Dimitris Papastamos [Mon, 11 Jun 2018 10:07:58 +0000 (11:07 +0100)]
Adjust BL2_AT_EL3 memory layout
For the BL2_AT_EL3 configuration, move BL2 higher up to make more
space for BL31. Adjust the BL31 limit to be up to BL2 base. This is
because BL2 is always resident for the BL2_AT_EL3 configuration and
thus we cannot overlay it with BL31.
Change-Id: I71e89863ed48f5159e8b619f49c7c73b253397aa
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Fri, 8 Jun 2018 13:01:38 +0000 (14:01 +0100)]
Merge pull request #1397 from dp-arm/dp/cortex-a76
Add support for Cortex-A76 and Cortex-Ares
Dimitris Papastamos [Fri, 8 Jun 2018 12:17:47 +0000 (13:17 +0100)]
Merge pull request #1409 from ARM-software/revert-1389-db/bugfix
Revert "Code change to fix small bugs"
Dimitris Papastamos [Fri, 8 Jun 2018 12:17:26 +0000 (13:17 +0100)]
Revert "Code change to fix small bugs"
Dimitris Papastamos [Fri, 8 Jun 2018 10:47:13 +0000 (11:47 +0100)]
Merge pull request #1405 from dp-arm/dp/cve_2017_5715
Fast path SMCCC_ARCH_WORKAROUND_1 calls from AArch32
Dimitris Papastamos [Thu, 7 Jun 2018 10:29:15 +0000 (11:29 +0100)]
SDEI: Ensure SDEI handler executes with CVE-2018-3639 mitigation enabled
When dynamic mitigation is used, the SDEI handler is required to
execute with the mitigation enabled by default, regardless of the
mitigation state for lower ELs. This means that if the kernel or
hypervisor explicitly disables the mitigation and then later when the
event is dispatched, the dispatcher will remember the mitigation state
for the lower ELs but force the mitigation to be on during the SDEI
handler execution. When the SDEI handler returns, it will restore the
mitigation state.
This behaviour is described in "Firmware interfaces for mitigating
cache speculation vulnerabilities System Software on Arm Systems"[0].
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8dd60b736be0aa9e832b0f92d67a401fdeb417f4
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Wed, 16 May 2018 08:59:54 +0000 (09:59 +0100)]
Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76
The Cortex-A76 implements SMCCC_ARCH_WORKAROUND_2 as defined in
"Firmware interfaces for mitigating cache speculation vulnerabilities
System Software on Arm Systems"[0].
Dynamic mitigation for CVE-2018-3639 is enabled/disabled by
setting/clearning bit 16 (Disable load pass store) of `CPUACTLR2_EL1`.
NOTE: The generic code that implements dynamic mitigation does not
currently implement the expected semantics when dispatching an SDEI
event to a lower EL. This will be fixed in a separate patch.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I8fb2862b9ab24d55a0e9693e48e8be4df32afb5a
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Thu, 31 May 2018 13:10:06 +0000 (14:10 +0100)]
Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default
The upcoming patch that adds dynamic mitigation for Cortex-A76
requires that DYNAMIC_WORKAROUND_CVE_2018_3639=1. On FVP, we pull in
all the CPU files into the build which means there will be a build
failure if DYNAMIC_WORKAROUND_CVE_2018_3639=0.
Change-Id: I2e781cbeafbf5d16eaabf76a1677e0c9f81269d2
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Mon, 26 Mar 2018 15:46:01 +0000 (16:46 +0100)]
Implement Cortex-Ares
1043202 erratum workaround
The workaround uses the instruction patching feature of the Ares cpu.
Change-Id: I868fce0dc0e8e41853dcce311f01ee3867aabb59
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Tue, 13 Feb 2018 11:28:02 +0000 (11:28 +0000)]
Add AMU support for Cortex-Ares
Change-Id: Ia170c12d3929a616ba80eb7645c301066641f5cc
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Isla Mitchell [Thu, 3 Aug 2017 15:04:46 +0000 (16:04 +0100)]
Add support for Cortex-Ares and Cortex-A76 CPUs
Both Cortex-Ares and Cortex-A76 CPUs use the ARM DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly
managed in hardware, and required software operations are simple.
Change-Id: I3a9447b5bdbdbc5ed845b20f6564d086516fa161
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
Dimitris Papastamos [Fri, 8 Jun 2018 10:45:06 +0000 (11:45 +0100)]
Merge pull request #1389 from danielboulby-arm/db/bugfix
Code change to fix small bugs
Dimitris Papastamos [Fri, 8 Jun 2018 09:50:09 +0000 (10:50 +0100)]
Merge pull request #1407 from soby-mathew/sm/juno_bl1_size
Juno: Bump up the BL1-RW size
Soby Mathew [Thu, 7 Jun 2018 14:23:39 +0000 (15:23 +0100)]
Juno: Bump up the BL1-RW size
This patch bumps up the BL1-RW size for Juno and at the same time reduces
the BL2 size when TBB is enabled, TF_MBEDTLS_KEY_ALG=rsa+ecdsa. The BL2
size for this config is reduced as it was observed that the peak memory
usage is only reached when SPD=opteed and the dual rsa+ecdsa support is
not needed for this case.
