As of now, GPT setup is being handled from BL2 for plat/arm platforms.
However, for platforms having a separate entity to load firmware images,
it is possible for BL31 to setup the GPT. In order to address this
concern, move the GPT setup implementation from arm_bl2_setup.c file to
arm_common.c. Additionally, rename the API from arm_bl2_gpt_setup to
arm_gpt_setup to make it boot stage agnostic.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I35d17a179c8746945c69db37fd23d763a7774ddc
For RME-enabled platforms, initializing L0 and L1 tables and enabling
GPC checks is necessary. For systems using BL2 to load firmware images,
the GPT initialization has to be done in BL2 prior to the image load.
The common Arm platform code currently implements this in the
"arm_bl2_plat_gpt_setup" function, relying on the FVP platform's
specifications (PAS definitions, GPCCR_PPS, and GPCCR_PGS).
Different Arm platforms may have distinct PAS definitions, GPCCR_PPS,
GPCCR_PGS, L0/L1 base, and size. To accommodate these variations,
introduce the "plat_arm_get_gpt_info" API. Platforms must implement
this API to provide the necessary data for GPT setup on RME-enabled
platforms. It is essential to note that these additions are relevant to
platforms under the plat/arm hierarchy that will reuse the
"arm_bl2_plat_gpt_setup" function.
As a result of these new additions, migrate data related to the FVP
platform to its source and header files.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I4f4c8894c1cda0adc1f83e7439eb372e923f6147
In accordance with common naming conventions, macros specifying the base
address of a region typically use the prefix "BASE" combined with the
region name, rather than "ADDR_BASE."
Currently, the macros defining the base addresses for L0 and L1 GPT
tables within `arm_def.h` are named "ARM_L0_GPT_ADDR_BASE" and
"ARM_L1_GPT_ADDR_BASE" respectively. To adhere to the established naming
convention, rename these macros as "ARM_L1_GPT_BASE" and
"ARM_L0_GPT_BASE" respectively.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: Ibd50a58a1f63ba97d2df141f41a21a89ef97d6fb
The file arm_def.h currently contains common definitions used by ARM
platforms. However, some platforms may have their own definitions,
allowing them to avoid a direct dependency on arm_def.h. For a clean
platform port of arm_def.h, none of the source files should directly
include arm_def.h; instead, they should include the platform header
which would indirectly include the required definitions.
Presently, the rotpk module has a source file that directly includes
arm_def.h. This could lead to compilation issues if the platform
incorporating the rotpk module has a separate implementation of some or
all of the definitions in arm_def.h file. To address this, move the
relevant definitions out of arm_def.h and into rotpk_def.h.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I9e8b0d319391f9a167af5c69a7b2d42ac488e7b4
CryptoCell-712 and CryptoCell-713 drivers have been deprecated since
TF-A v2.9 and their removal was announced for TF-A v2.10 release.
See [1].
As the release is approaching, this patch deletes these drivers' code as
well as all references to them in the documentation and Arm platforms
code (Nuvoton platform is taken care in a subsequent patch). Associated
build options (ARM_CRYPTOCELL_INTEG and PLAT_CRYPTOCELL_BASE) have also
been removed and thus will have no effect if defined.
This is a breaking change for downstream platforms which use these
drivers.
[1] https://trustedfirmware-a.readthedocs.io/en/v2.9/about/release-information.html#removal-of-deprecated-drivers
Note that TF-A v3.0 release later got renumbered into v2.10.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Idabbc9115f6732ac1a0e52b273d3380677a39813
This patch removes RAS_FFH_SUPPORT macro which is the combination of
ENABLE_FEAT_RAS and HANDLE_EA_EL3_FIRST_NS. Instead introduce an
internal macro FFH_SUPPORT which gets enabled when platforms wants
to enable lower EL EA handling at EL3. The internal macro FFH_SUPPORT
will be automatically enabled if HANDLE_EA_EL3_FIRST_NS is enabled.
FFH_SUPPORT along with ENABLE_FEAT_RAS will be used in source files
to provide equivalent check which was provided by RAS_FFH_SUPPORT
earlier. In generic code we needed a macro which could abstract both
HANDLE_EA_EL3_FIRST_NS and RAS_FFH_SUPPORT macros that had limitations.
