The trail bytes from the secure proxy driver were being overwritten,
increase the count each time to not overwrite the existing data and not
get the end data corrupted from secure proxy.
Fixes: d76fdd33e0 ("ti: k3: drivers: Add Secure Proxy driver")
Change-Id: I8e23f8b6959da886d6ab43049746f78765ae1766
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
When building TF-A (with SPMD support) with ARM_ARCH_MAJOR=8/
ARCH_ARCH_MINOR=8 options, this forces the -march=armv8.8-a compiler
option. In this condition, the compiler optimises statement [1] into
a store pair to an unaligned address resulting to a supposedly alignment
fault. With -march=armv8.7-a and earlier the compiler resolves with a
memcpy. Replacing this line by an explicit memcpy masks out the issue.
Prefer using the plain struct uuid in place of the uuid_helper union
for further clarity.
[1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/
plat/arm/common/fconf/arm_fconf_sp.c?h=v2.10#n77
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I509b7bc50c7c4a894885d24dc8279d0fe634e8f2
This feature provides support to context save the
SCXTNUM_ELx register. FEAT_CSV2_3 implies the implementation
of FEAT_CSV2_2. FEAT_CSV2_3 is supported in AArch64 state only
and is an optional feature in Arm v8.0 implementations.
This patch adds feature detection for v8.9 feature FEAT_CSV2_3,
adds macros for ID_AA64PFR0_EL1.CSV2 bits [59:56] for detecting
FEAT_CSV2_3 and macro for ENABLE_FEAT_CSV2_3.
Change-Id: Ida9f31e832b5f11bd89eebd6cc9f10ddad755c14
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
In i.MX8MM/MQ it is possible to have two copies of bootloader in
SD/eMMC and switch between them. The switch is triggered either
by the BootROM in case the bootloader image is faulty OR can be
enforced by the user, and there is API introduced in
9ce232fe ("feat(plat/imx8m): add SiP call for secondary boot"),
which leverages this SoC feature.
However neither i.MX8MP nor i.MX8MN have a dedicated bit
which indicates what boot image set is currently booted.
According to AN12853 [1] "i.MX ROMs Log Events", it is
possible to determine whether fallback event occurred
by parsing the BootROM event log. In case ROM event ID 0x51 is
present,fallback event did occur and secondary boot image was booted.
Knowing which boot image was booted might be useful for reliable
bootloader A/B updates, detecting fallback event might be used for
making decision if boot firmware rollback is required.
This patche introduces implementation, that replicates the same
imx_src_handler() behaviour as on i.MX8MM/MQ SoCs.
The code is based on original U-Boot implementation [2].
[1]: https://www.nxp.com/webapp/Download?colCode=AN12853
[2]: a5ee05cf71
Change-Id: I9a4c5229aa0e53fa23b5261459da99cb3ce6bdbe
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
As of now, GPT setup is being handled from BL2 for plat/arm platforms.
However, for platforms having a separate entity to load firmware images,
it is possible for BL31 to setup the GPT. In order to address this
concern, move the GPT setup implementation from arm_bl2_setup.c file to
arm_common.c. Additionally, rename the API from arm_bl2_gpt_setup to
arm_gpt_setup to make it boot stage agnostic.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I35d17a179c8746945c69db37fd23d763a7774ddc
For RME-enabled platforms, initializing L0 and L1 tables and enabling
GPC checks is necessary. For systems using BL2 to load firmware images,
the GPT initialization has to be done in BL2 prior to the image load.
The common Arm platform code currently implements this in the
"arm_bl2_plat_gpt_setup" function, relying on the FVP platform's
specifications (PAS definitions, GPCCR_PPS, and GPCCR_PGS).
Different Arm platforms may have distinct PAS definitions, GPCCR_PPS,
GPCCR_PGS, L0/L1 base, and size. To accommodate these variations,
introduce the "plat_arm_get_gpt_info" API. Platforms must implement
this API to provide the necessary data for GPT setup on RME-enabled
platforms. It is essential to note that these additions are relevant to
platforms under the plat/arm hierarchy that will reuse the
"arm_bl2_plat_gpt_setup" function.
