2016-07-25 |
Make runtime_svc_init() function more robust
...
- Added some debug assertions checking that the runtime services
indexes computed by get_unique_oen() are sane.
- Do not print the name of the service when its descriptor is
invalid. If the descriptor is corrupted then its name field
could be corrupted as well and we would end up reading an
arbitrary amount of invalid memory.
Change-Id: I16f61065277d01fe1555d5a9cf743f7b52ccaa60
Sandrine Bailleux
committed
on 25 Jul 2016
|
Improvements to runtime service init code
...
Light refactoring of the code in runtime_svc.c file.
- Declare validate_rt_svc_desc()'s argument as const.
- Remove 'goto' path in runtime_svc_init(). It was used in one
place only.
- Improve code readability by declaring a local variable holding the
service pointer.
Change-Id: I3b15c5adb9f37b786b5b993a9be70ea9dd017a83
Sandrine Bailleux
committed
on 25 Jul 2016
|
Validate psci_find_target_suspend_lvl() result
...
This patch adds a runtime check that psci_find_target_suspend_lvl()
returns a valid value back to psci_cpu_suspend() and psci_get_stat().
If it is invalid, BL31 will now panic.
Note that on the PSCI CPU suspend path there is already a debug
assertion checking the validity of the target composite power state,
which effectively also checks the validity of the target suspend level.
Therefore, the error condition would already be caught in debug builds,
but in a release build this assertion would be compiled out.
On the PSCI stat path, there is currently no debug assertion checking
the validity of the power state before using it as an index into
the power domain state array.
Although BL31 platforms ports are responsible for validating the
power state parameter, the security impact (i.e. an out-of-bounds
array access) of a potential platform port bug in this code would
be quite high, given that this parameter comes from an untrusted
source. The cost of checking this in runtime generic code is low.
Change-Id: Icea85b8020e39928ac03ec0cd49805b5857b3906
Sandrine Bailleux
committed
on 25 Jul 2016
|
Merge pull request #667 from soby-mathew/sm/PSCI_lib
...
Introduce PSCI library
danh-arm
authored
on 25 Jul 2016
GitHub
committed
on 25 Jul 2016
|
2016-07-19 |
Rearrange assembly helper macros
...
This patch moves assembler macros which are not architecture specific
to a new file `asm_macros_common.S` and moves the `el3_common_macros.S`
into `aarch64` specific folder.
Change-Id: I444a1ee3346597bf26a8b827480cd9640b38c826
Soby Mathew
committed
on 19 Jul 2016
|
Define `plat_get_syscnt_freq2()` unconditionally for ARM platforms
...
Previously the definition of `plat_get_syscnt_freq2()` in `arm_common.c` was
conditionally defined based on the ERROR_DEPRECATED flag. This patch makes
this function available irrespective of the flag and removes the deprecated
`plat_get_syscnt_freq()` definition.
Change-Id: I250ca787ca1b5e867096c6ba8f2bb444db44c97b
Soby Mathew
committed
on 19 Jul 2016
|
Cater for preloaded BL33 within plat_get_ns_image_entrypoint()
...
The PRELOADED_BL33_BASE build option allows to preload a BL33 and bypass its
loading by BL2. In ARM standard platforms, the conditional behaviour of
PRELOADED_BL33_BASE is moved within the implementation of
`plat_get_ns_image_entrypoint()` so that all callers may benefit from this
feature.
Change-Id: Iea060e204ec72f8081087837854535c4e320da4e
Soby Mathew
committed
on 19 Jul 2016
|
Move `arm_common.c` out of aarch64 folder
...
This patch moves the `arm_common.c` file from `plat/arm/common/aarch64/`
to the parent directory since the functions implemented in the file are
not AArch64 specific. The platform makefiles are also modified for this
change.
Change-Id: I776d2e4958f59041476cf2f53a9adb5b2d304ee0
Soby Mathew
committed
on 19 Jul 2016
|
Include `plat_psci_common.c` from the new location
...
The `plat_psci_common.c` was moved to the new location `plat/common`
and a stub file was retained at previous location for compatibility. This
patch modifies the platform makefiles to include the file from the new
location.
Change-Id: Iabddeeb824e9a5d72d176d7c644735966c8c0699
Soby Mathew
committed
on 19 Jul 2016
|
Introduce PSCI Library Interface
...
This patch introduces the PSCI Library interface. The major changes
introduced are as follows:
* Earlier BL31 was responsible for Architectural initialization during cold
boot via bl31_arch_setup() whereas PSCI was responsible for the same during
warm boot. This functionality is now consolidated by the PSCI library
and it does Architectural initialization via psci_arch_setup() during both
cold and warm boots.
* Earlier the warm boot entry point was always `psci_entrypoint()`. This was
not flexible enough as a library interface. Now PSCI expects the runtime
firmware to provide the entry point via `psci_setup()`. A new function
`bl31_warm_entrypoint` is introduced in BL31 and the previous
`psci_entrypoint()` is deprecated.
* The `smc_helpers.h` is reorganized to separate the SMC Calling Convention
defines from the Trusted Firmware SMC helpers. The former is now in a new
header file `smcc.h` and the SMC helpers are moved to Architecture specific
header.