Former was tied up with NS world only while the latter was tied to RAS
feature.
This is to allow Secure/Realm world to have their own FFH macros
in future.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie5692ccbf462f5dcc3f005a5beea5aa35124ac73
Newer platforms such as Neoverse V2 with GICv4.1 will report
0x3 instead of 0x1 in ID_AA64PFR0_EL1.
Update the logic to not accidentially take the GICv2 path
when printing the GIC registers.
Change-Id: Ia0d546cc5dcaa0dcad49a75b5921b0df5e176d34
Signed-off-by: Moritz Fischer <moritzf@google.com>
This patch introduces an SiP SMC call for FVP platform to set an
interrupt pending. This is needed for testing purposes.
Change-Id: I3dc68ffbec36d90207c30571dc1fa7ebfb75046e
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch introduces handler to add support for SiP calls to be
handled at EL3 for Arm platforms.
Consequently, the support for SPMD LSP is moved to corresponding
Arm platform SiP source file. This will allow us to add support
for a new SiP call in subsequent patch.
Change-Id: Ie29cb57fc622f96be3b67bebf34ce37cc82947d8
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Removing ARM_ROTPK_KEY_LEN definition and comparison in full key .S
files since there is little value in comparing the defined value with a
static size. This becomes more maintenance than value addition.
Removing defines no longer required and general clean up of .S full key
files.
Change-Id: Id286b7078ab9e190e37a43804e2a8d1b0934c235
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Add full key support for ECDSA P384 and P256.
New .S files and p384 pem file created along with new
plat_get_rotpk_info() flag ARM_ROTPK_DEVEL_FULL_DEV_ECDSA_KEY_ID.
Change-Id: I578b257eca41070bb4f4791ef429f2b8a66b1eb3
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
BL31 image has grown with feature addition over time. In particular the
RESET_TO_BL2 + ENABLE_PIE + DEBUG combination of options lead to BL31
image overlap head of BL2 image. In this configuration BL2 is meant to
stay resident as PE reset occurs from BL2. Apply changes similar to [1]
such that BL2 start address is pushed forward and leaves more room for
BL31 end of image.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/15486/9/include/plat/arm/common/arm_def.h#530
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I027e23780fb77ca9fe81aa47231da649c7a030ee
To allow the SPD to access the Event Log on RME systems with
TrustZone Controller, the Event Log region needs to be configured
into the TZC. This change will enable read-write access of this
region from the secure world, which is currently denied.
Change-Id: I0c32977386f3d7c22f310b2b9404d48e8e6cac29
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The build flags to enable the Arm(R) Ethos(TM)-N NPU driver are in arm
platform specific make files i.e. plat/arm/common/arm_common.mk. These
flags are renamed and moved to ethosn_npu.mk. Other source and make
files are changed to reflect the changes in these flags.
Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Change-Id: I6fd20225343c574cb5ac1f0f32ff2fc28ef37ea6
To handle the core corrected errors in the firmware, the FHI PPI
interrupt has to be enabled on all the cores. At boot, when the RAS
framework is initialized, only primary core is up and hence core FHI PPI
interrupt is enabled only on primary core. This patch adds support to
configure and enable core FHI interrupt for all the secondary cores as
part of their boot sequence.
Signed-off-by: Omkar Anand Kulkarni <omkar.kulkarni@arm.com>
Change-Id: I4b25152cb498fe975b9c770babb25aa9e01f9656
Adjusted BL31 maximum size as per total SRAM size.
Change-Id: Ifdfdedb8af3e001cebba8e60c973f3c72be11652
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
BL32_LIMIT has been increased from 2MB to 4MB to accommodate
the latest tee.bin (it is around ~2.1MB).
Change-Id: I47b770bf23c23d38931a2b3316d076b829338d70
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Co-developed-by: Juan Pablo Conde <juanpablo.conde@arm.com>
This patch does the following:
1. Configures SBSA secure watchdog timer as Group0 interrupt for
TC platform while keeping it as Group1 secure interrupt for
other CSS based SoCs.
2. Programs the watchdog timer to trigger periodically
3. Provides a Group0 interrupt handler for TC platform port to
deactivate the EL3 interrupt due to expiry of secure watchdog
timer and refresh it explicitly.