Change-Id: Ia9009771b5cfd805e9cc75410aabb7db99fc2fbc
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Dimitris Papastamos [Thu, 7 Jun 2018 13:49:25 +0000 (14:49 +0100)]
Merge pull request #1404 from soby-mathew/sm/bl_layout_change
ARM platforms: Change memory layout and update documentation
Dimitris Papastamos [Thu, 31 May 2018 10:38:33 +0000 (11:38 +0100)]
Fast path SMCCC_ARCH_WORKAROUND_1 calls from AArch32
When SMCCC_ARCH_WORKAROUND_1 is invoked from a lower EL running in
AArch32 state, ensure that the SMC call will take a shortcut in EL3.
This minimizes the time it takes to apply the mitigation in EL3.
When lower ELs run in AArch32, it is preferred that they execute the
`BPIALL` instruction to invalidate the BTB. However, on some cores
the `BPIALL` instruction may be a no-op and thus would benefit from
making the SMCCC_ARCH_WORKAROUND_1 call go through the fast path.
Change-Id: Ia38abd92efe2c4b4a8efa7b70f260e43c5bda8a5
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Soby Mathew [Wed, 6 Jun 2018 15:03:10 +0000 (16:03 +0100)]
docs: Firmware design update for BL memory layout
This patch updates the firmware design guide for the BL memory
layout change on ARM platforms.
Change-Id: Icbfe7249484bb8b4ba3c94421172d42f27605c52
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Fri, 1 Jun 2018 15:53:38 +0000 (16:53 +0100)]
ARM platforms: Move BL31 below BL2 to enable BL2 overlay
The patch changes the layout of BL images in memory to enable
more efficient use of available space. Previously BL31 was loaded
with the expectation that BL2 memory would be reclaimed by BL32
loaded in SRAM. But with increasing memory requirements in the
firmware, we can no longer fit BL32 in SRAM anymore which means the
BL2 memory is not reclaimed by any runtime image. Positioning BL2
below BL1-RW and above BL31 means that the BL31 NOBITS can be
overlaid on BL2 and BL1-RW.
This patch also propogates the same memory layout to BL32 for AArch32
mode. The reset addresses for the following configurations are also
changed :
* When RESET_TO_SP_MIN=1 for BL32 in AArch32 mode
* When BL2_AT_EL3=1 for BL2
The restriction on BL31 to be only in DRAM when SPM is enabled
is now removed with this change. The update to the firmware design
guide for the BL memory layout is done in the following patch.
Change-Id: Icca438e257abe3e4f5a8215f945b9c3f9fbf29c9
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Dimitris Papastamos [Tue, 29 May 2018 08:28:05 +0000 (09:28 +0100)]
Merge pull request #1392 from dp-arm/dp/cve_2018_3639
Implement workaround for CVE-2018-3639 on Cortex A57/A72/A73 and A75
Daniel Boulby [Thu, 3 May 2018 16:11:04 +0000 (17:11 +0100)]
Remove rt_svc_descs pointer from inner scope
A pointer to rt_svc_desc_t was defined both in the
function and globally. The innermost definition
hid the global definition which is the one we want
to use so remove the innermost definition to prevent
this
Change-Id: Idabdbc0947178ae83224bd17a9b170df7c278d51
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Daniel Boulby [Tue, 1 May 2018 11:19:26 +0000 (12:19 +0100)]
Remove duplicate weak definition
The weak pragma was assigned twice to the bl2_plat_handle_post_image_load
definition both in plat/common/ and in plat/arm/common/ this was an error as
it should have only have been defined in plat/common
Change-Id: Id85e14c699cb09ed998d1677f2a172e760911918
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Dimitris Papastamos [Fri, 25 May 2018 08:47:11 +0000 (09:47 +0100)]
Merge pull request #1395 from antonio-nino-diaz-arm/an/spm-refactor
SPM: Refactor codebase
Antonio Nino Diaz [Thu, 24 May 2018 08:14:58 +0000 (09:14 +0100)]
plat/arm: SPM: Force BL31 to DRAM when SPM is used
BL31 is running out of space, and the use-case of SPM doesn't require it
to be in SRAM. To prevent BL31 from running out of space in the future,
move BL31 to DRAM if SPM is enabled.
Secure Partition Manager design document updated to reflect the changes.
Increased the size of the stack of BL31 for builds with SPM.
The translation tables used by SPM in Arm platforms have been moved back
to the 'xlat_tables' region instead of 'arm_el3_tzc_dram'. Everything is
in DRAM now, so it doesn't make sense to treat them in a different way.
Change-Id: Ia6136c8e108b8da9edd90e9d72763dada5e5e5dc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Wed, 23 May 2018 10:49:16 +0000 (11:49 +0100)]
SPM: Extract code out of the SMC handler
Simplify the code of the SMC handler by extracting the code of
SP_EVENT_COMPLETE and MM_COMMUNICATE.
Change-Id: I9250a3f5e4b807b35c9d044592c1074a45ab9a07
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Wed, 23 May 2018 08:09:41 +0000 (09:09 +0100)]
SPM: Replace SP init flag by generic state enum
Instead of just knowing if the Secure Partition is being initialized or
not, this generic state enum can be used to tell if the Secure Partition
is busy and to add more states in the future if needed.
