The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
This function doesn't return and its callers that don't return either
rely on this. Drop the dead attribute and add a panic() after it to make
this expectation explicit. Calling `wfi` in the powerdown sequence is
terminal so even if the function was made to return, there would be no
functional change.
This is useful for a following patch that makes psci_power_down_wfi()
return.
Change-Id: I62ca1ee058b1eaeb046966c795081e01bf45a2eb
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
The workarounds introduced in the three patches starting at
888eafa00b assumed that any powerdown
request will be (forced to be) terminal. This assumption can no longer
be the case for new CPUs so there is a need to revisit these older
cores. Since we may wake up, we now need to respect the workaround's
recommendation that the workaround needs to be reverted on wakeup. So do
exactly that.
Introduce a new helper to toggle bits in assembly. This allows us to
call the workaround twice, with the first call setting the workaround
and second undoing it. This is also used for gelas' an travis' powerdown
routines. This is so the same function can be called again
Also fix the condition in the cpu helper macro as it was subtly wrong
Change-Id: Iff9e5251dc9d8670d085d88c070f78991955e7c3
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Introduce a new helper to toggle bits in assembly. This allows us to
call the workaround twice, with the first call setting the workaround
and second undoing it. This allows the (errata) workaround functions to
be used to both apply and undo the mitigation.
This is applied to functions where the undo part will be required in
follow-up patches.
Change-Id: I058bad58f5949b2d5fe058101410e33b6be1b8ba
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Enable the compiler's stack protector for detecting stack overflow
issues.
Though TC platform can generate RNG from RSE via MHU channel, the
stack protector canary is used prior to MHU channel initialization.
Thus, currently here simply returns a value of the combination of a
timer's value and a compile-time constant.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I68fcc7782637b2b6b4dbbc81bc15df8c5ce0040b
This patch implements SMCCC_ARCH_WORKAROUND_4 and
allows discovery through SMCCC_ARCH_FEATURES.
This mechanism is enabled if CVE_2024_7881 [1] is enabled
by the platform. If CVE_2024_7881 mitigation
is implemented, the discovery call returns 0,
if not -1 (SMC_ARCH_CALL_NOT_SUPPORTED).
For more information about SMCCC_ARCH_WORKAROUND_4 [2], please
refer to the SMCCC Specification reference provided below.
[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881
[2]: https://developer.arm.com/documentation/den0028/latest
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I1b1ffaa1f806f07472fd79d5525f81764d99bc79
This patch adds new cpu ops function extra4 and a new macro
for CVE-2024-7881 [1]. This new macro declare_cpu_ops_wa_4 allows
support for new CVE check function.
[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I417389f040c6ead7f96f9b720d29061833f43d37
We have one entry per CPU features but most of the time we just add
CPU feature and its not touched again, so considering to generalize
anything with FEAT_XXXX additions to use `cpufeat` as subsection scope.
Also, some time we don't add a scope for CPU feature this causes problem
while generating release notes as CPU feature additions ends up in wrong
section.
Change-Id: Ibc80f6cdab9ae10ec3af1485640f46771b382da0
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
1. Turn on APU SMPU protection on MT8196.
2. Remove unused header file.
Change-Id: I58637b8dda4bf68253bc2329580963a8bd9cca8b
Signed-off-by: Karl Li <karl.li@mediatek.com>
Implement stub functions for the MMinfra (Multimedia Infrastructure)
driver to ensure that the build can pass when a prebuilt library is
not available.
Change-Id: Iadac654950c868d3743b13a1d6f7ab5d1015fb86
Signed-off-by: Yong Wu <yong.wu@mediatek.com>
The commit 427e46ddea ("fix(xilinx): fix sending sgi to linux")
removed code which called write_icc_asgi1r_el1() but function itself
wasn't removed.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Change-Id: I95a1424b0546f3f4a5e4611de34441b96e70b7d3
When the SPD_spmd configuration is disabled, the compiler complaints:
plat/arm/board/tc/tc_bl2_dpe.c:234:22: error: unused variable 'array_size' [-Werror=unused-variable]
234 | const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
| ^~~~~~~~~~
plat/arm/board/tc/tc_bl2_dpe.c:233:16: error: unused variable 'i' [-Werror=unused-variable]
233 | size_t i;
| ^
cc1: all warnings being treated as errors
Move variable declarations into the code chunk protected by the SPD_spmd
configuration.
Change-Id: I1a3889938e2d4ec5efec516e9ef54034f9d711b2
Signed-off-by: Leo Yan <leo.yan@arm.com>
* changes:
feat(mt8196): add vcore dvfs drivers
feat(mt8196): add LPM v2 support
feat(mt8196): add SPM common version support
feat(mt8196): add SPM common driver support
feat(mt8196): add SPM basic features support
feat(mt8196): add SPM features support
feat(mt8196): enable PMIC low power setting
feat(mt8196): add mcdi driver
feat(mt8196): add pwr_ctrl module for CPU power management
feat(mt8196): add mcusys moudles for power management
feat(mt8196): add CPC module for power management
feat(mt8196): add topology module for power management
feat(mt8196): add SPMI driver
feat(mt8196): add PMIC driver
DCM means dynamic clock management, and it can dynamically slow down
or gate clocks during CPU or bus idle.
Add MCUSYS or bus related DCM drivers.
Enable MCUSYS or bus related DCM by default.
Signed-off-by: Guangjie Song <guangjie.song@mediatek.com>
Change-Id: I40fc21f5808962ca46870a2f3b9963dc8088f877
Distros (e.g. Buildroot and Android) can have different secure partition
layout.
This commit iterates the DPE metadata table and finds index (i) for the
first entry of the secure partition, connecting with the defined secure
partition number NUM_SP, so the last secure partition index is:
i + NUM_SP - 1
Instead of setting the certificate in hard code, dynamically enables the
certificate for the last secure partition base on calculated index.
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9
The previous code used 64-bit registers as the target and source for
load and store operations on 32-bit hardware registers. In certain
cases (e.g., when using USART1 as the debug console), this could result
in deadlocks where the A35 gets stuck in a permanent loop due to test
conditions that are never fulfilled.
To resolve this issue, 32-bit registers are now used for these
operations.
Change-Id: Id2c03a1df26738fe815079da042cc2dd989f4f8e
Signed-off-by: Boerge Struempfel <boerge.struempfel@gmail.com>
This is an experimental change which (hopefully) enables Dependabot on
the LTS branches, and ensures that PRs touching the package management
files in the repository assign the proper developer(s) as reviewers.
Change-Id: Iefa2f46325514026969fabd08e550544dcb4a598
Signed-off-by: Chris Kay <chris.kay@arm.com>
Corrected the comment for the size of NRD_CSS_DRAM1_CARVEOUT_SIZE
(0x0C000000) from 117MB to 192MB
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I289d37f50e70b936f717d4579d73882fac28ee95
