Juan Castillo [Wed, 28 Jan 2015 16:46:57 +0000 (16:46 +0000)]
TBB: authenticate BL3-x images and certificates
This patch adds support to authenticate the Trusted Key certificate
and the BL3-x certificates and images at BL2.
Change-Id: I69a8c13a14c8da8b75f93097d3a4576aed71c5dd
Juan Castillo [Wed, 28 Jan 2015 16:42:41 +0000 (16:42 +0000)]
FVP: initialize IO framework in bl2_early_platform_setup()
This patch moves fvp_io_setup() to bl2_early_platform_setup() in order
to allow BL2 to use the IO framework before bl2_platform_setup().
Change-Id: I75e1a772ab5f9b4727f6727822a2527c30f3c63d
Juan Castillo [Wed, 7 Jan 2015 13:49:59 +0000 (13:49 +0000)]
TBB: authenticate BL2 image and certificate
This patch adds support to authenticate the BL2 content certificate
and image using the authentication module in BL1.
The FIP driver has been extended to include the BL2 certificate
UUID.
FVP and Juno ports include the BL2 certificate FIP file
definition.
Change-Id: I32680e9bd123c8db4a4193c14448c9b32b0e9325
Juan Castillo [Tue, 13 Jan 2015 10:37:27 +0000 (10:37 +0000)]
TBB: add authentication module interface
This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.
To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.
To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.
If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.
Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
Juan Castillo [Tue, 13 Jan 2015 12:21:04 +0000 (12:21 +0000)]
TBB: add PolarSSL based authentication module
This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.
PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).
To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.
Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:
Changes on FVP:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- BL2 memory region has been increased to 112 KB
Changes on Juno:
- BL1 and BL2 stacks have been increased to 4 KB
- BL1(rw) section has been increased to 32 KB.
- Trusted ROM region in Flash has been increased to 128 KB.
- BL2 memory region has been increased to 116 KB
Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
Juan Castillo [Mon, 17 Nov 2014 17:27:41 +0000 (17:27 +0000)]
stdlib: add missing features to build PolarSSL
This patch adds the missing features to the C library included
in the Trusted Firmware to build PolarSSL:
- strcasecmp() function
- exit() function
- sscanf()* function
- time.h header file (and its dependencies)
* NOTE: the sscanf() function is not a real implementation. It just
returns the number of expected arguments by counting the number of
'%' characters present in the formar string. This return value is
good enough for PolarSSL because during the certificate parsing
only the return value is checked. The certificate validity period
is ignored.
Change-Id: I43bb3742f26f0bd458272fccc3d72a7f2176ab3d
Juan Castillo [Wed, 7 Jan 2015 10:39:25 +0000 (10:39 +0000)]
TBB: add a platform specific function to validate the ROTPK
This patch adds the function plat_match_rotpk() to the platform
porting layer to provide a Root Of Trust Public key (ROTPK)
verification mechanism. This function is called during the
Trusted Board Boot process and receives a supposed valid copy
of the ROTPK as a parameter, usually obtained from an external
source (for instance, a certificate). It returns 0 (success) if
that key matches the actual ROTPK stored in the system or any
other value otherwise.
The mechanism to access the actual ROTPK stored in the system
is platform specific and should be implemented as part of this
function. The format of the ROTPK is also platform specific
(to save memory, some platforms might store a hash of the key
instead of the whole key).
TRUSTED_BOARD_BOOT build option has been added to allow the user
to enable the Trusted Board Boot features. The implementation of
the plat_match_rotpk() funtion is mandatory when Trusted Board
Boot is enabled.
For development purposes, FVP and Juno ports provide a dummy
function that returns always success (valid key). A safe trusted
boot implementation should provide a proper matching function.
Documentation updated accordingly.
Change-Id: I74ff12bc2b041556c48533375527d9e8c035b8c3
Juan Castillo [Tue, 4 Nov 2014 17:36:40 +0000 (17:36 +0000)]
TBB: add support to include certificates in a FIP image
This patch extends the FIP tool to include the certificates
generated by the 'cert_create' tool.
If GENERATE_COT build option is enabled, the Makefile adds the
certificates as dependencies to create the FIP file. Thus, make
target 'fip' will also build the certificates as part of the
Trusted Firmware build process.
Change-Id: I5eee500da7f7be6cfb6e3df0423599739d260074
Juan Castillo [Tue, 21 Oct 2014 10:30:42 +0000 (11:30 +0100)]
TBB: add tool to generate certificates
This patch adds a tool that generates all the necessary elements
to establish the chain of trust (CoT) between the images.
The tool reads the binary images and signing keys and outputs the
corresponding certificates that will be used by the target at run
time to verify the authenticity of the images.
Note: the platform port must provide the file platform_oid.h. This
file will define the OIDs of the x509 extensions that will be added
to the certificates in order to establish the CoT.
Change-Id: I2734d6808b964a2107ab3a4805110698066a04be
Juan Castillo [Mon, 19 Jan 2015 16:51:21 +0000 (16:51 +0000)]
Skip reserving memory for non-executable and BL3-0 images
This patch adds support to not reserve the memory where an image is
loaded if the image is:
1. A non-executable image e.g. a certificate
2. An executable image which is not meant to run on the
application CPU (e.g. BL3-0)
Both types of images are characterized by a NULL entrypoint argument
to the load_image() function. It is used to distinguish them from
other type of images.
Important: Use this feature carefully. The caller is responsible for
providing a valid entrypoint while loading images which will execute
on the application CPU to prevent a potential overwrite of the
corresponding memory region.
Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
danh-arm [Wed, 28 Jan 2015 10:42:32 +0000 (10:42 +0000)]
Merge pull request #248 from jcastillo-arm/jc/tf-issues/212_1
Allow BL3-2 to be loaded into the secure region of DRAM
danh-arm [Tue, 27 Jan 2015 09:48:18 +0000 (09:48 +0000)]
Merge pull request #247 from achingupta/ag/tf-issues#275
Call reset handlers upon BL3-1 entry.
