Merge pull request #1688 from JoelHutton/jh/variant_1_mitigations ...

Initial Spectre V1 mitigations (CVE-2017-5753).

Merge pull request #1696 from satheesbalya-arm/sb1/sb1_2406_romlib_juno ...

romlib: Add juno support for romlib

Merge pull request #1695 from satheesbalya-arm/sb1/sb1_2641_romlib_phase2 ...

romlib: Allow patching of romlib functions

Initial Spectre V1 mitigations (CVE-2017-5753). ...

Initial Spectre Variant 1 mitigations (CVE-2017-5753).
A potential speculative data leak was found in PSCI code, this depends
on a non-robust implementation of the `plat_get_core_pos_by_mpidr()`
function. This is considered very low-risk. This patch adds a macro to
mitigate this. Note not all code paths could be analyzed with current
tools.

Add a macro which makes a variable 'speculation safe', using the
 __builtin_speculation_safe_value function of GCC and llvm. This will be
available in GCC 9, and is planned for llvm, but is not currently in
mainline GCC or llvm. In order to implement this mitigation the compiler
must support this builtin. Support is indicated by the
__HAVE_SPECULATION_SAFE_VALUE flag.

The -mtrack-speculation option maintains a 'tracker' register, which
determines if the processor is in false speculation at any point. This
adds instructions and increases code size, but avoids the performance
impact of a hard barrier.

Without the -mtrack-speculation option, __builtin_speculation_safe_value
expands to a

    ISB
    DSB SY

sequence after a conditional branch, before the
speculation safe variable is used. With -mtrack-speculation a

    CSEL tracker, tracker, XZR, [cond];
    AND safeval,tracker;
    CSDB

sequence is added instead, clearing the vulnerable variable by
AND'ing it with the tracker register, which is zero during speculative
execution. [cond] are the status flags which will only be true during
speculative execution. For more information on
__builtin_speculation_safe_value and the -mtrack-speculation option see
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/compiler-support-for-mitigations

The -mtracking option was not added, as the performance impact of the
mitigation is low, and there is only one occurence.

Change-Id: Ic9e66d1f4a5155e42e3e4055594974c230bfba3c
Signed-off-by: Joel Hutton <Joel.Hutton@Arm.com>

juno: Add romlib support ...

This patch adds support to build a combined BL1
and ROMLIB binary file with the right page
alignment in Juno. When USE_ROMLIB=1 is set for
Juno, it generates the combined file
bl1_romlib.bin which needs to be used instead of
bl1.bin

Change-Id: I407efbe48d3e522fa6ef855538a9587193cb1919
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

romlib: Add map file generation ...

Change-Id: I1f377d2d94c0fe8d2d9e62614f4a8e2dfcd9e745
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

romlib: Add calloc_free register function ...

Register functions have to be added to the
jump table to allow patching in the
future

Change-Id: I57a885f7fc6290ea74a6096aea5b1867b2098eb7
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

romlib: Allow patching of romlib functions ...

This change allows patching of functions in the
romlib. This can be done by adding "patch" at the
end of the jump table entry for the function that
needs to be patched in the file jmptbl.i.
Functions patched in the jump table list will be
built as part of the BL image and the romlib
version will not be used

Change-Id: Iefb200cb86e2a4b61ad3ee6180d3ecc39bad537f
Signed-off-by: Sathees Balya <sathees.balya@arm.com>

xlat v2: Support mapping regions with allocated VA ...

Provide new APIs to add new regions without specifying the base VA.

- `mmap_add_region_alloc_va` adds a static region to mmap choosing as
  base VA the first possible address after all the currently mapped
  regions. It is aligned to an appropriate boundary in relation to the
  size and base PA of the requested region. No attempt is made to fill
  any unused VA holes.

- `mmap_add_dynamic_region_alloc_va` it adds a region the same way as
  `mmap_add_region_alloc_va` does, but it's dynamic instead of static.

- `mmap_add_alloc_va` takes an array of non const `mmap_region_t`,
  maps them in the same way as `mmap_add_region_alloc_va` and fills
  their `base_va` field. A helper macro has been created to help create
  the array, called `MAP_REGION_ALLOC_VA`.

Change-Id: I5ef3f82ca0dfd0013d2e8034aa22f13ca528ba37
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

compiler_rt: Import lshrdi3.c file ...

Imported from the LLVM compiler_rt library on master branch as of
30 Oct 2018 (SVN revision: r345645).

This is to get the __aeabi_llsr() builtin, which is required by a
subsequent patch that uses a logical right shift operator in AArch32.

Change-Id: I9884139a12855a8a87206fb572aaa7dd35582b09
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

compiler_rt: Import latest changes on int_lib.h ...

Imported from the LLVM compiler_rt library on master branch as of
30 Oct 2018 (SVN revision: r345645).

Change-Id: I058cfb5894daf1d12e1ef971c0ba36b0aa089be5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

libc: Adapt strlcpy to this codebase ...

Change-Id: I2f5f64aaf90caae936510e1179392a8835f493e0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

libc: Import strlcpy from FreeBSD ...

From commit aafd1cf:

- lib/libc/strlcpy.c

Change-Id: Iaa7028fcc26706bdd6ee3f1e4bd55dd5873a30c6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

bakery: Fix MISRA defects ...

Change-Id: I600bc13522ae977db355b6dc5a1695bce39ec130
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

context_mgmt: Fix MISRA defects ...

