Merge pull request #1558 from jenswi-linaro/qemu-update ...

Qemu updates

Add missing barriers to Bakery Locks ...

With the current implementation, it's possible for a contender to
observe accesses in the Critical Section before acquiring or releasing
the lock. Insert fencing in the locking and release codes to prevent any
reorder.

Fixes ARM-software/tf-issues#609

Change-Id: I773b82aa41dd544a2d3dbacb9a4b42c9eb767bbb
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

ARMv7: Alias dmbld() to dmb() ...

'dmb ld' is not a recognized instruction for ARMv7. Since generic code
may use 'dmb ld', alias it to 'dmb' when building for ARMv7.

Change-Id: I502f360cb6412897ca9580b725d9f79469a7612e
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

Merge pull request #1515 from bryanodonoghue/atf-master+linaro-warp7-squash-v4 ...

Atf master+linaro warp7 squash v4

Merge pull request #1554 from jts-arm/mbed ...

Mbed TLS shared heap

Merge pull request #1560 from vwadekar/denver-fixes-918 ...

Recent Denver CPU fixes from downstream

Merge pull request #1557 from sivadur/integration ...

Xilinx latest platform related changes

Merge pull request #1556 from jts-arm/docs ...

Fix broken links in documentation

cpus: denver: Implement static workaround for CVE-2018-3639 ...

For Denver CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to
disable the mitigation at runtime.

This approach permanently mitigates the EL3 software stack only. Other
software components are responsible to enable it for their exception
levels.

TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN3
and earlier:

*   By setting bit 11 (Disable speculative store buffering) of
    `ACTLR_EL3`

*   By setting bit 9 (Disable speculative memory disambiguation) of
    `ACTLR_EL3`

TF-A implements this approach for the Denver CPUs with DENVER_MIDR_PN4
and later:

*   By setting bit 18 (Disable speculative store buffering) of
    `ACTLR_EL3`

*   By setting bit 17 (Disable speculative memory disambiguation) of
    `ACTLR_EL3`

Change-Id: If1de96605ce3f7b0aff5fab2c828e5aecb687555
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

cpus: denver: reset power state to 'C1' on boot ...

Denver CPUs expect the power state field to be reset to 'C1'
during boot. This patch updates the reset handler to reset the
ACTLR_.PMSTATE field to 'C1' state during CPU boot.

Change-Id: I7cb629627a4dd1a30ec5cbb3a5e90055244fe30c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

denver: use plat_my_core_pos() to get core position ...

The current functions to disable and enable Dynamic Code Optimizer
(DCO) assume that all denver cores are in the same cluster. They
ignore AFF1 field of the mpidr_el1 register, which leads to
incorect logical core id calculation.

This patch calls the platform handler, plat_my_core_pos(), to get
the logical core id to disable/enable DCO for the core.

Original change by: Krishna Sitaraman <ksitaraman@nvidia.com>

Change-Id: I45fbd1f1eb032cc1db677a4fdecc554548b4a830
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

maintainers: Add entries for imx7/WaARP7 and associated shared code ...

This patch adds me to various maintainer activities in the ATF tree
associated with the NXP i.MX7 generally and WaARP7 in particular.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

docs: warp7: Add description for the i.MX7 WaRP7 platform ...

This patch describes the boot-flow and building of the WaRP7 TF-A port.
What it describes is booting and unsigned TF-A.

A very brief section has been added on signing BL2 which is in no-way
comprehensive. For a comprehensive description of the signing process try
the Boundary Devices blog on the matter.

https://boundarydevices.com/high-assurance-boot-hab-dummies/

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

plat: qemu: update the early platform setup API ...

Replaces deprecated early platform setup APIs

* Replaces bl31_early_platform_setup() with bl31_early_platform_setup2()
* Replaces bl2_early_platform_setup() with bl2_early_platform_setup2()

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

warp7: Add warp7 platform to the build ...

Previous changes in this series made the necessary driver additions and
updates. With those changes in-place we can add the platform.mk and
bl2_el3_setup.c to drive the boot process.

After this commit its possible to build a fully-functional TF-A for the
WaRP7 and boot from the BootROM to the Linux command prompt in secure or
non-secure mode.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: panic: hab: Call into BootROM failsafe on panic path ...

This patch adds a callback into the BootROM's provided High Assurance Boot
(HAB) failsafe function when panicking i.e. the call is done without making
use of stack.

The HAB failsafe function allows a piece of software to call into the
BootROM and place the processor into failsafe mode.

Failsafe mode is a special mode which presents a serial download protocol
interface over UART or USB at the time of writing.

If the board has been set into secure mode, then only a signed binary can
be used to recover the board.

Thus failsafe gives a putatively secure method of performing a secure
recovery over UART or USB.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

warp7: mem_params_desc: Add boot entries to mem params array ...

This patch adds entries to the mem params array for

- BL32
- BL32_EXTRA1
- BL32_EXTRA2
- BL33
- HW_CONFIG_ID

BL32 is marked as bootable to indicate that OPTEE is the thing that should
be booted next.

In our model OPTEE chain-loads onto u-boot so only BL32 is bootable.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: io_storage: Add initial stub warp7_io_storage.c ...

This commit adds support for parsing a FIP pre-loaded by a previous
boot-phase such as u-boot or via ATF reading directly from eMMC.

[bod: squashing several patches from Rui, Jun and bod]

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: Define a platform_def.h ...