As a result of these new additions, migrate data related to the FVP
platform to its source and header files.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I4f4c8894c1cda0adc1f83e7439eb372e923f6147
In accordance with common naming conventions, macros specifying the base
address of a region typically use the prefix "BASE" combined with the
region name, rather than "ADDR_BASE."
Currently, the macros defining the base addresses for L0 and L1 GPT
tables within `arm_def.h` are named "ARM_L0_GPT_ADDR_BASE" and
"ARM_L1_GPT_ADDR_BASE" respectively. To adhere to the established naming
convention, rename these macros as "ARM_L1_GPT_BASE" and
"ARM_L0_GPT_BASE" respectively.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: Ibd50a58a1f63ba97d2df141f41a21a89ef97d6fb
The fused monotonic counter is checked by the ROM bootloader. The ROM
bootloader won't allow booting images build with a lower
STM32_TF_VERSION value.
On non-closed devices a user can easily circumvent this. But it is
annoying for a developer when open development hardware gets the counter
value fused.
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Change-Id: Ie52561368a3178de9d9a44b9d089664241452651
The i.MX8MP exists in multiple SKUs, some of which lack the NPU or VPU.
Yet, we unconditionally enable NPU and VPU power domains in upstream
TF-A, causing it to hang on such SoCs, unless patched.
Enabling all power domains is an idiosyncrasy of the i.MX8MP support,
which we don't have on i.MX8MQ, i.MX8MM or i.MX8MN. Therefore let's drop
unconditional powering on of all power domains.
As only exception, we will keep enabling the USB power domains. These
are enabled in the BootROM if booting over SDPS and boot firmware may
expect them to be enabled for non-SDPS recovery too. As USB is
available unconditionally on the current i.MX8MP variants, this is
deemed acceptable and reduces the chance of breaking existing systems.
Fixes: a775ef25c3 ("plat: imx8mp: Add the basic support for i.MX8MP")
Change-Id: Idc6e8f770d240f4d929dffa91f9ccf8c476c6c12
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Add compilation and initialization of BSEC peripheral, to access OTP
fuses. Add the definition of OTP fuses.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If6403838b1e2c04c59effc8545b381aced5f7cda
Update nand driver to match GHRD design, fix row
address calculation method and other misc updates.
Signed-off-by: Girisha Dengi <girisha.dengi@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I1cb3dda43e767ba243fbe89bfa18818db321c5c2
As a part of removing DeviceTree from EDK2, we move functions to TF-A:
- counting the number of memory nodes
- checking NUMA node id
- checking the memory address
Signed-off-by: Xiong Yining <xiongyining1480@phytium.com.cn>
Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn>
Change-Id: Ib7bce3a65c817a5b3bef6c9e0a459c7ce76c7e35
Update the version to match release versioning scheme.
No functional change.
Signed-off-by: Hieu Nguyen <hieu.nguyen.dn@renesas.com>
Change-Id: Ib481fade925f74dbea1dd2b39c1abfab888379e4
Add cache operations because BL2 disabled MMU at the end of the boot
process, but did not clean/invalidate for the cache used by MMU.
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: Id4070b46103ca2b50788b3a99f6961a35df24418
This commit changes ENABLE_STACK_PROTECTOR value to "strong" for
enabling the stack protector by canary.
Signed-off-by: Koichi Yamaguchi <koichi.yamaguchi.zb@hitachi.com>
Signed-off-by: Toshiyuki Ogasahara <toshiyuki.ogasahara.bo@hitachi.com>
Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>
Change-Id: Ice351d23c98daf12737a5e65cef743035d62dabe
Add support for BL2 to get the CCA chain of trust description
through the Firmware Configuration Framework (FCONF). This makes
it possible to export the part of the CCA chain of trust enforced
by BL2 in BL2's configuration file (TB_FW_CONFIG DTB file). BL2
will parse it when setting up the platform.
This feature can be enabled through the COT_DESC_IN_DTB=1 option.
