Coverity: remove unnecessary header file includes ...

This patch removes unnecessary header file includes
discovered by Coverity HFA option.

Change-Id: I2827c37c1c24866c87db0e206e681900545925d4
Signed-off-by: Zelalem <zelalem.aweke@arm.com>

Merge "Use correct type when reading SCR register" into integration

Introduce COT build option ...

Allows to select the chain of trust to use when the Trusted Boot feature
is enabled. This affects both the cert_create tool and the firmware
itself.

Right now, the only available CoT is TBBR.

Change-Id: I7ab54e66508a1416cb3fcd3dfb0f055696763b3d
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Use correct type when reading SCR register ...

The Secure Configuration Register is 64-bits in AArch64 and 32-bits in
AArch32. Use u_register_t instead of unsigned int to reflect this.

Change-Id: I51b69467baba36bf0cfaec2595dc8837b1566934
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Revert "plat/arm: Add support for SEPARATE_NOBITS_REGION" ...

This reverts commit d433bbd.

Change-Id: I46c69dce704a1ce1b50452dd4d62425c4a67f7f0

plat/arm: Add support for SEPARATE_NOBITS_REGION ...

In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load
BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate
the build to require that ARM_BL31_IN_DRAM is enabled as well.

Naturally with SEPARATE_NOBITS_REGION enabled, the BL31 initialization code
cannot be reclaimed to be used for runtime data such as secondary cpu stacks.

Memory map for BL31 NOBITS region also has to be created.

Change-Id: Ibd480f82c1dc74e9cbb54eec07d7a8fecbf25433
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Merge "debugfs: add SMC channel" into integration

spm-mm: Refactor secure_partition.h and its contents ...

Before adding any new SPM-related components we should first do
some cleanup around the existing SPM-MM implementation. The aim
is to make sure that any SPM-MM components have names that clearly
indicate that they are MM-related. Otherwise, when adding new SPM
code, it could quickly become confusing as it would be unclear to
which component the code belongs.

The secure_partition.h header is a clear example of this, as the
name is generic so it could easily apply to any SPM-related code,
when it is in fact SPM-MM specific.

This patch renames the file and the two structures defined within
it, and then modifies any references in files that use the header.

Change-Id: I44bd95fab774c358178b3e81262a16da500fda26
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

spm: Remove SPM Alpha 1 prototype and support files ...

The Secure Partition Manager (SPM) prototype implementation is
being removed. This is preparatory work for putting in place a
dispatcher component that, in turn, enables partition managers
at S-EL2 / S-EL1.

This patch removes:

- The core service files (std_svc/spm)
- The Resource Descriptor headers (include/services)
- SPRT protocol support and service definitions
- SPCI protocol support and service definitions

Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>

Remove dependency between SPM_MM and ENABLE_SPM build flags ...

There are two different implementations of Secure Partition
management in TF-A. One is based on the "Management Mode" (MM)
design, the other is based on the Secure Partition Client Interface
(SPCI) specification. Currently there is a dependency between their
build flags that shouldn't exist, making further development
harder than it should be. This patch removes that
dependency, making the two flags function independently.

Before: ENABLE_SPM=1 is required for using either implementation.
        By default, the SPCI-based implementation is enabled and
        this is overridden if SPM_MM=1.

After: ENABLE_SPM=1 enables the SPCI-based implementation.
       SPM_MM=1 enables the MM-based implementation.
       The two build flags are mutually exclusive.

Note that the name of the ENABLE_SPM flag remains a bit
ambiguous - this will be improved in a subsequent patch. For this
patch the intention was to leave the name as-is so that it is
easier to track the changes that were made.

Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
Signed-off-by: Paul Beesley <paul.beesley@arm.com>

Merge changes from topic "bs/pmf32" into integration ...

* changes:
  pmf: Make the runtime instrumentation work on AArch32
  SiP: Don't validate entrypoint if state switch is impossible

TF-A: Fix BL2 bug in dynamic configuration initialisation ...

This patch fixes the bug in BL2 dynamic configuration initialisation
which prevents loading NT_FW_CONFIG image (ref. GENFW-3471).
It also adds parentheses around 'if' statement conditions to fix
Coverity defect.

Change-Id: I353566c29b84341887e13bf8098a4fedfc4e00ff
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

debugfs: add SMC channel ...

Provide an SMC interface to the 9p filesystem. This permits
accessing firmware drivers through a common interface, using
standardized read/write/control operations.

Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9314662314bb060f6bc02714476574da158b2a7d

Merge "arm: gicv3: Fix compiler dependent behavior" into integration

pmf: Make the runtime instrumentation work on AArch32 ...

Ported the pmf asm macros and the asm code in the bl31 entrypoint
necessary for the instrumentation to AArch32.

Since smc dispatch is handled by the bl32 payload on AArch32, we
provide this service only if AARCH32_SP=sp_min is set.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: Id33b7e9762ae86a4f4b40d7f1b37a90e5130c8ac

SiP: Don't validate entrypoint if state switch is impossible ...

Switching execution states is only possible if EL3 is AArch64.
As such there is no need to validate the entrypoint on AArch32 builds.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Change-Id: I3c1eb25b5df296a492870641d274bf65213c6608

arm: gicv3: Fix compiler dependent behavior ...

C99 standard: "What constitutes an access to an object that has
volatile-qualified type is implementation-defined".

GCC is not considering the cast to void of volatile structures as an
access and so is not actually issuing reads.

Clang does read those structures by copying them on the stack, which in
this case creates an overflow because of their large size.

This patch removes the cast to void and instead uses the USED attribute
to tell the compiler to retain the static variables.

