ARM platforms: Define common image sizes ...

Compile option `ARM_BOARD_OPTIMISE_MMAP` has been renamed to
`ARM_BOARD_OPTIMISE_MEM` because it now applies not only to defines
related to the translation tables but to the image size as well.

The defines `PLAT_ARM_MAX_BL1_RW_SIZE`, `PLAT_ARM_MAX_BL2_SIZE` and
`PLAT_ARM_MAX_BL31_SIZE` have been moved to the file board_arm_def.h.
This way, ARM platforms no longer have to set their own values if
`ARM_BOARD_OPTIMISE_MEM=0` and they can specify optimized values
otherwise. The common sizes have been set to the highest values used
for any of the current build configurations.

This is needed because in some build configurations some images are
running out of space. This way there is a common set of values known
to work for all of them and it can be optimized for each particular
platform if needed.

The space reserved for BL2 when `TRUSTED_BOARD_BOOT=0` has been
increased. This is needed because when memory optimisations are
disabled the values for Juno of `PLAT_ARM_MMAP_ENTRIES` and
`MAX_XLAT_TABLES` are higher. If in this situation the code is
compiled in debug mode and with "-O0", the code won't fit.

Change-Id: I70a3d8d3a0b0cad1d6b602c01a7ea334776e718e

Merge pull request #666 from Xilinx/zynqmp/rodata-xn ...

zynqmp: Map read-only data as execute-never

Merge pull request #654 from rockchip-linux/rk3399-suspend-resume ...

rockchip: support the suspend/resume for rk3399

Merge pull request #653 from rockchip-linux/support-rockchip-sip-runtime-service ...

rockchip: support plat SIP runtime service for rk3399

rockchip: support the suspend/resume for rk3399 ...

1.Fixes the suspend/resume some bugs.
2.Add the power domain for saving power consumption.
3.Add cpu clusters suspend for rk3399 SoCs

Change-Id: Id602779016b41d6281f4ba40a20229d909b28e46

rockchip: support plat SIP runtime service ...

Software executing in the normal world and in the trusted world at
exception levels lower than EL3 will request runtime services using the
SMC instruction.

See the documentation here:
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/
rt-svc-writers-guide.md

This to be implemented as an EL3 Runtime Service in rockchip BL31
platform port, using the "SiP Service Call" range as specified in the
SMC Calling Convention.
This doesn't support any SMC yet, we will support it in later.

Change-Id: I0a638dd0b653c28b08f79d89f77ed7c69864017d

Merge pull request #662 from sandrine-bailleux-arm/sb/rodata-xn ...

Map read-only data as execute-never

Merge pull request #659 from soby-mathew/sm/declare_stack ...

Derive stack alignment from CACHE_WRITEBACK_GRANULE

Merge pull request #658 from soby-mathew/sm/init_spi_ppi_gic ...

GIC: Ensure SGIs and PPIs are Group0 before setup

Merge pull request #655 from Xilinx/report_merr ...

bl31: Add error reporting registers

bl31: Add error reporting registers ...

This patch adds cpumerrsr_el1 and l2merrsr_el1 to the register dump on
error for applicable CPUs.

These registers hold the ECC errors on L1 and L2 caches.

This patch updates the A53, A57, A72, A73 (l2merrsr_el1 only) CPU libraries.

Signed-off-by: Naga Sureshkumar Relli <nagasure@xilinx.com>

zynqmp: Separate code and rodata ...

Set the SEPARATE_CODE_AND_RODATA build flag to map read-only data as
execute never.

Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

ARM CSS platforms: Map flash as execute-never by default ...

On ARM CSS platforms, the whole flash used to be mapped as executable.
This is not required, given that the flash is used to store the BL1
and FIP images and:

 - The FIP is not executed in place, its images are copied to RAM
   and executed from there.

 - BL1 is executed in place from flash but only its code needs to be
   mapped as executable and platform code takes care of re-mapping
   BL1's read-only section as executable.

Therefore, this patch now maps the flash as non-executable by default
on these platforms. This increases security by restricting the
executable region to what is strictly needed.

This patch also adds some comments to clarify the memory mapping
attributes on these platforms.

Change-Id: I4db3c145508bea1f43fbe0f6dcd551e1aec1ecd3

Add some verbose traces in arm_setup_page_tables() ...