Also, the spinlock of the secure_partition_context_t structure now only
protects against concurrent accesses to the state of the secure
partition. Previously, it used to lock down the whole structure, thus
preventing one CPU to access any of its fields while another CPU was
executing the partition.
Change-Id: I51215328e2ca8ea2452f92e4a1cb237415958b22
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Tue, 22 May 2018 15:26:48 +0000 (16:26 +0100)]
SPM: Shorten names of types and functions
The current internal names are too long, which makes it hard to write
code as many lines overflow the limit and need to be split, which may
not help the reader.
Change-Id: I072bdc8f3dd125255063ffa7f02500e5228fc9a1
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Tue, 22 May 2018 15:45:35 +0000 (16:45 +0100)]
SPM: Move xlat-related functions to separate file
This is done in order to make it easier to read the file spm_main.c.
Change-Id: I21e765154c1682a319a3bc47a19a42fd736e910e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Wed, 23 May 2018 10:40:46 +0000 (11:40 +0100)]
SPM: Move all SP-related info to SP context struct
Move all information related to a Secure Partition to the struct
secure_partition_context_t.
This requires an in-depth refactor because most of the previous code of
SPM relied on global information.
Change-Id: I0a23e93817dcc191ce1d7506b8bc671d376123c4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz [Tue, 22 May 2018 09:09:10 +0000 (10:09 +0100)]
context_mgmt: Make cm_init_context_common public
This function can be currently accessed through the wrappers
cm_init_context_by_index() and cm_init_my_context(). However, they only
work on contexts that are associated to a CPU.
By making this function public, it is possible to set up a context that
isn't associated to any CPU. For consistency, it has been renamed to
cm_setup_context().
Change-Id: Ib2146105abc8137bab08745a8adb30ca2c4cedf4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Dimitris Papastamos [Wed, 16 May 2018 10:36:14 +0000 (11:36 +0100)]
Add support for dynamic mitigation for CVE-2018-3639
Some CPUS may benefit from using a dynamic mitigation approach for
CVE-2018-3639. A new SMC interface is defined to allow software
executing in lower ELs to enable or disable the mitigation for their
execution context.
It should be noted that regardless of the state of the mitigation for
lower ELs, code executing in EL3 is always mitigated against
CVE-2018-3639.
NOTE: This change is a compatibility break for any platform using
the declare_cpu_ops_workaround_cve_2017_5715 macro. Migrate to
the declare_cpu_ops_wa macro instead.
Change-Id: I3509a9337ad217bbd96de9f380c4ff8bf7917013
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Thu, 17 May 2018 13:41:13 +0000 (14:41 +0100)]
aarch32: Implement static workaround for CVE-2018-3639
Implement static mitigation for CVE-2018-3639 on
Cortex A57 and A72.
Change-Id: I83409a16238729b84142b19e258c23737cc1ddc3
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Thu, 5 Apr 2018 13:38:26 +0000 (14:38 +0100)]
Implement static workaround for CVE-2018-3639
For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.
This approach permanently mitigates the entire software stack and no
additional mitigation code is required in other software components.
TF-A implements this approach for the following affected CPUs:
* Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
`CPUACTLR_EL1` (`S3_1_C15_C2_0`).
* Cortex-A73, by setting bit 3 of `S3_0_C15_C0_0` (not documented in the
Technical Reference Manual (TRM)).
* Cortex-A75, by setting bit 35 (reserved in TRM) of `CPUACTLR_EL1`
(`S3_0_C15_C1_0`).
Additionally, a new SMC interface is implemented to allow software
executing in lower ELs to discover whether the system is mitigated
against CVE-2018-3639.
Refer to "Firmware interfaces for mitigating cache speculation
vulnerabilities System Software on Arm Systems"[0] for more
information.
[0] https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
Change-Id: I084aa7c3bc7c26bf2df2248301270f77bed22ceb
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Fri, 6 Apr 2018 14:29:34 +0000 (15:29 +0100)]
Rename symbols and files relating to CVE-2017-5715
This patch renames symbols and files relating to CVE-2017-5715 to make
it easier to introduce new symbols and files for new CVE mitigations.
Change-Id: I24c23822862ca73648c772885f1690bed043dbc7
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos [Wed, 23 May 2018 11:45:13 +0000 (12:45 +0100)]
Merge pull request #1386 from soby-mathew/sm/dyn_bl31
Extend dynamic configuration
Dimitris Papastamos [Tue, 22 May 2018 09:34:52 +0000 (10:34 +0100)]
Merge pull request #1393 from geesun/correct_comment
Correct some typo errors in comment
Dimitris Papastamos [Tue, 22 May 2018 09:31:25 +0000 (10:31 +0100)]
Merge pull request #1390 from soby-mathew/sm/fvp_rm_dtb
Remove the DTBs and update userguide for FVP
Qixiang Xu [Mon, 5 Mar 2018 01:31:11 +0000 (09:31 +0800)]
Correct some typo errors in comment
File: include/common/aarch64/el3_common_macros.S
Change-Id: I619401e961a3f627ad8864781b5f90bc747c3ddb
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
Dimitris Papastamos [Mon, 21 May 2018 15:31:04 +0000 (16:31 +0100)]
Merge pull request #1359 from danielboulby-arm/db/match_flags_type
Ensure read and write of flags defined in the console struct are 32 bit
Soby Mathew [Wed, 4 Apr 2018 08:40:32 +0000 (09:40 +0100)]
FVP: Add dummy configs for BL31, BL32 and BL33
This patch adds soc_fw_config, tos_fw_config and nt_fw_config to the FVP.
