At the moment we do the EL2 context save/restore sequence in assembly,
where it is just guarded by #ifdef statement for the build time flags.
This does not cover the FEAT_STATE_CHECK case, where we need to check
for the runtime availability of a feature.
To simplify this extension, and to avoid writing too much code in
assembly, move that sequence into C: it is called from C context
anyways.
This protects the C code with the new version of the is_xxx_present()
check, which combines both build time and runtime check, as necessary,
and allows the compiler to optimise the calls aways, if we don't need
them.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I7c91bec60efcc00a43429dc0381f7e1c203be780
For the FGT context save/restore operation, we need to look at the AMUv1
feature, so migrate this one over to the new scheme.
This uses the generic check function in feat_detect.c, and splits the
feature check into two functions, as was done before for FEAT_FGT.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I95ad797f15001b2c9d1800c9d4af33fba79e136f
Split the feature check for FEAT_FGT into two parts:
- A boolean function that just evaluates whether the feature is usable.
This takes build time flags into account, and only evaluates the CPU
feature ID registers when the flexible FEAT_STATE_CHECK method is
used.
- A "raw" function that returns the unfiltered CPU feature ID register.
Change the callers where needed, to give them the version they actually
want.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I9a041132d280451f5d9f653a62904f603b2a916d
To implement proper runtime checking of features, and to be able to
extend feat_detect.c to catch other cases, rework the FEAT_FGT check to
directly call a generic function instead of providing a trivial specific
one. The #ifdef is moved into the function, and rewritten as a proper C
if statement.
We need to force the compiler to inline that function, otherwise the
optimisation won't work, once we exceed a certain number of callers.
This starts with FEAT_FGT, but all the other features will be moved over
eventually, in separate patches.
For all features checked this way, we delay the panic() until after
every feature has been checked, to list them all during one run.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: Ic576922ff2c4f8d3c1b87b5843b3626729fe4514
The FEATURE_DETECTION functionality had some definitions in a header
file, although they were only used internally in the .c file.
Move them over there, since there are of no interest to other users.
Also use the opportuntiy to rename the less telling FEAT_STATE_[12]
names, and let the "0" case join the game. We use DISABLED, ALWAYS, and
CHECK now, so that the casual reader has some idea what those numbers
are supposed to mean.
feature_panic() becomes "static inline", since disabling all features
makes it unused, so the compiler complains otherwise.
Finally add a new category "cpufeat" to cover CPU feature related
changes.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: If0c8ba91ad22440260ccff383c33bdd055eefbdc
Our system register access function wrappers are using "volatile"
inline assembly instructions. On the first glance this is a good idea,
since many system registers have side effects, and we don't want the
compiler to optimise or reorder them (what "volatile" prevents).
However this also naturally limits the compiler's freedom to optimise
code better, and those volatile properties don't apply to every type of
system register. One example are the CPU ID registers, which have
constant values, are side-effect free and read-only.
Introduce a new wrapper type that drops the volatile keyword, and use
that for the wrappers instantiating ID register accessors.
This allows the compiler to freely optimise those instructions away, if
their result isn't actually used, which can trigger further
optimisations.
Change-Id: I3c64716ae4f4bf603f0ea57b652bd50bcc67bb0e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Add platform fiptool and UUIDs to the TC platform, to allow RSS images
to be inserted into and used from FIPs
Change-Id: Ic8e11bd4a766bdc616af7dee60d44fc5d1f6e7b6
Signed-off-by: Raef Coles <raef.coles@arm.com>
Our documentation currently says that new security advisories will be
announced on the project's issue tracker. However, this issue tracker
is barely used by TF-A community and the software it is based on is
getting deprecated. Thus from now on, security advisories will rather
be announced on the project's mailing list.
Update TF-A documentation to reflect that.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: If2f635795e0af4c794015a025899bfcc7116ab38
Versal uses PLM in the boot flow and printing FSBL in the log for
handoff parameters is misleading. Print proper source of TF-A
handoff parameters.
Change-Id: I331e2eac2f5d30beed8573940ae02094254a759b
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
This issue was triggered by sparse tool:
lib/libc/putchar.c:9:5: warning:
symbol '__putchar' was not declared. Should it be static?
Instead of setting __putchar as static, just remove the function and
directly use putchar() with a weak attribute.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ib35e4ba064f06010851bb860269b08462fe3d3bd
Add new LPM API `mt_lp_rm_find_constraint` and `mt_lp_rm_run_constraint`
for further extension.
Signed-off-by: Liju-Clr Chen <liju-clr.chen@mediatek.com>
Change-Id: I8298811e03227285a7d086166edf9e87471f74b4
Change the parameters of the LPM API for further extension.
