2016-09-22 |
PSCI: Do psci_setup() as part of std_svc_setup()
...
This patch moves the invocation of `psci_setup()` from BL31 and SP_MIN
into `std_svc_setup()` as part of ARM Standard Service initialization.
This allows us to consolidate ARM Standard Service initializations which
will be added to in the future. A new function `get_arm_std_svc_args()`
is introduced to get arguments corresponding to each standard service.
This function must be implemented by the EL3 Runtime Firmware and both
SP_MIN and BL31 implement it.
Change-Id: I38e1b644f797fa4089b20574bd4a10f0419de184
Soby Mathew
committed
on 22 Sep 2016
|
PSCI: Introduce PSCI Library argument structure
...
This patch introduces a `psci_lib_args_t` structure which must be
passed into `psci_setup()` which is then used to initialize the PSCI
library. The `psci_lib_args_t` is a versioned structure so as to enable
compatibility checks during library initialization. Both BL31 and SP_MIN
are modified to use the new structure.
SP_MIN is also modified to add version string and build message as part
of its cold boot log just like the other BLs in Trusted Firmware.
NOTE: Please be aware that this patch modifies the prototype of
`psci_setup()`, which breaks compatibility with EL3 Runtime Firmware
(excluding BL31 and SP_MIN) integrated with the PSCI Library.
Change-Id: Ic3761db0b790760a7ad664d8a437c72ea5edbcd6
Soby Mathew
committed
on 22 Sep 2016
|
2016-09-21 |
AArch32: Support in SP_MIN to receive arguments from BL2
...
This patch adds support in SP_MIN to receive generic and
platform specific arguments from BL2.
The new signature is as following:
void sp_min_early_platform_setup(void *from_bl2,
void *plat_params_from_bl2);
ARM platforms have been modified to use this support.
Note: Platforms may break if using old signature.
Default value for RESET_TO_SP_MIN is changed to 0.
Change-Id: I008d4b09fd3803c7b6231587ebf02a047bdba8d0
Yatharth Kochar
committed
on 21 Sep 2016
|
AArch32: Refactor SP_MIN to support RESET_TO_SP_MIN
...
This patch uses the `el3_entrypoint_common` macro to initialize
CPU registers, in SP_MIN entrypoint.s file, in both cold and warm
boot path. It also adds conditional compilation, in cold and warm
boot entry path, based on RESET_TO_SP_MIN.
Change-Id: Id493ca840dc7b9e26948dc78ee928e9fdb76b9e4
Yatharth Kochar
committed
on 21 Sep 2016
|
2016-08-10 |
AArch32: add a minimal secure payload (SP_MIN)
...
This patch adds a minimal AArch32 secure payload SP_MIN. It relies on PSCI
library to initialize the normal world context. It runs in Monitor mode
and uses the runtime service framework to handle SMCs. It is added as
a BL32 component in the Trusted Firmware source tree.
Change-Id: Icc04fa6b242025a769c1f6c7022fde19459c43e9
Soby Mathew
committed
on 10 Aug 2016
|
2016-08-09 |
Move spinlock library code to AArch64 folder
...
This patch moves the assembly exclusive lock library code
`spinlock.S` into architecture specific folder `aarch64`.
A stub file which includes the file from new location is
retained at the original location for compatibility. The BL
makefiles are also modified to include the file from the new
location.
Change-Id: Ide0b601b79c439e390c3a017d93220a66be73543
Soby Mathew
committed
on 9 Aug 2016
|
2016-07-08 |
TSP: Print BL32_BASE rather than __RO_START__
...
In debug builds, the TSP prints its image base address and size.
The base address displayed corresponds to the start address of the
read-only section, as defined in the linker script.
This patch changes this to use the BL32_BASE address instead, which is
the same address as __RO_START__ at the moment but has the advantage
to be independent of the linker symbols defined in the linker script
as well as the layout and order of the sections.
Change-Id: I032d8d50df712c014cbbcaa84a9615796ec902cc
Sandrine Bailleux
committed
on 8 Jul 2016
|
Introduce SEPARATE_CODE_AND_RODATA build flag
...
At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.
This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.
This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.
