for size reasons and
doesn't make any references to console functions, the code will not be
included in the final binary.
To avoid compatibility issues with older platform ports, only make this
change for the MULTI_CONSOLE_API.
Change-Id: I153a9dbe680d57aadb860d1c829759ba701130d3
Signed-off-by: Julius Werner <jwerner@chromium.org>
It's better to have them in a separate file instead of having them spread
across the Makefile. This is what the stack protector is already doing.
Change-Id: Id30742c0af10de5ea6d10674ca25bf52b0f2b262
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Commit <ee1ba6d4ddf1> ("Makefile: Support totally quiet output with -s")
broke verbose (V=1) builds on Windows. This patch fixes it by adding
helpers to silence echo prints in a OS-dependent way.
Change-Id: I24669150457516e9fb34fa32fa103398efe8082d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
"-s" is a command line option to the make tool, to suppress normal output,
something to the effect of prepending every line with '@' in the Makefile.
However with our V={0|1} support, we now print the shortened command line
output in any case (even with V=1, in addition to the long line!).
Normally -s helps to not miss non-fatal warnings, which tend to scroll out
of the window easily.
Introduce a new Makefile variable ECHO, to control the shortened output.
We only set it in the (current default) V=0 case, and replace every
occurence of "@echo" with that variable.
When the user specifies "-s", we set ECHO to some magic string which
changes the output line into a comment, so the output is suppressed.
Beside suppressing every output for "-s", we also avoid the redundant
short output when compiling with V=1.
This changes the output to:
==========
$ make -s PLAT=.... bl31
Built build/.../release/bl31.bin
==========
$ make PLAT=.... bl31
...
CC lib/libc/strncmp.c
CC lib/libc/strnlen.c
...
==========
$ make V=1 PLAT=.... bl31
...
gcc -DDEBUG=0 .... -o build/.../release/libc/strncmp.o
gcc -DDEBUG=0 .... -o build/.../release/libc/strnlen.o
...
==========
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
When attempting to compile TF-A with "SPD=something ARCH=aarch32", the
following error message is printed:
Makefile:291: *** recipe commences before first target. Stop.
This is because the call to the error function is indented using a tab
whereas it's not part of a rule's recipe. Replace the tab by spaces.
Change-Id: Ic9b603837a0e43f2f7070cb39137541c332365d2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This patch introduces a build flag "RECLAIM_INIT_CODE" to mark boot time
code which allows platforms to place this memory in an appropriate
section to be reclaimed later. This features is primarily targeted for
BL31. Appropriate documentation updates are also done.
Change-Id: If0ca062851614805d769c332c771083d46599194
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
The code of LOAD_IMAGE_V2=0 has been removed.
Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old driver is now in deprecated_console.S, in a similar way to the
AArch64 driver.
Change-Id: Ib57209c322576c451d466d7406a94adbf01ab8fd
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This function diplays the backtrace, the current EL and security state
to allow a post-processing tool to choose the right binary to interpret
the dump.
The output can be fed to GNU addr2line to resolve function names given
an ELF binary compiled with debug information. The "-i" flag is
recommended to improve display in case of inlined functions. The *.dump
files generated during the build process can also be used.
The function works in AArch64 and AArch32. In AArch32 it only works in
A32 mode (without T32 interworking), which is enforced in the Makefile.
Sample output of a backtrace at EL3:
BACKTRACE: START: function_name
0: EL3: 0x798
1: EL3: 0x538
2: EL3: 0x550
3: EL3: 0x55c
4: EL3: 0x568
5: EL3: 0x5a8
6: EL3: 0xf4
BACKTRACE: END: function_name
In order to enable it the new option ENABLE_BACKTRACE must be set to 1.
This option is set to 1 by default only in AArch64 debug builds. As
usual, it can be overridden by the platform makefile and in the build
command line.
Change-Id: Icaff39b0e5188329728be2f3c72b868b2368e794
Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
At the moment the AArch32 instruction set isn't specified in the command
line, which means that the compiler is free to choose the one it sees
fit. This decision may change between compiler versions, so it is better
to specify it manually.
The build option AARCH32_INSTRUCTION_SET has been introduced for this
reason. This option can be set to T32 or A32 to pass the correct flags
to the compiler.
The current behaviour is to default to T32 due to it's smaller size.
Change-Id: I02297eb1d9404b5868ff7c054fbff9b3cda7fdb6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
armclang replaces calls to printf by calls to one of the symbols
__0printf, __1printf or __2printf. This patch adds new functions with
these names that internally call printf so that the Trusted Firmware can
be compiled with this compiler.
Change-Id: I06a0e3e5001232fe5b2577615666ddd66e81eef0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Change their names to printf and snprintf. They are much smaller than
the previous versions we had, which makes them better suited for the
Trusted Firmware.
Change-Id: Ia872af91b7b967c47fce012eccecede7873a3daf
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Memory Partitioning And Monitoring is an Armv8.4 feature that enables
various memory system components and resources to define partitions.
Software running at various ELs can then assign themselves to the
desired partition to control their performance aspects.
With this patch, when ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
lower ELs to access their own MPAM registers without trapping to EL3.
This patch however doesn't make use of partitioning in EL3; platform
initialisation code should configure and use partitions in EL3 if
required.