Yatharth Kochar [Thu, 20 Nov 2014 18:09:41 +0000 (18:09 +0000)]
Call reset handlers upon BL3-1 entry.
This patch adds support to call the reset_handler() function in BL3-1 in the
cold and warm boot paths when another Boot ROM reset_handler() has already run.
This means the BL1 and BL3-1 versions of the CPU and platform specific reset
handlers may execute different code to each other. This enables a developer to
perform additional actions or undo actions already performed during the first
call of the reset handlers e.g. apply additional errata workarounds.
Typically, the reset handler will be first called from the BL1 Boot ROM. Any
additional functionality can be added to the reset handler when it is called
from BL3-1 resident in RW memory. The constant FIRST_RESET_HANDLER_CALL is used
to identify whether this is the first version of the reset handler code to be
executed or an overridden version of the code.
The Cortex-A57 errata workarounds are applied only if they have not already been
applied.
Fixes ARM-software/tf-issue#275
Change-Id: Id295f106e4fda23d6736debdade2ac7f2a9a9053
danh-arm [Mon, 26 Jan 2015 18:07:26 +0000 (18:07 +0000)]
Merge pull request #246 from soby-mathew/sm/route_IRQ_EL3
Demonstrate model for routing IRQs to EL3
Soby Mathew [Tue, 13 Jan 2015 15:48:26 +0000 (15:48 +0000)]
Demonstrate model for routing IRQs to EL3
This patch provides an option to specify a interrupt routing model
where non-secure interrupts (IRQs) are routed to EL3 instead of S-EL1.
When such an interrupt occurs, the TSPD arranges a return to
the normal world after saving any necessary context. The interrupt
routing model to route IRQs to EL3 is enabled only during STD SMC
processing. Thus the pre-emption of S-EL1 is disabled during Fast SMC
and Secure Interrupt processing.
A new build option TSPD_ROUTE_NS_INT_EL3 is introduced to change
the non secure interrupt target execution level to EL3.
Fixes ARM-software/tf-issues#225
Change-Id: Ia1e779fbbb6d627091e665c73fa6315637cfdd32
danh-arm [Mon, 26 Jan 2015 12:52:46 +0000 (12:52 +0000)]
Merge pull request #245 from danh-arm/sm/psci_version
Increment the PSCI VERSION to 1.0 (PR v2)
Soby Mathew [Thu, 15 Jan 2015 11:49:58 +0000 (11:49 +0000)]
Increment the PSCI VERSION to 1.0
This patch:
* Bumps the PSCI VERSION to 1.0. This means that
the PSCI_VERSION API will now return the value 0x00010000
to indicate the version as 1.0. The firmware remains
compatible with PSCI v0.2 clients.
* The firmware design guide is updated to document the
APIs supported by the Trusted Firmware generic code.
* The FVP Device Tree Sources (dts) and Blobs(dtb) are also
updated to add "psci-1.0" and "psci-0.2" to the list of
compatible PSCI versions.
Change-Id: Iafc2f549c92651dcd65d7e24a8aae35790d00f8a
danh-arm [Mon, 26 Jan 2015 12:46:55 +0000 (12:46 +0000)]
Merge pull request #244 from danh-arm/sm/psci_mig_feat
Rework PSCI migrate APIs and implement the FEATURES API v2
Soby Mathew [Thu, 15 Jan 2015 11:49:49 +0000 (11:49 +0000)]
Verify capabilities before handling PSCI calls
This patch implements conditional checks in psci_smc_handler() to verify
that the psci function invoked by the caller is supported by the platform
or SPD implementation. The level of support is saved in the 'psci_caps'
variable. This check allows the PSCI implementation to return an error
early.
As a result of the above verification, the checks performed within the psci
handlers for the pm hooks are now removed and replaced with assertions.
Change-Id: I9b5b646a01d8566dc28c4d77dd3aa54e9bf3981a
Soby Mathew [Wed, 7 Jan 2015 11:10:22 +0000 (11:10 +0000)]
Implement PSCI_FEATURES API
This patch implements the PSCI_FEATURES function which is a mandatory
API in the PSCI 1.0 specification. A capability variable is
constructed during initialization by examining the plat_pm_ops and
spd_pm_ops exported by the platform and the Secure Payload Dispatcher.
This is used by the PSCI FEATURES function to determine which
PSCI APIs are supported by the platform.
Change-Id: I147ffc1bd5d90b469bd3cc4bbe0a20e95c247df7
Soby Mathew [Thu, 23 Oct 2014 09:35:34 +0000 (10:35 +0100)]
Rework the PSCI migrate APIs
This patch reworks the PSCI MIGRATE, MIGRATE_INFO_TYPE and
MIGRATE_INFO_UP_CPU support for Trusted Firmware. The
implementation does the appropriate validation of parameters
and invokes the appropriate hook exported by the SPD.
The TSP is a MP Trusted OS. Hence the ability to actually
migrate a Trusted OS has not been implemented. The
corresponding function is not populated in the spd_pm_hooks
structure for the TSPD.
The `spd_pm_ops_t` has undergone changes with this patch.
SPD PORTS MAY NEED TO BE UPDATED.
Fixes ARM-software/tf-issues#249
Change-Id: Iabd87521bf7c530a5e4506b6d3bfd4f1bf87604f
danh-arm [Mon, 26 Jan 2015 12:37:47 +0000 (12:37 +0000)]
Merge pull request #243 from soby-mathew/sm/psci_cleanup_1
Clean-up PSCI code and introduce early validation of parameters v3
Juan Castillo [Fri, 19 Dec 2014 09:51:00 +0000 (09:51 +0000)]
FVP: Allow BL3-2 to sit in the secure region of DRAM
This patch allows the secure payload (BL3-2) to be loaded in the
DRAM region secured by the TrustZone controller (top 16 MB of DRAM1).