The default behaviour (COT_DESC_IN_DTB=0) remains to hard-code
the CCA CoT into BL2 image.
Change-Id: Iec4f623d5e42b7c166beeb3ad6b35d918969f7e2
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Adding support for CCA CoT in DTB. This makes it possible for BL2
to retrieve its chain of trust description from a configuration file
in DTB format. With this, the CoT description may be updated without
rebuilding BL2 image. This feature can be enabled by building BL2
with COT_DESC_IN_DTB=1 and COT=cca. The default behaviour remains to
embed the CoT description into BL2 image.
Change-Id: I5912aad5ae529281a93a76e6b8f4b89d867445fe
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
No part of the build system uses the `NM` variable, which is usually
used to dump symbol tables from compiled images. This change removes all
declarations of it.
Change-Id: I796ff365e6a7f97d21678f1c8cf8b59bfbb1ae9c
Signed-off-by: Chris Kay <chris.kay@arm.com>
The `gcc-ar` wrapper exists to make it easier to support LTO on some
versions of GCC. The two commands are compatible, accepting exactly the
same arguments, so this change moves us to `gcc-ar` to ensure that we
are configuring LTO correctly.
Change-Id: I24a4cfaad29d35b09f847299081f83ca9b41aa8a
Signed-off-by: Chris Kay <chris.kay@arm.com>
We're a bit inconsistent about which tool we use to preprocess source
files; in some places we use `$(CC) -E` whilst in others we use `cpp`.
This change forces all invocations of the C preprocessor to use the
first scheme, which ensures that the preprocessor behaves the same way
as the C compiler used when compiling C source files.
Change-Id: Iede2f25ff86ea8b43d7a523e32648058d5023832
Signed-off-by: Chris Kay <chris.kay@arm.com>
Without #include <plat/common/platform.h>, we have the following warning
with sparse:
plat/st/stm32mp2/bl2_plat_setup.c:15:6: warning: symbol
'bl2_el3_early_platform_setup' was not declared. Should it be static?
plat/st/stm32mp2/bl2_plat_setup.c:23:6: warning: symbol
'bl2_platform_setup' was not declared. Should it be static?
plat/st/stm32mp2/bl2_plat_setup.c:27:6: warning: symbol
'bl2_el3_plat_arch_setup' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I18f9265c1eef1f8e8e0eac3d6c37a959e5c9e8b6
When STM32MP2 boots on Cortex-M33, the Cortex-A35 do no more have access
to BSEC peripheral. New static inline stm32_otp_* wrappers are added,
which just redirect to BSEC functions.
While at it remove a useless bsec.h include.
Change-Id: Ie0f917c02e48acf456634f455dae41805bf6adbf
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
The shadowing of the OTP is done in BL2.
As for BL32 on AARCH32 systems, stm32_get_otp_value_from_idx()
should also use bsec_read_otp() in BL31.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: Ib406cfc154339e6d3cde3c925bc6e9416d77b689
The function stm32mp_is_closed_device() is replaced with
stm32mp_check_closed_device(), which return an uint32_t, either
STM32MP_CHIP_SEC_OPEN or STM32MP_CHIP_SEC_CLOSED.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
Change-Id: Ie0790cdc36c4b6522083bc1f0e7c38e8061e6adf
In order to ease the introduction of a new BSEC3 driver for STM32MP25,
the BSEC2 driver is reworked. Unused functions are removed. The
bsec_base global variable is removed in favor of the macro BSEC_BASE.
A rework is also done around function checking the state of BSEC.
Change-Id: I1ad76cb67333ab9a8fa1d65db34d74a712bf1190
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
This is something commonly asked by Linux kernel DT maintainers [1].
The mentioned doc is not upstreamed, but may be checked with dtbs_check.
While at it align some nodes with Linux or OP-TEE.
[1] https://lore.kernel.org/linux-arm-kernel/20231125184422.12315-1-krzysztof.kozlowski@linaro.org/
Change-Id: I63e983c2a00eda3cd8b81c66c0cd1a97cf8249b7
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Enable handoff to BL31 and BL32 using transfer list.