This patch adds some verbose traces in the arm_setup_page_tables()
function to print the extents of the different memory regions it maps.

Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4

ARM platforms: Add support for SEPARATE_CODE_AND_RODATA ...

The arm_setup_page_tables() function used to expect a single set of
addresses defining the extents of the whole read-only section, code
and read-only data mixed up, which was mapped as executable.

This patch changes this behaviour. arm_setup_page_tables() now
expects 2 separate sets of addresses:

 - the extents of the code section;
 - the extents of the read-only data section.

The code is mapped as executable, whereas the data is mapped as
execute-never. New #defines have been introduced to identify the
extents of the code and the read-only data section. Given that
all BL images except BL1 share the same memory layout and linker
script structure, these #defines are common across these images.
The slight memory layout differences in BL1 have been handled by
providing values specific to BL1.

Note that this patch also affects the Xilinx platform port, which
uses the arm_setup_page_tables() function. It has been updated
accordingly, such that the memory mappings on this platform are
unchanged. This is achieved by passing null values as the extents
of the read-only data section so that it is ignored. As a result,
the whole read-only section is still mapped as executable.

Fixes ARM-software/tf-issues#85

Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5

ARM platforms: Include BL2U's RO section in total memory region ...

This patch changes the base address of the "total" Trusted SRAM region
seen by the BL2U image. It used to start just after BL2U's read-only
section (i.e. at address BL2U_RO_LIMIT), it now starts from the base
address of the BL2U image (i.e. at address BL2U_BASE). In other words,
the "total" memory region now includes BL2U's own read-only section.

This does not change BL2U's resulting memory mappings because the
read-only section was already mapped in BL2U, it just wasn't part of
this total memory region.

Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671

ARM platforms: Restrict mapping of Trusted ROM in BL1 ...

At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE
to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is
the maximum address in Trusted ROM that BL1's actual content _can_
occupy. The actual portion of ROM occupied by BL1 can be less than
that, which means that BL1 might map more Trusted ROM than it actually
needs to.

This patch changes BL1's memory mappings on ARM platforms to restrict
the region of Trusted ROM it maps. It uses the symbols exported by
the linker to figure out the actual extents of BL1's ROM footprint.

This change increases the number of page tables used on FVP by 1.
On FVP, we used to map the whole Trusted ROM. As it is 64MB large,
we used to map it as blocks of 2MB using level-2 translation table
entries. We now need a finer-grained mapping, which requires an
additional level-3 translation table.

On ARM CSS platforms, the number of translation tables is unchanged.
The BL1 image resides in flash at address 0x0BEC0000. This address is
not aligned on a 2MB-boundary so a level-3 translation table was
already required to map this memory.

Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb

TSP: Print BL32_BASE rather than __RO_START__ ...

In debug builds, the TSP prints its image base address and size.
The base address displayed corresponds to the start address of the
read-only section, as defined in the linker script.

This patch changes this to use the BL32_BASE address instead, which is
the same address as __RO_START__ at the moment but has the advantage
to be independent of the linker symbols defined in the linker script
as well as the layout and order of the sections.

Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc

Introduce SEPARATE_CODE_AND_RODATA build flag ...

At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.

This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.

This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.

 - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
   the read-only section still looks like this (padding omitted):

   |        ...        |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script provides the limits of the whole
   read-only section.

 - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
   read-only data are swapped, such that the code and exception
   vectors are contiguous, followed by the read-only data. This
   gives the following new layout (padding omitted):

   |        ...        |
   +-------------------+
   |  Read-only data   |
   +-------------------+
   | Exception vectors |
   +-------------------+
   |       Code        |
   +-------------------+ BLx_BASE

   In this case, the linker script now exports 2 sets of addresses
   instead: the limits of the code and the limits of the read-only
   data. Refer to the Firmware Design guide for more details. This
   provides platform code with a finer-grained view of the image
   layout and allows it to map these 2 regions with the appropriate
   access permissions.

Note that SEPARATE_CODE_AND_RODATA applies to all BL images.

Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49

Introduce round_up/down() macros ...

This patch introduces the round_up() and round_down() macros,
which round up (respectively down) a value to a given boundary.
The boundary must be a power of two.

Change-Id: I589dd1074aeb5ec730dd523b4ebf098d55a7e967

Introduce utils.h header file ...

This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.