The location of BL3-2 can be selected at build time by setting the
build flag FVP_TSP_RAM_LOCATION to one of the following options:
- 'tsram' : Trusted SRAM (this is the default option)
- 'tdram' : Trusted DRAM
- 'dram' : Secure region in DRAM1 (top 16MB configured by the
TrustZone controller)
The number of MMU tables in BL3-2 depends on its location in
memory: 3 in case it is loaded in DRAM, 2 otherwise.
Documentation updated accordingly.
Fixes ARM-software/tf-issues#212
Change-Id: I371eef3a4159f06a0c9e3c6c1f4c905b2f93803a
Soby Mathew [Tue, 6 Jan 2015 21:36:55 +0000 (21:36 +0000)]
Return success if an interrupt is seen during PSCI CPU_SUSPEND
This patch adds support to return SUCCESS if a pending interrupt is
detected during a CPU_SUSPEND call to a power down state. The check
is performed as late as possible without losing the ability to return
to the caller. This reduces the overhead incurred by a CPU in
undergoing a complete power cycle when a wakeup interrupt is already
pending.
Fixes ARM-Software/tf-issues#102
Change-Id: I1aff04a74b704a2f529734428030d1d10750fd4b
Soby Mathew [Thu, 2 Oct 2014 15:56:51 +0000 (16:56 +0100)]
Validate power_state and entrypoint when executing PSCI calls
This patch allows the platform to validate the power_state and
entrypoint information from the normal world early on in PSCI
calls so that we can return the error safely. New optional
pm_ops hooks `validate_power_state` and `validate_ns_entrypoint`
are introduced to do this.
As a result of these changes, all the other pm_ops handlers except
the PSCI_ON handler are expected to be successful. Also, the PSCI
implementation will now assert if a PSCI API is invoked without the
corresponding pm_ops handler being registered by the platform.
NOTE : PLATFORM PORTS WILL BREAK ON MERGE OF THIS COMMIT. The
pm hooks have 2 additional optional callbacks and the return type
of the other hooks have changed.
Fixes ARM-Software/tf-issues#229
Change-Id: I036bc0cff2349187c7b8b687b9ee0620aa7e24dc
Soby Mathew [Tue, 30 Sep 2014 10:19:51 +0000 (11:19 +0100)]
Save 'power_state' early in PSCI CPU_SUSPEND call
This patch adds support to save the "power state" parameter before the
affinity level specific handlers are called in a CPU_SUSPEND call.
This avoids the need to pass the power_state as a parameter to the
handlers and Secure Payload Dispatcher (SPD) suspend spd_pm_ops.
The power_state arguments in the spd_pm_ops operations are now reserved
and must not be used. The SPD can query the relevant power_state fields
by using the psci_get_suspend_afflvl() & psci_get_suspend_stateid() APIs.
NOTE: THIS PATCH WILL BREAK THE SPD_PM_OPS INTERFACE. HENCE THE SECURE
PAYLOAD DISPATCHERS WILL NEED TO BE REWORKED TO USE THE NEW INTERFACE.
Change-Id: I1293d7dc8cf29cfa6a086a009eee41bcbf2f238e
Soby Mathew [Tue, 6 Jan 2015 15:36:38 +0000 (15:36 +0000)]
Rework internal API to save non-secure entry point info
This patch replaces the internal psci_save_ns_entry() API with a
psci_get_ns_ep_info() API. The new function splits the work done by the
previous one such that it populates and returns an 'entry_point_info_t'
structure with the information to enter the normal world upon completion
of the CPU_SUSPEND or CPU_ON call. This information is used to populate
the non-secure context structure separately.
This allows the new internal API `psci_get_ns_ep_info` to return error
and enable the code to return safely.
Change-Id: Ifd87430a4a3168eac0ebac712f59c93cbad1b231
Soby Mathew [Mon, 12 Jan 2015 13:01:31 +0000 (13:01 +0000)]
PSCI: Check early for invalid CPU state during CPU ON
This patch moves the check for valid CPU state during
PSCI_CPU_ON to before the non secure entry point is programmed
so as to enable it to return early on error.
Change-Id: I1b1a21be421e2b2a6e33db236e91dee8688efffa
Soby Mathew [Fri, 26 Sep 2014 14:08:52 +0000 (15:08 +0100)]
Remove `ns_entrypoint` and `mpidr` from parameters in pm_ops
This patch removes the non-secure entry point information being passed
to the platform pm_ops which is not needed. Also, it removes the `mpidr`
parameter for platform pm hooks which are meant to do power management
operations only on the current cpu.
NOTE: PLATFORM PORTS MUST BE UPDATED AFTER MERGING THIS COMMIT.
Change-Id: If632376a990b7f3b355f910e78771884bf6b12e7
danh-arm [Thu, 22 Jan 2015 11:05:48 +0000 (11:05 +0000)]
Merge pull request #240 from danh-arm/sm/rem_coh_mem
Remove coherent memory v2
Soby Mathew [Thu, 8 Jan 2015 18:02:44 +0000 (18:02 +0000)]
Remove coherent memory from the BL memory maps
This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.
Fixes ARM-Software/tf-issues#106
Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773
Soby Mathew [Thu, 8 Jan 2015 18:02:19 +0000 (18:02 +0000)]
Move bakery algorithm implementation out of coherent memory
This patch moves the bakery locks out of coherent memory to normal memory.
This implies that the lock information needs to be placed on a separate cache
line for each cpu. Hence the bakery_lock_info_t structure is allocated in the
per-cpu data so as to minimize memory wastage. A similar platform per-cpu
data is introduced for the platform locks.
As a result of the above changes, the bakery lock api is completely changed.
Earlier, a reference to the lock structure was passed to the lock implementation.
