TF-A support for mbedtls3.x has been overdue by number of releases.
As per mbedtls support it was advised to use latest and greatest
mbedtls-3.3. But mbedtls-3.x breaks API compatibility with
mbedtls-2.x
To maintain comptability for mbedtls-2.x and enable mbedtls-3.x
support add a functionality into makefile to determine the major version
of mbedtls and use that to selective include or compile files
that are present.
With mbedtls-3.x numerous other config changes have been done.
Some of the config options deprecated or enabled by default.
Thus we decided to introduce a new 3.x config file part of this
change for building TF-A with mbedtls-3.3.
For futher information on migrating to mbedtls 3.x refer to:
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/3.0-migration-guide.md
Change-Id: Ia8106d6f526809df927d608db27fe149623258ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Currently we include MBEDTLS_CONFIG_FILE directly and if a custom
config file is used it will included.
However from mbedtls-3.x onwards it discourages usage of
MBEDTLS_CONFIG_FILE include directly, so to resolve this and keep 2.28
compatibility include version.h which would include the custom config
file if present and also would expose us with mbedtls-major-version
number which could be used for selecting features and functions for
mbedtls 2.28 or 3.3
Change-Id: I029992311be2a38b588ebbb350875b03ea29acdb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
Add code in SPMD to forward calls to FFA_PARTITION_INFO_GET_REGS. This
is a new ABI that allows getting partition information without the need
for rx/tx buffer, that helps in situations where having an rx/tx buffer
mapped and available is difficult (ex. uefi runtime services).
Currently, the spmc at el3 does not support this new ABI.
The new ABI uses registers x8-x17 to return partition information so
changes are made to ensure those registers are passed through to the
SPMC and restored on the return path.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I1fe5956763e054e4f8d62292fc1247e7120bb5a4
Most of the macros/routine in vector entry need a free scratch register.
Introduce a macro "save_x30" and call it right at the begining of vector
entries where x30 is used. It is more exlicit and less error prone
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I617f3d41a120739e5e3fe1c421c79ceb70c1188e
* changes:
feat(spmd): map SPMC manifest region as EL3_PAS
feat(fvp): update device tree with load addresses of TOS_FW config
refactor(fvp): rename the DTB info structure member
feat(fconf): rename 'ns-load-address' to 'secondary-load-address'
* changes:
refactor(allwinner): use fdt_node_is_enabled() in AXP driver
fix(allwinner): check RSB availability in DT on H6
refactor(fdt): introduce common fdt_node_is_enabled()
Adding AP/RSS interface for retrieving and incrementing non-volatile
counters.
The read interface implements the psa_call:
psa_call(RSS_PLATFORM_SERVICE_HANDLE,
RSS_PLATFORM_API_ID_NV_READ,
in_vec, 1, out_vec, 1);
where the in_vec indicates which of the 3 counters we want, and the
out_vec stores the counter value we get back from RSS.
The increment interface implements the psa_call:
psa_call(RSS_PLATFORM_SERVICE_HANDLE,
RSS_PLATFORM_API_ID_NV_INCREMENT,
in_vec, 1, (psa_outvec *)NULL, 0);
where, again, in_vec indicates the counter to increment, and we don't
get any output parameter from RSS.
Through this service, we will be able to get/increment any of the 3 NV
counters used on a CCA platform:
- NV counter for CCA firmware (BL2, BL31, RMM).
- NV counter for secure firmware.
- NV counter for non-secure firmware.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Signed-off-by: Raef Coles <raef.coles@arm.com>
Change-Id: I4c1c7f4837ebff30de16bb0ce7ecd416b70b1f62
The 'ns-load-address' property has been renamed to 'secondary-load-
address' in order to make it more generic. It can be used to copy
the configuration to any location, be it root, secure, or non-secure.
Change-Id: I122508e155ccd99082296be3f6b8db2f908be221
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
As the max ESPI can be 5119, so enlarge the intr_num range of
structure interrupt_prop_t. After the patch the ESPI can be add to
this macro:
define PLATFORM_G1S_PROPS(grp) \
INTR_PROP_DESC(197 - 32 + 4576, GIC_HIGHEST_SEC_PRIORITY, (grp), GIC_INTR_CFG_EDGE), \
INTR_PROP_DESC(199 - 32 + 4576, GIC_HIGHEST_SEC_PRIORITY, (grp), GIC_INTR_CFG_EDGE)
The firmware-design.rst will be updated accordingly.
