This patch enables access to the branch record buffer control registers
in non-secure EL2 and EL1 using the new build option ENABLE_BRBE_FOR_NS.
It is disabled for all secure world, and cannot be used with ENABLE_RME.
This option is disabled by default, however, the FVP platform makefile
enables it for FVP builds.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I576a49d446a8a73286ea6417c16bd0b8de71fca0
Cortex-A15 does not support FEAT_CSV2 so the existing workaround for
Spectre V2 is sufficient to mitigate against Spectre BHB attacks,
however the code needed to be updated to work with the new build flag.
Also, some code was refactored several years ago and not updated in
the Cortex-A15 library file so this patch fixes that as well.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I768c88a38c561c91019b038ac6c22b291955f18e
The current implementation uses plat_arm API under generic code.
"plat_arm" API is a convention used with Arm common platform layer
and is reserved for that purpose. In addition, the function has a
weak definition which is not encouraged in TF-A.
Henceforth, removing the weak API with a configurable macro "TWED_DELAY"
of numeric data type in generic code and simplifying the implementation.
By default "TWED_DELAY" is defined to zero, and the delay value need to
be explicitly set by the platforms during buildtime.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I25cd6f628e863dc40415ced3a82d0662fdf2d75a
If using the EL3 SPMC ensure that we don't mark the translation
tables as read only. The SPMC requires the ability to map and
unmap a partitions RX/TX buffers at runtime.
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Ibb78a6a2e3847ce4ec74ce81a9bb61ce34fec24c
As part of the RFC:
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/13651,
this patch adds the 'cm_prepare_el3_exit_ns' function. The function is
a wrapper to 'cm_prepare_el3_exit' function for Non-secure state.
When EL2 sysregs context exists (CTX_INCLUDE_EL2_REGS is
enabled) EL1 and EL2 sysreg values are restored from the context
instead of directly updating the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9b071030576bb05500d54090e2a03b3f125d1653
The patch removes initialization of MPAM EL2 registers when an EL2
software exists. The patch assumes the EL2 software will perform
the necessary initializations of the registers.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I5bed81bc22f417bc3e3cbbcd860a8553cd4307cd
This patch splits the function 'cm_setup_context' into four
functions to make it more readable and easier to maintain.
The function is split into the following functions based on
the security state of the context.
- setup_context_common - performs common initializations
- setup_secure_context - performs Secure state specific
initializations
- setup_realm_context - performs Realm state specific
initializations
- setup_ns_context - performs Non-secure state specific
initializations
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Ie14a1c2fc6586087e7aa36537cf9064c80802f8f
The following registers are only accessible from secure state,
therefore don't need to be saved/restored during world switch.
- SDER32_EL2
- VSTCR_EL2
- VSTTBR_EL2
This patch removes these registers from EL2 context.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I24d08aacb1b6def261c7b37d3e1265bb76adafdc
Cortex-X2 erratum 2147715 is a Cat B erratum that applies to revision
r2p0 and is fixed in r2p1. The workaround is to set CPUACTLR_EL1[22]=1,
which will cause the CFP instruction to invalidate all branch predictor
resources regardless of context.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I2d81867486d9130f2c36cd4554ca9a8f37254b57
is_lock_acquired() function is only used in assert() statements, so when
compiling without asserts, e.g. with DEBUG=0, the function is unused.
this is okay when compiling with gcc because the function is marked as
inline but that doesn't work for clang. let's mark this as __unused to
avoid -Wunused-function warning-as-error.
Change-Id: I93f808fd15f715a65d1bd4f7592affb7997c4bad
Signed-off-by: Okash Khawaja <okash@google.com>
Replacing ARM_ARCH_AT_LEAST macro with feature specific build options
to prevent unconditional accesses to the registers during context save
and restore routines.
Registers are tightly coupled with features more than architecture
versions. Henceforth having a feature-specific build flag guarding the
respective registers, will restrict any undefined actions.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I809774df580530803c8a6e05a62d8d4de0910e02
Cortex A78 AE erratum 2395408 is a Cat B erratum that applies
to revisions <= r0p1. It is still open.
This erratum states, "A translation table walk that matches an
existing L1 prefetch with a read request outstanding on CHI might
fold into the prefetch, which might lead to data corruption for
a future instruction fetch"
This erratum is avoided by setting CPUACTLR2_EL1[40] to 1 to
disable folding of demand requests into older prefetches with
L2 miss requests outstanding.