Now a unique-id (essentially an index into the per-cpu data array) and an offset
into the per-cpu data for bakery_info_t needs to be passed to the lock
implementation.
Change-Id: I1e76216277448713c6c98b4c2de4fb54198b39e0
Soby Mathew [Tue, 30 Dec 2014 16:11:42 +0000 (16:11 +0000)]
Add macros for domain specific barriers.
This patch adds helper macros for barrier operations that specify
the type of barrier (dmb, dsb) and the shareability domain (system,
inner-shareable) it affects.
Change-Id: I4bf95103e79da212c4fbdbc13d91ad8ac385d9f5
Soby Mathew [Tue, 18 Nov 2014 10:45:04 +0000 (10:45 +0000)]
Remove the wfe() for bounded wait in bakery_lock
This patch is an optimization in the bakery_lock_get() function
which removes the wfe() when waiting for other contenders to choose
their ticket i.e when their `entering` flag is set. Since the time
taken to execute bakery_get_ticket() by other contenders is bounded,
this wait is a bounded time wait. Hence the removal of wfe() and the
corresponding sev() and dsb() in bakery_get_ticket() may result
in better time performance during lock acquisition.
Change-Id: I141bb21294226b54cb6e89e7cac0175c553afd8d
Juan Castillo [Fri, 19 Dec 2014 09:28:30 +0000 (09:28 +0000)]
FVP: map non-secure DRAM1 in the MMU
This patch maps the non-secure region of DRAM1 in the MMU. The
non-secure region comprises the whole DRAM1 (0x80000000 -
0xffffffff) excluding the top 16 MB (0xff000000 - 0xffffffff).
The TrustZone controller configures this 16 MB region as secure
memory, so it can not be accessed in non-secure mode.
The number of MMU tables in BL2 has been increased to 3 because
the new size of the non-secure region in DRAM requires an extra L2
table.
Change-Id: I5ad080c6e181f6b6060e15cebb1d18b7fa128cf5
danh-arm [Fri, 16 Jan 2015 17:57:47 +0000 (17:57 +0000)]
Merge pull request #235 from soby-mathew/sm/inv_cpu_ops
Invalidate the dcache after initializing cpu-ops
danh-arm [Fri, 16 Jan 2015 17:55:45 +0000 (17:55 +0000)]
Merge pull request #233 from jcastillo-arm/jc/tf-issues/254
Juno: Add support for image overlaying in Trusted SRAM
Soby Mathew [Tue, 18 Nov 2014 10:14:14 +0000 (10:14 +0000)]
Invalidate the dcache after initializing cpu-ops
This patch fixes a crash due to corruption of cpu_ops
data structure. During the secondary CPU boot, after the
cpu_ops has been initialized in the per cpu-data, the
dcache lines need to invalidated so that the update in
memory can be seen later on when the dcaches are turned ON.
Also, after initializing the psci per cpu data, the dcache
lines are flushed so that they are written back to memory
and dirty dcache lines are avoided.
Fixes ARM-Software/tf-issues#271
Change-Id: Ia90f55e9882690ead61226eea5a5a9146d35f313
danh-arm [Mon, 12 Jan 2015 17:04:03 +0000 (17:04 +0000)]
Merge pull request #232 from jcastillo-arm/jc/fix_doc_bl31
Fix reset to BL3-1 instructions in user guide, part 3
Juan Castillo [Thu, 20 Nov 2014 17:31:14 +0000 (17:31 +0000)]
Fix reset to BL3-1 instructions in user guide, part 3
Patch
20d51ca moved the shared data page from the top of the
Trusted SRAM to the bottom, changing the load addresses of BL3-1
and BL3-2.
This patch updates BL3-1 and BL3-2 addresses in the instructions
to run the Trusted Firmware on FVP using BL3-1 as reset vector.
This patch is similar to but distinct from
bfb1dd5 and
7ea4c43.
Change-Id: I6b467f9a82360a5e2181db99fea881487de52704
danh-arm [Mon, 12 Jan 2015 14:47:03 +0000 (14:47 +0000)]
Merge pull request #231 from jcastillo-arm/jc/fip_bin
Specify FIP filename at build time
danh-arm [Mon, 12 Jan 2015 14:45:56 +0000 (14:45 +0000)]
Merge pull request #230 from sandrine-bailleux/sb/doc-updates
User Guide: Enable secure memory on Foundation FVP
danh-arm [Mon, 12 Jan 2015 14:45:11 +0000 (14:45 +0000)]
Merge pull request #229 from sandrine-bailleux/sb/tf-issue-273
Prevent optimisation of sysregs accessors calls
danh-arm [Mon, 12 Jan 2015 14:44:20 +0000 (14:44 +0000)]
Merge pull request #228 from jcastillo-arm/jc/tf-issues/274
Bug fix: initialize bl30_image_info fields before use
Juan Castillo [Fri, 7 Nov 2014 09:44:58 +0000 (09:44 +0000)]
Juno: Add support for image overlaying in Trusted SRAM
This patch allows the BL3-1 NOBITS section to overlap the BL1 R/W
section since the former will always be used after the latter.
Similarly, the BL3-2 NOBITS section can overlay the BL2 image
when BL3-2 is loaded in Trusted SRAM.
Due to the current size of the images, there is no actual overlap.
Nevertheless, this reorganization may help to optimise the Trusted
SRAM usage when the images size grows.
Note that because BL3-1 NOBITS section is allowed to overlap the
BL1 R/W section, BL1 global variables will remain valid only until
execution reaches the BL3-1 entry point during a cold boot.
Documentation updated accordingly.
Fixes ARM-software/tf-issues#254
Change-Id: Id538f4d1c7f1f7858108280fd7b97e138572b879
Sandrine Bailleux [Thu, 8 Jan 2015 11:48:34 +0000 (11:48 +0000)]
User Guide: Enable secure memory on Foundation FVP
Previously, the User Guide recommended launching the Foundation
FVP with the parameter --no-secure-memory, which disabled security
control of the address map. This was due to missing support for
secure memory regions in v1 of the Foundation FVP. This is no longer
needed as secure memory is now supported on the Foundation FVP.
