MPMM is a core-specific microarchitectural feature. It has been present
in every Arm core since the Cortex-A510 and has been implemented in
exactly the same way. Despite that, it is enabled more like an
architectural feature with a top level enable flag. This utilised the
identical implementation.
This duality has left MPMM in an awkward place, where its enablement
should be generic, like an architectural feature, but since it is not,
it should also be core-specific if it ever changes. One choice to do
this has been through the device tree.
This has worked just fine so far, however, recent implementations expose
a weakness in that this is rather slow - the device tree has to be read,
there's a long call stack of functions with many branches, and system
registers are read. In the hot path of PSCI CPU powerdown, this has a
significant and measurable impact. Besides it being a rather large
amount of code that is difficult to understand.
Since MPMM is a microarchitectural feature, its correct placement is in
the reset function. The essence of the current enablement is to write
CPUPPMCR_EL3.MPMM_EN if CPUPPMCR_EL3.MPMMPINCTL == 0. Replacing the C
enablement with an assembly macro in each CPU's reset function achieves
the same effect with just a single close branch and a grand total of 6
instructions (versus the old 2 branches and 32 instructions).
Having done this, the device tree entry becomes redundant. Should a core
that doesn't support MPMM arise, this can cleanly be handled in the
reset function. As such, the whole ENABLE_MPMM_FCONF and platform hooks
mechanisms become obsolete and are removed.
Change-Id: I1d0475b21a1625bb3519f513ba109284f973ffdf
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
The rse_comms_init() function will be removed. The new function to use
is rse_mbx_init() for the MHU mailbox initialization.
Change-Id: I1932500ef71b6e895f0ee164ee9c2b58becf4409
Signed-off-by: Yann Gautier <yann.gautier@st.com>
The same way it is done for neoverse_rd, create a plat_rse_comms_init()
function to call rse_comms_init().
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I12f3b8a38a5369decb4b97f8aceeb0dc81cbea28
In order to support a platform without MHU in RSE, update the flag
PLAT_MHU_VERSION. It is renamed PLAT_MHU and can take the following
entries: NO_MHU, MHUv1, MHUv2, MHUv3...
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ia72e590088ce62ba8c9009f341b6135926947bee
* changes:
fix(cpus): clear CPUPWRCTLR_EL1.CORE_PWRDN_EN_BIT on reset
chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`
chore(psci): drop skip_wfi variable
feat(arm): convert arm platforms to expect a wakeup
fix(cpus): avoid SME related loss of context on powerdown
feat(psci): allow cores to wake up from powerdown
refactor: panic after calling psci_power_down_wfi()
refactor(cpus): undo errata mitigations
feat(cpus): add sysreg_bit_toggle
* changes:
feat(tc): get entropy with PSA Crypto API
feat(psa): add interface with RSE for retrieving entropy
fix(psa): guard Crypto APIs with CRYPTO_SUPPORT
feat(tc): enable trng
feat(tc): initialize the RSE communication in earlier phase
The PSA Crypto API is available with sending messages to RSE. Change
to invoke PSA Crypto API for getting entropy.
Change-Id: I4b2dc4eb99606c2425b64949d9c3f5c576883758
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Enable the trng on the platform, which can be used by other features.
`rng-seed` has been removed and enabled `FEAT_RNG_TRAP` to trap to EL3
when accessing system registers RNDR and RNDRRS
Change-Id: Ibde39115f285e67d31b14863c75beaf37493deca
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Move the RSE MHU channel initialization to the platform setup phase,
this allows the services (e.g. TRNG service) to talk to RSE during the
service init function.
Change-Id: Id0ff6e49117008463f11b2dc3c585daca00f609c
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.
On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4
The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Enable the compiler's stack protector for detecting stack overflow
issues.
Though TC platform can generate RNG from RSE via MHU channel, the
stack protector canary is used prior to MHU channel initialization.
Thus, currently here simply returns a value of the combination of a
timer's value and a compile-time constant.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I68fcc7782637b2b6b4dbbc81bc15df8c5ce0040b
When the SPD_spmd configuration is disabled, the compiler complaints:
plat/arm/board/tc/tc_bl2_dpe.c:234:22: error: unused variable 'array_size' [-Werror=unused-variable]
234 | const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
| ^~~~~~~~~~
plat/arm/board/tc/tc_bl2_dpe.c:233:16: error: unused variable 'i' [-Werror=unused-variable]
233 | size_t i;
| ^
cc1: all warnings being treated as errors
Move variable declarations into the code chunk protected by the SPD_spmd
configuration.