Signed-off-by: Ming Huang <huangming@linux.alibaba.com>
Change-Id: Ic923868bb1b00c017410dc2aeabfda58ee54782f
There are several users in the tree which want to check whether a given
FDT node is enabled or not: the "status" property holds that
information. So far all those users provide private implementations,
some of them having issues.
Export a generic implementation of that function in fdt_wrappers.h, as
a "static inline" function to not increase code size.
Also replace the existing implementation in Arm's fconf code, which had
a tiny bug in needlessly using the property length:
"status = [6f 6b 61 79 20];" would pass the check, where it should not.
The proper solution is also simpler: status must be a string, and
strings must be NUL-terminated in a DT. strcmp() would terminate on the
first NUL in *either* of the two strings it compares, so it would never
walk beyond the property boundary in the DTB.
Change-Id: I9d89093432f127c09add6cf5c93a725bc534e5de
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
* changes:
docs(rme): update RMM-EL3 Boot Manifest structure description
feat(rme): read DRAM information from FVP DTB
feat(rme): set DRAM information in Boot Manifest platform data
This adds the ability to load the OP-TEE image via an SMC called from
non-secure userspace rather than loading it during boot. This should
only be utilized on platforms that can ensure security is maintained up
until the point the SMC is invoked as it breaks the normal barrier
between the secure and non-secure world.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I21cfa9699617c493fa4190f01d1cbb714e7449cc
This patch builds on the previous patch by implementing
support for reading NS DRAM layout of FVP model from
HW_CONFIG Device tree.
Macro _RMMD_MANIFEST_VERSION is renamed to
SET_RMMD_MANIFEST_VERSION to suppress MISRA-C
"rule MC3R1.D4.5: (advisory) Identifiers in
the same name space with overlapping visibility
should be typographically unambiguous" warning
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: Ifc2461b4441a1efdd4b7c656ab4d15e62479f77b
* changes:
fix(mmc): align part config type
fix(mmc): do not modify r_data in mmc_send_cmd()
fix(mmc): explicitly check operators precedence
fix(partition): add U suffix for unsigned numbers
fix(partition): add missing curly braces
With "ENABLE_MPAM_FOR_LOWER_ELS" and "CTX_INCLUDE_EL2_REGS" build
options enabled, MPAM EL2 registers would be saved/restored as part of
context management. Context save/restore routines as of now would
proceed to access all of MPAM EL2 registers without any runtime checks.
MPAM specification states that MPAMHCR_EL2 should only be accessed if
MPAMIDR_EL1.HAS_HCR is "1". Likewise, MPAMIDR_EL1.VPMR_MAX has to be
probed to obtain the maximum supported MPAMVPM<x>_EL2 before accessing
corresponding MPAMVPM<x>_EL2 registers. Since runtime checks are not
being made, an exception would be raised if the platform under test
doesn't support one of the registers. On Neoverse reference design
platforms, an exception is being raised while MPAMVPM2_EL2 or above are
accessed. Neoverse reference design platforms support only registers
till MPAMVPM1_EL2 at this point.
To resolve this, add sufficient runtime checks in MPAM EL2 context
save/restore routines. As part of the new save/restore routines,
MPAMIDR_EL1.HAS_HCR and MPAMIDR_EL1.VPMR_MAX are probed for the right
set of registers to be saved and restored.
CC: Davidson Kumaresan <davidson.kumaresan@arm.com>
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Change-Id: I2e3affd23091023b287b2bd5057a4a549037b611
* changes:
fix(libc): remove __putchar alias
fix(console): correct scopes for console symbols
fix(auth): use NULL instead of 0 for pointer check
fix(io): compare function pointers with NULL
fix(fdt-wrappers): use correct prototypes
Neoverse V1 erratum 2779461 is a Cat B erratum that applies to
all revisions <=r1p2 and is still open.
The workaround sets CPUACTLR3_EL1[47] bit to 1. Setting this
bit might have a small impact on power and negligible impact
on performance.
SDEN documentation:https://developer.arm.com/documentation/SDEN1401781/latest
Change-Id: I367cda1779684638063d7292fda20ca6734e6f10
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
Cortex-A78 erratum 2779479 is a Cat B erratum that applies to
all revisions <= r1p2 and is still open.
The workaround is to set the CPUACTLR3_EL1[47] bit to 1. Setting this
bit might have a small impact on power and negligible impact
on performance.