Change-Id: I3847d6eb7347c6ea0e527b97b096119ca1e6701b
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Updated the code to get and set the 'tpm_event_log_max_size' property
in the event_log.dtsi.
In this change, the maximum Event Log buffer size allocated by BL1 is
passed to BL2, rather than both relying on the maximum Event Log buffer
size macro.
Change-Id: I7aa6256390872171e362b6f166f3f7335aa6e425
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The FCONF parsing of the HW_CONFIG for the Arm(R) Ethos(TM)-N NPU now
supports reading the address of the reserved memory setup for the NPU so
the address can be used in the SiP service for the NPU.
Change-Id: I0968255a966e84896b00ea935d6aa3d5232c5f7b
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
BL2_AT_EL3 is an overloaded macro which has two uses:
1. When BL2 is entry point into TF-A(no BL1)
2. When BL2 is running at EL3 exception level
These two scenarios are not exactly same even though first implicitly
means second to be true. To distinguish between these two use cases we
introduce new macros.
BL2_AT_EL3 is renamed to RESET_TO_BL2 to better convey both 1. and 2.
Additional macro BL2_RUNS_AT_EL3 is added to cover all scenarious where
BL2 runs at EL3 (including four world systems).
BREAKING CHANGE: BL2_AT_EL3 renamed to RESET_TO_BL2 across the
repository.
Change-Id: I477e1d0f843b44b799c216670e028fcb3509fb72
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Signed-off-by: Maksims Svecovs <maksims.svecovs@arm.com>
Reserved 4KB area for Event Log in DRAM1. This area is used by BL2
to copy Event Log from internal SRAM to this carved out DRAM region
in the subsequent patch.
Change-Id: I7b405775c66d249e31edf7688d95770e6c05c175
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
This patch builds on the previous patch by implementing
support for reading NS DRAM layout of FVP model from
HW_CONFIG Device tree.
Macro _RMMD_MANIFEST_VERSION is renamed to
SET_RMMD_MANIFEST_VERSION to suppress MISRA-C
"rule MC3R1.D4.5: (advisory) Identifiers in
the same name space with overlapping visibility
should be typographically unambiguous" warning
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: Ifc2461b4441a1efdd4b7c656ab4d15e62479f77b
This patch adds support for setting configuration of DRAM banks
for FVP model in RMM-EL3 Boot Manifest structure.
Structure 'rmm_manifest' is extended with 'plat_dram' structure
which contains information about platform's DRAM layout:
- number of DRAM banks;
- pointer to 'dram_bank[]' array;
- check sum: two's complement 64-bit value of the sum of
data in 'plat_dram' and 'dram_bank[] array.
Each 'dram_bank' structure holds information about DRAM
bank base address and its size. This values must be aligned
to 4KB page size.
The patch increases Boot Manifest minor version to 2 and
removes 'typedef rmm_manifest_t' as per
"3.4.15.1. Avoid anonymous typedefs of structs/enums in headers" of
https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I5176caa5780e27d1e0daeb5dea3e40cf6ad5fd12
Add support for ARM_ROTPK_LOCATION=devel_full_dev_rsa_key, which
implements the scenario where the platform provides the full ROTPK, as
opposed to the hash of it. This returns a 2kB development RSA key
embedded into the firmware.
The motivation for this patch is to extend our test coverage in the CI.
Right now, the authentication framework allows platforms to return
either the full ROTPK or a hash of it (*). However, the FVP platform
only supports returning a hash currently so we cannot easily exercise
the full key scenario. This patch adds that capability.
(*) Or even no key at all if it's not deployed on the platform yet, as
is typically the case on pre-production/developement platforms.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: Ie869cca1082410e63894e2b7dea2d31155684105
This patch adds support for RMM granules allocation
in FVP 2nd DRAM 2GB bank at 0x880000000 base address.
For ENABLE_RME = 1 case it also removes "mem=1G"
Linux kernel command line option in fvp-base-psci-common.dsti
to allow memory layout discovery from the FVP device tree.
FVP parameter 'bp.dram_size' - size of main memory in gigabytes
documented in docs/components/realm-management-extension.rst
is changed from 2 to 4.
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I174da4416ad5a8d41bf0ac89f356dba7c0cd3fe7
Added a platform function to set and get DRTM error.