Change-Id: I1a3889938e2d4ec5efec516e9ef54034f9d711b2
Signed-off-by: Leo Yan <leo.yan@arm.com>
Distros (e.g. Buildroot and Android) can have different secure partition
layout.
This commit iterates the DPE metadata table and finds index (i) for the
first entry of the secure partition, connecting with the defined secure
partition number NUM_SP, so the last secure partition index is:
i + NUM_SP - 1
Instead of setting the certificate in hard code, dynamically enables the
certificate for the last secure partition base on calculated index.
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9
EXTLLC bit in CPUECTLR_EL1(for non-gelas cpus) and in CPUECTLR2_EL1
register for gelas cpu enables external Last-level cache in the system,
External LLC is present on TC4 systems in MCN but it is not enabled in
CPU registers so enable it.
On TC4, Gelas vs Non-Gelas CPUs have different bits to enable EXTLLC
so take care of that as well.
Change-Id: Ic6a74b4af110a3c34d19131676e51901ea2bf6e3
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
Rename TC_FPGA_ANDROID_IMG_IN_RAM to TC_FPGA_FS_IMG_IN_RAM
to use it for debian loading to ram as well.
Change-Id: I70b68b06501d17dcebbe78bee8fec0a701106c92
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
TC4 FPGA have a UART clock of 4000000 so modify the value
of TC_UARTCLK for TC4.
Change-Id: I8de84d58bce8b7277bf356136a5185c008ab4c28
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
Set console baurate to 38400 for fvp as well for code
simplicity.
Change-Id: I58ba6b7043541f6eb67e32257307da4eba0bb28a
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
remove redundant macro UARTCLK_FREQ and replace it with TC_UARTCLK
in dts.
Change-Id: Id463a9ddc1588278e552ffca3dfb738676229ce7
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
MCN PMU counters are by default non-accesible from non-secure world,
so enable the non-secure access to those PMU counters so that linux
perf driver can read them.
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I1cf1f88f97e9062592fd5603a78fd36f15a15f89
Define MCN related macros for TC4 to add TC4 specific MCN PMU
nodes in dts and to enable MCN PMU NS access in further commits.
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: Ifc02fcd833888a9953fac404585468316aa0168c
The failure was caused by missing a variable definition, `status`
in the RSE initialisation patch.
Change-Id: I937a39e20fae39f3a6d14fe66af578c166545301
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
The rse_platform_api.h file includes certain MbedTLS headers,
introducing an unnecessary dependency when building the TC
platform with RSE support unconditionally.
However, these headers are not required, as the BL31
implementation only initializes RSE communication,
which does not rely on MbedTLS.
Change-Id: If45122aaf158be128f8978422fd870dbb0a0d090
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
TC platform was missing this region's mapping in its plat_arm_mmap
structure causing a data abort when trying to access it.
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I0a6322685f1ee017b0f0cfa795abac0524c13287
Initialize MHU channels between TF-A and RSE, this is a preparation
for later sending messages to RSE.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I66095cafcc1d48249cf957a49dc1dad3059a0010
Enable DSU PMU EL1 access for TC4 to use DSU PMU using perf
in Linux.
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I5492bab5c95d60ffaaede4606d8d75c00f988eb6
Change the name of these confs to be version agnostic,
we will later use these configs to enforce the mbedtls
minimum version
Change-Id: I1f665c2471877ecc833270c511749ff845046f10
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
The component-aware simple encoder has become outdated with the latest
upstream DRM subsystem changes since Linux kernel commit 4cfe5cc02e3f
("drm/arm/komeda: Remove component framework and add a simple encoder")
To address this we introduce a new compilation flag
`TC_DPU_USE_SIMPLE_PANEL` for control panel vs. encoder enablement.
This flag is set when the kernel version is >= 6.6 and 0 when the kernel
version is < 6.6.
We also rename the `vencoder_in` node to `lcd_in` to avoid unnecessary
conditional code for vencoder vs. simple panel enablement.
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: Ibb14a56911cfb406b2181a22cc40db58d8ceaa8d
This patch enable support for loading FIP image into DRAM rather than
flash drive.
