In LOAD_IMAGE_V1 (i.e when LOAD_IMAGE_V2=0) the bl2_tzram_layout is,
by default, assigned to the bl1_tzram_layout->free_base which is
dynamically calculated based on the images loaded in memory. There is a
chance that the bl2_tzram_layout will be assigned a value not aligned to
8 bytes. This patch rounds up the free_base value for the required
alignment.
This doesn't happen in LOAD_IMAGE_V2 because the bl2_tzram_layout is
assigned by default to the bl1_tzram_layout->total_base, which is
aligned.
Change-Id: Idc583e7dad993d02ac6791797406118c96f83fa1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The upcoming patch that adds dynamic mitigation for Cortex-A76
requires that DYNAMIC_WORKAROUND_CVE_2018_3639=1. On FVP, we pull in
all the CPU files into the build which means there will be a build
failure if DYNAMIC_WORKAROUND_CVE_2018_3639=0.
Change-Id: I2e781cbeafbf5d16eaabf76a1677e0c9f81269d2
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch bumps up the BL1-RW size for Juno and at the same time reduces
the BL2 size when TBB is enabled, TF_MBEDTLS_KEY_ALG=rsa+ecdsa. The BL2
size for this config is reduced as it was observed that the peak memory
usage is only reached when SPD=opteed and the dual rsa+ecdsa support is
not needed for this case.
Change-Id: Ia9009771b5cfd805e9cc75410aabb7db99fc2fbc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The weak pragma was assigned twice to the bl2_plat_handle_post_image_load
definition both in plat/common/ and in plat/arm/common/ this was an error as
it should have only have been defined in plat/common
Change-Id: Id85e14c699cb09ed998d1677f2a172e760911918
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
The config files are placeholders and do not have any useful bindings
defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
if SPD=tspd. The load address of these configs are specified in tb_fw_config
via new bindings defined for these configs. Currently, in FVP, the
soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
and ARM_SHARED_RAM. This memory was typically used for BL32 when
ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
space anymore, it should be safe to use this memory for these configs.
There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
that this overlap doesn't happen.
The previous arm_dyn_get_hwconfig_info() is modified to accept configs
other than hw_config and hence renamed to arm_dyn_get_config_load_info().
The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
BL2_BASE.
Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
This patch adds capability to FVP to disable authentication dynamically
via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
the TB_FW_CONFIG for the `disable_auth` property and invokes the
`load_dyn_disable_auth()` API to disable authentication if the
property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
FVP as it is a development platform. Note that the TB_FW_CONFIG has to
be authenticated by BL1 irrespective of these settings.
The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
rather than in bl2_platform_setup() as we need to get the value of
`disable_auth` property prior to authentication of any image by BL2.
Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The vcu disable bit in efuse ipdisable register is valid
only if PL powered up so, consider PL powerup status for
determing EG/EV part. If PL is not powered up, display
EG/EV as a part of string. The PL powerup status will
be filled by pmufw based on PL PROGB status in the
9th bit of version field.This patch also used IPI
to get this info from pmufw instead of directly accessing
the registers. Accessing this info from pmufw using
IPI fixes the issue of PMUFW access denied error for
reading IPDISABLE register.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
This patch adds new API for processing secure images. This API
is used for authentication and decryption of secure images using
xilsecure in pmufw.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Existing code blocks each IPI send request in ipi_mb_notify()
function till pmu clears respective bit in ipi observation
register.
After sending PM_SYSTEM_SHUTDOWN request to PMU, PMU will
restart APU. While PMU is restarting APU, ATF is running out
of OCM, which can cause read/write hang from/to OCM.
There is no need to wait for notification from PMU in case
of SystemShutdown request in ATF, as APU is going to restart.
This patch fixes APU only restart issue.
Signed-off-by: Tejas Patel <tejasp@xilinx.com>
Acked-by: Wendy Liang <wendy.liang@xilinx.com>
This patch makes bitstream load blocking call and waits until
bitstream is loaded successfully or return with error.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Tested-by: Avesh Khan <aveshk@xilinx.com>
GET_CALLBACK_DATA function is not required now. IPI mailbox
can be used instead of GET_CALLBACK_DATA function.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
PMU IPI-1 is used for callbacks from PMU to master. Unsecure
master can also receive callbacks from PMU, so make PMU IPI-1
as non-secure.
All requests from master(s) to PMU would still go on PMU IPI-1
secure channel.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Remove includes of gic_common.h and string.h which
are not required.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Acked-by: Jolly Shah <jollys@xilinx.com>
Xilinx now requires the PMU FW when using ATF, so it doesn't make sense
to maintain checks for the PMU FW in ATF. This also means that cases
where ATF came up before the PMU FW (such as on QEMU) ATF will now hang
waiting for the PMU FW instead of aborting.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Use positive logic (pm_up instead of pm_down) to check whether PMU
services are available. This change also puts the variable into the
BSS section rather than the Data section as the variable is now
initialized to 0 rather than 1.