Change-Id: Id8897c256c2118d00c6b9f3e7424ebc6100f02eb
Signed-off-by: Liju-Clr Chen <liju-clr.chen@mediatek.com>
Move `mt_lp_rm.h` to `plat/mediatek/include/lpm` for further extension.
Change-Id: If377ce6791ce80f82643b0f2466eb0f1aa5aa40b
Signed-off-by: Liju-Clr Chen <liju-clr.chen@mediatek.com>
In order to wake up system from USB devices, keep infra and peri on
when system suspend.
Change-Id: I0a0eb2e72709b0cc1bf11b36241a50cb5d85d9b8
Signed-off-by: Shaocheng Wang <shaocheng.wang@mediatek.corp-partner.google.com>
Add SPM low power functions, such as system suspend.
Change-Id: I6d1ad847a81ba9c347ab6fb8a8cb8c69004b7add
Signed-off-by: James Liao <jamesjj.liao@mediatek.com>
The notifier is used to notify SSPM to sleep when system suspend or
notify SSPM to wakeup when system resume.
Change-Id: I027ca356a84ea1e58be54a8a5eb302b3b96c2e22
Signed-off-by: James Liao <jamesjj.liao@mediatek.com>
SPM needs to access some modules' registers to decide its sleep
behavior. This patch add these register definitions to platform_def.h.
Signed-off-by: James Liao <jamesjj.liao@mediatek.com>
Change-Id: I3bebe74e367d5f6a7b59563036e18a83a3ef31e9
Add new functions and intefaces of LPM to support more interactions
between LPM providers and users.
Signed-off-by: James Liao <jamesjj.liao@mediatek.com>
Change-Id: I8ebbda0c0ef5be3a7a388a38c09424ebf785996f
Following macros removed
- handle_async_ea : It duplicates "check_and_unmask_ea" functionality
- check_if_serror_from_EL3: This macro is small and called only once,
replace this macro with instructions at the caller.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Id7eec6263ec23cc8792139f491c563f616fd3618
console_state is only used in multi_console.c, it is then declared as
static. console_list is used by several files, declare it as extern.
This corrects the 2 sparse warnings:
drivers/console/multi_console.c:13:11: warning: symbol 'console_list'
was not declared. Should it be static?
drivers/console/multi_console.c:14:9: warning: symbol 'console_state'
was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id1891595906c258e8cb8aa325226f0a43723ca0e
This was triggered by sparse tool:
drivers/auth/mbedtls/mbedtls_x509_parser.c:481:42: warning:
Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I392316c2a81ef8da7597e35f136e038f152d19d1
The ops->read and ops->write existence was checked with 0, change it
to NULL.
This corrects sparse issues:
drivers/io/io_block.c:272:9: warning:
Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning:
Using plain integer as NULL pointer
drivers/io/io_block.c:384:9: warning:
Using plain integer as NULL pointer
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I039050a645107523d8263ddf820e539c260d956c
These issues were triggered by sparse tool:
common/fdt_wrappers.c:209:36:
warning: incorrect type in assignment (different base types)
expected unsigned long long [usertype]
got restricted fdt64_t
common/fdt_wrappers.c:211:36:
warning: incorrect type in assignment (different base types)
expected unsigned int [usertype]
got restricted fdt32_t
common/fdt_wrappers.c:401:45:
warning: incorrect type in argument 1 (different base types)
expected restricted fdt32_t const [usertype] *prop
got unsigned int const [usertype] *value
common/fdt_wrappers.c:402:52:
warning: incorrect type in argument 1 (different base types)
expected restricted fdt32_t const [usertype] *prop
got unsigned int const [usertype] *
common/fdt_wrappers.c:404:66:
warning: incorrect type in argument 1 (different base types)
expected restricted fdt32_t const [usertype] *prop
got unsigned int const [usertype] *
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I32067607cd4da1897f0ce5d8e1e2d51e044ab815
get_ext() does not check the return value of the various mbedtls_*
functions, as cert_parse() is assumed to have guaranteed that they will
always succeed. However, it passes the end of an extension as the end
pointer to these functions, whereas cert_parse() passes the end of the
TBSCertificate. Furthermore, cert_parse() does *not* check that the
contents of the extension have the same length as the extension itself.
Before fd37982a19 ("fix(auth): forbid junk after extensions"),
cert_parse() also does not check that the extension block extends to the
end of the TBSCertificate.
This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
undefined on failure. In practice, this results in get_ext() continuing
to parse at different offsets than were used (and validated) by
cert_parse(), which means that the in-bounds guarantee provided by
cert_parse() no longer holds.
This patch fixes the remaining flaw by enforcing that the contents of an
extension are the same length as the extension itself.
Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
auth_nvctr() does not check that the buffer provided is long enough to
hold an ASN.1 INTEGER, or even that the buffer is non-empty. Since
auth_nvctr() will only ever read 6 bytes, it is possible to read up to
6 bytes past the end of the buffer.