Change-Id: I00d2de7b22e315db7f3e8a835ddd414ab297b554
Signed-off-by: Vishnu Satheesh <vishnu.satheesh@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
It requires at least 140 KB to support SCP BL2 optimization 0.
Increase the size to 192 KB (0x30000) considering space for growth.
Signed-off-by: Tintu Thomas <tintu.thomas@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: Ib416c89226475d44746a7561dd949a14349c3e4b
Previously we only enabled 8GB unless we were loading the filesystem
from RAM.
Change-Id: Iae60ef460b8cf70f28e62a79db32405daf029e8a
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Following recent commit [1], update the Makefile to mark
the TC2 platform as deprecated and trigger a build failure
if someone attempts to build the TC0 or TC1 platform.
[1]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/31702
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ib6ed4933328e35209443ceec59f1e2056881f927
Recent change [1], caused failure in the TC2 run and this
change meant to be for TC3 and TC4.
[1]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/31424
Change-Id: Ibfd604a842815bcf6d413dcba2c440df81dbb486
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Move the flash address to its own devicetree node in
tc_spmc_manifest.dtsi. This patch also changes the device-type to
ns-device-memory which is the correct type for a flash device.
Change-Id: I19503ac35c433661faaaa01c0b83a16540d73810
Co-developed-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Davidson K <davidson.kumaresan@arm.com>
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
CBOR encoding in the platform test requires
a slightly bigger stack, so increase it with 0x100 bytes.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I1b151aa29b3ccfcefa733d189d7aab88653cef1f
The delegated attestation service was updated to be
aligned with RMM spec 1.0-rel0-rc2 version. The test
suite uses the QCBOR library to encode the public key
to be a CBOR serialized COSE_Key object.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ib9e1d80f7b4bca8783ae1f7cf4567725c2aa8538
With the updated firmware update implementation in the Trusted Services,
it is no longer needed to carve out static memory. Memory will be
allocated dynamically in U-Boot and shared with the firmware update
secure partition of Trusted Services.
Change-Id: I0fb128a458773236ee10526edfa1116b229e4d6e
Signed-off-by: Davidson K <davidson.kumaresan@arm.com>
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
The non-secure (NS) timer in TC is AP_GTCLK_NS_CNTBase1. This commit
corrects the NS frame ID from its original value of 0 to U(1),
ensuring that the correct CNTACR register bits are written.
This change enables access to the counter registers.
Change-Id: I287ab9c373a60741f78d44a67f546326916473ea
Signed-off-by: Sandeep Chiluvuru <sandeep.chiluvuru@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
The default mbedTLS configuration enables hash algorithms based on
the HASH_ALG or MBOOT_EL_HASH_ALG selected. However, the Arm ROTPK
is always embedded as a SHA256 hash in BL1 and BL2. In the future,
we may need to adjust this to use the HASH_ALG algorithm for
embedding the ROTPK hash.
As a temporary workaround, a separate mbedTLS configuration has
been created for Arm platforms to explicitly set SHA256 defines,
rather than relying on the default configuration. This adjustment
is reflected in the mbedTLS configuration file for the TC platform
as well as in the PSA Crypto configuration file.
Change-Id: Ib3128ce7b0fb5c0858624ecbc998d456968beddf
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Set the Make flags for TF-A to be able to enable SME and SME2 features.
Note that we enable these architectural features for both the secure and
non-secure worlds, which is required on TC4.
In the case of the non-secure world, we specify a value of 2 for the
flag which specifies that TF-A should check the feature register to
ensure that the feature is present before enabling it. This allows these
flags to be compatible with all platforms and stops TF-A doing anything
different if it does not detect that the feature is present.
Change-Id: I51f8c7e3eb1cf06767f4b155c93269e1f129f730
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Add new include (specific to TC4) to the TC platform file which
specifies the system generic timer base address and is used by the TF-a
for use as system counters.
Note that this include must come before arm_def.h. This is required
as it checks if ARM_SYS_CNTCTL macros are defined before defining
its own macros.
Change-Id: I56861e5737271b29f09c75d962533be620766b52
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Add basic support for TARGET_VERSION=4. It extends the existing 'if'
statements in the Makefile and the header to allow them to take the
value of 4 and also specifies the SCMI platform info to use for TC4.
Change-Id: I8d8257671314277a133e88ef65fae8fada93d00e
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