Signed-off-by: Will Wong <WILLW@xilinx.com>
Signed-off-by: Stefan Krsmanovic <stefan.krsmanovic@aggios.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
If we can't find the FSBL handoff struct don't panic and just use the
defaults instead.
We still print a warning to the user to let them know what we couldn't
find it.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Instead of calling panic() in fsbl_atf_handover() return the error
status so that bl31_early_platform_setup() can act accordingly.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Type "entry_point_info_t" is used in zynqmp_private.h. It is defined
in "bl_common.h". The header file which defines the type should be
included.
Signed-off-by: Wendy Liang <jliang@xilinx.com>
Added SHA to calculate SHA3 hash,RSA to encrypt data with
public key and decrypt with private key and AES to do symmetric
encryption with User key or device key.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Read ipdisable reg which needs to be used for cg/eg/ev device detection.
ATF runs in EL3 that's why this read can be done directly.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
This patch corrects the SVD mask for getting chip ID
using 0xe is wrong and 0x7 is correct.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
psci system_reset and system_off calls now retrieve shutdown scope on
the fly. The default scope is system, but it can be changed by calling
pm_system_shutdown(2, scope)
Until full support for different restart scopes becomes available with
PSCI 1.1 this change allows users to set the reboot scope to match
their application needs.
Possible scope values:
0 - APU subsystem: does not affect RPU, PMU or PL
1 - PS only: shutdown/restart entire PS without affecting PL
2 - System: shutdown/restart applies to entire system
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Signed-off-by: Davorin Mista <davorin.mista@aggios.com>
The PM_INIT_FINALIZE PM API is required to inform the PFW that APU is
done with requesting nodes and that not-requested nodes can be powered
down. If PM is not enabled, this call will never be made and PFW will
never power down any of the nodes which APU can use.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
This patch adds pm_secure_rsaaes() API to provide access to
the xilsecure library for loading secure images
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Read boot mode register using pm_mmio_read if pmu is
present otherwise access it directly using mmio_read_32().
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
The pm_req_wakeup PM API accepts start address (64-bit unsiged integer)
and a flag stating if address should be used. To save an argument
of the SMC call, flag is encoded in the LSB of the address, since
addresses are word aligned.
Decode start address and use-address flag in the PM SMC handler and
pass them to pm_req_wakeup.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Call to pm_client_wakeup from pm_req_wakeup prevented the PM API
call to be used to wake up non-APU processor (e.g. from higher ELs),
since it clears power down request for specified APU processor.
Move this function out of pm_client_wakeup to allow passing wake up
requests to the PMU for other processor in the system.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
NODE_EXTERN is the slave node which represents an external wake
source.
Signed-off-by: Mirela Simonovic <mirela.simonovic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Beside standard suspend-to-RAM state, Zynq MPSoC supports
suspend-to-RAM state with additional power savings, called
power-off suspend-to-RAM. If this mode is set, only NODE_EXTERN
must be set as wake source. Standard suspend-to-RAM procedure
is unchanged.
This patch adds support for setting suspend mode from higher
ELs and ensuring that all conditions for power-off suspend mode
are set.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
pm_get_node_status API function returns 3 values:
-status: Current power state of the node
-requirements: Current requirements for the node
-usage: Current usage of the node
The last two values only apply to slave nodes.
Signed-off-by: Anes Hadziahmetagic <anes.hadziahmetagic@aggios.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
The MT bit in MPIDR is always set for SGI platforms and so the
core position calculation code is updated to take into account
the thread affinity value as well.
Change-Id: I7b2a52707f607dc3859c6bbcd2b145b7987cb4ed
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
Instead of instantiating a local copy of GICv3 driver data for SGI
platforms, reuse the existing instance of GICv3 driver data available
in the arm common platform code.
Change-Id: If6f38e15d1f0e20cea96fff98091da300015d295
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
This reverts commit 2f18aa1fa3.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
To catch early hangs in resume, this sets up the watchdog before
anything else in the pmusram code (ignoring setting up the stack...).
This uses hard coded settings for the watchdog until the proper
watchdog restore later on in the firmware/kernel.
This also restores the old watchdog register values before the PLLs
are restored to make sure we don't temporarily switch over to a 1/3s
timeout on the watchdog when the pclk_wdt goes from 4MHz to 100MHz.