* The CPU context is used by PSCI for context initialization and
restoration after power down (PSCI Context). It is also used by BL31 for SMC
handling and context management during Normal-Secure world switch (SMC
Context). The `psci_smc_handler()` interface is redefined to not use SMC
helper macros thus enabling to decouple the PSCI context from EL3 runtime
firmware SMC context. This enables PSCI to be integrated with other runtime
firmware using a different SMC context.
NOTE: With this patch the architectural setup done in `bl31_arch_setup()`
is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be
invoked prior to architectural setup. It is highly unlikely that the platform
setup will depend on architectural setup and cause any failure. Please be
be aware of this change in sequence.
Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
Soby Mathew
committed
on 19 Jul 2016
|
2016-07-18 |
Introduce `el3_runtime` and `PSCI` libraries
...
This patch moves the PSCI services and BL31 frameworks like context
management and per-cpu data into new library components `PSCI` and
`el3_runtime` respectively. This enables PSCI to be built independently from
BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
PSCI library sources and gets included by `bl31.mk`. Other changes which
are done as part of this patch are:
* The runtime services framework is now moved to the `common/` folder to
enable reuse.
* The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
specific folder.
* The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
to `plat/common` folder. The original file location now has a stub which
just includes the file from new location to maintain platform compatibility.
Most of the changes wouldn't affect platform builds as they just involve
changes to the generic bl1.mk and bl31.mk makefiles.
NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
Soby Mathew
committed
on 18 Jul 2016
|
Fix coding guideline warnings
...
This patch fixes some coding guideline warnings reported by the checkpatch
script. Only files related to upcoming feature development have been fixed.
Change-Id: I26fbce75c02ed62f00493ed6c106fe7c863ddbc5
Soby Mathew
committed
on 18 Jul 2016
|
Rework type usage in Trusted Firmware
...
This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:
* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
whether AArch64 or AArch32.
* Use generic C types where-ever possible.
In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.
Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
Soby Mathew
committed
on 18 Jul 2016
|
Merge pull request #666 from Xilinx/zynqmp/rodata-xn
...
zynqmp: Map read-only data as execute-never
danh-arm
authored
on 18 Jul 2016
GitHub
committed
on 18 Jul 2016
|
Merge pull request #654 from rockchip-linux/rk3399-suspend-resume
...
rockchip: support the suspend/resume for rk3399
danh-arm
authored
on 18 Jul 2016
GitHub
committed
on 18 Jul 2016
|
Merge pull request #653 from rockchip-linux/support-rockchip-sip-runtime-service
...
rockchip: support plat SIP runtime service for rk3399
danh-arm
authored
on 18 Jul 2016
GitHub
committed
on 18 Jul 2016
|
rockchip: support the suspend/resume for rk3399
...
1.Fixes the suspend/resume some bugs.
2.Add the power domain for saving power consumption.
3.Add cpu clusters suspend for rk3399 SoCs
Change-Id: Id602779016b41d6281f4ba40a20229d909b28e46
Tony Xie
authored
on 15 Jul 2016
Caesar Wang
committed
on 18 Jul 2016
|
rockchip: support plat SIP runtime service
...
Software executing in the normal world and in the trusted world at
exception levels lower than EL3 will request runtime services using the
SMC instruction.
See the documentation here:
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/
rt-svc-writers-guide.md
This to be implemented as an EL3 Runtime Service in rockchip BL31
platform port, using the "SiP Service Call" range as specified in the
SMC Calling Convention.
This doesn't support any SMC yet, we will support it in later.
Change-Id: I0a638dd0b653c28b08f79d89f77ed7c69864017d
Caesar Wang
committed
on 18 Jul 2016
|
2016-07-15 |
Merge pull request #662 from sandrine-bailleux-arm/sb/rodata-xn
...
Map read-only data as execute-never
danh-arm
authored
on 15 Jul 2016
GitHub
committed
on 15 Jul 2016
|
Merge pull request #659 from soby-mathew/sm/declare_stack
...
Derive stack alignment from CACHE_WRITEBACK_GRANULE
danh-arm
authored
on 15 Jul 2016
GitHub
committed
on 15 Jul 2016
|
Merge pull request #658 from soby-mathew/sm/init_spi_ppi_gic
...
GIC: Ensure SGIs and PPIs are Group0 before setup
danh-arm
authored
on 15 Jul 2016
GitHub
committed
on 15 Jul 2016
|
Merge pull request #655 from Xilinx/report_merr
...
bl31: Add error reporting registers
danh-arm
authored
on 15 Jul 2016
GitHub
committed
on 15 Jul 2016
|
2016-07-12 |
bl31: Add error reporting registers
...
This patch adds cpumerrsr_el1 and l2merrsr_el1 to the register dump on
error for applicable CPUs.
These registers hold the ECC errors on L1 and L2 caches.
This patch updates the A53, A57, A72, A73 (l2merrsr_el1 only) CPU libraries.