The config files are placeholders and do not have any useful bindings
defined. The tos_fw_config is packaged in FIP and loaded by BL2 only
if SPD=tspd. The load address of these configs are specified in tb_fw_config
via new bindings defined for these configs. Currently, in FVP, the
soc_fw_config and tos_fw_config is loaded in the page between BL2_BASE
and ARM_SHARED_RAM. This memory was typically used for BL32 when
ARM_TSP_RAM_LOCATION=tsram but since we cannot fit BL32 in that
space anymore, it should be safe to use this memory for these configs.
There is also a runtime check in arm_bl2_dyn_cfg_init() which ensures
that this overlap doesn't happen.
The previous arm_dyn_get_hwconfig_info() is modified to accept configs
other than hw_config and hence renamed to arm_dyn_get_config_load_info().
The patch also corrects the definition of ARM_TB_FW_CONFIG_LIMIT to be
BL2_BASE.
Change-Id: I03a137d9fa1f92c862c254be808b8330cfd17a5a
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Wed, 9 May 2018 12:59:29 +0000 (13:59 +0100)]
Docs: Update user guide for Dynamic Config on FVP
From TF-A v1.5, FVP supports loading the kernel FDT through
firmware as part of dynamic configuration feature. This means
that the FDT no longer needs to be loaded via Model parameters.
This patch updates the user guide to reflect the same.
Change-Id: I79833beeaae44a1564f6512c3a473625e5959f65
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Fri, 16 Feb 2018 14:57:24 +0000 (14:57 +0000)]
Dynamic_config: remove the FVP dtb files
Since FVP enables dynamic configuration by default, the DT blobs are
compiled from source and included in FIP during build. Hence this
patch removes the dtb files from the `fdts` folder.
Change-Id: Ic155ecd257384a33eb2aa38c9b4430e47b09cd31
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Thu, 29 Mar 2018 13:29:55 +0000 (14:29 +0100)]
Dynamic cfg: Enable support on CoT for other configs
This patch implements support for adding dynamic configurations for
BL31 (soc_fw_config), BL32 (tos_fw_config) and BL33 (nt_fw_config). The
necessary cert tool support and changes to default chain of trust are made
for these configs.
Change-Id: I25f266277b5b5501a196d2f2f79639d838794518
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Mon, 26 Mar 2018 14:16:46 +0000 (15:16 +0100)]
FVP: Enable capability to disable auth via dynamic config
This patch adds capability to FVP to disable authentication dynamically
via the `disable_auth` property in TB_FW_CONFIG. Both BL1 and BL2 parses
the TB_FW_CONFIG for the `disable_auth` property and invokes the
`load_dyn_disable_auth()` API to disable authentication if the
property is set to 1. The DYN_DISABLE_AUTH is enabled by default for
FVP as it is a development platform. Note that the TB_FW_CONFIG has to
be authenticated by BL1 irrespective of these settings.
The arm_bl2_dyn_cfg_init() is now earlier in bl2_plat_preload_setup()
rather than in bl2_platform_setup() as we need to get the value of
`disable_auth` property prior to authentication of any image by BL2.
Change-Id: I734acd59572849793e5020ec44c6ac51f654a4d1
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew [Mon, 26 Mar 2018 11:43:37 +0000 (12:43 +0100)]
Allow disabling authentication dynamically
This patch allows platforms to dynamically disable authentication of
images during cold boot. This capability is controlled via the
DYN_DISABLE_AUTH build flag and is only meant for development
purposes.
Change-Id: Ia3df8f898824319bb76d5cc855b5ad6c3d227260
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
danh-arm [Thu, 17 May 2018 17:20:59 +0000 (18:20 +0100)]
Merge pull request #1369 from sivadur/xilinxdiff
Xilinx platform mangement related changes
Daniel Boulby [Wed, 16 May 2018 15:04:35 +0000 (16:04 +0100)]
Ensure read and write of flags are 32 bit
In 'console_set_scope' and when registering a console, field 'flags' of
'console_t' is assigned a 32-bit value. However, when it is actually
used, the functions perform 64-bit reads to access its value. This patch
changes all 64-bit reads to 32-bit reads.
Change-Id: I181349371409e60065335f078857946fa3c32dc1
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
Dimitris Papastamos [Thu, 17 May 2018 13:35:34 +0000 (14:35 +0100)]
Merge pull request #1340 from Andre-ARM/sec-irqs-fixes
Fix support for systems without secure interrupts
Dimitris Papastamos [Thu, 17 May 2018 12:46:57 +0000 (13:46 +0100)]
Merge pull request #1384 from rockchip-linux/for_m0_patch
for rk3399 suspend/resume
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 14:42:12 +0000 (20:12 +0530)]
zynqmp: Add wdt timeout restart functionality
This patch adds support to restart system incase of wdt
timeout.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 5 Mar 2018 13:17:15 +0000 (18:47 +0530)]
zynqmp: Fix EG/EV detection logic
The vcu disable bit in efuse ipdisable register is valid
only if PL powered up so, consider PL powerup status for
determing EG/EV part. If PL is not powered up, display
EG/EV as a part of string. The PL powerup status will
be filled by pmufw based on PL PROGB status in the
9th bit of version field.This patch also used IPI
to get this info from pmufw instead of directly accessing
the registers. Accessing this info from pmufw using
IPI fixes the issue of PMUFW access denied error for
reading IPDISABLE register.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 14:36:58 +0000 (20:06 +0530)]
zynqmp: Add new API for processing secure images
This patch adds new API for processing secure images. This API
is used for authentication and decryption of secure images using
xilsecure in pmufw.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Tejas Patel [Fri, 9 Feb 2018 10:42:59 +0000 (02:42 -0800)]
xilinx: zynqmp: pm_service: Fix APU only restart
Existing code blocks each IPI send request in ipi_mb_notify()
function till pmu clears respective bit in ipi observation
register.