SDEN documentation:
https://developer.arm.com/documentation/SDEN1401784/latest
Change-Id: I3779fd1eff3017c5961ffa101b357918070b3b36
Signed-off-by: Sona Mathew <SonaRebecca.Mathew@arm.com>
* changes:
feat(fvp): enable FEAT_HCX by default
refactor(context-mgmt): move FEAT_HCX save/restore into C
refactor(cpufeat): convert FEAT_HCX to new scheme
feat(fvp): enable FEAT_FGT by default
refactor(context-mgmt): move FEAT_FGT save/restore code into C
refactor(amu): convert FEAT_AMUv1 to new scheme
refactor(cpufeat): decouple FGT feature detection and build flags
refactor(cpufeat): check FEAT_FGT in a new way
refactor(cpufeat): move helpers into .c file, rename FEAT_STATE_
feat(aarch64): make ID system register reads non-volatile
This patch adds support for setting configuration of DRAM banks
for FVP model in RMM-EL3 Boot Manifest structure.
Structure 'rmm_manifest' is extended with 'plat_dram' structure
which contains information about platform's DRAM layout:
- number of DRAM banks;
- pointer to 'dram_bank[]' array;
- check sum: two's complement 64-bit value of the sum of
data in 'plat_dram' and 'dram_bank[] array.
Each 'dram_bank' structure holds information about DRAM
bank base address and its size. This values must be aligned
to 4KB page size.
The patch increases Boot Manifest minor version to 2 and
removes 'typedef rmm_manifest_t' as per
"3.4.15.1. Avoid anonymous typedefs of structs/enums in headers" of
https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I5176caa5780e27d1e0daeb5dea3e40cf6ad5fd12
* changes:
fix(ti): fix typo in boot authentication message name
refactor(ti): remove empty validate_ns_entrypoint function
refactor(ti): use console_set_scope() rather than empty function hack
refactor(ti): factor out common board code into common files
feat(ti): add PSCI system_off support
feat(ti): do not handle EAs in EL3
feat(ti): set snoop-delayed exclusive handling on A72 cores
feat(ti): disable L2 dataless UniqueClean evictions
feat(ti): set L2 cache ECC and and parity on A72 cores
feat(ti): set L2 cache data ram latency on A72 cores to 4 cycles
Snoop requests should not be responded to during atomic operations. This
can be handled by the interconnect using its global monitor or by the
core's SCU delaying to check for the corresponding atomic monitor state.
TI SoCs take the second approach. Set the snoop-delayed exclusive handling
bit to inform the core it needs to delay responses to perform this check.
As J784s4 is currently the only SoC with multiple A72 clusters, limit
this delay to only that device.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: I875f64e4f53d47a9a0ccbf3415edc565be7f84d9
The Cortex-A72 based cores on K3 platforms have cache ECC and
parity protection, enable these.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: Icd00bc4aa9c1c48f0fb2a10ea66e75e0b146ef3c
The Cortex-A72 based cores on K3 platforms can be clocked fast
enough that an extra latency cycle is needed to ensure correct
L2 access. Set the latency here for all A72 cores.
Signed-off-by: Andrew Davis <afd@ti.com>
Change-Id: I639091dd0d2de09572bf0f73ac404e306e336883
At the moment we save and restore the HCRX_EL2 register in assembly, and
just depend on the build time flags.
To allow runtime checking, and to avoid too much code in assembly, move
that over to C, and use the new combined build/runtime feature check.
This also allows to drop the assert, since this should now be covered by
the different FEAT_STATE_x options.
Change-Id: I3e20b9ba17121d423cd08edc20bbf4e7ae7c0178
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Use the generic check function in feat_detect.c, and split the feature
check into two functions, as done for FEAT_FGT before.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I0a4f973427c10d5d15c414ff5e12b18b7e645fae
At the moment we do the EL2 context save/restore sequence in assembly,
where it is just guarded by #ifdef statement for the build time flags.
This does not cover the FEAT_STATE_CHECK case, where we need to check
for the runtime availability of a feature.
To simplify this extension, and to avoid writing too much code in
assembly, move that sequence into C: it is called from C context
anyways.
This protects the C code with the new version of the is_xxx_present()
check, which combines both build time and runtime check, as necessary,
and allows the compiler to optimise the calls aways, if we don't need
them.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I7c91bec60efcc00a43429dc0381f7e1c203be780
For the FGT context save/restore operation, we need to look at the AMUv1
feature, so migrate this one over to the new scheme.
This uses the generic check function in feat_detect.c, and splits the
feature check into two functions, as was done before for FEAT_FGT.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I95ad797f15001b2c9d1800c9d4af33fba79e136f
Split the feature check for FEAT_FGT into two parts:
- A boolean function that just evaluates whether the feature is usable.