SDEN is available at https://developer.arm.com/documentation/SDEN-1707912
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: Ic17968987ca3c67fa7f64211bcde6dfcb35ed5d6
Cortex A78 AE erratum 2376748 is a Cat B erratum that applies
to revisions <= r0p1. It is still open.
The erratum states, "A PE executing a PLDW or PRFM PST instruction
that lies on a mispredicted branch path might cause a second PE
executing a store exclusive to the same cache line address to fail
continuously."
The erratum is avoided by setting CPUACTLR2_EL1[0] to 1 to force
PLDW/PFRM ST to behave like PLD/PRFM LD and not cause invalidations
to other PE caches. There might be a small performance degradation
to this workaround for certain workloads that share data.
SDEN is available at https://developer.arm.com/documentation/SDEN-1707912
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I93bd392a870d4584f3e12c8e4626dbe5a3a40a4d
Implements the loop workaround for Cortex-A76AE, Cortex-A78AE and
Cortex-A78C.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Change-Id: I5c838f5b9d595ed3c461a7452bd465bd54acc548
This patch applies CVE-2022-23960 workarounds for Cortex-A75,
Cortex-A73, Cortex-A72 & Cortex-A57. This patch also implements
the new SMCCC_ARCH_WORKAROUND_3 and enables necessary discovery
hooks for Coxtex-A72, Cortex-A57, Cortex-A73 and Cortex-A75 to
enable discovery of this SMC via SMC_FEATURES. SMCCC_ARCH_WORKAROUND_3
is implemented for A57/A72 because some revisions are affected by both
CVE-2022-23960 and CVE-2017-5715 and this allows callers to replace
SMCCC_ARCH_WORKAROUND_1 calls with SMCCC_ARCH_WORKAROUND_3. For details
of SMCCC_ARCH_WORKAROUND_3, please refer SMCCCv1.4 specification.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Ifa6d9c7baa6764924638efe3c70468f98d60ed7c
Implements mitigation for Cortex-A72 CPU versions that support
the CSV2 feature(from r1p0). It also applies the mitigation for
Cortex-A57 CPU.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I7cfcf06537710f144f6e849992612033ddd79d33
Retrieved the NS load address of configs from FW_CONFIG device tree,
and modified the prototype of "set_config_info" to update device tree
information with the retrieved address.
Change-Id: Ic5a98ba65bc7aa0395c70c7d450253ff8d84d02c
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Re-factored the prior implementation of workaround for CVE-2018-3639
using branch and link instruction to save vector space to include the
workaround for CVE-2022-23960.
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ib3fe949583160429b5de8f0a4a8e623eb91d87d4
The previous delegating/undelegating sequence was incorrect as per the
specification DDI0615, "Architecture Reference Manual Supplement, The
Realm Management Extension (RME), for Armv9-A" Sections A1.1.1 and
A1.1.2
Off topic:
- cleaning the gpt_is_gpi_valid and gpt_check_pass_overlap
Change-Id: Idb64d0a2e6204f1708951137062847938ab5e0ac
Signed-off-by: Robert Wakim <robert.wakim@arm.com>
Cortex-A710 erratum 2282622 is a Cat B erratum that applies to revisions
r0p0, r1p0, and r2p0, and is fixed in r2p1. The workaround is to set
CPUACTLR2_EL1[0] to 1, which will force PLDW/PFRM ST to behave like
PLD/PRFM LD and not cause invalidations to other PE caches.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Ic48409822536e9eacc003300036a1f0489593020
Common mbedTLS implementation include the fixed configuration
file of mbedTLS and that does not gives flexilibility to the
platform to include their own mbedTLS configuration.
Hence changes are done so that platform can include their own
mbedTLS configuration file.
Signed-off-by: Lucian Paul-Trifu <lucian.paul-trifu@arm.com>
Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com>
Change-Id: I04546589f67299e26b0a6a6e151cdf1fdb302607
Cortex-A510 erratum 2172148 is a Cat B erratum that applies to revisions
r0p0, r0p1, r0p2, r0p3 and r1p0, and is fixed in r1p1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I1784d643ca3d1d448340cd421facb5f229df1d22
Cortex-A510 erratum 2218950 is a Cat B erratum that applies to revisions
r0p0, r0p1, r0p2, r0p3 and r1p0, and is fixed in r1p1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Icb6e369946f8978a08cf8ed5e4452782efb0a77a
Cortex-A510 erratum 2250311 is a Cat B erratum that applies to revisions
r0p0, r0p1, r0p2, r0p3 and r1p0 and is fixed in r1p1.
