2020-03-21 |
spd: tlkd: support new TLK SMCs for RPMB service
...
This patch adds support to handle following TLK SMCs:
{TLK_SET_BL_VERSION, TLK_LOCK_BL_INTERFACE, TLK_BL_RPMB_SERVICE}
These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.
Brief:
TLK_SET_BL_VERSION: This SMC is issued by the bootloader to supply its
version to TLK. TLK can use this to prevent rollback attacks.
TLK_LOCK_BL_INTERFACE: This SMC is issued by bootloader before handing off
execution to the OS. This allows preventing sensitive SMCs being used
by the OS.
TLK_BL_RPMB_SERVICE: bootloader issues this SMC to sign or verify RPMB
frames.
Tested by: Tests TLK can receive the new SMCs issued by bootloader
Change-Id: I57c2d189a5f7a77cea26c3f8921866f2a6f0f944
Signed-off-by: Mustafa Yigit Bilgen <mbilgen@nvidia.com>
Mustafa Yigit Bilgen
authored
on 3 Dec 2018
Varun Wadekar
committed
on 21 Mar 2020
|
2020-03-18 |
tlkd: remove system off/reset handlers
...
TLK does not participate in the system off/reset process and so
has no use for the SYSTEM_OFF/RESET notifications.
This patch removes the system off/reset handlers as a result.
Change-Id: Icf1430b1400cea88000e6d54426eb604a43cbe6c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 18 Mar 2020
|
2020-03-11 |
spd: tlkd: secure timer interrupt handler
...
This patch adds an interrupt handler for TLK. On receiving an
interrupt, the source of the interrupt is determined and the
interrupt is marked complete. The IRQ number is passed to
TLK along with a special SMC function ID. TLK issues an SMC
to notify completion of the interrupt handler in the S-EL1
world.
Change-Id: I76f28cee6537245c5e448d2078f86312219cea1a
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 11 Mar 2020
|
2019-08-01 |
Replace __ASSEMBLY__ with compiler-builtin __ASSEMBLER__
...
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
Julius Werner
committed
on 1 Aug 2019
|
2019-04-25 |
sp_min: make sp_min_warm_entrypoint public
...
Similar to bl31_warm_entrypoint, sp_min-based platforms may need
that for special resume handling.
Therefore move it from the private header to the sp_min platform header.
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Change-Id: I40d9eb3ff77cff88d47c1ff51d53d9b2512cbd3e
Heiko Stuebner
committed
on 25 Apr 2019
|
2019-02-27 |
TSP: Enable pointer authentication support
...
The size increase after enabling options related to ARMv8.3-PAuth is:
+----------------------------+-------+-------+-------+--------+
| | text | bss | data | rodata |
+----------------------------+-------+-------+-------+--------+
| CTX_INCLUDE_PAUTH_REGS = 1 | +40 | +0 | +0 | +0 |
| | 0.4% | | | |
+----------------------------+-------+-------+-------+--------+
| ENABLE_PAUTH = 1 | +352 | +0 | +16 | +0 |
| | 3.1% | | 15.8% | |
+----------------------------+-------+-------+-------+--------+
Results calculated with the following build configuration:
make PLAT=fvp SPD=tspd DEBUG=1 \
SDEI_SUPPORT=1 \
EL3_EXCEPTION_HANDLING=1 \
TSP_NS_INTR_ASYNC_PREEMPT=1 \
CTX_INCLUDE_PAUTH_REGS=1 \
ENABLE_PAUTH=1
Change-Id: I6cc1fe0b2345c547dcef66f98758c4eb55fe5ee4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 27 Feb 2019
|
2019-01-31 |
tlkd: support new TLK SMCs
...
This patch adds support to handle following TLK SMCs:
{TLK_SS_REGISTER_HANDLER, TLK_REGISTER_NS_DRAM_RANGES, TLK_SET_ROOT_OF_TRUST}
These SMCs need to be supported in ATF in order to forward them to
TLK. Otherwise, these functionalities won't work.
Brief:
TLK_SS_REGISTER_HANDLER: This SMC is issued by TLK Linux Driver to
set up secure storage buffers.
TLK_REGISTER_NS_DRAM_RANGES: Cboot performs this SMC during boot to
pass NS memory ranges to TLK.