Change-Id: I952b5056e3f6e91841e7ef9558434352710ab80d
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
	       Zelalem Aweke <zelalem.aweke@arm.com>

Use the proper size for tb_fw_cfg_dtb ...

Currently tb_fw_cfg_dtb size is fixed to max, which is generally a page
(but depend on the platform). Instead, read the actual size of the dtb
with the libfdt "fdt_totalsize" function.
This avoid flushing extra memory after updating the dtb with mbedtls
heap information when shared heap is used.

Change-Id: Ibec727661116429f486464a0c9f15e9760d7afe2
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Merge "plat/arm: Re-enable PIE when RESET_TO_BL31=1" into integration

plat/arm: Re-enable PIE when RESET_TO_BL31=1 ...

Earlier PIE support was enabled for all arm platforms when
RESET_TO_BL31=1, but later on it was restricted only to FVP with patch
SHA d4580d17 because of n1sdp platform.

Now it has been verified that PIE does work for n1sdp platform also, so
enabling it again for all arm platforms.

Change-Id: I05ad4f1775ef72e7cb578ec9245cde3fbce971a5
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

plat/arm/gicv3: add support for probing multiple GIC Redistributor frames ...

ARM platform can have a non-contiguous GICR frames. For instance, a
multi socket platform can have two or more GIC Redistributor frames
which are 4TB apart. Hence it is necessary for the `gicv3_rdistif_probe`
function to probe all the GICR frames available in the platform.

Introduce `plat_arm_override_gicr_frames` function which platforms can
use to override the default gicr_frames which holds the GICR base
address of the primary cpu.

Change-Id: I1f537b0d871a679cb256092944737f2e55ab866e
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>

plat/arm: use Aff3 bits also to validate mpidr ...

There are some platforms which uses MPIDR Affinity level 3 for storing
extra affinity information e.g. N1SDP uses it for keeping chip id in a
multichip setup, for such platforms MPIDR validation should not fail.

This patch adds Aff3 bits also as part of mpidr validation mask, for
platforms which does not uses Aff3 will not have any impact as these
bits will be all zeros.

Change-Id: Ia8273972fa7948fdb11708308d0239d2dc4dfa85
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>

Migrate ARM platforms to use the new GICv3 API ...

This patch invokes the new function gicv3_rdistif_probe() in the
ARM platform specific gicv3 driver. Since this API modifies the
shared GIC related data structure, it must be invoked coherently
by using the platform specific pwr_domain_on_finish_late hook.

Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>

Refactor ARMv8.3 Pointer Authentication support code ...

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
  of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
  which returns 128-bit value and uses Generic timer physical counter
  value to increase the randomness of the generated key.
  The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
  generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
  pauth_disable_el1()` and `pauth_disable_el3()` functions disable
  PAuth for EL1 and EL3 respectively;
  `pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
  cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
  `save_gp_registers()` and `pauth_context_save()`;
  `restore_gp_pauth_registers()` replaces `pauth_context_restore()`
  and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
  code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
  for 12 uint64_t PAuth registers instead of 10 by removal of macro
  CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
  and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
  in `msr	spsel`  instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

Switch AARCH32/AARCH64 to __aarch64__ ...

NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.

All common C compilers pre-define the same macros to signal which
architecture the code is being compiled for: __arm__ for AArch32 (or
earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
to define its own custom macros for this. In order to unify code with
the export headers (which use __aarch64__ to avoid another dependency),
let's deprecate the AARCH32 and AARCH64 macros and switch the code base
over to the pre-defined standard macro. (Since it is somewhat
unintuitive that __arm__ only means AArch32, let's standardize on only
using __aarch64__.)

Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
Signed-off-by: Julius Werner <jwerner@chromium.org>

arm: Shorten the Firmware Update (FWU) process ...

The watchdog is configured with a default value of 256 seconds in order
to implement the Trusted Board Boot Requirements.

For the FVP and Juno platforms, the FWU process relies on a watchdog
reset. In order to automate the test of FWU, the length of this process
needs to be as short as possible. Instead of waiting for those 4 minutes
to have a reset by the watchdog, tell it to reset immediately.

There are no side effects as the value of the watchdog's load register
resets to 0xFFFFFFFF.

Tested on Juno.

Change-Id: Ib1aea80ceddc18ff1e0813a5b98dd141ba8a3ff2
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

Remove MULTI_CONSOLE_API flag and references to it ...

The new API becomes the default one.

Change-Id: Ic1d602da3dff4f4ebbcc158b885295c902a24fec
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>

plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set ...

BL2U should not build when RESET_TO_SP_MIN flag is set, like BL1 and
BL2.

Change-Id: Iac516121f98611ca1f58d2b5efdec6525b06ce4e
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>

Merge changes from topic "sami/550_fix_n1sdp_issues_v1" into integration ...

* changes:
  N1SDP: Initialise CNTFRQ in Non Secure CNTBaseN
  N1SDP: Fix DRAM2 start address
  Add option for defining platform DRAM2 base
  Disable speculative loads only if SSBS is supported

N1SDP: Initialise CNTFRQ in Non Secure CNTBaseN ...

N1SDP exhibits the behavior similar to Juno wherein CNTBaseN.CNTFRQ
can be written but does not reflect the value of the CNTFRQ register
in CNTCTLBase frame. This doesn't follow ARM ARM in that the value
updated in CNTCTLBase.CNTFRQ is not reflected in CNTBaseN.CNTFRQ.

Hence enable the workaround (applied to Juno) for N1SDP that updates
the CNTFRQ register in the Non Secure CNTBaseN frame.

Change-Id: Id89ee1bca0f25c9d62f8f794f2c4f4e618cdf092
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>