This takes build time flags into account, and only evaluates the CPU
feature ID registers when the flexible FEAT_STATE_CHECK method is
used.
- A "raw" function that returns the unfiltered CPU feature ID register.
Change the callers where needed, to give them the version they actually
want.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I9a041132d280451f5d9f653a62904f603b2a916d
The FEATURE_DETECTION functionality had some definitions in a header
file, although they were only used internally in the .c file.
Move them over there, since there are of no interest to other users.
Also use the opportuntiy to rename the less telling FEAT_STATE_[12]
names, and let the "0" case join the game. We use DISABLED, ALWAYS, and
CHECK now, so that the casual reader has some idea what those numbers
are supposed to mean.
feature_panic() becomes "static inline", since disabling all features
makes it unused, so the compiler complains otherwise.
Finally add a new category "cpufeat" to cover CPU feature related
changes.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: If0c8ba91ad22440260ccff383c33bdd055eefbdc
Our system register access function wrappers are using "volatile"
inline assembly instructions. On the first glance this is a good idea,
since many system registers have side effects, and we don't want the
compiler to optimise or reorder them (what "volatile" prevents).
However this also naturally limits the compiler's freedom to optimise
code better, and those volatile properties don't apply to every type of
system register. One example are the CPU ID registers, which have
constant values, are side-effect free and read-only.
Introduce a new wrapper type that drops the volatile keyword, and use
that for the wrappers instantiating ID register accessors.
This allows the compiler to freely optimise those instructions away, if
their result isn't actually used, which can trigger further
optimisations.
Change-Id: I3c64716ae4f4bf603f0ea57b652bd50bcc67bb0e
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
console_state is only used in multi_console.c, it is then declared as
static. console_list is used by several files, declare it as extern.
This corrects the 2 sparse warnings:
drivers/console/multi_console.c:13:11: warning: symbol 'console_list'
was not declared. Should it be static?
drivers/console/multi_console.c:14:9: warning: symbol 'console_state'
was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Id1891595906c258e8cb8aa325226f0a43723ca0e
SCHAR_MIN definition should use SCHAR_MAX, and not itself.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: If8c1751a381dac50fe3ec5fdf19d6a4918470b58
In FCONF_REGISTER_POPULATOR macro, add static for the fconf_populator
struct. This avoids this kind of sparse warning:
plat/st/common/stm32mp_fconf_io.c:181:1: warning:
symbol 'stm32mp_io__populator' was not declared. Should it be static?
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Icaa7da3079e82497e112585150f6348ef2ebf5e6
When a platform decides to use FEAT_RNG_TRAP, every RNDR or RNDRSS read
will trap into EL3. The platform can then emulate those instructions, by
either executing the real CPU instructions, potentially conditioning the
results, or use rate-limiting or filtering to protect the hardware
entropy pool. Another possiblitiy would be to use some platform specific
TRNG device to get entropy and returning this.
To demonstrate platform specific usage, add a demo implementation for the
FVP: It will execute the actual CPU instruction and just return the
result. This should serve as reference code to implement platform specific
policies.
We change the definition of read_rndr() and read_rndrrs() to use the
alternative sysreg encoding, so that all assemblers can handle that.
Add documentation about the new platform specific RNG handler function.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: Ibce817b3b06ad20129d15531b81402e3cc3e9a9e
At the moment we only handle SMC traps from lower ELs, but ignore any
other synchronous traps and just panic.
To cope with system register traps, which we might need to emulate,
introduce a C function to handle those traps, and wire that up in the
exception handler to be called.
We provide a dispatcher function (in C), that will call platform
specific implementation for certain (classes of) system registers.
For now this is empty.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: If147bcb49472eb02791498700300926afbcf75ff
This driver was used when STM32MP_USE_STM32IMAGE was enabled. This flag
is now removed, so the ST io_mmc driver can now be removed.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I3c1280dec8926b921534c81e143e86cfe6d4ee0d
with reference to feature 04c730 (feat(cpus): make cache ops conditional),
booting with caches in debug recovery means SCTLR_C_BIT will be 0.
Wrap the assert for the d-cache enabled check in CONDITIONAL_CMO and
plat_can_cmo calls to allow booting with d-cache disabled.
Signed-off-by: Channagoud kadabi <kadabi@google.com>
Change-Id: I80153df493d1ec9e5e354c7c2e6a14322d22c446
