fix(ras): restrict RAS support for NS world

Current RAS framework in TF-A only supports handling errors originating
from NS world but the HANDLE_EA_EL3_FIRST flag configures it for all
lower Els. To make the current design of RAS explicit, rename this macro
to HANDLE_EA_EL3_FIRST_NS and set EA bit in scr_el3 only when
switching to NS world.

Note: I am unaware of any platform which traps errors originating in
Secure world to EL3, if there is any such platform then it need to
be explicitly implemented in TF-A

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: If58eb201d8fa792c16325c85c26056e9b409b750

Makefile

@@ -715,8 +715,8 @@ endif
 
 # For RAS_EXTENSION, require that EAs are handled in EL3 first
 ifeq ($(RAS_EXTENSION),1)
-    ifneq ($(HANDLE_EA_EL3_FIRST),1)
-        $(error For RAS_EXTENSION, HANDLE_EA_EL3_FIRST must also be 1)
+    ifneq ($(HANDLE_EA_EL3_FIRST_NS),1)
+        $(error For RAS_EXTENSION, HANDLE_EA_EL3_FIRST_NS must also be 1)
     endif
 endif
 
@@ -1033,7 +1033,7 @@ $(eval $(call assert_booleans,\
         FAULT_INJECTION_SUPPORT \
         GENERATE_COT \
         GICV2_G0_FOR_EL3 \
-        HANDLE_EA_EL3_FIRST \
+        HANDLE_EA_EL3_FIRST_NS \
         HW_ASSISTED_COHERENCY \
         INVERTED_MEMMAP \
         MEASURED_BOOT \
@@ -1172,7 +1172,7 @@ $(eval $(call add_defines,\
         ERROR_DEPRECATED \
         FAULT_INJECTION_SUPPORT \
         GICV2_G0_FOR_EL3 \
-        HANDLE_EA_EL3_FIRST \
+        HANDLE_EA_EL3_FIRST_NS \
         HW_ASSISTED_COHERENCY \
         LOG_LEVEL \
         MEASURED_BOOT \

common/aarch64/debug.S

@@ -168,7 +168,7 @@ func do_panic
 	mrs	x0, currentel
 	ubfx	x0, x0, #MODE_EL_SHIFT, #MODE_EL_WIDTH
 	cmp	x0, #MODE_EL3
-#if !HANDLE_EA_EL3_FIRST
+#if !HANDLE_EA_EL3_FIRST_NS
 	ldr	x0, [sp], #0x10
 	b.eq	el3_panic
 #else
@@ -184,7 +184,7 @@ func do_panic
 
 to_panic_common:
 	ldr	x0, [sp], #0x10
-#endif /* HANDLE_EA_EL3_FIRST */
+#endif /* HANDLE_EA_EL3_FIRST_NS */
 #endif /* CRASH_REPORTING */
 
 panic_common:

docs/components/ras.rst

@@ -6,10 +6,11 @@ Serviceability (RAS) extensions. RAS is a mandatory extension for Armv8.2 and
 later CPUs, and also an optional extension to the base Armv8.0 architecture.
 
 In conjunction with the |EHF|, support for RAS extension enables firmware-first
-paradigm for handling platform errors: exceptions resulting from errors are
-routed to and handled in EL3. Said errors are Synchronous External Abort (SEA),
-Asynchronous External Abort (signalled as SErrors), Fault Handling and Error
-Recovery interrupts.  The |EHF| document mentions various :ref:`error handling
+paradigm for handling platform errors: exceptions resulting from errors in
+Non-secure world are routed to and handled in EL3.
+Said errors are Synchronous External Abort (SEA), Asynchronous External Abort
+(signalled as SErrors), Fault Handling and Error Recovery interrupts.
+The |EHF| document mentions various :ref:`error handling
 use-cases <delegation-use-cases>` .
 
 For the description of Arm RAS extensions, Standard Error Records, and the
@@ -29,7 +30,7 @@ introduced by the RAS extensions.
 .. __: `Standard Error Record helpers`_
 
 The build option ``RAS_EXTENSION`` when set to ``1`` includes the RAS in run
-time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST`` must also
+time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST_NS`` must also
 be set ``1``. ``RAS_TRAP_NS_ERR_REC_ACCESS`` controls the access to the RAS
 error record registers from Non-secure.
 
@@ -198,8 +199,8 @@ related, build options:
 -  ``EL3_EXCEPTION_HANDLING=1`` enables handling of exceptions at EL3. See
    `Interaction with Exception Handling Framework`_;
 
--  ``HANDLE_EA_EL3_FIRST=1`` enables routing of External Aborts and SErrors to
-   EL3.
+-  ``HANDLE_EA_EL3_FIRST_NS=1`` enables routing of External Aborts and SErrors,
+   resulting from errors in NS world, to EL3.
 