TLK_SET_ROOT_OF_TRUST: Cboot performs this SMC during boot to pass
Verified Boot parameters to TLK.
Change-Id: I18af35f6dd6f510dfc22c1d1d1d07f643c7b82bc
Reviewed-on: https://git-master.nvidia.com/r/1643851
Signed-off-by: Mihir Joshi <mihirj@nvidia.com>
Mihir Joshi
authored
on 22 Jan 2018
Varun Wadekar
committed
on 31 Jan 2019
|
2019-01-04 |
Sanitise includes across codebase
...
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a282 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988b9 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 4 Jan 2019
|
2018-11-08 |
Standardise header guards across codebase
...
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 8 Nov 2018
|
2018-09-28 |
Remove deprecated early platform setup interfaces
...
The affected interfaces are bl31_early_platform_setup(),
sp_min_early_platform_setup() and bl2_early_platform_setup().
Change-Id: I50c01ec68bcbe97fe4e5d101bcd0f763358b8e1e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
Antonio Nino Diaz
committed
on 28 Sep 2018
|
2018-02-26 |
Introduce the new BL handover interface
...
This patch introduces a new BL handover interface. It essentially allows
passing 4 arguments between the different BL stages. Effort has been made
so as to be compatible with the previous handover interface. The previous
blx_early_platform_setup() platform API is now deprecated and the new
blx_early_platform_setup2() variant is introduced. The weak compatiblity
implementation for the new API is done in the `plat_bl_common.c` file.
Some of the new arguments in the new API will be reserved for generic
code use when dynamic configuration support is implemented. Otherwise
the other registers are available for platform use.
Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Soby Mathew
committed
on 26 Feb 2018
|
2018-01-08 |
spd: tlkd: support for "NS memory ranges" function ID
...
This patch adds support to receive function ID with NS world's
memory ranges to provide the memory snapshot to TLK.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 8 Jan 2018
|
2017-08-09 |
bl32: add secure interrupt handling in AArch32 sp_min
...
Add support for a minimal secure interrupt service in sp_min for
the AArch32 implementation. Hard code that only FIQs are handled.
Introduce bolean build directive SP_MIN_WITH_SECURE_FIQ to enable
FIQ handling from SP_MIN.
Configure SCR[FIQ] and SCR[FW] from generic code for both cold and
warm boots to handle FIQ in secure state from monitor.
Since SP_MIN architecture, FIQ are always trapped when system executes
in non secure state. Hence discard relay of the secure/non-secure
state in the FIQ handler.
Change-Id: I1f7d1dc7b21f6f90011b7f3fcd921e455592f5e7
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Etienne Carriere
committed
on 9 Aug 2017
|
2017-06-20 |
sp_min: Implement `sp_min_plat_runtime_setup()`
...
On ARM platforms before exiting from SP_MIN ensure that
the default console is switched to the runtime serial port.
Change-Id: I0ca0d42cc47e345d56179eac16aa3d6712767c9b
Signed-off-by: Dimitris Papastamos <dimitris.papastamos@arm.com>
Dimitris Papastamos
committed
on 20 Jun 2017
|
2017-05-04 |
Migrate secure payload dispatchers to new SMC terminology
...
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pd
A previous patch introduced a new define for yielding SMC call type.
This patch updates the secure payload dispatchers (except the TSPD) to
use this new define and also migrates the code to use the new
terminology.
Change-Id: I3d2437c04e3b21fdbd32019f55c066c87679a5bf
Signed-off-by: David Cunado <david.cunado@arm.com>
David Cunado
committed
on 4 May 2017
|
Merge pull request #925 from dp-arm/dp/spdx
...
Use SPDX license identifiers
davidcunado-arm
authored
on 4 May 2017
GitHub
committed
on 4 May 2017
|
2017-05-03 |
Use SPDX license identifiers
...
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
dp-arm
committed
on 3 May 2017
|
2017-05-02 |
Merge pull request #919 from davidcunado-arm/dc/smc_yielding_generic
...
Update terminology: standard SMC to yielding SMC
davidcunado-arm
authored
on 2 May 2017
GitHub
committed
on 2 May 2017
|
2017-04-29 |
Move defines in utils.h to utils_def.h to fix shared header compile issues
...
utils.h is included in various header files for the defines in it.
Some of the other header files only contain defines. This allows the
header files to be shared between host and target builds for shared defines.
