Use SPDX license identifiers ...

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/

Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Merge pull request #898 from soby-mathew/sm/dcache-early ...

PSCI: Build option to enable D-Caches early in warmboot

Remove build option `ASM_ASSERTION` ...

The build option `ENABLE_ASSERTIONS` should be used instead. That way
both C and ASM assertions can be enabled or disabled together.

All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
been replaced by `ENABLE_ASSERTIONS`.

ASM_ASSERTION has been removed from the user guide.

Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Add `ENABLE_ASSERTIONS` build option ...

Add the new build option `ENABLE_ASSERTIONS` that controls whether or
not assert functions are compiled out. It defaults to 1 for debug builds
and to 0 for release builds.

Additionally, a following patch will be done to allow this build option
to hide auxiliary code used for the checks done in an `assert()`. This
code is is currently under the DEBUG build flag.

Assert messages are now only printed if LOG_LEVEL >= LOG_LEVEL_INFO,
which is the default for debug builds.

This patch also updates the User Guide.

Change-Id: I1401530b56bab25561bb0f274529f1d12c5263bc
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

PSCI: Build option to enable D-Caches early in warmboot ...

This patch introduces a build option to enable D-cache early on the CPU
after warm boot. This is applicable for platforms which do not require
interconnect programming to enable cache coherency (eg: single cluster
platforms). If this option is enabled, then warm boot path enables
D-caches immediately after enabling MMU.

Fixes ARM-Software/tf-issues#456

Change-Id: I44c8787d116d7217837ced3bcf0b1d3441c8d80e
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Merge pull request #890 from masahir0y/scp ...

Build: add generic way to include SCP_BL2 into FIP image

Merge pull request #886 from dp-arm/dp/stack-protector ...

Add support for GCC stack protection

Merge pull request #877 from soby-mathew/sm/build_opt_checks ...

Include all makefiles before build option checks

Build: add generic way to include SCP_BL2 into FIP image ...

If SCP_BL2 is passed in from the command line, it is recognized by
make_helpers/tbbr/tbbr_tools.mk, and the cert_create tool generates
the corresponding key and content certificates.

On the other hand, the top-level Makefile does not care SCP_BL2, so
the --scp-fw option is not passed to the fiptool.  As far as I see
plat/arm/css/common/css_common.mk, it looks like a platform's job to
add $(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw)).

We can make the top-level Makefile kind enough to take care of it.
This is useful when we want to have optional SCP_BL2 firmware.

Adjust css_common.mk so that Juno still requires SCP_BL2 by default.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Add support for GCC stack protection ...

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Include all makefiles before build option checks ...

At present, the build option checks are done prior to inclusion of
BL makefiles. This meant if the BL makefiles modified any of the options
then these checks were bypassed. This patch corrects this problem.

Change-Id: I0b591392a74d6d456d2b19bbe292f42b5aeae048
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Move plat/common source file definitions to generic Makefiles ...

These source file definitions should be defined in generic
Makefiles so that all platforms can benefit. Ensure that the
symbols are properly marked as weak so they can be overridden
by platforms.

NOTE: This change is a potential compatibility break for
non-upstream platforms.

Change-Id: I7b892efa9f2d6d216931360dc6c436e1d10cffed
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Merge pull request #860 from jeenu-arm/hw-asstd-coh ...

Patches for platforms with hardware-assisted coherency

Merge pull request #856 from antonio-nino-diaz-arm/an/dynamic-xlat ...

Introduce version 2 of the translation tables library

Add version 2 of xlat tables library ...

The folder lib/xlat_tables_v2 has been created to store a new version
of the translation tables library for further modifications in patches
to follow. At the moment it only contains a basic implementation that
supports static regions.

This library allows different translation tables to be modified by
using different 'contexts'. For now, the implementation defaults to
the translation tables used by the current image, but it is possible
to modify other tables than the ones in use.

Added a new API to print debug information for the current state of
the translation tables, rather than printing the information while
the tables are being created. This allows subsequent debug printing
of the xlat tables after they have been changed, which will be useful
when dynamic regions are implemented in a patch to follow.

The common definitions stored in `xlat_tables.h` header have been moved
to a new file common to both versions, `xlat_tables_defs.h`.

All headers related to the translation tables library have been moved to
a the subfolder `xlat_tables`.

Change-Id: Ia55962c33e0b781831d43a548e505206dffc5ea9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Disallow using coherent memory with hardware-assisted coherency ...

ARM Trusted Firmware keeps certain data structures in a memory region
with non-cacheable attributes (termed as "coherent memory") to keep data
coherent with observers that are cache-coherent, and those not. These
data structures pertain to power management and mutual exclusion. Using
coherent memory also costs at least an additional page to map memory
with special memory attributes.

On systems with hardware-assisted coherency, all CPUs that participate
in power management and mutual exclusion are cache-coherent, obviating
the need for special memory attributes for such data structures.
Instead, they can be placed in normal memory, along with rest of data.