 The RAS support in |TF-A| introduces a default implementation of
 ``plat_ea_handler``, the External Abort handler in EL3. When ``RAS_EXTENSION``

docs/getting_started/build-options.rst

@@ -569,10 +569,11 @@ Common build options
    EL1 for handling. The default value of this option is ``0``, which means the
    Group 0 interrupts are assumed to be handled by Secure EL1.
 
--  ``HANDLE_EA_EL3_FIRST``: When set to ``1``, External Aborts and SError
-   Interrupts will be always trapped in EL3 i.e. in BL31 at runtime. When set to
-   ``0`` (default), these exceptions will be trapped in the current exception
-   level (or in EL1 if the current exception level is EL0).
+-  ``HANDLE_EA_EL3_FIRST_NS``: When set to ``1``, External Aborts and SError
+   Interrupts, resulting from errors in NS world, will be always trapped in
+   EL3 i.e. in BL31 at runtime. When set to ``0`` (default), these exceptions
+   will be trapped in the current exception level (or in EL1 if the current
+   exception level is EL0).
 
 -  ``HW_ASSISTED_COHERENCY``: On most Arm systems to-date, platform-specific
    software operations are required for CPUs to enter and exit coherency.
@@ -725,7 +726,7 @@ Common build options
    or later CPUs. This flag can take the values 0 to 2, to align with the
    ``FEATURE_DETECTION`` mechanism.
 
-   When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST`` must also be
+   When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST_NS`` must also be
    set to ``1``.
 
    This option is disabled by default.

docs/plat/marvell/armada/build.rst

@@ -165,14 +165,14 @@ Globalscale MOCHAbin specific build options:
 
 Armada37x0 specific build options:
 
-- HANDLE_EA_EL3_FIRST
+- HANDLE_EA_EL3_FIRST_NS
 
-        When ``HANDLE_EA_EL3_FIRST=1``, External Aborts and SError Interrupts will be always trapped
-        in TF-A. TF-A in this case enables dirty hack / workaround for a bug found in U-Boot and
-        Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks SError interrupt
-        caused by AXI SLVERR on external access (syndrome 0xbf000002).
+        When ``HANDLE_EA_EL3_FIRST_NS=1``, External Aborts and SError Interrupts, resulting from errors
+        in NS world, will be always trapped in TF-A. TF-A in this case enables dirty hack / workaround for
+        a bug found in U-Boot and Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks
+        SError interrupt caused by AXI SLVERR on external access (syndrome 0xbf000002).
 
-        Otherwise when ``HANDLE_EA_EL3_FIRST=0``, these exceptions will be trapped in the current
+        Otherwise when ``HANDLE_EA_EL3_FIRST_NS=0``, these exceptions will be trapped in the current
         exception level (or in EL1 if the current exception level is EL0). So exceptions caused by
         U-Boot will be trapped in U-Boot, exceptions caused by Linux kernel (or user applications)
         will be trapped in Linux kernel.
@@ -185,8 +185,8 @@ Armada37x0 specific build options:
         recommended to not enable this workaround as it disallows propagating of all External Aborts
         to running Linux kernel and makes correctable errors as fatal aborts.
 
-        This option is now disabled by default. In past this option was enabled by default in
-        TF-A versions v2.2, v2.3, v2.4 and v2.5.
+        This option is now disabled by default. In past this option has different name "HANDLE_EA_EL3_FIRST" and
+        was enabled by default in TF-A versions v2.2, v2.3, v2.4 and v2.5.
 
 - CM3_SYSTEM_RESET
 

lib/el3_runtime/aarch64/context_mgmt.c

@@ -206,6 +206,11 @@ static void setup_ns_context(cpu_context_t *ctx, const struct entry_point_info *
 	/* Allow access to Allocation Tags when MTE is implemented. */
 	scr_el3 |= SCR_ATA_BIT;
 
+#if HANDLE_EA_EL3_FIRST_NS
+	/* SCR_EL3.EA: Route External Abort and SError Interrupt to EL3. */
+	scr_el3 |= SCR_EA_BIT;
+#endif
+
 #if RAS_TRAP_NS_ERR_REC_ACCESS
 	/*
 	 * SCR_EL3.TERR: Trap Error record accesses. Accesses to the RAS ERR
@@ -279,7 +284,7 @@ static void setup_context_common(cpu_context_t *ctx, const entry_point_info_t *e
 	 * Security state and entrypoint attributes of the next EL.
 	 */
 	scr_el3 = read_scr();
-	scr_el3 &= ~(SCR_NS_BIT | SCR_RW_BIT | SCR_FIQ_BIT | SCR_IRQ_BIT |
+	scr_el3 &= ~(SCR_NS_BIT | SCR_RW_BIT | SCR_EA_BIT | SCR_FIQ_BIT | SCR_IRQ_BIT |
 			SCR_ST_BIT | SCR_HCE_BIT | SCR_NSE_BIT);
 
 	/*
@@ -317,15 +322,6 @@ static void setup_context_common(cpu_context_t *ctx, const entry_point_info_t *e
 	scr_el3 |= SCR_TRNDR_BIT;
 #endif
 