After sending PM_SYSTEM_SHUTDOWN request to PMU, PMU will
restart APU. While PMU is restarting APU, ATF is running out
of OCM, which can cause read/write hang from/to OCM.
There is no need to wait for notification from PMU in case
of SystemShutdown request in ATF, as APU is going to restart.
This patch fixes APU only restart issue.
Signed-off-by: Tejas Patel <tejasp@xilinx.com>
Acked-by: Wendy Liang <wendy.liang@xilinx.com>
Siva Durga Prasad Paladugu [Wed, 7 Feb 2018 07:43:01 +0000 (13:13 +0530)]
plat: xilinx: zynqmp: Make fpga load blocking until completed
This patch makes bitstream load blocking call and waits until
bitstream is loaded successfully or return with error.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Tested-by: Avesh Khan <aveshk@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 14:23:56 +0000 (19:53 +0530)]
plat: xilinx: zynqmp: Remove GET_CALLBACK_DATA function
GET_CALLBACK_DATA function is not required now. IPI mailbox
can be used instead of GET_CALLBACK_DATA function.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Rajan Vaja [Tue, 30 Jan 2018 11:59:23 +0000 (03:59 -0800)]
zynqmp: pm_service: Make PMU IPI-1 channel unsecure
PMU IPI-1 is used for callbacks from PMU to master. Unsecure
master can also receive callbacks from PMU, so make PMU IPI-1
as non-secure.
All requests from master(s) to PMU would still go on PMU IPI-1
secure channel.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Rajan Vaja [Fri, 15 Dec 2017 06:58:07 +0000 (22:58 -0800)]
zynqmp: pm: Remove unnecessary header includes
Remove includes of gic_common.h and string.h which
are not required.
Signed-off-by: Rajan Vaja <rajanv@xilinx.com>
Acked-by: Jolly Shah <jollys@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 14:13:03 +0000 (19:43 +0530)]
xilinx: zynqmp: Remove PMU Firmware checks
Xilinx now requires the PMU FW when using ATF, so it doesn't make sense
to maintain checks for the PMU FW in ATF. This also means that cases
where ATF came up before the PMU FW (such as on QEMU) ATF will now hang
waiting for the PMU FW instead of aborting.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 14:09:49 +0000 (19:39 +0530)]
zynqmp: pm: Reverse logic for detecting that the PMU firmware is loaded
Use positive logic (pm_up instead of pm_down) to check whether PMU
services are available. This change also puts the variable into the
BSS section rather than the Data section as the variable is now
initialized to 0 rather than 1.
Signed-off-by: Will Wong <WILLW@xilinx.com>
Signed-off-by: Stefan Krsmanovic <stefan.krsmanovic@aggios.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Alistair Francis [Fri, 1 Dec 2017 00:21:21 +0000 (16:21 -0800)]
plat: zynqmp: Don't panic() if we can't find the FSBL struct
If we can't find the FSBL handoff struct don't panic and just use the
defaults instead.
We still print a warning to the user to let them know what we couldn't
find it.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Siva Durga Prasad Paladugu [Thu, 17 May 2018 09:47:46 +0000 (15:17 +0530)]
plat: zynqmp: Let fsbl_atf_handover() return an error status
Instead of calling panic() in fsbl_atf_handover() return the error
status so that bl31_early_platform_setup() can act accordingly.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Wendy Liang [Fri, 10 Nov 2017 23:55:16 +0000 (15:55 -0800)]
Include "bl_common.h" in Xilinx zynqmp_private.h
Type "entry_point_info_t" is used in zynqmp_private.h. It is defined
in "bl_common.h". The header file which defines the type should be
included.
Signed-off-by: Wendy Liang <jliang@xilinx.com>
Siva Durga Prasad Paladugu [Tue, 1 May 2018 05:42:55 +0000 (11:12 +0530)]
zynqmp: pm: Added APIs for xilsecure linux support
Added SHA to calculate SHA3 hash,RSA to encrypt data with
public key and decrypt with private key and AES to do symmetric
encryption with User key or device key.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Siva Durga Prasad Paladugu [Tue, 1 May 2018 05:40:25 +0000 (11:10 +0530)]
plat: zynqmp: Add support for CG/EG/EV device detection
Read ipdisable reg which needs to be used for cg/eg/ev device detection.