On systems with hardware-assisted coherency, where build option
HW_ASSISTED_COHERENCY will be set, also having USE_COHERENT_MEMORY
enabled only wastes a page of memory without any
benefit. Therefore, with HW_ASSISTED_COHERENCY set to 1, require that
USE_COHERENT_MEMORY is explicitly set to 0.

Change-Id: I5101657ae6b1a46278069f23e2d88ee5cbd98efa
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

build: Define build option for hardware-assisted coherency ...

The boolean build option HW_ASSISTED_COHERENCY is introduced to enable
various optimizations in ARM Trusted Software, when built for such
systems. It's set to 0 by default.

Change-Id: I638390da6e1718fe024dcf5b402e07084f1eb014
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Merge pull request #837 from douglas-raillard-arm/dr/fix_tools_cflags ...

build: Use separate CFLAGS for tools

Merge pull request #843 from jeenu-arm/cas-lock ...

Introduce locking primitives using CAS instruction

Merge pull request #829 from masahir0y/build ...

Makefile: use git describe for BUILD_STRING

Introduce locking primitives using CAS instruction ...

The ARMv8v.1 architecture extension has introduced support for far
atomics, which includes compare-and-swap. Compare and Swap instruction
is only available for AArch64.

Introduce build options to choose the architecture versions to target
ARM Trusted Firmware:

  - ARM_ARCH_MAJOR: selects the major version of target ARM
    Architecture. Default value is 8.

  - ARM_ARCH_MINOR: selects the minor version of target ARM
    Architecture. Default value is 0.

When:

  (ARM_ARCH_MAJOR > 8) || ((ARM_ARCH_MAJOR == 8) && (ARM_ARCH_MINOR >= 1)),

for AArch64, Compare and Swap instruction is used to implement spin
locks. Otherwise, the implementation falls back to using
load-/store-exclusive instructions.

Update user guide, and introduce a section in Firmware Design guide to
summarize support for features introduced in ARMv8 Architecture
Extensions.

Change-Id: I73096a0039502f7aef9ec6ab3ae36680da033f16
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

PSCI: Decouple PSCI stat residency calculation from PMF ...

This patch introduces the following three platform interfaces:

* void plat_psci_stat_accounting_start(const psci_power_state_t *state_info)

  This is an optional hook that platforms can implement in order
  to perform accounting before entering a low power state.  This
  typically involves capturing a timestamp.

* void plat_psci_stat_accounting_stop(const psci_power_state_t *state_info)

  This is an optional hook that platforms can implement in order
  to perform accounting after exiting from a low power state.  This
  typically involves capturing a timestamp.

* u_register_t plat_psci_stat_get_residency(unsigned int lvl,
	const psci_power_state_t *state_info,
	unsigned int last_cpu_index)

  This is an optional hook that platforms can implement in order
  to calculate the PSCI stat residency.

If any of these interfaces are overridden by the platform, it is
recommended that all of them are.

By default `ENABLE_PSCI_STAT` is disabled.  If `ENABLE_PSCI_STAT`
is set but `ENABLE_PMF` is not set then an alternative PSCI stat
collection backend must be provided.  If both are set, then default
weak definitions of these functions are provided, using PMF to
calculate the residency.

NOTE: Previously, platforms did not have to explicitly set
`ENABLE_PMF` since this was automatically done by the top-level
Makefile.

Change-Id: I17b47804dea68c77bc284df15ee1ccd66bc4b79b
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Makefile: use git describe for BUILD_STRING ...

Currently, the BUILD_STRING is just 7-digits git hash.  It is true
we can identify which version is running, but we can not get a quick
idea about how new or old it is.

The command "git describe" provides us a bit more useful information
in the format of:
  (tag-name)-(number of commits on top the tag)-g(7 digits hash)

I added some options:
  --always
    Make "git describe" work without any tag in case the upstream
    ATF is cloned, but all the tags are locally dropped.

  --tags
    Use any tag instead of only annotated tags.  In ATF, only some
    tags are annotated, actually the last annotated tag is "v0.2",
    whereas we are on "v1.3" tag now.  This option is needed to get
    something like v1.3-233-gbcc2bf0 instead of v0.2-1713-gbcc2bf0.

  --dirty
    The mark "-dirty" is appended if the source tree is locally
    modified.

With this commit, the welcome string

  NOTICE:  BL1: v1.3(debug):bcc2bf0

will become like follows:

  NOTICE:  BL1: v1.3(debug):v1.3-233-gbcc2bf0-dirty

While we are here, let's add "2> /dev/null" as well to silently
ignore any error message from git.  We should not assume that users
always work in a git repository; the ATF might be released in a
tarball form instead of a git repository.  In such a case, the git
command will fail, then the ugly message "fatal: Not a git ..." will
be displayed during the build:

$ make CROSS_COMPILE=aarch64-linux-gnu-
fatal: Not a git repository (or any of the parent directories): .git
Building fvp
  CC      drivers/io/io_semihosting.c
  CC      lib/semihosting/semihosting.c
     ...

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Merge pull request #821 from jeenu-arm/errata-printing ...