- When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
the read-only section still looks like this (padding omitted):
| ... |
+-------------------+
| Exception vectors |
+-------------------+
| Read-only data |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script provides the limits of the whole
read-only section.
- When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
read-only data are swapped, such that the code and exception
vectors are contiguous, followed by the read-only data. This
gives the following new layout (padding omitted):
| ... |
+-------------------+
| Read-only data |
+-------------------+
| Exception vectors |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script now exports 2 sets of addresses
instead: the limits of the code and the limits of the read-only
data. Refer to the Firmware Design guide for more details. This
provides platform code with a finer-grained view of the image
layout and allows it to map these 2 regions with the appropriate
access permissions.
Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
Sandrine Bailleux
committed
on 8 Jul 2016
|
2016-05-26 |
Introduce some helper macros for exception vectors
...
This patch introduces some assembler macros to simplify the
declaration of the exception vectors. It abstracts the section
the exception code is put into as well as the alignments
constraints mandated by the ARMv8 architecture. For all TF images,
the exception code has been updated to make use of these macros.
This patch also updates some invalid comments in the exception
vector code.
Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
Sandrine Bailleux
committed
on 26 May 2016
|
2016-04-01 |
Make:Remove calls to shell from makefiles.
...
As an initial stage of making Trusted Firmware build environment more
portable, we remove most uses of the $(shell ) function and replace them
with more portable make function based solutions.
Note that the setting of BUILD_STRING still uses $(shell ) since it's
not possible to reimplement this as a make function. Avoiding invocation
of this on incompatible host platforms will be implemented separately.
Change-Id: I768e2f9a265c78814a4adf2edee4cc46cda0f5b8
Evan Lloyd
committed
on 1 Apr 2016
|
2016-03-14 |
Remove all non-configurable dead loops
...
Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.
Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().
All unnecesary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.
Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
Antonio Nino Diaz
committed
on 14 Mar 2016
|
2015-12-14 |
Remove dashes from image names: 'BL3-x' --> 'BL3x'
...
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:
https://github.com/ARM-software/arm-trusted-firmware/wiki
Changes apply to output messages, comments and documentation.
non-ARM platform files have been left unmodified.
Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
Juan Castillo
committed
on 14 Dec 2015
|
2015-12-09 |
TSP: Allow preemption of synchronous S-EL1 interrupt handling
...
Earlier the TSP only ever expected to be preempted during Standard SMC
processing. If a S-EL1 interrupt triggered while in the normal world, it
will routed to S-EL1 `synchronously` for handling. The `synchronous` S-EL1
interrupt handler `tsp_sel1_intr_entry` used to panic if this S-EL1 interrupt
was preempted by another higher priority pending interrupt which should be
handled in EL3 e.g. Group0 interrupt in GICv3.
With this patch, the `tsp_sel1_intr_entry` now expects `TSP_PREEMPTED` as the
return code from the `tsp_common_int_handler` in addition to 0 (interrupt
successfully handled) and in both cases it issues an SMC with id
`TSP_HANDLED_S_EL1_INTR`. The TSPD switches the context and returns back
to normal world. In case a higher priority EL3 interrupt was pending, the
execution will be routed to EL3 where interrupt will be handled. On return
back to normal world, the pending S-EL1 interrupt which was preempted will
get routed to S-EL1 to be handled `synchronously` via `tsp_sel1_intr_entry`.
Change-Id: I2087c7fedb37746fbd9200cdda9b6dba93e16201
Soby Mathew
committed
on 9 Dec 2015
|
2015-12-04 |
Enable use of FIQs and IRQs as TSP interrupts
...
On a GICv2 system, interrupts that should be handled in the secure world are
typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
as IRQs instead. The mechanism for handling both types of interrupts is the same
in both cases. This patch enables the TSP to run on a GICv3 system by:
1. adding support for handling IRQs in the exception handling code.
2. removing use of "fiq" in the names of data structures, macros and functions.
The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
former build flag is defined, it will be used to define the value for the
new build flag. The documentation is also updated accordingly.
Change-Id: I1807d371f41c3656322dd259340a57649833065e
Soby Mathew
committed
on 4 Dec 2015
|
Unify interrupt return paths from TSP into the TSPD
...