Recently types.h has been included in utils.h as well as some function
prototypes.
Because of the inclusion of types.h conflicts exist building host tools
abd these header files now. To solve this problem,
move the defines to utils_def.h and have this included by utils.h and
change header files to only include utils_def.h and not pick up the new
types.h being introduced.
Fixes ARM-software/tf-issues#461
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Remove utils_def.h from utils.h
This patch removes utils_def.h from utils.h as it is not required.
And also makes a minor change to ensure Juno platform compiles.
Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
Scott Branden
committed
on 29 Apr 2017
|
2017-04-26 |
Update terminology: standard SMC to yielding SMC
...
Since Issue B (November 2016) of the SMC Calling Convention document
standard SMC calls are renamed to yielding SMC calls to help avoid
confusion with the standard service SMC range, which remains unchanged.
http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
This patch adds a new define for yielding SMC call type and deprecates
the current standard SMC call type. The tsp is migrated to use this new
terminology and, additionally, the documentation and code comments are
updated to use this new terminology.
Change-Id: I0d7cc0224667ee6c050af976745f18c55906a793
Signed-off-by: David Cunado <david.cunado@arm.com>
David Cunado
committed
on 26 Apr 2017
|
2017-01-26 |
Resolve build errors flagged by GCC 6.2
...
With GCC 6.2 compiler, more C undefined behaviour is being flagged as
warnings, which result in build errors in ARM TF build.
The specific issue that this patch resolves is the use of (1 << 31),
which is predominantly used in case statements, where 1 is represented
as a signed int. When shifted to msb the behaviour is undefined.
The resolution is to specify 1 as an unsigned int using a convenience
macro ULL(). A duplicate macro MAKE_ULL() is replaced.
Fixes ARM-software/tf-issues#438
Change-Id: I08e3053bbcf4c022ee2be33a75bd0056da4073e1
Signed-off-by: David Cunado <david.cunado@arm.com>
David Cunado
committed
on 26 Jan 2017
|
2016-12-23 |
Abort preempted TSP STD SMC after PSCI CPU suspend
...
Standard SMC requests that are handled in the secure-world by the Secure
Payload can be preempted by interrupts that must be handled in the
normal world. When the TSP is preempted the secure context is stored and
control is passed to the normal world to handle the non-secure
interrupt. Once completed the preempted secure context is restored. When
restoring the preempted context, the dispatcher assumes that the TSP
preempted context is still stored as the SECURE context by the context
management library.
However, PSCI power management operations causes synchronous entry into
TSP. This overwrites the preempted SECURE context in the context
management library. When restoring back the SECURE context, the Secure
Payload crashes because this context is not the preempted context
anymore.
This patch avoids corruption of the preempted SECURE context by aborting
any preempted SMC during PSCI power management calls. The
abort_std_smc_entry hook of the TSP is called when aborting the SMC
request.
It also exposes this feature as a FAST SMC callable from normal world to
abort preempted SMC with FID TSP_FID_ABORT.
Change-Id: I7a70347e9293f47d87b5de20484b4ffefb56b770
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Douglas Raillard
committed
on 23 Dec 2016
|
2016-12-20 |
Fix TSP_STD_FID macro
...
Enforce valid FID input in TSP_STD_FID and TSP_FAST_FID macros.
Also remove an undefined behavior by using unsigned literals.
Change-Id: Id37e908da861980a4eaa3a70b37a729f416ce272
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
Douglas Raillard
committed
on 20 Dec 2016
|
2016-09-21 |
AArch32: Support in SP_MIN to receive arguments from BL2
...
This patch adds support in SP_MIN to receive generic and
platform specific arguments from BL2.
The new signature is as following:
void sp_min_early_platform_setup(void *from_bl2,
void *plat_params_from_bl2);
ARM platforms have been modified to use this support.
Note: Platforms may break if using old signature.
Default value for RESET_TO_SP_MIN is changed to 0.
Change-Id: I008d4b09fd3803c7b6231587ebf02a047bdba8d0
Yatharth Kochar
committed
on 21 Sep 2016
|
2016-08-10 |
AArch32: add a minimal secure payload (SP_MIN)
...
This patch adds a minimal AArch32 secure payload SP_MIN. It relies on PSCI
library to initialize the normal world context. It runs in Monitor mode
and uses the runtime service framework to handle SMCs. It is added as
a BL32 component in the Trusted Firmware source tree.