Errata printing infrastructure

Merge pull request #799 from masahir0y/fiptool ...

fiptool: Alignment support + misc refactoring

build: Use separate CFLAGS for tools ...

Sharing the same CFLAGS for both the firmware and host tools is not
useful and can lead to compilation failure when CFLAGS is set on the
command line.

This patch make MAKEOVERRIDES special variable empty so make's command
line variable definitions are not implicitly forwarded to sub make
invocations. However, make options are still forwarded like "-s" option
to make the build silent.

Change-Id: Ia921c02beb1fd2041696a26160b9e7974ae000fa
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

Report errata workaround status to console ...

The errata reporting policy is as follows:

  - If an errata workaround is enabled:

    - If it applies (i.e. the CPU is affected by the errata), an INFO
      message is printed, confirming that the errata workaround has been
      applied.

    - If it does not apply, a VERBOSE message is printed, confirming
      that the errata workaround has been skipped.

  - If an errata workaround is not enabled, but would have applied had
    it been, a WARN message is printed, alerting that errata workaround
    is missing.

The CPU errata messages are printed by both BL1 (primary CPU only) and
runtime firmware on debug builds, once for each CPU/errata combination.

Relevant output from Juno r1 console when ARM Trusted Firmware is built
with PLAT=juno LOG_LEVEL=50 DEBUG=1:

  VERBOSE: BL1: cortex_a57: errata workaround for 806969 was not applied
  VERBOSE: BL1: cortex_a57: errata workaround for 813420 was not applied
  INFO:    BL1: cortex_a57: errata workaround for disable_ldnp_overread was applied
  WARNING: BL1: cortex_a57: errata workaround for 826974 was missing!
  WARNING: BL1: cortex_a57: errata workaround for 826977 was missing!
  WARNING: BL1: cortex_a57: errata workaround for 828024 was missing!
  WARNING: BL1: cortex_a57: errata workaround for 829520 was missing!
  WARNING: BL1: cortex_a57: errata workaround for 833471 was missing!
  ...
  VERBOSE: BL31: cortex_a57: errata workaround for 806969 was not applied
  VERBOSE: BL31: cortex_a57: errata workaround for 813420 was not applied
  INFO:    BL31: cortex_a57: errata workaround for disable_ldnp_overread was applied
  WARNING: BL31: cortex_a57: errata workaround for 826974 was missing!
  WARNING: BL31: cortex_a57: errata workaround for 826977 was missing!
  WARNING: BL31: cortex_a57: errata workaround for 828024 was missing!
  WARNING: BL31: cortex_a57: errata workaround for 829520 was missing!
  WARNING: BL31: cortex_a57: errata workaround for 833471 was missing!
  ...
  VERBOSE: BL31: cortex_a53: errata workaround for 826319 was not applied
  INFO:    BL31: cortex_a53: errata workaround for disable_non_temporal_hint was applied

Also update documentation.

Change-Id: Iccf059d3348adb876ca121cdf5207bdbbacf2aba
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Add -fno-builtin to CFLAGS ...

Disable the automatic substitution of functions with builtins. The
existing -ffreestanding option should already do this but explicitly
adding -fno-builtin reduces the risk of compiler variation. With this
option, GCC is not supposed to be able to make assumptions on what the
function does, which could otherwise lead to security-sensitive code
removal.

This can lead to potentially less efficient code but improves
predictability of what code is actually compiled into the binary.

Change-Id: I06ad151c61318bd1b00d84976f051d2d94314acc
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

fiptool: support --align option to add desired alignment to image offset ...

The current fiptool packs all the images without any padding between
them.  So, the offset to each image has no alignment.  This is not
efficient, for example, when the FIP is read from a block-oriented
device.

For example, (e)MMC is accessed by block-addressing.  The block size
is 512 byte.  So, the best case is each image is aligned by 512 byte
since the DMA engine can transfer the whole of the image to its load
address directly.  The worst case is the offset does not have even
DMA-capable alignment (this is where we stand now).  In this case,
we need to transfer every block to a bounce buffer, then do memcpy()
from the bounce buffer to our final destination.  At least, this
should work with the abstraction by the block I/O layer, but the
CPU-intervention for the whole data transfer makes it really slow.

This commit adds a new option --align to the fiptool.  This option,
if given, requests the tool to align each component in the FIP file
by the specified byte.  Also, add a new Make option FIP_ALIGN for
easier access to this feature; users can give something like
FIP_ALIGN=512 from the command line, or add "FIP_ALIGN := 512" to
their platform.mk file.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

checkpatch: Fix regular expressions ...

When generating the list of files to check by checkpatch.pl, the list
generated by `git ls-files` is filtered by a regular expression with
grep. Due to a malformed regex, the dot of `.md` was considered a
wildcard instead of a dot. This patch fixes this so that it matches
only dots, thus allowing the two following files to be checked:

* tools/cert_create/include/cmd_opt.h
* tools/cert_create/src/cmd_opt.c

Also extended the list of library directories to check by checkpatch
to exclude any folder starting with libfdt.

Change-Id: Ie7bf18efe4df29e364e5d67ba1118515304ed9a4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>