The TSP is expected to pass control back to EL3 if it gets preempted due to
an interrupt while handling a Standard SMC in the following scenarios:
1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
timer interrupt or is preempted by a higher priority interrupt by the time
the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
the TSP Secure Timer is expected to generate FIQ.
2. An IRQ preempts Standard SMC execution and in this case the TSP issues
an SMC with the ID as `TSP_PREEMPTED`.
In both the cases, the TSPD hands control back to the normal world and returns
returns an error code to the normal world to indicate that the standard SMC it
had issued has been preempted but not completed.
This patch unifies the handling of these two cases in the TSPD and ensures that
the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
returned as error code back to the normal world.
Background information: On a GICv3 system, when the secure world has affinity
routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both case, the
TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
will be handled. This allows for unified interrupt handling in TSP for both
GICv3 and GICv2 systems.
Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4
Soby Mathew
committed
on 4 Dec 2015
|
2015-09-14 |
Make generic code work in presence of system caches
...
On the ARMv8 architecture, cache maintenance operations by set/way on the last
level of integrated cache do not affect the system cache. This means that such a
flush or clean operation could result in the data being pushed out to the system
cache rather than main memory. Another CPU could access this data before it
enables its data cache or MMU. Such accesses could be serviced from the main
memory instead of the system cache. If the data in the sysem cache has not yet
been flushed or evicted to main memory then there could be a loss of
coherency. The only mechanism to guarantee that the main memory will be updated
is to use cache maintenance operations to the PoC by MVA(See section D3.4.11
(System level caches) of ARMv8-A Reference Manual (Issue A.g/ARM DDI0487A.G).
This patch removes the reliance of Trusted Firmware on the flush by set/way
operation to ensure visibility of data in the main memory. Cache maintenance
operations by MVA are now used instead. The following are the broad category of
changes:
1. The RW areas of BL2/BL31/BL32 are invalidated by MVA before the C runtime is
initialised. This ensures that any stale cache lines at any level of cache
are removed.
2. Updates to global data in runtime firmware (BL31) by the primary CPU are made
visible to secondary CPUs using a cache clean operation by MVA.
3. Cache maintenance by set/way operations are only used prior to power down.
NOTE: NON-UPSTREAM TRUSTED FIRMWARE CODE SHOULD MAKE EQUIVALENT CHANGES IN
ORDER TO FUNCTION CORRECTLY ON PLATFORMS WITH SUPPORT FOR SYSTEM CACHES.
Fixes ARM-software/tf-issues#205
Change-Id: I64f1b398de0432813a0e0881d70f8337681f6e9a
Achin Gupta
committed
on 14 Sep 2015
|
2015-09-10 |
Pass the target suspend level to SPD suspend hooks
...
In certain Trusted OS implementations it is a requirement to pass them the
highest power level which will enter a power down state during a PSCI
CPU_SUSPEND or SYSTEM_SUSPEND API invocation. This patch passes this power level
to the SPD in the "max_off_pwrlvl" parameter of the svc_suspend() hook.
Currently, the highest power level which was requested to be placed in a low
power state (retention or power down) is passed to the SPD svc_suspend_finish()
hook. This hook is called after emerging from the low power state. It is more
useful to pass the highest power level which was powered down instead. This
patch does this by changing the semantics of the parameter passed to an SPD's
svc_suspend_finish() hook. The name of the parameter has been changed from
"suspend_level" to "max_off_pwrlvl" as well. Same changes have been made to the
parameter passed to the tsp_cpu_resume_main() function.
NOTE: THIS PATCH CHANGES THE SEMANTICS OF THE EXISTING "svc_suspend_finish()"
API BETWEEN THE PSCI AND SPD/SP IMPLEMENTATIONS. THE LATTER MIGHT NEED
UPDATES TO ENSURE CORRECT BEHAVIOUR.
Change-Id: If3a9d39b13119bbb6281f508a91f78a2f46a8b90
Achin Gupta
committed
on 10 Sep 2015
|
2015-08-13 |
PSCI: Migrate SPDs and TSP to the new platform and framework API
...