-#if !HANDLE_EA_EL3_FIRST
-	/*
-	 * SCR_EL3.EA: Do not route External Abort and SError Interrupt External
-	 * to EL3 when executing at a lower EL. When executing at EL3, External
-	 * Aborts are taken to EL3.
-	 */
-	scr_el3 &= ~SCR_EA_BIT;
-#endif
-
 #if FAULT_INJECTION_SUPPORT
 	/* Enable fault injection from lower ELs */
 	scr_el3 |= SCR_FIEN_BIT;

make_helpers/defaults.mk

@@ -216,9 +216,9 @@ GENERATE_COT			:= 0
 # default, they are for Secure EL1.
 GICV2_G0_FOR_EL3		:= 0
 
-# Route External Aborts to EL3. Disabled by default; External Aborts are handled
+# Route NS External Aborts to EL3. Disabled by default; External Aborts are handled
 # by lower ELs.
-HANDLE_EA_EL3_FIRST		:= 0
+HANDLE_EA_EL3_FIRST_NS		:= 0
 
 # Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
 # The default value is sha256.

plat/arm/board/tc/platform.mk

@@ -21,7 +21,7 @@ SDEI_SUPPORT		:=	0
 
 EL3_EXCEPTION_HANDLING	:=	0
 
-HANDLE_EA_EL3_FIRST	:=	0
+HANDLE_EA_EL3_FIRST_NS	:=	0
 
 # System coherency is managed in hardware
 HW_ASSISTED_COHERENCY	:=	1

plat/arm/css/sgi/sgi-common.mk

@@ -14,7 +14,7 @@ SDEI_SUPPORT			:=	0
 
 EL3_EXCEPTION_HANDLING		:=	0
 
-HANDLE_EA_EL3_FIRST		:=	0
+HANDLE_EA_EL3_FIRST_NS		:=	0
 
 CSS_SGI_CHIP_COUNT		:=	1
 

plat/common/aarch64/plat_common.c

@@ -93,7 +93,7 @@ void plat_default_ea_handler(unsigned int ea_reason, uint64_t syndrome, void *co
 	ERROR("Unhandled External Abort received on 0x%lx from %s\n",
 		read_mpidr_el1(), get_el_str(level));
 	ERROR("exception reason=%u syndrome=0x%" PRIx64 "\n", ea_reason, syndrome);
-#if HANDLE_EA_EL3_FIRST
+#if HANDLE_EA_EL3_FIRST_NS
 	/* Skip backtrace for lower EL */
 	if (level != MODE_EL3) {
 		console_flush();

plat/marvell/armada/a3k/common/a3700_common.mk

@@ -62,7 +62,7 @@ BL31_SOURCES		+=	lib/cpus/aarch64/cortex_a53.S		\
 				$(PLAT_COMMON_BASE)/a3700_sip_svc.c	\
 				$(MARVELL_DRV)
 
-ifeq ($(HANDLE_EA_EL3_FIRST),1)
+ifeq ($(HANDLE_EA_EL3_FIRST_NS),1)
 BL31_SOURCES		+=	$(PLAT_COMMON_BASE)/a3700_ea.c
 endif
 

plat/marvell/armada/a3k/common/a3700_ea.c

@@ -18,7 +18,7 @@
 
 /*
  * This source file with custom plat_ea_handler function is compiled only when
- * building TF-A with compile option HANDLE_EA_EL3_FIRST=1
+ * building TF-A with compile option HANDLE_EA_EL3_FIRST_NS=1
  */
 void plat_ea_handler(unsigned int ea_reason, uint64_t syndrome, void *cookie,
 		void *handle, uint64_t flags)

plat/nvidia/tegra/soc/t194/platform_t194.mk

@@ -33,7 +33,7 @@ MAX_MMAP_REGIONS			:= 30
 $(eval $(call add_define,MAX_MMAP_REGIONS))
 
 # enable RAS handling
-HANDLE_EA_EL3_FIRST			:= 1
+HANDLE_EA_EL3_FIRST_NS			:= 1
 RAS_EXTENSION				:= 1
 
 # platform files

plat/renesas/common/common.mk

@@ -15,7 +15,7 @@ ENABLE_SVE_FOR_NS		:= 0
 MULTI_CONSOLE_API		:= 1
 
 CRASH_REPORTING			:= 1
-HANDLE_EA_EL3_FIRST		:= 1
+HANDLE_EA_EL3_FIRST_NS		:= 1
 
 # This option gets enabled automatically if the TRUSTED_BOARD_BOOT
 # is set via root Makefile, but Renesas support Trusted-Boot without

plat/ti/k3/common/plat_common.mk

@@ -27,7 +27,7 @@ ERRATA_A72_859971	:=	1
 ERRATA_A72_1319367	:=	1
 
 CRASH_REPORTING		:= 1
-HANDLE_EA_EL3_FIRST	:= 1
+HANDLE_EA_EL3_FIRST_NS	:= 1
 
 # Split out RO data into a non-executable section
 SEPARATE_CODE_AND_RODATA :=    1