This patch updates the User Guide to recommend enabling secure
memory instead.
Change-Id: Ifae53c10ff6e1c7c6724af20e05a3d3a88f6a5ad
Juan Castillo [Thu, 13 Nov 2014 17:04:33 +0000 (17:04 +0000)]
Bug fix: initialize bl30_image_info fields before use
This patch initializes the version field in the bl30_image_info
structure when loading BL30. This initialization must be done before
calling load_image().
Fixes ARM-software/tf-issues#274
Change-Id: I74a05167d66fff51d257ad611abc7b5436e5d912
danh-arm [Wed, 7 Jan 2015 17:29:38 +0000 (17:29 +0000)]
Merge pull request #222 from jbech-linaro/user_guide_toc_links
Create TOC links in the User Guide markdown file
Sandrine Bailleux [Wed, 7 Jan 2015 16:36:11 +0000 (16:36 +0000)]
Prevent optimisation of sysregs accessors calls
Calls to system register read accessors functions may be optimised
out by the compiler if called twice in a row for the same register.
This is because the compiler is not aware that the result from
the instruction may be modified by external agents. Therefore, if
nothing modifies the register between the 2 reads as far as the
compiler knows then it might consider that it is useless to read
it twice and emit only 1 call.
This behaviour is faulty for registers that may not have the same
value if read twice in succession. E.g.: counters, timer
control/countdown registers, GICv3 interrupt status registers and
so on.
The same problem happens for calls to system register write
accessors functions. The compiler might optimise out some calls
if it considers that it will produce the same result. Again, this
behaviour is faulty for cases where intermediate writes to these
registers make a difference in the system.
This patch fixes the problem by making these assembly register
accesses volatile.
Fixes ARM-software/tf-issues#273
Change-Id: I33903bc4cc4eea8a8d87bc2c757909fbb0138925
Joakim Bech [Tue, 25 Nov 2014 09:55:26 +0000 (10:55 +0100)]
Create Table of Content links in markdown files
Fixes arm-software/tf-issues#276
danh-arm [Wed, 7 Jan 2015 13:00:34 +0000 (13:00 +0000)]
Merge pull request #226 from sandrine-bailleux/sb/tf-issues-279
fip_create: don't succeed if one of the passed files doesn't exist
danh-arm [Wed, 7 Jan 2015 12:58:37 +0000 (12:58 +0000)]
Merge pull request #227 from soby-mathew/sm/afflvl_fix
Fix CPU_SUSPEND when invoked with affinity level higher than get_max_aff...
danh-arm [Wed, 7 Jan 2015 12:53:41 +0000 (12:53 +0000)]
Merge pull request #225 from sandrine-bailleux/sb/remove-IRQ_SEC_SGI_8
Remove IRQ_SEC_SGI_8 constant
Juan Castillo [Mon, 24 Nov 2014 11:45:12 +0000 (11:45 +0000)]
Specify FIP filename at build time
This patch allows to define the name of the FIP at build time by
defining the FIP_NAME variable. If FIP_NAME is not defined, default
name 'fip.bin' is used.
Documentation updated accordingly.
Change-Id: Ic41f42aac379b0c958b3dfd02863ba8ba7108710
Soby Mathew [Thu, 2 Oct 2014 16:24:19 +0000 (17:24 +0100)]
Fix CPU_SUSPEND when invoked with affinity level higher than get_max_afflvl()
This patch fixes the assertion failure when CPU_SUSPEND is invoked with
an affinity level higher than supported by the platform by adding suitable
checks for affinity level within `psci_cpu_suspend`. Also added suitable
bound checks within `psci_aff_map_get_idx` to prevent indexing beyond array
limits.
Fixes ARM-software/tf-issues#260
Change-Id: I04b75c49729e6c6d1983add590f60146c8fc3630
Kévin Petit [Mon, 8 Dec 2014 13:23:09 +0000 (13:23 +0000)]
fip_create: don't succeed if one of the passed files doesn't exist
If one of the files passed to fip_create on the command line doesn't
exist, it will print an error message but produce an incomplete
fip.bin file and report success. This behaviour could potentially
hide errors made in the command line arguments.
This patch addresses the issue by having the tool bail out if one of
the supplied files can't be processed.
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
Fixes ARM-software/tf-issues#279
Change-Id: I1c7d87d09eb4c063005b7969bdaad1d043c29dec
Sandrine Bailleux [Wed, 19 Nov 2014 13:48:59 +0000 (13:48 +0000)]
Remove IRQ_SEC_SGI_8 constant
In both FVP and Juno ports, IRQ #16, which is a PPI, is incorrectly
identified as secure SGI #8 through the constant IRQ_SEC_SGI_8.
This patch removes it.
Fixes ARM-software/tf-issues#282
Change-Id: I9e52d849611ffcd2b1f28e56dd156c5b217ed63e
danh-arm [Mon, 8 Dec 2014 12:16:44 +0000 (12:16 +0000)]
Merge pull request #223 from sandrine-bailleux/sb/fix-fiptool-target
Fix problem of dependencies on the fiptool makefile target
danh-arm [Mon, 8 Dec 2014 12:14:36 +0000 (12:14 +0000)]
Merge pull request #224 from soby-mathew/sm/fix_mpidr_aff_map_nodes_t
Fix the array size of mpidr_aff_map_nodes_t.
Soby Mathew [Thu, 4 Dec 2014 14:14:12 +0000 (14:14 +0000)]
Fix the array size of mpidr_aff_map_nodes_t.
This patch fixes the array size of mpidr_aff_map_nodes_t which
was less by one element.