The new PSCI frameworks mandates that the platform APIs and the various
frameworks in Trusted Firmware migrate away from MPIDR based core
identification to one based on core index. Deprecated versions of the old
APIs are still present to provide compatibility but their implementations
are not optimal. This patch migrates the various SPDs exisiting within
Trusted Firmware tree and TSP to the new APIs.
Change-Id: Ifc37e7071c5769b5ded21d0b6a071c8c4cab7836
Soby Mathew
authored
on 8 Jul 2015
Achin Gupta
committed
on 13 Aug 2015
|
2015-04-28 |
Add linker symbol declarations to bl_common.h
...
Add extern declarations of linker symbols to bl_common.h. These are
used by platform ports to determine the memory layout of BL images.
Adding the declarations to this file facilitates removal of these
declarations from the platform porting source files in subsequent
patches.
Also remove the linker symbol declarations from common TSP source
code.
Change-Id: I8ed0426bc815317c4536b588e4e78bc15b4fe91c
Dan Handley
committed
on 28 Apr 2015
|
Allow deeper platform port directory structure
...
Update the top level makefile to allow platform ports to exist in
subdirectories at any level instead of one level under `plat/`. The
makefile recursively searches for all files called `platform.mk` in
all subdirectories of `plat/`. The directory containing
`platform.mk` is the platform name. Platform names must be unique
across the codebase.
Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since
these are both used to report the same information back to the user.
Update the TSP and cert_create tool makefiles in a similar way
to support a deeper platform port directory structure.
Also add PLAT_<plat_name> as a define passed through the top level
makefile to the source files, to allow build time variation in common
platform code.
Change-Id: I213420164808c5ddb99a26144e8e3f141a7417b7
Dan Handley
committed
on 28 Apr 2015
|
2015-04-27 |
Fix type mismatches in verbose logging
...
Commit dad2504 adds support for type checking in printf-like
functions. Some of the VERBOSE logging statements were not updated
at that time.
Fix the type mismatches in the verbose logging statements.
Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
Dan Handley
committed
on 27 Apr 2015
|
2015-04-08 |
Add support to indicate size and end of assembly functions
...
In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.
To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.
The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.
Fixes ARM-Software/tf-issues#295
Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
Kévin Petit
committed
on 8 Apr 2015
|
2015-03-06 |
Enable type-checking of arguments passed to printf() et al.
...
This patch modifies the declarations of the functions printf() et al.
and adds the right GCC attribute to request the compiler to check
the type of the arguments passed to these functions against the given
format string. This will ensure that the compiler outputs warning
messages like the following whenever it detects an inconsistency:
file.c:42: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
It also fixes the type mismatch inconsistencies that it revealed
across the code base.
NOTE: THIS PATCH MAY FORCE PLATFORM PORTS OR SP/SPDS THAT USE THE
PRINTF FAMILY OF FUNCTIONS TO FIX ANY TYPE MISMATCH INCONSISTENCIES.
Change-Id: If36bb54ec7d6dd2cb4791d89b02a24ac13fd2df6
Sandrine Bailleux
committed
on 6 Mar 2015
|
2015-01-23 |
Save 'power_state' early in PSCI CPU_SUSPEND call
...
This patch adds support to save the "power state" parameter before the
affinity level specific handlers are called in a CPU_SUSPEND call.
This avoids the need to pass the power_state as a parameter to the
handlers and Secure Payload Dispatcher (SPD) suspend spd_pm_ops.
The power_state arguments in the spd_pm_ops operations are now reserved
and must not be used. The SPD can query the relevant power_state fields
by using the psci_get_suspend_afflvl() & psci_get_suspend_stateid() APIs.
NOTE: THIS PATCH WILL BREAK THE SPD_PM_OPS INTERFACE. HENCE THE SECURE
PAYLOAD DISPATCHERS WILL NEED TO BE REWORKED TO USE THE NEW INTERFACE.
Change-Id: I1293d7dc8cf29cfa6a086a009eee41bcbf2f238e
Soby Mathew
committed
on 23 Jan 2015
|
2015-01-22 |
Remove coherent memory from the BL memory maps
...
This patch extends the build option `USE_COHERENT_MEMORY` to
conditionally remove coherent memory from the memory maps of
all boot loader stages. The patch also adds necessary
documentation for coherent memory removal in firmware-design,
porting and user guides.