Also, added a platform function to reset the system.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I471f2387f8c78b21a06af063a6fa02cda3646557
The Arm(R) Ethos(TM)-N NPU driver now supports configuring the SMMU
streams that the NPU shall use and will therefore no longer delegate
access to these registers to the non-secure world. In order for the
driver to support this, the device tree parsing has been updated to
support parsing the allocators used by the NPU and what SMMU stream that
is associated with each allocator.
To keep track of what NPU device each allocator is associated with, the
resulting config from the device tree parsing will now group the NPU
cores and allocators into their respective NPU device.
The SMC API has been changed to allow the caller to specify what
allocator the NPU shall be configured to use and the API version has
been bumped to indicate this change.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I6ac43819133138614e3f55a014e93466fe3d5277
- Removing platform dependencies from libc modules.
- Replacing panicking with actual error handling.
- Debug macros are included indirectly from assert.h. Removing
"platform_def.h" from assert.h and adding "common/debug.h"
where the macros are used.
- Removing hack for fixing PLAT_LOG_LEVEL_ASSERT to 40.
Instead removing assert with expression, as this
does not provide additional information.
Signed-off-by: Claus Pedersen <claustbp@google.com>
Change-Id: Icc201ea7b63c1277e423c1cfd13fd6816c2bc568
Add platform specific interrupt handler for handling the reboot of
all CPU's. On shutdown/reboot, only one CPU invoke PSCI and enter into
trusted firmware. The CPU which entered trusted firmware signals the
rest of the cores which are online using SGI to initiate power down
sequence. On receiving the SGI, the handler will power down the
GIC redistributor interface of the respective core, configure the power
control register and power down the CPU by executing wfi.
In addition to these changes, fix coding style issues that are not
directly related to the code being introduced in this patch.
Change-Id: I4917dfdc47be5ce7367bee629486a6344cdd706f
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
Add a new function to setup a SGI interrupt that will be used to trigger
a request for per-cpu power down when executing the PSCI SYSTEM_RESET
request. This will be used on CSS platform that require all the CPUs to
execute the CPU specific power down sequence to complete a warm reboot
sequence in which only the CPUs are power cycled.
Change-Id: I80da0f6c3cd0c5c442c82239ba1e1f773821a7f5
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
The patch 8c980a4 created a 4KB shared region from the 32MB
Realm region for RMM-EL3 communication. But this meant that BL2
needs to map a region of 32MB - 4KB, which required more xlat
tables at runtime. This patch maps the entire 32MB region in BL2
which is more memory efficient in terms of xlat tables needed.
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I17aa27545293d7b5bbec1c9132ea2c22bf2e7e65
This patch adds the infrastructure needed to pass boot arguments from
EL3 to RMM and allocates a shared buffer between both worlds that can
be used, among others, to pass a boot manifest to RMM. The buffer is
composed a single memory page be used by a later EL3 <-> RMM interface
by all CPUs.
The RMM boot manifest is not implemented by this patch.
In addition to that, this patch also enables support for RMM when
RESET_TO_BL31 is enabled.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: I855cd4758ee3843eadd9fb482d70a6d18954d82a
BL2 base address updated to provide enough space for BL31 in
Trusted SRAM when building with BL2_AT_EL3 and ENABLE_PIE options.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ieaba00d841648add855feb99b7923a4b0cccfb08
When RECLAIM_INIT_CODE is enabled, functions with __init attribute can
be reclaimed after boot and marked as Execute Never.
Because of a bug in linker script the functions starting with "init"
were also marked XN and causing instruction abort.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I2221973c05af170acf4e723cd44645b9ff9d58d2
For EL3 SPMC configuration enabled platforms, allow the reuse of
BL32 specific definitions.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I37ffbbf680326c101fbb2f146085a96c138f07a1
Currently, HW-config is loaded into non-secure memory, which mean
a malicious NS-agent could tamper with it. Ideally, this shouldn't
be an issue since no software runs in non-secure world at this time
(non-secure world has not been started yet).
It does not provide a guarantee though since malicious external
NS-agents can take control of this memory region for update/corruption
after BL2 loads it and before BL31/BL32/SP_MIN consumes it. The threat
is mapped to Threat ID#3 (Bypass authentication scenario) in threat
model [1].