This patch defines a platform_def.h describing

- FIP layout and location
- eMMC device select
- UART identity select
- System clock frequency
- Operational memory map

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: mem_params_desc: Add a file which exports a REGISTER_BL_IMAGE_DESCS ...

In order to link even a basic image we need to declare
REGISTER_BL_IMAGE_DESCS. This patch declares an empty structure which is
passed to REGISTER_BL_IMAGE_DESCS(). Later patches will add in some
meaningful data.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: Add a warp7_private.h file ...

Internal declarations for the WaRP7 port will go here. For now just include
sys/types.h.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: image_load: Add warp7_image_load.c ...

This commit adds warp7_image_load.c with the functions

- plat_flush_next_bl_params()
- plat_get_bl_image_load_info()
- plat_get_next_bl_params()

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

warp7: Add initial warp7_helpers.S ...

This commit adds a warp7_helpers.S which contains a implementation of:

- platform_mem_init
- plat_get_my_entrypoint
- plat_crash_console_init
- plat_crash_console_putc

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

imx: imx_wdog: Add code to initialize the wdog block ...

The watchdog block on the IMX is mercifully simple. This patch maps the
various registers and bits associated with the block.

We are mostly only really interested in the power-down-enable (PDE) bits in
the block for the purposes of ATF.

The i.MX7 Solo Applications Processor Reference Manual details the PDE bit
as follows:

"Power Down Enable bit. Reset value of this bit is 1, which means the power
down counter inside the WDOG is enabled after reset. The software must
write 0 to this bit to disable the counter within 16 seconds of reset
de-assertion. Once disabled this counter cannot be enabled again. See
Power-down counter event for operation of this counter."

This patch does that zero write in-lieu of later phases in the boot
no-longer have the necessary permissions to rewrite the PDE bit directly.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

imx: imx_caam: Add code to initialize the CAAM job-rings to NS-world ...

This patch defines the most basic part of the CAAM and the only piece of
the CAAM silicon we are really interested in, in ATF, the CAAM control
structure.

The CAAM itself is a huge address space of some 32k, way out of scope for
the purpose we have in ATF.

This patch adds a simple CAAM init function that assigns ownership of the
CAAM job-rings to the non-secure MID with the ownership bit set to
non-secure.

This will allow later logic in the boot process such as OPTEE, u-boot and
Linux to assign job-rings as appropriate, restricting if necessary but
leaving open the main functionality of the CAAM to the Linux NS runtime.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>

qemu: make LOAD_IMAGE_V2=1 mandatory ...

The QEMU platform has only been used with LOAD_IMAGE_V2=1 for some time
now and bit rot has occurred for LOAD_IMAGE_V2=0. To ease the
maintenance make LOAD_IMAGE_V2=1 mandatory and remove the platform
specific code for LOAD_IMAGE_V2=0.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

zynqmp: Define and enable ARM_XLAT_TABLES_LIB_V1 ...

Enable ARM_XLAT_TABLES_LIB_V1 as ZynqMP is using
v1 library of translation tables.

With upstream patch d323af9,
the usage of MAP_REGION_FLAT is referring to definition in file
include/lib/xlat_tables/xlat_tables_v2.h but while preparing
xlat tables in lib/xlat_tables/xlat_tables_common.c it is referring
to include/lib/xlat_tables/xlat_tables.h which is v1 xlat tables.
Also, ZynqMP was using v1 so defined ARM_XLAT_TABLES_LIB_V1 to
use v1 xlat tables everywhere.
This fixes the issue of xlat tables failures as it takes v2
library mmap_region structure in some files and v1 in other
files.

Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>

imx: imx_hab: Define a HAB header file ...

The High Assurance Boot or HAB is an on-chip method of providing a
root-of-trust from the reset vector to subsequent stages in the bootup
flow of the Cortex-A7 on the i.MX series of processors.

This patch adds a simple header file with pointer offsets of the provided
set of HAH API callbacks in the BootROM.

The relative offset of the function pointers is a constant and known
quantum, a software-contract between NXP and an implementation which is
defined in the NXP HAB documentation.

All we need is the correct base offset and then we can map the set of
function pointers relative to that offset.

imx_hab_arch.h provides the correct offset and the imx_hab.h hooks the
offset to the pre-determined callbacks.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

imx7: hab_arch: Provide a hab_arch.h file ...

In order to enable compile time differences in HAB interaction, we should
split out the definition of the base address of the HAB API.

Some version of the i.MX series have different offsets from the BootROM
base for the HAB callback table.

This patch defines the header into which we will define the i.MX7 specific
offset. The offset of the i.MX7 function-callback table is simultaneously
defined.

Once done, we can latch a set of common function pointer locations from the
offset given here and if necessary change the offset for different
processors without any other code-change.

For now all we support is i.MX7 so the only offset being defined is that
for the i.MX7.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Ryan Harkin <ryan.harkin@linaro.org>

imx: imx_snvs: Add an SNVS core functionality ...

This patch adds snvs.c with a imx_snvs_init() function.

imx_snvs_init() sets up permissions of the RTC via the SNVS HPCOMR.

During previous work with OPTEE on the i.MX7 part we discovered that prior
to switching from secure-world to normal-world it is required to apply more
permissive permissions than are defaulted to in order for Linux to be able
to access the RTC and CAAM functionality in general.

This patch pertains to fixing the RTC permissions by way of the
HPCOMR.NPSWA_EN bit.

Once set non-privileged code aka Linux-kernel code has permissions to
access the SNVS where the RTC resides.

Perform that permissions fix in imx_snvs_init() now, with a later patch making
the call from our platform setup code.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>