Fixes ARM-Software/tf-issues#106
Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773
Soby Mathew
authored
on 8 Jan 2015
Dan Handley
committed
on 22 Jan 2015
|
2014-08-21 |
Juno: Add support for Test Secure-EL1 Payload
...
This patch implements the TSP on Juno. It executes from on-chip Trusted
SRAM.
Also, the other bootloader images (i.e. BL1 R/W, BL2 and BL3-1) have
been moved around. The reason is, although there was enough space
overall to store the TSP in SRAM, there was no contiguous free chunk
of SRAM big enough to hold it.
This patch keeps the overall memory layout (i.e. keeping BL1 R/W at
the bottom, BL2 at the top and BL3-1 in between) but moves the base
addresses of all the bootloader images in such a way that:
- memory fragmentation is reduced enough to fit BL3-2 in;
- new base addresses are suitable for release builds as well as debug
ones;
- each image has a few extra kilobytes for future growth.
BL3-1 and BL3-2 are the images which received the biggest allocations
since they will most probably grow the most.
This patch also adds instruction synchronization barriers around the code which
handles the timer interrupt in the TSP. This ensures that the interrupt is not
acknowledged after or EOIed before it is deactivated at the peripheral.
Change-Id: I1c5b51858700027ee283ac85d18e06863a27c72e
Sandrine Bailleux
authored
on 17 Jul 2014
Soby Mathew
committed
on 21 Aug 2014
|
2014-08-19 |
Add support for PSCI SYSTEM_OFF and SYSTEM_RESET APIs
...
This patch adds support for SYSTEM_OFF and SYSTEM_RESET PSCI
operations. A platform should export handlers to complete the
requested operation. The FVP port exports fvp_system_off() and
fvp_system_reset() as an example.
If the SPD provides a power management hook for system off and
system reset, then the SPD is notified about the corresponding
operation so it can do some bookkeeping. The TSPD exports
tspd_system_off() and tspd_system_reset() for that purpose.
Versatile Express shutdown and reset methods have been removed
from the FDT as new PSCI sys_poweroff and sys_reset services
have been added. For those kernels that do not support yet these
PSCI services (i.e. GICv3 kernel), the original dtsi files have
been renamed to *-no_psci.dtsi.
Fixes ARM-software/tf-issues#218
Change-Id: Ic8a3bf801db979099ab7029162af041c4e8330c8
Juan Castillo
authored
on 12 Aug 2014
Dan Handley
committed
on 19 Aug 2014
|
Merge pull request #189 from achingupta/ag/tf-issues#153
...
Unmask SError interrupt and clear SCR_EL3.EA bit
Dan Handley
committed
on 19 Aug 2014
|
Clarify platform porting interface to TSP
...
* Move TSP platform porting functions to new file:
include/bl32/tsp/platform_tsp.h.
* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
TSP interrupt handling code, instead of depending on the FVP
specific definition IRQ_SEC_PHY_TIMER.
* Rename TSP platform porting functions from bl32_* to tsp_*, and
definitions from BL32_* to TSP_*.
* Update generic TSP code to use new platform porting function names
and definitions.
* Update FVP port accordingly and move all TSP source files to:
plat/fvp/tsp/.
* Update porting guide with above changes.
Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
BE UPDATED
Fixes ARM-software/tf-issues#167
Change-Id: Ic0ff8caf72aebb378d378193d2f017599fc6b78f
Dan Handley
committed
on 19 Aug 2014
|
2014-08-15 |
Unmask SError interrupt and clear SCR_EL3.EA bit
...
This patch disables routing of external aborts from lower exception levels to
EL3 and ensures that a SError interrupt generated as a result of execution in
EL3 is taken locally instead of a lower exception level.
The SError interrupt is enabled in the TSP code only when the operation has not
been directly initiated by the normal world. This is to prevent the possibility
of an asynchronous external abort which originated in normal world from being
taken when execution is in S-EL1.
Fixes ARM-software/tf-issues#153
Change-Id: I157b996c75996d12fd86d27e98bc73dd8bce6cd5
Achin Gupta
committed
on 15 Aug 2014
|