Change-Id: I8f7652089a88783271b17482117b4609330abe80
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
All the m0 code run in SRAM before, but we need to watch PMU_POWER_ST
when SOC enter into FSM, and SRAM will shutdown during this time, so
this code need run in PMUSRAM. But PMUSRAM only 8K space, we can not
put all the m0 binary into PMUSRAM, Split the M0 binary into two, dram
part still run in SRAM, and suspend part run in PMUSRAM.
Change-Id: Ie08bdf3e2b8838f12b9297fe60ab0aad219684b1
Signed-off-by: Lin Huang <hl@rock-chips.com>
we need to enable PMU_WKUP_RST_EN for pmu powermode configure, since
enable wakeup reset will hold the soc status, so the SOC will not affect
by some power or other single glitch when resume, and keep the soc in the
right status. And it not need to enable DDRIO_RET_HW_DE_REQ, the ddr resume
will do it manual.
Change-Id: Ib4af897ffb3cb63dc2aa9a6002e5d9ef86ee4a49
Signed-off-by: Lin Huang <hl@rock-chips.com>
SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>
Normally, BL33 needs to contain a boot loader like U-Boot or UEFI that
eventually gives control to the OS. However, in some cases, this boot
sequence may be too slow. For example, when doing tests in a
cycle-accurate emulator, the user may only be interested in the
interaction between the Trusted Firmware and the OS, not in the boot
process itself.
The new option ARM_LINUX_KERNEL_AS_BL33 allows BL33 to contain the Linux
kernel image by changing the value of registers x0-x3 to the values
expected by the kernel. This option requires the device tree blob (DTB)
to be present in memory. Its address must be specified in the newly
introduced ARM_PRELOADED_DTB_BASE build option. For now, it only supports
AArch64 kernels.
This option is only available when RESET_TO_BL31=1. For this reason
the BL33 binary must be preloaded in memory and PRELOADED_BL33_BASE must
be used.
For example, if the kernel is loaded at 0x80080000 and the DTB is loaded
at address 0x82000000, the firmware could be built like this:
CROSS_COMPILE=aarch64-linux-gnu- \
make PLAT=fvp DEBUG=1 \
RESET_TO_BL31=1 \
ARM_LINUX_KERNEL_AS_BL33=1 \
PRELOADED_BL33_BASE=0x80080000 \
ARM_PRELOADED_DTB_BASE=0x82000000 \
all fip
Change-Id: If9dc847c65ae2d0c27b51f0fd44fc06b28497db9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
The old API is deprecated and will eventually be removed.
Arm platforms now use the multi console driver for boot and runtime
consoles. However, the crash console uses the direct console API because
it doesn't need any memory access to work. This makes it more robust
during crashes.
The AArch32 port of the Trusted Firmware doesn't support this new API
yet, so it is only enabled in AArch64 builds. Because of this, the
common code must maintain compatibility with both systems. SP_MIN
doesn't have to be updated because it's only used in AArch32 builds.
The TSP is only used in AArch64, so it only needs to support the new
API without keeping support for the old one.
Special care must be taken because of PSCI_SYSTEM_SUSPEND. In Juno, this
causes the UARTs to reset (except for the one used by the TSP). This
means that they must be unregistered when suspending and re-registered
when resuming. This wasn't a problem with the old driver because it just
restarted the UART, and there were no problems associated with
registering and unregistering consoles.
The size of BL31 has been increased in builds with SPM.
Change-Id: Icefd117dd1eb9c498921181a21318c2d2435c441
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
- Assign 0x10 for RAS exceptions on ARM platforms, and install
EHF priority descriptor.
- Call the common RAS initialisation from ARM BL31 setup.
- Add empty definitions for platform error records and RAS interrupts.
Change-Id: I0675f299b7840be4c83a9c7a81073a95c605dc90
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Previous patches added frameworks for handling RAS errors. This patch
introduces features that the platform can use to enumerate and iterate
RAS nodes:
- The REGISTER_RAS_NODES() can be used to expose an array of
ras_node_info_t structures. Each ras_node_info_t describes a RAS
node, along with handlers for probing the node for error, and if
did record an error, another handler to handle it.
- The macro for_each_ras_node() can be used to iterate over the
registered RAS nodes, probe for, and handle any errors.
The common platform EA handler has been amended using error handling
primitives introduced by both this and previous patches.
Change-Id: I2e13f65a88357bc48cd97d608db6c541fad73853
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Antonio Nino Diaz
Dimitris Papastamos
Isla Mitchell
Soby Mathew
Daniel Boulby
Siva Durga Prasad Paladugu
Siva Durga Prasad Paladugu
Tejas Patel
Rajan Vaja
Alistair Francis
Wendy Liang
Filip Drazic
Mirela Simonovic
Anes Hadziahmetagic
Vishwanatha HG
Jeenu Viswambharan
Derek Basehore
Lin Huang
Chris Kay