Fixes ARM-software/tf-issues#264
Change-Id: I48264f6f9e7046a3d0f4cbcd63b9ba49657e8818
Sandrine Bailleux [Mon, 27 Oct 2014 17:10:46 +0000 (17:10 +0000)]
Fix problem of dependencies on the fiptool makefile target
The 'fiptool' target doesn't depend on fip_create's source files,
neither directly nor indirectly. As a result, the FIP tool is not
rebuilt whenever its source files change.
This patch makes the ${FIPTOOL} target into a phony target so that the
FIP tool's sub-makefile is always called. The sub-makefile correctly
handles the dependencies. It also moves the completion message into
the sub-makefile so that it is only displayed when the tool is
actually recompiled.
Fixes ARM-software/tf-issues#278
Change-Id: Ia027519fe51d3c42be30665d1ad20a7b89fa350f
danh-arm [Tue, 11 Nov 2014 15:54:09 +0000 (15:54 +0000)]
Merge pull request #220 from soby-mathew/sm/reassign_crash_console
Use the BL3-1 runtime console as the crash console.
danh-arm [Tue, 11 Nov 2014 15:52:55 +0000 (15:52 +0000)]
Merge pull request #221 from achingupta/ag/tf-issues#272
Precede a 'sev' with a 'dsb' in bakery lock code
Achin Gupta [Mon, 10 Nov 2014 11:50:30 +0000 (11:50 +0000)]
Precede a 'sev' with a 'dsb' in bakery lock code
This patch fixes a bug in the bakery lock implementation where a data
synchronisation barrier instruction is not issued before sending an event as
mandated by the ARMv8 ARM. This can cause a event to be signalled before the
related memory accesses have completed resulting in erroneous execution.
Fixes ARM-software/tf-issues#272
Change-Id: I5ce02bf70afb001d967b9fa4c3f77442931d5349
Soby Mathew [Tue, 23 Sep 2014 10:32:48 +0000 (11:32 +0100)]
Use the BL3-1 runtime console as the crash console.
This patch reassigns the crash console on Juno and FVP to use the runtime
BL3-1 console. The crash console is changed to SoC UART0 (UART2) from the
previous FPGA UART0 (UART0) on Juno. In FVP, it is changed from UART0 to
UART1.
Fixes ARM-software/tf-issues#256
Change-Id: I7df54f86ca00ec2652c27261dd66a94c12610816
danh-arm [Tue, 4 Nov 2014 16:01:40 +0000 (16:01 +0000)]
Merge pull request #219 from jcastillo-arm/jc/tf-issues/253
Improvements to ARM GIC driver
Juno: Use the generic ARM GIC driver
Juan Castillo [Mon, 20 Oct 2014 11:29:58 +0000 (12:29 +0100)]
Juno: Use the generic ARM GIC driver
This patch replaces the usage of the GIC private driver in Juno with
the generic ARM GIC driver. The private driver is no longer necessary
and has been removed from the Juno port.
Fixes ARM-software/tf-issues#253
Change-Id: I6aaabc252e5e6fb5fcf44ab6d0febd9b38791056
Juan Castillo [Mon, 20 Oct 2014 11:27:28 +0000 (12:27 +0100)]
Improvements to ARM GIC driver
This patch introduces several improvements to the ARM GIC driver:
* In function gicd_set_itargetsr(), target CPU is specified using
the same bit mask detailed in the GICD_ITARGETSRn register instead
of the CPU linear ID, removing the dependency between bit position
and linear ID in the platform porting. The current CPU bit mask
may be obtained by reading GICD_ITARGETSR0.
* PPIs and SGIs are initialized in arm_gic_pcpu_distif_setup().
SPIs are initialized in arm_gic_distif_setup().
* By default, non secure interrupts are assigned the maximum
priority allowed to a non secure interrupt (defined by
GIC_HIGHEST_NS_PRIORITY).
* GICR base address is allowed to be NULL for GICv1 and GICv2.
Change-Id: Ie2837fe860d43b2282e582dfdb13c39c6186f232
danh-arm [Thu, 30 Oct 2014 16:04:42 +0000 (16:04 +0000)]
Merge pull request #218 from soby-mathew/sm/add_cpu_ops_warning
Add level specific cache operations and changes to errata workaround mechanism
Soby Mathew [Mon, 22 Sep 2014 13:13:34 +0000 (14:13 +0100)]
Optimize Cortex-A57 cluster power down sequence on Juno
This patch optimizes the Cortex-A57 cluster power down sequence by not
flushing the Level1 data cache. The L1 data cache and the L2 unified
cache are inclusive. A flush of the L2 by set/way flushes any dirty
lines from the L1 as well. This is a known safe deviation from the
Cortex-A57 TRM defined power down sequence. This optimization can be
enabled by the platform through the 'SKIP_A57_L1_FLUSH_PWR_DWN' build
flag. Each Cortex-A57 based platform must make its own decision on
whether to use the optimization.
This patch also renames the cpu-errata-workarounds.md to
cpu-specific-build-macros.md as this facilitates documentation
of both CPU Specific errata and CPU Specific Optimization
build macros.
Change-Id: I299b9fe79e9a7e08e8a0dffb7d345f9a00a71480
Soby Mathew [Mon, 22 Sep 2014 11:15:26 +0000 (12:15 +0100)]
Optimize barrier usage during Cortex-A57 power down
This the patch replaces the DSB SY with DSB ISH
after disabling L2 prefetches during the Cortex-A57
power down sequence.
Change-Id: I048d12d830c1b974b161224eff079fb9f8ecf52d
Soby Mathew [Mon, 22 Sep 2014 11:11:36 +0000 (12:11 +0100)]
Apply errata workarounds only when major/minor revisions match.