For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.

bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.

Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9

BL1: Add linker symbol identifying end of ROM content ...

This patch adds a new linker symbol in BL1's linker script named
'__BL1_ROM_END__', which marks the end of BL1's ROM content. This
covers BL1's code, read-only data and read-write data to relocate
in Trusted SRAM. The address of this new linker symbol is exported
to C code through the 'BL1_ROM_END' macro.

The section related to linker symbols in the Firmware Design guide
has been updated and improved.

Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7

xlat lib: Introduce MT_EXECUTE/MT_EXECUTE_NEVER attributes ...

This patch introduces the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping
attributes in the translation table library to specify the
access permissions for instruction execution of a memory region.
These new attributes should be used only for normal, read-only
memory regions. For other types of memory, the translation table
library still enforces the following rules, regardless of the
MT_EXECUTE/MT_EXECUTE_NEVER attribute:

 - Device memory is always marked as execute-never.
 - Read-write normal memory is always marked as execute-never.

Change-Id: I8bd27800a8c1d8ac1559910caf4a4840cf25b8b0

xlat lib: Refactor mmap_desc() function ...

This patch clarifies the mmap_desc() function by adding some comments
and reorganising its code. No functional change has been introduced.

Change-Id: I873493be17b4e60a89c1dc087dd908b425065401

Introduce arm_setup_page_tables() function ...

This patch introduces the arm_setup_page_tables() function to
set up page tables on ARM platforms. It replaces the
arm_configure_mmu_elx() functions and does the same thing except
that it doesn't enable the MMU at the end. The idea is to reduce
the amount of per-EL code that is generated by the C preprocessor
by splitting the memory regions definitions and page tables creation
(which is generic) from the MMU enablement (which is the only per-EL
configuration).

As a consequence, the call to the enable_mmu_elx() function has been
moved up into the plat_arch_setup() hook. Any other ARM standard
platforms that use the functions `arm_configure_mmu_elx()` must be
updated.

Change-Id: I6f12a20ce4e5187b3849a8574aac841a136de83d

Derive stack alignment from CACHE_WRITEBACK_GRANULE ...

The per-cpu stacks should be aligned to the cache-line size and
the `declare_stack` helper in asm_macros.S macro assumed a
cache-line size of 64 bytes. The platform defines the cache-line
size via CACHE_WRITEBACK_GRANULE macro. This patch modifies
`declare_stack` helper macro to derive stack alignment from the
platform defined macro.

Change-Id: I1e1b00fc8806ecc88190ed169f4c8d3dd25fe95b

GIC: Ensure SGIs and PPIs are Group0 before setup ...

The legacy GIC driver assumes that the SGIs and PPIs are Group0 during
initialization. This is true if the driver is the first one to initialize
the GIC hardware after reset. But in some cases, earlier BL stages could
have already initialized the GIC hardware which means that SGI and PPI
configuration are not the expected reset values causing assertion failure
in `gicd_set_ipriorityr()`. This patch explicitly resets the SGI and PPI
to Group0 prior to their initialization in the driver. The same patch is
not done in the GICv2-only driver because unlike in the legacy driver,
`gicd_set_ipriorityr()` of GICv2 driver doesn't enforce this policy and
the appropriate group is set irrespective of the initial value.

Fixes ARM-software/tf-issues#396

Change-Id: I521d35caa37470ce542c796c2ba99716e4763105

Merge pull request #657 from yatharth-arm/yk/genfw-1505 ...

Fix `cert_create` tool for Segmentation fault

Fix `cert_create` tool for Segmentation fault ...

With the introduction of commit `96103d5a`, the Certificate
Generation tool is not able to generate FWU certificate and
while doing so it does segmentation fault.

This happens because it is now required to pass non-volatile
counter values to the `cert_create` tool from the command line
for creating the trusted firmware certificates.

But in case of creating FWU certificate these counter values are not
being passed to the tool and as a consequence the `cert_create` tool
try to use the NULL argument and errors out with Segmentation fault.

This patch fixes this issue by providing a check before using the
command line argument passed in the case of `EXT_TYPE_NVCOUNTER`
certificate extension.

Change-Id: Ie17d0c1502b52aaa8500f3659c2da2448ab0347a

Merge pull request #651 from Xilinx/zynqmp_uart ...

zynqmp: Make UART selectable