The macro EL_IMPLEMENTED() has been deprecated in favour of the new
function el_implemented().

Change-Id: Ic9b1b81480b5e019b50a050e8c1a199991bf0ca9
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Merge pull request #1657 from antonio-nino-diaz-arm/an/libfdt ...

libfdt: Downgrade to version 1.4.6-9

libfdt: Downgrade to version 1.4.6-9 ...

Version 1.4.7 introduces a big performance hit to functions that access
the FDT. Downgrade the library to version 1.4.6-9, before the changes
that introduce the problem. Version 1.4.6 isn't used because one of the
libfdt files (fdt_overlay.c) is missing the license header. This
problem is also fixed in 1.4.6-9.

This version corresponds to commit <aadd0b65c987> checks: centralize
printing of property names in failure messages.

Fixes ARM-software/tf-issues#643

Change-Id: I73c05f2b1f994bcdcc4366131ce0647553cdcfb8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Fix MISRA defects in PMF ...

No functional changes.

Change-Id: I64abd72026082218a40b1a4b8f7dc26ff2478ba6
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Fix MISRA defects in workaround and errata framework ...

No functional changes.

Change-Id: Iaab0310848be587b635ce5339726e92a50f534e0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Fix MISRA defects in extension libs ...

No functional changes.

Change-Id: I2f28f20944f552447ac4e9e755493cd7c0ea1192
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

PIE: Position Independant Executable support for BL31 ...

This patch introduces Position Independant Executable(PIE) support
in TF-A. As a initial prototype, only BL31 can support PIE. A trivial
dynamic linker is implemented which supports fixing up Global Offset
Table(GOT) and Dynamic relocations(.rela.dyn). The fixup_gdt_reloc()
helper function implements this linker and this needs to be called
early in the boot sequence prior to invoking C functions. The GOT is
placed in the RO section of BL31 binary for improved security and the
BL31 linker script is modified to export the appropriate symbols
required for the dynamic linker.

The C compiler always generates PC relative addresses to linker symbols
and hence referencing symbols exporting constants are a problem when
relocating the binary. Hence the reference to the
`__PERCPU_TIMESTAMP_SIZE__` symbol in PMF is removed and is now calculated
at runtime based on start and end addresses.

Change-Id: I1228583ff92cf432963b7cef052e95d995cca93d
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

Make errata reporting mandatory for CPU files ...

Previously the errata reporting was optional for CPU operation
files and this was achieved by making use of weak reference to
resolve to 0 if the symbol is not defined. This is error prone
when adding new CPU operation files and weak references are
problematic when fixing up dynamic relocations. Hence this patch
removes the weak reference and makes it mandatory for the CPU
operation files to define the errata reporting function.

Change-Id: I8af192e19b85b7cd8c7579e52f8f05a4294e5396
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

PIE: Use PC relative adrp/adr for symbol reference ...

This patch fixes up the AArch64 assembly code to use
adrp/adr instructions instead of ldr instruction for
reference to symbols. This allows these assembly
sequences to be Position Independant. Note that the
the reference to sizes have been replaced with
calculation of size at runtime. This is because size
is a constant value and does not depend on execution
address and using PC relative instructions for loading
them makes them relative to execution address. Also
we cannot use `ldr` instruction to load size as it
generates a dynamic relocation entry which must *not*
be fixed up and it is difficult for a dynamic loader
to differentiate which entries need to be skipped.

Change-Id: I8bf4ed5c58a9703629e5498a27624500ef40a836
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

xlat: Fix compatibility between v1 and v2 ...

There are several platforms using arm_setup_page_tables(), which is
supposed to be Arm platform only. This creates several dependency
problems between platforms.

This patch adds the definition XLAT_TABLES_LIB_V2 to the xlat tables lib
v2 makefile. This way it is possible to detect from C code which version
is being used and include the correct header.

The file arm_xlat_tables.h has been renamed to xlat_tables_compat.h and
moved to a common folder. This way, when in doubt, this header can be
used to guarantee compatibility, as it includes the correct header based
on XLAT_TABLES_LIB_V2.

This patch also removes the usage of ARM_XLAT_TABLES_V1 from QEMU (so
that is now locked in xlat lib v2) and ZynqMP (where it was added as a
workaround).

Change-Id: Ie1e22a23b44c549603d1402a237a70d0120d3e04
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

Merge pull request #1643 from antonio-nino-diaz-arm/an/libfdt ...

Update libfdt to version 1.4.7

Merge pull request #1641 from jeenu-arm/ptrauth ...

AArch64: Enable lower ELs to use pointer authentication

libfdt: Import version v1.4.7 ...

Change-Id: Iad7adaf0b16a3d086594cb3432210ac2c4e207f8
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

libfdt: Remove current version ...

The current version of libfdt (1.4.2) has been modified to integrate it
in this repository. In order to do a clean import it is needed to remove
the current version first.

Change-Id: I2cab8c8e5632280d282fa7a2f2339768a0ad1e0f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

libc: Integrate strrchr in libc ...

Change-Id: I3ddc07cb02d73cd7614af7a5b21827aae155f9a0
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

libc: Import strrchr from FreeBSD ...

Imported from lib/libc/string/strrchr.c from commit:

59fd2fb

Change-Id: I898206c6f0372d4d211c149ec0fb9522d0a5b01c
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>