Encode TL_TAG_OPTEE_PAGABLE_PART as transfer entry.
Fallback to default handoff args when transfer list is disabled or
fails to archieve args from transfer entries.
Refactor handoff from BL2 to BL33.
Minor fixes of comment style.
Change-Id: I55d92ca7f5c4727bacc9725a7216c0ac70d16aec
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Enable query of fip offset from QSPI on RSU boot for
Intel agilex and intel agilex5 platform
Change-Id: Iaa189c54723a8656b9691da5849fd86b9986cfa1
Signed-off-by: Mahesh Rao <mahesh.rao@intel.com>
Query the fip binary from SPT table on RSU boot on Intel Agilex series.
Change-Id: I8856b49539f33272625d4c0a8c26b81b5864c4eb
Signed-off-by: Mahesh Rao <mahesh.rao@intel.com>
As per SMCCC Section 6.2, the call count query for all the services
has been deprecated from SMCCC v1.2 onwards.
Inline with above change, AMD-Xilinx SiP service count query has
been deprecated and now onwards will return unknown function
identifier error.
Change-Id: I296d119d65549fdb01718d08351d255550e4ead0
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
Coverity Scan reminded that we need to take care of MPIDR properly.
We need to make sure that we get MPIDR values from QEMU.
No MPIDR == panic() in case which should not happen.
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Change-Id: Idb5fe7d958f0bcecd3d66a643743f478538f4a8b
As stated in the commit introducing the NS_TIMER_SWITCH build flag,
saving/restoring this registers causes the non-secure timer to stop
while in the secure world and non-secure timer interrupts are prevented
from asserting until we return to the non-secure world. This breaks
any realtime OS on the non-secure side that uses this timer for
realtime scheduling.
This flag is by default off, but OP-TEE SPD enables it. The K3 OP-TEE
platform makes no use of these registers and we would like to have
support for realtime OSs while also supporting the OP-TEE SPD. Disable
this flag in our platform definition.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: I65055512d897b93b7690fd63c734f4731a6e09e6
The core 1 is put in wfi for pen holding. If a debugger halts the
core, it causes the core to exit from wfi.
Let the core to jump back in wfi when the debugger resumes the
core's execution.
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Change-Id: I9b5607b05cdcde905dc4047af8d6f1292d53d701
This function is required, at least for bakery locks.
Change-Id: I28906c50e0a0ebff5d387a424247513ec1a599fc
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The former code, using x2 register, was removing the LPEN bit from UART
config register. So the UART clock is stopped as soon as the CA35 is in
CSleep. It was then displaying crap in Linux console.
The ands check instruction is replaced with a clearer tst instruction
directly with the bit to be tested.
Change-Id: I8a2b3ab195981dee2962e0c2f5d501d5933c17f4
Signed-off-by: Yann Gautier <yann.gautier@st.com>
QEMU provides us with minimal information about hardware platform using
minimalistic DeviceTree. This is not a Linux DeviceTree. It is not even
a firmware DeviceTree.
Change-Id: I7b6cc5f53a4f78a9ed69bc7fc2fa1a69ea65428d
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
We want to remove use of DeviceTree from EDK2. So we move
functions to TF-A:
- counting cpu cores
- checking NUMA node id
- checking MPIDR
And then it gets passed to EDK2 via SMC calls.
Change-Id: I1c7fc234ba90ba32433b6e4aa2cf127f26da00fd
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
The AMD-Xilinx Versal platform, currently only supports the OCM and
Low DDR address ranges in both physical and virtual address range.
To locate and execute TF-A from High DDR and HBM address range,
expanding the address scope is necessary.
Depending on the BL31_BASE address both the platform physical and
virtual space sizes are selected.
Change-Id: I49112bff9eda44d924c5f49ea99aed9a8d5e5774
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
The TF-A does have a official PRELOADED_BL33_BASE define which is used
to tell the TF-A where to jump and that no bl33 loading is requied. Use
this to make the platform specific PLAT_NS_IMAGE_OFFSET configurable.