This out-of-bounds read turns out to be harmless. The only caller of
auth_nvctr() always passes a pointer into an X.509 TBSCertificate, and
all in-tree chains of trust require that the certificate’s signature has
already been validated. This means that the signature algorithm
identifier is at least 4 bytes and the signature itself more than that.
Therefore, the data read will be from the certificate itself. Even if
the certificate signature has not been validated, an out-of-bounds read
is still not possible. Since there are at least two bytes (tag and
length) in both the signature algorithm ID and the signature itself, an
out-of-bounds read would require that the tag byte of the signature
algorithm ID would need to be either the tag or length byte of the
DER-encoded nonvolatile counter. However, this byte must be
(MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) (0x30), which is
greater than 4 and not equal to MBEDTLS_ASN1_INTEGER (2). Therefore,
auth_nvctr() will error out before reading the integer itself,
preventing an out-of-bounds read.
Change-Id: Ibdf1af702fbeb98a94c0c96456ebddd3d392ad44
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Wakeup interrupt should be set during power down sequence to wake
processor. So enable wakeup interrupt during power down sequence.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I1154495c25e0468496f6e112996fd182aa516d88
Clear and disable wakeup interrupt during client wakeup to avoid
multiple wakeup events.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Iebc644ae582da03001830b96e3190fce10dbac42
Power down bit and power down interrupt needs to be cleared once core
is wakeup to avoid unnecessary power down events. So disable power down
interrupt and clear power down bit during client wakeup.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I3445991692c441831e4ea8dae112e23b19f185a9
Versal NET is supporting max power state to AFF_LVL_2 so set power state
for all affinity level instead of setting for only AFF_LVL_0.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I55a91e798b7566d2f34d7cb1fe28ca25993a7d8e
Currently power down interrupt status is set by default before its
getting enabled. Because of that Linux is getting crashed since its
triggering interrupt before core goes to WFI state. So clear interrupt
status before enabling power down interrupt.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ia8d047b6078a49ab3dbe3e0bf24422357f0138c2
Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6:
- Macro parameter expands into an expression without being wrapped
by parentheses.
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Ie365d24c02bb38163005a3c073642d5c96412e2d
Fix below MISRA violation from versal_net_def.h:
- MISRA Violation: MISRA-C:2012 R.10.6
- The value of a composite expression shall not be assigned to an
object with wider essential type
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: I74f8e5d63523f33d245a21f8e4f04d30e40b05e7
Cortex-A710 erratum 2282622 is a Cat B erratum that applies to
all revisions <=r2p1 and is still open. The workaround was earlier
applied to all revisions <= r2p0, this patch extends it to r2p1.
This was thought to have been fixed in r2p1 which is not the case.
SDEN documentation:
https://developer.arm.com/documentation/SDEN1775101/latest
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Change-Id: Iad38a7fe57bec3f2d8977995acd601dcd9ae69c0
Default priority was not being set for all interrupts (gicr_write_ipriorityr takes INTID, not register number). The fix makes the loop to pass INTID in range 0, 4, 8, 12, ...
Signed-off-by: Sylwester Garncarek <sylwester.garncarek@sciopta.com>
Change-Id: Iaa975f6af49f5826c2811161f55242844c28ea81
"endfunc" macro is used to mark the end of a function. It takes the
function label as an argument. For el2_sysregs_context_save_mpam
function, "endfunc" has been called with an assumed typo, "func", along
with the function label. Remove this unwanted param to fix the endfunc
call.
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Change-Id: I05f958a285f936df579f01500b6fd7cb2b7753a8
SCHAR_MIN definition should use SCHAR_MAX, and not itself.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8c1751a381dac50fe3ec5fdf19d6a4918470b58
In FCONF_REGISTER_POPULATOR macro, add static for the fconf_populator
struct. This avoids this kind of sparse warning:
plat/st/common/stm32mp_fconf_io.c:181:1: warning:
symbol 'stm32mp_io__populator' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Icaa7da3079e82497e112585150f6348ef2ebf5e6
IOMMU kernel driver has changed the function parameters, so update
IOMMU TF-A driver to be consistent with it.
Change-Id: I2adda69bdbdc31833781fac5e6c1f4b10da161be
Signed-off-by: Chengci.Xu <chengci.xu@mediatek.com>
Andre Przywara
Raef Coles
Sandrine Bailleux
Akshay Belsare
Yann Gautier
Liju-Clr Chen
Shaocheng Wang
James Liao
Manish Pandey
Demi Marie Obenour
Jay Buddhabhatti
Bipin Ravi
Sylwester Garncarek
Rohit Mathew
Madhukar Pappireddy
Manish V Badarkhe
Rupinderjit Singh
Olivier Deprez
Chengci.Xu