This erratum workaround is a bit different because it interacts with a
feature supported in TFA. The typical method of implementing an errata
workaround will not work in this case as the MPMM feature would just be
re-enabled by context management at every core power on after being
disabled by the errata framework. So in addition to disabling MPMM, this
workaround also sets a flag in the MPMM runtime framework indicating
that the feature should not be enabled even if ENABLE_MPMM=1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I7805756e65ec90b6ef8af47e200617c9e07a3a7e
Cortex-A510 erratum 2041909 is a Cat B erratum that applies to revision
r0p2 and is fixed in r0p3. It is also present in r0p0 and r0p1 but there
is no workaround in these revisions.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I7b1498faa0c79488dee0d11d07f6e9f58144e298
Cortex-A510 erratum 2042739 is a Cat B erratum that applies to revisions
r0p0, r0p1 and r0p2 and is fixed in r0p3.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I1d2ebee3914396e1e298eb45bdab35ce9e194ad9
Cortex-A510 erratum 2288014 is a Cat B erratum that applies to revisions
r0p0, r0p1, r0p2, r0p3 and r1p0, and is fixed in r1p1.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I875519ff55be90244cc3d3a7e9f7abad0fc3c2b8
Cortex-A510 erratum 1922240 is a Cat B erratum that applies to revision
r0p0 and is fixed in r0p1.
Since no errata framework code existed for A510 prior to this patch, it
has been added as well. Also some general cleanup changes in the CPU lib
makefile.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN2397239
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I8c427ef255cb4b38ed3e5c2c7444fcef957277e4
As parent_node is unsigned, we have to use %u and not %d.
This avoids warning when -Wformat-signedness is enabled.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I5ab7acb33227d720b2c8a4ec013435442b219a44
Replace %d with %u in logs, to avoid warning when
-Wformat-signedness is enabled.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id058f6fb0fd25ce5f83b1be41082403fcb205841
As image_id is unsigned, we have to use %u and not %d.
This avoids warning when -Wformat-signedness is enabled.
Change-Id: I292e1639847e69ba79265fc32871c0ad7eebc94e
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The snprintf code uses the uintptr_t type, which is defined in stdint.h.
We do not include this header explicitly, but get the definition
indirectly through some other header doing so.
However this breaks when snprintf is compiled in isolation (for instance
for unit-testing), so let's add this #include to make things right.
Change-Id: I1299767ee482f5cf1af30c4df2e8f7e596969b41
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
In our unsigned_num_print() function we first print the integer into a
local buffer, then put this through alignment and padding and output the
result. For this we use a local buffer, sized by the maximum possible
length of the largest possible number.
However this assumes that the radix is not smaller than 10, which is
indeed the smallest value we pass into this static function at the
moment. To prevent accidents in the future, should we add support for
other radices, add an assert to enforce our assumption.
Unfortunately this cannot be a static assert (CASSERT), since the
compiler is not smart enough to see that the argument is always coming
from a literal.
Change-Id: Ic204462600d9f4c281d899cf9f2c698a0a33a874
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Allow access to PMSNEVFR_EL1 register at NS-EL1 or NS-EL2 when
FEAT_SPEv1p2 is implemented.
Change-Id: I44b1de93526dbe9c11fd061d876371a6c0e6fa9c
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The number formatting routine in snprintf was trying to be clever with
the buffer handling, but tripped over its own feet: snprintf() users
expect output to be emitted, even if not everything fits into the
buffer. The current code gives up completely when the buffer is too
small.
Fix those issues and simplify the code on the way, by consequently using
the CHECK_AND_PUT_CHAR() macro, which both checks for the buffer size
correctly, but also keeps track of the number of should-be-printed
characters for the return value.
Change-Id: Ifd2b03b9a73f9279abed53081a2d88720ecbdbc1
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Cortex-A710 erratum 2136059 is a Cat B erratum that applies to
revisions r0p0, r1p0 and r2p0 of the CPU. It is fixed in r2p1.
The workaround is to set CPUACTLR5_EL1[44] to 1 which will cause
the CPP instruction to invalidate the hardware prefetcher state
trained from any EL.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I43a86a365418fb663cc1b6ab1d365b4beddae0bc
Cortex-A710 erratum 2267065 is a Cat B erratum that applies to
revisions r0p0, r1p0 and r2p0 of the CPU. It is fixed in r2p1.