Change-Id: I5a55b6771ccaa0c1cffc05543d2116b60cbbcdcd
Co-authored-by: James Morse <james.morse@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Romlib is a new image that is stored in ROM and contains the code of
several libraries that can be shared between different images. All
the functions within in the library are accessed using a jump table
which allows to update the romlib image whithout changing the binary
compatibility. This jump table can be also stored in RAM and it can
allow to patch a romlib with potential bugs fixes..
Change-Id: If980ccdaca24b7aaca900e32acc68baf6f94ab35
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Mbebtls include paths are controlled by the user using the variable
MBEDTLS_DIR and they are out of the TF source tree. Since these
includes have a different origin it is better to move them to a
different variable.
This change makes easier for the romlib Makefile to parse the include
paths.
Change-Id: I3e4c99300f1012bc7f88c6b9f5bc0ec1f7b5aa8d
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
TF Makefile was linking all the objects files generated for the
c library instead of creating a static library that could be
used in the linking stage.
Change-Id: I721daea097e9b13cbb42c9f8eaa2af8fea0799cf
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch adds all the make macros needed to create a library archive
and to use it in the link stage.
Change-Id: I26597bfd6543649d0b68a9b1e06aec1ba353e6de
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
This patch allows the user to override the value of the LD Makefile
variable. This feature can be used to force the use of the new Clang
linker.
Change-Id: I97ffeb18e48fa75346702a479d7dc1e8abcb3621
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Alignment fault checking is always enabled in TF (by setting the
SCTLR.A bit). Thus, all instructions that load or store one or more
registers have an alignment check that the address being accessed is
aligned to the size of the data element(s) being accessed. If this
check fails it causes an Alignment fault, which is taken as a Data
Abort exception.
The compiler needs to be aware that it must not emit load and store
instructions resulting in unaligned accesses. It already is for
AArch64 builds (see commit fa1d37122c "Add -mstrict-align to the gcc
options"), this patch does the same for AArch32 builds.
Change-Id: Ic885796bc6ed0ff392aae2d49f3a13f517e0169f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
This is an add-on feature that allows processing
device tree with external includes.
"-Iinclude" is also added to INCLUDES.
It allows inclusion of dt-bindings files either in dts files or drivers,
as those files will be in include/dt-bindings/.
"-i fdts" is added to the DTC command line.
As the pre-processed files are in build directory, the DT source directory
has to be explicitely included, to manages /include/ directives.
fixesarm-software/tf-issues#595
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The ARMv8.4 RAS extensions introduce architectural support for software
to inject faults into the system in order to test fault-handling
software. This patch introduces the build option FAULT_HANDLING_SUPPORT
to allow for lower ELs to use registers in the Standard Error Record to
inject fault. The build option RAS_EXTENSIONS must also be enabled along
with fault injection.
This feature is intended for testing purposes only, and is advisable to
keep disabled for production images.
Change-Id: I6f7a4454b15aec098f9505a10eb188c2f928f7ea
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
RAS extensions are mandatory for ARMv8.2 CPUs, but are also optional
extensions to base ARMv8.0 architecture.
This patch adds build system support to enable RAS features in ARM
Trusted Firmware. A boolean build option RAS_EXTENSION is introduced for
this.
With RAS_EXTENSION, an Exception Synchronization Barrier (ESB) is
inserted at all EL3 vector entry and exit. ESBs will synchronize pending
external aborts before entering EL3, and therefore will contain and
attribute errors to lower EL execution. Any errors thus synchronized are
detected via. DISR_EL1 register.
When RAS_EXTENSION is set to 1, HANDLE_EL3_EA_FIRST must also be set to 1.
Change-Id: I38a19d84014d4d8af688bd81d61ba582c039383a
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
At present, any External Abort routed to EL3 is reported as an unhandled
exception and cause a panic. This patch enables ARM Trusted Firmware to
handle External Aborts routed to EL3.
With this patch, when an External Abort is received at EL3, its handling
is delegated to plat_ea_handler() function. Platforms can provide their
own implementation of this function. This patch adds a weak definition
of the said function that prints out a message and just panics.
In order to support handling External Aborts at EL3, the build option
HANDLE_EA_EL3_FIRST must be set to 1.
Before this patch, HANDLE_EA_EL3_FIRST wasn't passed down to
compilation; this patch fixes that too.
Change-Id: I4d07b7e65eb191ff72d63b909ae9512478cd01a1
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
The C standards specify that this macro is used to
disable asserts but, in our code, the assert macro
is controlled with ENABLE_ASSERTIONS. Having this macro
here creates confusion about the behaviour of assert.
Change-Id: Iab8689a14dc2b8790729857d56585ce43c0c4f51
Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
Due to differences in the bitfields of the SMC IDs, it is not possible
to support SMCCC 1.X and 2.0 at the same time.
The behaviour of `SMCCC_MAJOR_VERSION` has changed. Now, it is a build
option that specifies the major version of the SMCCC that the Trusted
Firmware supports. The only two allowed values are 1 and 2, and it
defaults to 1. The value of `SMCCC_MINOR_VERSION` is derived from it.
Note: Support for SMCCC v2.0 is an experimental feature to enable
prototyping of secure partition specifications. Support for this
convention is disabled by default and could be removed without notice.
Change-Id: I88abf9ccf08e9c66a13ce55c890edea54d9f16a7
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
Varun Wadekar
Manish Pandey
Sathees Balya
Yann Gautier
Julius Werner
Soby Mathew
Andre Przywara
Sandrine Bailleux
Daniel Boulby
Roberto Vargas
Douglas Raillard
Jeenu Viswambharan