This becomes necessary if one would like to place the bl33 code to other
places.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Change-Id: I9d462c0e9df8e6d2ad78ee770bfa59e680739a51
Add console_flush() call before shutting down in order to
ensure that console output is flushed.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I5397105d2d7bf317f199b6326593bdb1c3cc75e2
Currently in Versal NET TF-A writing 32 bits in icc_asgi1r_el1 register
to raise SGI to Linux but this register is of 64 bits. Also its writing
only CPU number and SGI number to this register but along with that it
needs to write cluster number and other information. Which is not happening
currently. So use generic function plat_ic_raise_ns_sgi() to raise SGI to
Linux.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I6f5146c8315a321b705ed2ef79e2dc927b805ffb
Currently there is only 1 state for CPU idle which is used while CPU
power down from Linux CPU idle feature. But CPU power down when firmware
send CPU power down request needs new state in self suspend to
distinguish in firmware for CPU power down from power down request or CPU
power down from Linux CPU idle. So add new state PM_STATE_CPU_OFF to
indicate CPU power down from power down request from firmware.
PM_STATE_CPU_OFF state is supported from self-suspend version 3. So
added feature check which sends new state in case of new firmware and
old state i.e. PM_STATE_CPU_IDLE in case of old firmware.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I4118e1b813e5f76fca7b7e9ca1cc598715203fb0
Send subsystem restart notification to firmware when TF-A receives
system reset PSCI call. On receiving subsystem restart call, firmware
will send CPU idle callback to TF-A for powering down all cores. Wait
for CPU idle callback from firmware and raise power down request to
all cores after it receives CPU idle callback to power down core.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I50f417ae228017f38b648740dc90b2e8f1872620
On receiving CPU power down request from firmware, TF-A raises SGI
interrupt to all active cores for entering in power down state. So add support
for power down core on receiving CPU power down request. PWRDWN_WAIT_TIMEOUT
is the timeout value in milliseconds for the other cores to transition to
power down state.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I29760a2098852c546fa5a1324262a62c3d75b391
On receiving CPU power down callback, TF-A raises SGI interrupt to all active
cores to power down each active cores. Add handler for this SGI IRQ.
By default TF-A uses SGI 6 for CPU power down request. This can be
configurable through CPU_PWRDWN_SGI build flag.
e.g., If user wants to use SGI 7 instead of SGI 6 then provide build
flag CPU_PWRDWN_SGI=7
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Id0df32187d1de3f0af4486eb4d4930cb3ab01dbd
Firmware sends CPU power down request to TF-A through NOTIFY_CB
callback. It indicates CPU needs to power down.
Add wrapper to handle CPU power down request from firmware
through IPI callback.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ic4aff874dd29da057c5ffde1899c7f0e5cdf6733
Currently SGI interrupts are not received in secondary cores because
of issue in GIC configuration. In current Versal NET specific GIC
functions, redistributor configuration is not happening properly.
Because of that SGI interrupt from one processor to another processor
is not transferring. So, use common GIC handlers which will iterate
over all GIC redistributor frames and discovers per cpu redistributor
frame. Also, it initializes corresponding interface in GICv3.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I1433260b8520d6a315fdf5df86bd0688f92d211a
Use generic macro name as per common ARM GIC macro name for Versal
and Versal NET.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I2987ff2f612993fc80979f0179c04d316259ed1d
When an external RMM is not provided during make invocation, include the
Test Realm Payload (TRP) to the FIP.
Change-Id: I15d396cf268a08d79da63075aadb4172238eb225
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Manorit Chawdhry
Olivier Deprez
Sona Mathew
Igor Opaniuk
Rohit Mathew
Robin van der Gracht
Ahmad Fatoum
Yann Gautier
Girisha Dengi
Xiong Yining
Hieu Nguyen
Toshiyuki Ogasahara
laurenw-arm
Chris Kay
Yann Gautier
Patrick Delaunay
Raymond Mao
Mahesh Rao
Akshay Belsare
Marcin Juszkiewicz
Andrew Davis
Antonio Borneo
Marco Felsch
Jay Buddhabhatti
Jean-Philippe Brucker