Change-Id: Icc04fa6b242025a769c1f6c7022fde19459c43e9
Soby Mathew
committed
on 10 Aug 2016
|
2015-12-04 |
Enable use of FIQs and IRQs as TSP interrupts
...
On a GICv2 system, interrupts that should be handled in the secure world are
typically signalled as FIQs. On a GICv3 system, these interrupts are signalled
as IRQs instead. The mechanism for handling both types of interrupts is the same
in both cases. This patch enables the TSP to run on a GICv3 system by:
1. adding support for handling IRQs in the exception handling code.
2. removing use of "fiq" in the names of data structures, macros and functions.
The build option TSPD_ROUTE_IRQ_TO_EL3 is deprecated and is replaced with a
new build flag TSP_NS_INTR_ASYNC_PREEMPT. For compatibility reasons, if the
former build flag is defined, it will be used to define the value for the
new build flag. The documentation is also updated accordingly.
Change-Id: I1807d371f41c3656322dd259340a57649833065e
Soby Mathew
committed
on 4 Dec 2015
|
Unify interrupt return paths from TSP into the TSPD
...
The TSP is expected to pass control back to EL3 if it gets preempted due to
an interrupt while handling a Standard SMC in the following scenarios:
1. An FIQ preempts Standard SMC execution and that FIQ is not a TSP Secure
timer interrupt or is preempted by a higher priority interrupt by the time
the TSP acknowledges it. In this case, the TSP issues an SMC with the ID
as `TSP_EL3_FIQ`. Currently this case is never expected to happen as only
the TSP Secure Timer is expected to generate FIQ.
2. An IRQ preempts Standard SMC execution and in this case the TSP issues
an SMC with the ID as `TSP_PREEMPTED`.
In both the cases, the TSPD hands control back to the normal world and returns
returns an error code to the normal world to indicate that the standard SMC it
had issued has been preempted but not completed.
This patch unifies the handling of these two cases in the TSPD and ensures that
the TSP only uses TSP_PREEMPTED instead of separate SMC IDs. Also instead of 2
separate error codes, SMC_PREEMPTED and TSP_EL3_FIQ, only SMC_PREEMPTED is
returned as error code back to the normal world.
Background information: On a GICv3 system, when the secure world has affinity
routing enabled, in 2. an FIQ will preempt TSP execution instead of an IRQ. The
FIQ could be a result of a Group 0 or a Group 1 NS interrupt. In both case, the
TSPD passes control back to the normal world upon receipt of the TSP_PREEMPTED
SMC. A Group 0 interrupt will immediately preempt execution to EL3 where it
will be handled. This allows for unified interrupt handling in TSP for both
GICv3 and GICv2 systems.
Change-Id: I9895344db74b188021e3f6a694701ad272fb40d4
Soby Mathew
committed
on 4 Dec 2015
|
2015-09-30 |
Send power management events to the Trusted OS (TLK)
...
This patch adds PM handlers to TLKD for the system suspend/resume and
system poweroff/reset cases. TLK expects all SMCs through a single
handler, which then fork out into multiple handlers depending on the
SMC. We tap into the same single entrypoint by restoring the S-EL1
context before passing the PM event via register 'x0'. On completion
of the PM event, TLK sends a completion SMC and TLKD then moves on
with the PM process.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 30 Sep 2015
|
2015-04-13 |
Pass arguments/results between EL3/S-EL1 via CPU registers (x0-x7)
...
This patch removes the need for a shared buffer between the EL3 and S-EL1
levels. We now use the CPU registers, x0-x7, while passing data between
the two levels. Since TLK is a 32-bit Trusted OS, tlkd has to unpack the
arguments in the x0-x7 registers. TLK in turn gets these values via r0-r7.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
authored
on 2 Apr 2015
Dan Handley
committed
on 13 Apr 2015
|
2015-03-31 |
Open/Close TA sessions, send commands/events to TAs
...
This patch adds support to open/close secure sessions with Trusted
Apps and later send commands/events. Modify TLK_NUM_FID to indicate
the total number of FIDs available to the NS world.
Change-Id: I3f1153dfa5510bd44fc25f1fee85cae475b1abf1
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar
committed
on 31 Mar 2015
|