Prior to this patch, the errata workarounds were applied for any version
of the CPU in the release build and in the debug build an assert
failure resulted when the revision did not match. This patch applies
errata workarounds in the Cortex-A57 reset handler only if the 'variant'
and 'revision' fields read from the MIDR_EL1 match. In the debug build,
a warning message is printed for each errata workaround which is not
applied.
The patch modifies the register usage in 'reset_handler` so
as to adhere to ARM procedure calling standards.
Fixes ARM-software/tf-issues#242
Change-Id: I51b1f876474599db885afa03346e38a476f84c29
Soby Mathew [Tue, 2 Sep 2014 09:47:33 +0000 (10:47 +0100)]
Add support for level specific cache maintenance operations
This patch adds level specific cache maintenance functions
to cache_helpers.S. The new functions 'dcsw_op_levelx',
where '1 <= x <= 3', allow to perform cache maintenance by
set/way for that particular level of cache. With this patch,
functions to support cache maintenance upto level 3 have
been implemented since it is the highest cache level for
most ARM SoCs.
These functions are now utilized in CPU specific power down
sequences to implement them as mandated by processor specific
technical reference manual.
Change-Id: Icd90ce6b51cff5a12863bcda01b93601417fd45c
danh-arm [Tue, 28 Oct 2014 12:25:51 +0000 (12:25 +0000)]
Merge pull request #217 from jcastillo-arm/jc/tf-issues/257
FVP: keep shared data in Trusted SRAM
danh-arm [Tue, 28 Oct 2014 12:06:47 +0000 (12:06 +0000)]
Merge pull request #216 from vikramkanigiri/vk/juno_standby_support
Juno: Support entry into a standby state
danh-arm [Tue, 28 Oct 2014 11:59:22 +0000 (11:59 +0000)]
Merge pull request #215 from jcastillo-arm/jc/juno_mem_6
Jc/juno mem 6
Juan Castillo [Wed, 24 Sep 2014 09:00:06 +0000 (10:00 +0100)]
FVP: keep shared data in Trusted SRAM
This patch deprecates the build option to relocate the shared data
into Trusted DRAM in FVP. After this change, shared data is always
located at the base of Trusted SRAM. This reduces the complexity
of the memory map and the number of combinations in the build
options.
Fixes ARM-software/tf-issues#257
Change-Id: I68426472567b9d8c6d22d8884cb816f6b61bcbd3
Vikram Kanigiri [Tue, 1 Jul 2014 14:34:11 +0000 (15:34 +0100)]
Juno: Support entry into a standby state
This patch adds support on the Juno platform for entering a wfi in
response to a PSCI CPU_SUSPEND call where the state type is a
standby state.
Change-Id: I0a102dee1f8d2ad936c63ad1d1d3ad001a4a4768
Juan Castillo [Fri, 5 Sep 2014 16:29:38 +0000 (17:29 +0100)]
Juno: Reserve some DDR-DRAM for secure use
This patch configures the TrustZone Controller in Juno to split
the 2GB DDR-DRAM memory at 0x80000000 into Secure and Non-Secure
regions:
- Secure DDR-DRAM: top 16 MB, except for the last 2 MB which are
used by the SCP for DDR retraining
- Non-Secure DDR-DRAM: remaining DRAM starting at base address
Build option PLAT_TSP_LOCATION selects the location of the secure
payload (BL3-2):
- 'tsram' : Trusted SRAM (default option)
- 'dram' : Secure region in the DDR-DRAM (set by the TrustZone
controller)
The MMU memory map has been updated to give BL2 permission to load
BL3-2 into the DDR-DRAM secure region.
Fixes ARM-software/tf-issues#233
Change-Id: I6843fc32ef90aadd3ea6ac4c7f314f8ecbd5d07b
Andrew Thoelke [Fri, 10 Oct 2014 11:13:48 +0000 (12:13 +0100)]
Merge pull request #206 from soby-mathew/sm/reset_cntvoff
Reset CNTVOFF_EL2 register before exit into EL1 on warm boot
Juan Castillo [Thu, 4 Sep 2014 13:43:09 +0000 (14:43 +0100)]
Juno: Use TZC-400 driver calls
This patch replaces direct accesses to the TZC-400 registers by the
appropiate calls to the generic driver available in the Trusted
Firmware in order to initialize the TrustZone Controller.
Functions related to the initialization of the secure memory,
like the TZC-400 configuration, have been moved to a new file
'plat_security.c'. This reorganization makes easier to set up
the secure memory from any BL stage.
TZC-400 initialization has been moved from BL1 to BL2 because BL1
does not access the non-secure memory. It is BL2's responsibility
to enable and configure the TZC-400 before loading the next BL
images.
In Juno, BL3-0 initializes some of the platform peripherals, like
the DDR controller. Thus, BL3-0 must be loaded before configuring
the TrustZone Controller. As a consequence, the IO layer
initialization has been moved to early platform initialization.
Fixes ARM-software/tf-issues#234
Change-Id: I83dde778f937ac8d2996f7377e871a2e77d9490e
achingupta [Thu, 25 Sep 2014 13:28:59 +0000 (14:28 +0100)]
Merge pull request #214 from soby-mathew/sm/bl_specific_mmap
Create BL stage specific translation tables
Soby Mathew [Wed, 3 Sep 2014 16:48:44 +0000 (17:48 +0100)]
Create BL stage specific translation tables
This patch uses the IMAGE_BL<x> constants to create translation tables specific
to a boot loader stage. This allows each stage to create mappings only for areas
in the memory map that it needs.