Signed-off-by: Naga Sureshkumar Relli <nagasure@xilinx.com>
Naga Sureshkumar Relli
authored
on 1 Jul 2016
Soren Brinkmann
committed
on 12 Jul 2016
|
2016-07-11 |
zynqmp: Separate code and rodata
...
Set the SEPARATE_CODE_AND_RODATA build flag to map read-only data as
execute never.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Soren Brinkmann
committed
on 11 Jul 2016
|
2016-07-08 |
ARM CSS platforms: Map flash as execute-never by default
...
On ARM CSS platforms, the whole flash used to be mapped as executable.
This is not required, given that the flash is used to store the BL1
and FIP images and:
- The FIP is not executed in place, its images are copied to RAM
and executed from there.
- BL1 is executed in place from flash but only its code needs to be
mapped as executable and platform code takes care of re-mapping
BL1's read-only section as executable.
Therefore, this patch now maps the flash as non-executable by default
on these platforms. This increases security by restricting the
executable region to what is strictly needed.
This patch also adds some comments to clarify the memory mapping
attributes on these platforms.
Change-Id: I4db3c145508bea1f43fbe0f6dcd551e1aec1ecd3
Sandrine Bailleux
committed
on 8 Jul 2016
|
Add some verbose traces in arm_setup_page_tables()
...
This patch adds some verbose traces in the arm_setup_page_tables()
function to print the extents of the different memory regions it maps.
Change-Id: Ia3ae1053e7ebf3579601ff9238b0e3791eb1e9e4
Sandrine Bailleux
committed
on 8 Jul 2016
|
ARM platforms: Add support for SEPARATE_CODE_AND_RODATA
...
The arm_setup_page_tables() function used to expect a single set of
addresses defining the extents of the whole read-only section, code
and read-only data mixed up, which was mapped as executable.
This patch changes this behaviour. arm_setup_page_tables() now
expects 2 separate sets of addresses:
- the extents of the code section;
- the extents of the read-only data section.
The code is mapped as executable, whereas the data is mapped as
execute-never. New #defines have been introduced to identify the
extents of the code and the read-only data section. Given that
all BL images except BL1 share the same memory layout and linker
script structure, these #defines are common across these images.
The slight memory layout differences in BL1 have been handled by
providing values specific to BL1.
Note that this patch also affects the Xilinx platform port, which
uses the arm_setup_page_tables() function. It has been updated
accordingly, such that the memory mappings on this platform are
unchanged. This is achieved by passing null values as the extents
of the read-only data section so that it is ignored. As a result,
the whole read-only section is still mapped as executable.
Fixes ARM-software/tf-issues#85
Change-Id: I1f95865c53ce6e253a01286ff56e0aa1161abac5
Sandrine Bailleux
committed
on 8 Jul 2016
|
ARM platforms: Include BL2U's RO section in total memory region
...
This patch changes the base address of the "total" Trusted SRAM region
seen by the BL2U image. It used to start just after BL2U's read-only
section (i.e. at address BL2U_RO_LIMIT), it now starts from the base
address of the BL2U image (i.e. at address BL2U_BASE). In other words,
the "total" memory region now includes BL2U's own read-only section.
This does not change BL2U's resulting memory mappings because the
read-only section was already mapped in BL2U, it just wasn't part of
this total memory region.
Change-Id: I2da16ac842469023b41904eaa8d13ed678d65671
Sandrine Bailleux
committed
on 8 Jul 2016
|
ARM platforms: Restrict mapping of Trusted ROM in BL1
...
At the moment, on ARM platforms, BL1 maps everything from BL1_RO_BASE
to BL1_RO_LIMIT. BL1_RO_LIMIT, as defined in the porting guide, is
the maximum address in Trusted ROM that BL1's actual content _can_
occupy. The actual portion of ROM occupied by BL1 can be less than
that, which means that BL1 might map more Trusted ROM than it actually
needs to.
This patch changes BL1's memory mappings on ARM platforms to restrict
the region of Trusted ROM it maps. It uses the symbols exported by
the linker to figure out the actual extents of BL1's ROM footprint.
This change increases the number of page tables used on FVP by 1.
On FVP, we used to map the whole Trusted ROM. As it is 64MB large,
we used to map it as blocks of 2MB using level-2 translation table
entries. We now need a finer-grained mapping, which requires an
additional level-3 translation table.
On ARM CSS platforms, the number of translation tables is unchanged.
The BL1 image resides in flash at address 0x0BEC0000. This address is
not aligned on a 2MB-boundary so a level-3 translation table was
already required to map this memory.
Change-Id: I317a93fd99c40e70d0f13cc3d7a570f05c6c61eb
Sandrine Bailleux
committed
on 8 Jul 2016
|
TSP: Print BL32_BASE rather than __RO_START__
...
In debug builds, the TSP prints its image base address and size.
The base address displayed corresponds to the start address of the
read-only section, as defined in the linker script.
This patch changes this to use the BL32_BASE address instead, which is
the same address as __RO_START__ at the moment but has the advantage
to be independent of the linker symbols defined in the linker script
as well as the layout and order of the sections.
Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc
Sandrine Bailleux
committed
on 8 Jul 2016
|