ATF runs in EL3 that's why this read can be done directly.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Siva Durga Prasad Paladugu [Tue, 6 Jun 2017 07:24:52 +0000 (12:54 +0530)]
aarch64: zynqmp: Add new Ids for RFSoC
Add new id codes for RFSoC's.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Siva Durga Prasad Paladugu [Tue, 1 Aug 2017 04:53:19 +0000 (10:23 +0530)]
zynqmp: Fix CSU ID SVD mask fo getting chip ID
This patch corrects the SVD mask for getting chip ID
using 0xe is wrong and 0x7 is correct.
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 10:26:10 +0000 (15:56 +0530)]
zynqmp: pm: Allow to set shutdown scope via pm_system_shutdown API
psci system_reset and system_off calls now retrieve shutdown scope on
the fly. The default scope is system, but it can be changed by calling
pm_system_shutdown(2, scope)
Until full support for different restart scopes becomes available with
PSCI 1.1 this change allows users to set the reboot scope to match
their application needs.
Possible scope values:
0 - APU subsystem: does not affect RPU, PMU or PL
1 - PS only: shutdown/restart entire PS without affecting PL
2 - System: shutdown/restart applies to entire system
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Signed-off-by: Davorin Mista <davorin.mista@aggios.com>
Filip Drazic [Wed, 15 Mar 2017 10:50:47 +0000 (11:50 +0100)]
zynqmp: pm: Implement PM_INIT_FINALIZE PM API call
The PM_INIT_FINALIZE PM API is required to inform the PFW that APU is
done with requesting nodes and that not-requested nodes can be powered
down. If PM is not enabled, this call will never be made and PFW will
never power down any of the nodes which APU can use.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Filip Drazic [Thu, 16 Mar 2017 15:56:53 +0000 (16:56 +0100)]
zynqmp: pm: Rename PM_INIT to PM_INIT_FINALIZE
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Siva Durga Prasad Paladugu [Mon, 30 Apr 2018 10:19:27 +0000 (15:49 +0530)]
zynqmp: pm: Implemented new pm API to load secure images
This patch adds pm_secure_rsaaes() API to provide access to
the xilsecure library for loading secure images
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Siva Durga Prasad Paladugu [Mon, 20 Feb 2017 12:25:50 +0000 (17:55 +0530)]
xilinx: zynqmp: Read bootmode register using PM API
Read boot mode register using pm_mmio_read if pmu is
present otherwise access it directly using mmio_read_32().
Signed-off-by: Siva Durga Prasad Paladugu <sivadur@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Filip Drazic [Tue, 7 Feb 2017 11:03:57 +0000 (12:03 +0100)]
zynqmp: pm: Decode start address related SMC arguments for pm_req_wakeup
The pm_req_wakeup PM API accepts start address (64-bit unsiged integer)
and a flag stating if address should be used. To save an argument
of the SMC call, flag is encoded in the LSB of the address, since
addresses are word aligned.
Decode start address and use-address flag in the PM SMC handler and
pass them to pm_req_wakeup.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Filip Drazic [Tue, 7 Feb 2017 11:03:56 +0000 (12:03 +0100)]
zynqmp: pm: Move pm_client_wakeup call from pm_req_wakeup
Call to pm_client_wakeup from pm_req_wakeup prevented the PM API
call to be used to wake up non-APU processor (e.g. from higher ELs),
since it clears power down request for specified APU processor.
Move this function out of pm_client_wakeup to allow passing wake up
requests to the PMU for other processor in the system.
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Mirela Simonovic [Mon, 30 Jan 2017 16:44:00 +0000 (17:44 +0100)]
zynqmp: pm: Remove unused NODE_AFI, add NODE_EXTERN
NODE_EXTERN is the slave node which represents an external wake
source.
Signed-off-by: Mirela Simonovic <mirela.simonovic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Siva Durga Prasad Paladugu [Fri, 27 Apr 2018 10:56:47 +0000 (16:26 +0530)]
zynqmp: pm: Add support for setting suspend-to-RAM mode
Beside standard suspend-to-RAM state, Zynq MPSoC supports
suspend-to-RAM state with additional power savings, called
power-off suspend-to-RAM. If this mode is set, only NODE_EXTERN
must be set as wake source. Standard suspend-to-RAM procedure
is unchanged.
This patch adds support for setting suspend mode from higher
ELs and ensuring that all conditions for power-off suspend mode
are set.
Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Anes Hadziahmetagic [Fri, 27 Jan 2017 17:42:44 +0000 (18:42 +0100)]
zynqmp: pm: Implement pm_get_node_status API function
pm_get_node_status API function returns 3 values:
-status: Current power state of the node
-requirements: Current requirements for the node
-usage: Current usage of the node
The last two values only apply to slave nodes.