Fixes ARM-software/tf-issues#209
Change-Id: Ie4861407ddf9317f0fb890fc7575eaa88d0de51c
achingupta [Tue, 23 Sep 2014 07:52:02 +0000 (08:52 +0100)]
Merge pull request #213 from soby-mathew/sm/crash_reporting_fix
Remove BSS section access by 'plat_print_gic' during crash reporting
Soby Mathew [Mon, 1 Sep 2014 11:29:27 +0000 (12:29 +0100)]
Remove BSS section access by 'plat_print_gic' during crash reporting
This patch avoids the problem of crash reporting mechanism accessing
global data in BSS by 'plat_print_gic_regs' for FVP platforms. Earlier
it depended on the global 'plat_config' object for the GIC Base address
in FVP platforms which would have caused exception if it were accessed
before the BSS was initialized. It is now fixed by dynamically
querying the V2M_SYS_ID to find the FVP model type and accordingly
selecting the appropriate GIC Base address.
This patch also fixes the 'plat_print_gic_regs' to use the correct GIC
Distributor base address for printing GICD_IS_PENDR register values
for both Juno and FVP platforms.
Fixes ARM-Software/tf-issues#236
Change-Id: I545c7b908b3111419bf27db0575ce86acf86784b
achingupta [Fri, 19 Sep 2014 09:43:29 +0000 (10:43 +0100)]
Merge pull request #212 from jcastillo-arm/jc/tf-issues/252
Fix LENGTH attribute value in linker scripts
Juan Castillo [Tue, 16 Sep 2014 09:40:35 +0000 (10:40 +0100)]
Fix LENGTH attribute value in linker scripts
This patch fixes the incorrect value of the LENGTH attribute in
the linker scripts. This attribute must define the memory size, not
the limit address.
Fixes ARM-software/tf-issues#252
Change-Id: I328c38b9ec502debe12046a8912d7dfc54610c46
achingupta [Wed, 17 Sep 2014 10:53:12 +0000 (11:53 +0100)]
Merge pull request #211 from jenswi-linaro/optee_140916
Dispatcher for OPTEE from Linaro SWG
Jens Wiklander [Mon, 4 Aug 2014 13:39:58 +0000 (15:39 +0200)]
Add opteed based on tspd
Adds a dispatcher for OP-TEE based on the test secure payload
dispatcher.
Fixes arm-software/tf-issues#239
Jens Wiklander [Thu, 4 Sep 2014 08:23:27 +0000 (10:23 +0200)]
Initialize SCTLR_EL1 based on MODE_RW bit
Initializes SCTLR_EL1 based on MODE_RW bit in SPSR for the entry
point. The RES1 bits for SCTLR_EL1 differs for Aarch64 and Aarch32
mode.
achingupta [Tue, 16 Sep 2014 17:46:22 +0000 (18:46 +0100)]
Merge pull request #210 from soby-mathew/sm/makefile_bl_stages
Add support for specifying pre-built BL binaries in Makefile
Soby Mathew [Mon, 8 Sep 2014 16:51:01 +0000 (17:51 +0100)]
Add support for specifying pre-built BL binaries in Makefile
This patch adds support for supplying pre-built BL binaries for BL2,
BL3-1 and BL3-2 during trusted firmware build. Specifying BLx = <path_to_BLx>
in the build command line, where 'x' is any one of BL2, BL3-1 or BL3-2, will
skip building that BL stage from source and include the specified binary in
final fip image.
This patch also makes BL3-3 binary for FIP optional depending on the
value of 'NEED_BL33' flag which is defined by the platform.
Fixes ARM-software/tf-issues#244
Fixes ARM-software/tf-issues#245
Change-Id: I3ebe1d4901f8b857e8bb51372290978a3323bfe7
Soby Mathew [Fri, 29 Aug 2014 13:41:58 +0000 (14:41 +0100)]
Reset CNTVOFF_EL2 register before exit into EL1 on warm boot
This patch resets the value of CNTVOFF_EL2 before exit to EL1 on
warm boot. This needs to be done if only the Trusted Firmware exits
to EL1 instead of EL2, otherwise the hypervisor would be responsible
for this.
Fixes ARM-software/tf-issues#240
Change-Id: I79d54831356cf3215bcf1f251c373bd8f89db0e0
danh-arm [Thu, 28 Aug 2014 14:39:55 +0000 (15:39 +0100)]
Merge pull request #205 from danh-arm/dh/1.0-docs
Documentation for version 1.0
danh-arm [Thu, 28 Aug 2014 14:38:11 +0000 (15:38 +0100)]
Merge pull request #204 from danh-arm/dh/user-guide-fixes
Fix minor issues in user guide
Dan Handley [Tue, 26 Aug 2014 18:18:55 +0000 (19:18 +0100)]
Documentation for version 1.0
Final updates to readme.md and change-log.md for ARM Trusted
Firmware version 1.0. Also increment the version in the Makefile.
Change-Id: I00fe1016c8b936834bbf7bbba7aab07f51261bbb
Dan Handley [Thu, 28 Aug 2014 13:04:06 +0000 (14:04 +0100)]
Fix minor issues in user guide
* Fix broken link to SCP download.
* Remove requirement to install `ia32-libs`. This package is no
longer available in current versions of Ubuntu and is no
longer required when using the Linaro toolchain.
Change-Id: I9823d535a1d69136685754b7707b73e1eef0978d
danh-arm [Wed, 27 Aug 2014 18:16:27 +0000 (19:16 +0100)]
Merge pull request #203 from danh-arm/dh/misc-docs-1.0
Miscellaneous documentation fixes
Sandrine Bailleux [Wed, 6 Aug 2014 10:27:23 +0000 (11:27 +0100)]
Miscellaneous documentation fixes
This patch gathers miscellaneous minor fixes to the documentation, and comments
in the source code.
Change-Id: I631e3dda5abafa2d90f464edaee069a1e58b751b
Co-Authored-By: Soby Mathew <soby.mathew@arm.com>
Co-Authored-By: Dan Handley <dan.handley@arm.com>
danh-arm [Wed, 27 Aug 2014 17:27:19 +0000 (18:27 +0100)]
Merge pull request #202 from achingupta/ag/fw-design-juno-update
Add information about Juno in firmware-design.md
projects / project / bcm63xx / atf.git / log