Hence modified the code as below -
1. BL2 loads the HW_CONFIG into secure memory
2. BL2 makes a copy of the HW_CONFIG in the non-secure memory at an
address provided by the newly added property(ns-load-address) in
the 'hw-config' node of the FW_CONFIG
3. SP_MIN receives the FW_CONFIG address from BL2 via arg1 so that
it can retrieve details (address and size) of HW_CONFIG from
FW_CONFIG
4. A secure and non-secure HW_CONFIG address will eventually be used
by BL31/SP_MIN/BL32 and BL33 components respectively
5. BL31/SP_MIN dynamically maps the Secure HW_CONFIG region and reads
information from it to local variables (structures) and then
unmaps it
6. Reduce HW_CONFIG maximum size from 16MB to 1MB; it appears
sufficient, and it will also create a free space for any future
components to be added to memory
[1]: https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html
Change-Id: I1d431f3e640ded60616604b1c33aa638b9a1e55e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
On RME-enabled platforms, it is currently not possible to incorporate
mapping of all bl_regions specified in bl31 setup[1] with the
ARM_BL_REGIONS macro defined to 6. Hence increased its count to 7.
[1]: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/
plat/arm/common/arm_bl31_setup.c#n380
Change-Id: Ieaa97f026ab2ae6eae22442595aa4122ba0a13c4
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Introduced functions to set and get Event log information
(tpm_event_log address and its size).
In FVP platform case, measured boot with Event Log backend flow
work as below
1. event_log_init function called by BL1 to initialize Event Log
module
2. arm_set_tb_fw_info function called by BL1 to set the
'tpm_event_log_addr' and 'tpm_event_log_size' properties
in tb_fw_config
3. arm_get_tb_fw_info function called by BL2 to get tpm Event Log
parameters set by BL1. These parameters used by the BL2 to
extend the tpm Event Log records, and use these parameters
to initialize Event Log using event_log_init function
4. arm_set_nt_fw_info and arm_set_tos_fw_info function called by
BL2 to set 'tpm_event_log' address and its size properties in
nt_fw_config and tos_fw_config respectively
Alongside, this patch created a separate instances of plat_mboot_init
and plat_mboot_finish APIs for BL1 and BL2.
This patch is tested using the existing measured boot test configuration
in jenkins CI.
Change-Id: Ib9eca092afe580df014541c937868f921dff9c37
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Currently, the Event Log driver does platform layer work by invoking
a few platform functions in the 'event_log_finalise' call. Doing
platform work does not seem to be the driver's responsibility, hence
moved 'event_log_finalise' function's implementation to the platform
layer.
Alongside, introduced few Event Log driver functions and done
some cosmetic changes.
Change-Id: I486160e17e5b0677c734fd202af7ccd85476a551
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Subsequent patches will provide a solution to do the BL2 hash measurement
and recording in BL1 itself, hence in preparation to adopt that solution
remove the logic of passing BL2 hash measurement to BL2 component
via TB_FW config.
Change-Id: Iff9b3d4c6a236a33b942898fcdf799cbab89b724
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
* changes:
refactor(gpt): productize and refactor GPT library
feat(rme): disable Watchdog for Arm platforms if FEAT_RME enabled
docs(rme): add build and run instructions for FEAT_RME
fix(plat/fvp): bump BL2 stack size
fix(plat/fvp): allow changing the kernel DTB load address
refactor(plat/arm): rename ARM_DTB_DRAM_NS region macros
refactor(plat/fvp): update FVP platform DTS for FEAT_RME
feat(plat/arm): add GPT initialization code for Arm platforms
feat(plat/fvp): add memory map for FVP platform for FEAT_RME
refactor(plat/arm): modify memory region attributes to account for FEAT_RME
feat(plat/fvp): add RMM image support for FVP platform
feat(rme): add GPT Library
feat(rme): add ENABLE_RME build option and support for RMM image
refactor(makefile): remove BL prefixes in build macros
feat(rme): add context management changes for FEAT_RME
feat(rme): add Test Realm Payload (TRP)
feat(rme): add RMM dispatcher (RMMD)
feat(rme): run BL2 in root world when FEAT_RME is enabled
feat(rme): add xlat table library changes for FEAT_RME
feat(rme): add Realm security state definition
feat(rme): add register definitions and helper functions for FEAT_RME