Signed-off-by: Anes Hadziahmetagic <anes.hadziahmetagic@aggios.com>
Signed-off-by: Filip Drazic <filip.drazic@aggios.com>
Acked-by: Will Wong <willw@xilinx.com>
Dimitris Papastamos [Wed, 16 May 2018 14:23:18 +0000 (15:23 +0100)]
Merge pull request #1387 from vishwanathahg/sgi575/core_pos_calc
Sgi575/core pos calc
Dimitris Papastamos [Wed, 16 May 2018 13:27:06 +0000 (14:27 +0100)]
Merge pull request #1383 from sandrine-bailleux-arm/topics/sb/sp-access-fpregs
SPM: Do not trap S-EL0 access to SVE/SIMD/FP regs
Dimitris Papastamos [Wed, 16 May 2018 13:26:52 +0000 (14:26 +0100)]
Merge pull request #1382 from sandrine-bailleux-arm/topics/sb/fix-doc
Fix doc for bl31_plat_get_next_image_ep_info()
Dimitris Papastamos [Wed, 16 May 2018 13:26:28 +0000 (14:26 +0100)]
Merge pull request #1381 from antonio-nino-diaz-arm/an/kernel-boot
plat/arm: Introduce ARM_LINUX_KERNEL_AS_BL33 build option
Dimitris Papastamos [Wed, 16 May 2018 09:59:25 +0000 (10:59 +0100)]
Merge pull request #1378 from vwadekar/denver-cve-2017-5715
CVE-2017-5715 mitigation for Denver CPUs
Vishwanatha HG [Tue, 8 May 2018 11:45:37 +0000 (17:15 +0530)]
css/sgi: rework the core position calculation function
The MT bit in MPIDR is always set for SGI platforms and so the
core position calculation code is updated to take into account
the thread affinity value as well.
Change-Id: I7b2a52707f607dc3859c6bbcd2b145b7987cb4ed
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
Vishwanatha HG [Tue, 8 May 2018 10:47:31 +0000 (16:17 +0530)]
css/sgi: remove redundant copy of gic driver data
Instead of instantiating a local copy of GICv3 driver data for SGI
platforms, reuse the existing instance of GICv3 driver data available
in the arm common platform code.
Change-Id: If6f38e15d1f0e20cea96fff98091da300015d295
Signed-off-by: Chandni Cherukuri <chandni.cherukuri@arm.com>
Signed-off-by: Vishwanatha HG <vishwanatha.hg@arm.com>
Varun Wadekar [Thu, 11 Jan 2018 01:03:22 +0000 (17:03 -0800)]
Workaround for CVE-2017-5715 on NVIDIA Denver CPUs
Flush the indirect branch predictor and RSB on entry to EL3 by issuing
a newly added instruction for Denver CPUs. Support for this operation
can be determined by comparing bits 19:16 of ID_AFR0_EL1 with 0b0001.
To achieve this without performing any branch instruction, a per-cpu
vbar is installed which executes the workaround and then branches off
to the corresponding vector entry in the main vector table. A side
effect of this change is that the main vbar is configured before any
reset handling. This is to allow the per-cpu reset function to override
the vbar setting.
Change-Id: Ief493cd85935bab3cfee0397e856db5101bc8011
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Dimitris Papastamos [Tue, 15 May 2018 17:40:46 +0000 (18:40 +0100)]
Merge pull request #1376 from vwadekar/cm-init-actlr-el1
lib: el3_runtime: initialise actlr_el1 to hardware defaults
Dimitris Papastamos [Tue, 15 May 2018 17:40:19 +0000 (18:40 +0100)]
Merge pull request #1380 from CJKay/mmap-fix
Fix incorrect number of reserved memory map entries for Arm platforms
Dimitris Papastamos [Tue, 15 May 2018 17:40:03 +0000 (18:40 +0100)]
Merge pull request #1379 from CJKay/nsram-fix
Fix incorrect NSRAM memory map region for SGI-575
Jeenu Viswambharan [Tue, 15 May 2018 15:18:40 +0000 (16:18 +0100)]
Fix build error with correct format string
Change-Id: I11c12b113c4975efd3ac7ac2e8b93e6771a7e7ff
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
Dimitris Papastamos [Tue, 15 May 2018 14:34:20 +0000 (15:34 +0100)]
Merge pull request #1373 from jeenu-arm/ras-support
RAS support
Dimitris Papastamos [Tue, 15 May 2018 12:34:11 +0000 (13:34 +0100)]
Merge pull request #1385 from antonio-nino-diaz-arm/an/revert-console
Revert "plat/arm: Migrate AArch64 port to the multi console driver"
Antonio Nino Diaz [Tue, 15 May 2018 12:12:50 +0000 (13:12 +0100)]
Revert "plat/arm: Migrate AArch64 port to the multi console driver"
This reverts commit
2f18aa1fa35305f8feec25867473d30975b242fe.
It is causing some tests to fail. Until the cause is found and fixed, it
is needed to remove this commit from master.
Change-Id: Ic5ff7a841903a15613e00379e87cbbd8a0e85152
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Derek Basehore [Mon, 23 Apr 2018 21:49:22 +0000 (14:49 -0700)]
rockchip/rk3399: Add watchdog support in pmusram
To catch early hangs in resume, this sets up the watchdog before
anything else in the pmusram code (ignoring setting up the stack...).
This uses hard coded settings for the watchdog until the proper
watchdog restore later on in the firmware/kernel.
This also restores the old watchdog register values before the PLLs
are restored to make sure we don't temporarily switch over to a 1/3s
timeout on the watchdog when the pclk_wdt goes from 4MHz to 100MHz.
Change-Id: I8f7652089a88783271b17482117b4609330abe80
Signed-off-by: Derek Basehore <dbasehore@chromium.org>
Lin Huang [Fri, 20 Apr 2018 07:55:21 +0000 (15:55 +0800)]
rockchip/rk3399: Split M0 binary into two
All the m0 code run in SRAM before, but we need to watch PMU_POWER_ST
when SOC enter into FSM, and SRAM will shutdown during this time, so
this code need run in PMUSRAM. But PMUSRAM only 8K space, we can not
put all the m0 binary into PMUSRAM, Split the M0 binary into two, dram
part still run in SRAM, and suspend part run in PMUSRAM.