The workaround is to set CPUACTLR_EL1[22] to 1'b1. Setting
CPUACTLR_EL1[22] will cause the CFP instruction to invalidate
all branch predictor resources regardless of context.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775101/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Ia9085aaf9b2b6a2b25d03ab36bd3774839fac9aa
Cortex-X2 erratum 2216384 is a Cat B erratum that applies to
revisions r0p0, r1p0 and r2p0 of CPU. It is fixed in r2p1.
The workaround is to set CPUACTLR5_EL1[17] to 1'b1 followed by
applying an instruction patching sequence.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I3c216161678887c06a28c59644e784e0c7d37bab
Cortex-X2 erratum 2081180 is a Cat B erratum present in r0p0, r1p0
and r2p0 of the Cortex-X2 processor core.
Cortex-X2 SDEN: https://developer.arm.com/documentation/SDEN1775100
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I64bed2fd5b7e12932d6de2ae668786e689885188
Cortex-X2 erratum 2017096 is a Cat B erratum that applies to
revisions r0p0, r1p0 & r2p0. The workaround is to set CPUECLTR_EL1[8]
to 1 which disables store issue prefetching.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: I3b740aedc95c2394f6b8d1186014d2b2f640ae05
During a transition to a higher EL some of the PSTATE bits are not set
by hardware, this means that their state may be leaked from lower ELs.
This patch sets those bits to a default value upon entry to EL3.
This patch was tested using a debugger to check the PSTATE values
are correctly set. As well as adding a test in the next patch to
ensure the PSTATE in lower ELs is still maintained after this change.
Change-Id: Ie546acbca7b9aa3c86bd68185edded91b2a64ae5
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
In the next patch we add an extra step of setting the PSTATE
registers to a known state on el3 entry. In this patch we create
the function prepare_el3_entry to wrap the steps needed for before
el3 entry. For now this is only save_gp_pmcr_pauth_regs.
Change-Id: Ie26dc8d89bfaec308769165d2649e84d41be196c
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
This patch adds the basic CPU library code to support the Poseidon CPU
in TF-A. Poseidon is derived from HunterELP core, an implementation of
v9.2 architecture. Currently, Hunter CPU the predecessor to HunterELP,
is supported in TF-A. Accordingly the Hunter CPU library code has been
as the base and adapted here.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I406b4de156a67132e6a5523370115aaac933f18d
Rainier CPU is based on Neoverse N1 R4P0 version which exhibits
the erratum 1868343. This patch inherits the workaround from
neoverse_n1.S file into rainier.S file for erratum 1868343.
Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
Change-Id: I735595229716a77d26369943086de08384cafa70
Cortex X2 erratum 2058056 is a Cat B erratum present in the X2 core.
It applies to revisions r0p0, r1p0, and r2p0 and is still open.
There are 2 ways this workaround can be accomplished, the first of
which involves executing a few additional instructions around MSR
writes to CPUECTLR when disabling the prefetcher. (see SDEN for
details)
However, this patch implements the 2nd possible workaround which sets
the prefetcher into its most conservative mode, since this workaround
is generic.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Idb20d9928c986616cd5bedf40bb29d46d384cfd3
Cortex X2 erratum 2002765 is a Cat B erratum present in the X2 core.
It applies to revisions r0p0, r1p0, and r2p0 and is still open.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I11576a03bfd8a6b1bd9ffef4430a097d763ca3cf
Cortex X2 erratum 2083908 is a Cat B erratum present in the Cortex
X2 core. It applies to revision r2p0 and is still open.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN1775100
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: Id9dca2b042bf48e75fb3013ab37d1c5925824728
FEAT_CCIDX modifies the register fields in CCSIDR/CCSIDR2 (aarch32)
and CCSIDR_EL1 (aarch64). This patch adds a check to the do_dcsw_op
function to use the right register format rather than assuming
that FEAT_CCIDX is not implemented.
Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I12cd00cd7b5889525d4d2750281a751dd74ef5dc
johpow01
Jayanth Dodderi Chidanand
Sayanta Pattanayak
Zelalem Aweke
Bipin Ravi
Okash Khawaja
Varun Wadekar
Manish V Badarkhe
Robert Wakim
Yann Gautier
Andre Przywara
Daniel Boulby
Manoj Kumar