Change-Id: Ie08bdf3e2b8838f12b9297fe60ab0aad219684b1
Signed-off-by: Lin Huang <hl@rock-chips.com>
Lin Huang [Fri, 20 Apr 2018 07:40:15 +0000 (15:40 +0800)]
rockchip/rk3399: improve pmu powermode configure when suspend
we need to enable PMU_WKUP_RST_EN for pmu powermode configure, since
enable wakeup reset will hold the soc status, so the SOC will not affect
by some power or other single glitch when resume, and keep the soc in the
right status. And it not need to enable DDRIO_RET_HW_DE_REQ, the ddr resume
will do it manual.
Change-Id: Ib4af897ffb3cb63dc2aa9a6002e5d9ef86ee4a49
Signed-off-by: Lin Huang <hl@rock-chips.com>
Sandrine Bailleux [Wed, 9 May 2018 12:45:34 +0000 (14:45 +0200)]
SPM: Do not trap S-EL0 access to SVE/SIMD/FP regs
This allows secure partitions to access these registers. This is
needed in some cases. For example, it has been reported that in order
to implement secure storage services, a secure partition needs to
encrypt/decrypt some authentication variables, which requires FP/SIMD
support.
Note that SPM will not do any saving/restoring of these registers on
behalf of the SP. This falls under the SP's responsibility.
Also note that if the SP gets preempted, it might not get a chance to
save/restore FP/SIMD registers first. This patch does not address this
problem. It only serves as a temporary solution to unblock development
on the secure partition side.
Change-Id: I3b8ccdebdac0219f6ac96ad66ab2be0be8374ad3
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Sandrine Bailleux [Mon, 14 May 2018 12:25:47 +0000 (14:25 +0200)]
Fix doc for bl31_plat_get_next_image_ep_info()
In the porting guide, fix the function name and the argument type to
reflect the code.
Change-Id: Iac8d69af403194de5586bc0d5890da531e3c8da2
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Antonio Nino Diaz [Mon, 14 May 2018 08:12:34 +0000 (09:12 +0100)]
Replace bootwrapped kernel instructions from User Guide
The instructions to boot the bootwrapped kernel were outdated.
Also, the bootwrapped kernel boot flow isn't really useful. It was meant
to be a replacement for the Trusted Firmware-A, not to be used as the next
step during boot.
The instructions have been removed in favour of the new build option
ARM_LINUX_KERNEL_AS_BL33. This new system directly boots the Linux
kernel from BL31, and requires RESET_TO_BL31 to be 1. Also, the kernel
has to be preloaded in memory, so PRELOADED_BL33_BASE has to be set to its
address. This way, the runtime services of the Trusted Firmware-A are
available for the kernel in the least possible amount of time.
This new system requires the DTB to be patched so that the kernel knows
where the ramdisk is. A short script to add this information to the DTB
has been added to the User Guide. The information related to it can be
found in the following file in the Linux kernel tree:
``Documentation/devicetree/bindings/chosen.txt``
Change-Id: Ide135580959e09f6aa8e4425f37ea55d97439178
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Chris Kay [Thu, 10 May 2018 13:43:28 +0000 (14:43 +0100)]
css: Do not map the non-secure RAM as secure
Change-Id: I7e73c0ab134da11c49f990b739245110c59eac2b
Signed-off-by: Chris Kay <chris.kay@arm.com>
Chris Kay [Thu, 10 May 2018 13:27:45 +0000 (14:27 +0100)]
css: Fix erroneous non-secure RAM base address/size for SGI-575
SGI-575's NSRAM is neither in the same place nor the same size as Juno's.
Change-Id: Id6d692e9c7e9c1360014bb525eda966ebe29c823
Signed-off-by: Chris Kay <chris.kay@arm.com>
Chris Kay [Wed, 9 May 2018 14:46:07 +0000 (15:46 +0100)]
plat/arm: Fix incorrect bounds check in ARM_CASSERT_MMAP
The bounds check in ARM_CASSERT_MMAP does not take into account the
array sentinel in plat_arm_mmap. This commit fixes this, and adds an
additional check to ensure the number of entries in the array is
within the bounds of PLAT_ARM_MMAP_ENTRIES.
Change-Id: Ie6df10c0aa0890d62826bc3224ad7b3e36fd53e2
Signed-off-by: Chris Kay <chris.kay@arm.com>
Chris Kay [Wed, 9 May 2018 14:14:06 +0000 (15:14 +0100)]
plat/arm: Fix incorrect number of reserved memory map entries
There are three calls to mmap_add_region() that always occur in
arm_setup_page_tables(), and two further calls based on whether coherent
memory is enabled, and whether SPM is enabled in BL31.
This commit adapts the ARM_BL_REGIONS definition to match the number of
calls made inside arm_setup_page_tables() so that the MAX_MMAP_REGIONS
is realigned with what is actually occurring.
Change-Id: I7adc05951abccf2cbd5c86280eb874911e6a1566
Signed-off-by: Chris Kay <chris.kay@arm.com>