When building Crypto APIs, it requires dependency on external headers,
e.g., Mbedtls headers. Without the CRYPTO_SUPPORT configuration,
external dependencies are not set up, building Crypto APIs will fail.
Guard Crypto APIs with the CRYPTO_SUPPORT configuration, to make sure
the code is built only for Crypto enabled case.
Change-Id: Iffe1220b0e6272586c46432b4f8d0512cb39b0b5
Signed-off-by: Leo Yan <leo.yan@arm.com>
Enable the trng on the platform, which can be used by other features.
`rng-seed` has been removed and enabled `FEAT_RNG_TRAP` to trap to EL3
when accessing system registers RNDR and RNDRRS
Change-Id: Ibde39115f285e67d31b14863c75beaf37493deca
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Add MediaTek SMMU power driver. This driver tracks the reference
counter for power domain access on SMMU hardware, including
Multimedia SMMU and APU SMMU. The PM get/put commands may come from
linux(EL1) and hypervisor(EL2).
Change-Id: I60f83c4e3d87059b0549b2ed8c68367be3bfbbc5
Signed-off-by: Yong Wu <yong.wu@mediatek.com>
Neoverse-V3 erratum 3701767 that applies to r0p0, r0p1, r0p2 is
still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2891958/latest/
Change-Id: I5be0de881f408a9e82a07b8459d79490e9065f94
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Neoverse-N3 erratum 3699563 that applies to r0p0 is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-3050973/latest/
Change-Id: I77aaf8ae0afff3adde9a85f4a1a13ac9d1daf0af
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Neoverse-N2 erratum 3701773 that applies to r0p0, r0p1, r0p2 and r0p3
is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1982442/latest/
Change-Id: If95bd67363228c8083724b31f630636fb27f3b61
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-X925 erratum 3701747 that applies to r0p0, r0p1 and is still
Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/109180/latest/
Change-Id: I080296666f89276b3260686c2bdb8de63fc174c1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-X4 erratum 3701758 that applies to r0p0, r0p1, r0p2 and r0p3
is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/109148/latest/
Change-Id: I4ee941d1e7653de7a12d69f538ca05f7f9f9961d
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-X3 erratum 3701769 that applies to r0p0, r1p0, r1p1 and r1p2
is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2055130/latest/
Change-Id: Ifd722e1bb8616ada2ad158297a7ca80b19a3370b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-X2 erratum 3701772 that applies to r0p0, r1p0, r2p0, r2p1
is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775100/latest/
Change-Id: I2ffc5e7d7467f1bcff8b895fea52a1daa7d14495
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A725 erratum 3699564 that applies to r0p0, r0p1 and is
fixed in r0p2.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2832921/latest
Change-Id: Ifad1f6c3f5b74060273f897eb5e4b79dd9f088f7
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A720-AE erratum 3699562 that applies to r0p0 and is still
Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-3090091/latest/
Change-Id: Ib830470747822cac916750c01684a65cb5efc15b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A720 erratum 3699561 that applies to all revisions <= r0p2
and is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2439421/latest/
Change-Id: I7ea3aaf3e7bf6b4f3648f6872e505a41247b14ba
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A715 erratum 3699560 that applies to all revisions <= r1p3
and is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-2148827/latest/
Change-Id: I183aa921b4b6f715d64eb6b70809de2566017d31
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A710 erratum 3701772 that applies to all revisions <= r2p1
and is still Open.
The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775101/latest/
Change-Id: I997c9cfaa75321f22b4f690c4d3f234c0b51c670
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
When ICH_VMCR_EL2.VBPR1 is written in Secure state (SCR_EL3.NS==0)
and then subsequently read in Non-secure state (SCR_EL3.NS==1), a
wrong value might be returned. The same issue exists in the opposite way.
Adding workaround in EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored. For example, EL3 software should set
SCR_EL3.NS to 1 when saving or restoring the value ICH_VMCR_EL2 for
Non-secure(or Realm) state. EL3 software should clear
SCR_EL3.NS to 0 when saving or restoring the value ICH_VMCR_EL2 for
Secure state.
SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775101/latest/
Change-Id: I9f0403601c6346276e925f02eab55908b009d957
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
- errata.h is using incorrect header macro ERRATA_REPORT_H fix this.
- Group errata function utilities.
Change-Id: I6a4a8ec6546adb41e24d8885cb445fa8be830148
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Move the RSE MHU channel initialization to the platform setup phase,
this allows the services (e.g. TRNG service) to talk to RSE during the
service init function.
Change-Id: Id0ff6e49117008463f11b2dc3c585daca00f609c
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
To allow for generic handling of a wakeup, this hook is no longer
expected to call wfi itself. Update the name everywhere to reflect this
expectation so that future platform implementers don't get misled.
Change-Id: Ic33f0b6da74592ad6778fd802c2f0b85223af614
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
There is now a convent place at the end of the function to jump to when
we shouldn't power down. This eliminates the need for skip_wfi.
Change-Id: I8d1a88c77463e8ee6765b185adbe3d23d9fce101
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Newer cores in upcoming platforms may refuse to power down. The PSCI
library is already prepared for this so convert platform code to also
allow this. This is simple - drop the `wfi` + panic and let common code
deal with the fallout. The end result will be the same (sans the
message) except the platform will have fewer responsibilities. The only
exception is for cores being signalled to power off gracefully ahead of
system reset. That path must also be terminal so replace the end with
the same psci_pwrdown_cpu_end() to behave the same as the generic
implementation. It will handle wakeups and panic, hoping that the system
gets reset from under it. The dmb is upgraded to a dsb so no functional
change.
Change-Id: I381f96bec8532bda6ccdac65de57971aac42e7e8
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.
On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4
The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
This function doesn't return and its callers that don't return either
rely on this. Drop the dead attribute and add a panic() after it to make
this expectation explicit. Calling `wfi` in the powerdown sequence is
terminal so even if the function was made to return, there would be no
functional change.
This is useful for a following patch that makes psci_power_down_wfi()
return.
Change-Id: I62ca1ee058b1eaeb046966c795081e01bf45a2eb
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
This change adjusts the Dependabot settings for the LTS branches such
that Dependabot does not open pull requests for changes which anything
more substantial than patch updates (typically security fixes).
Change-Id: Icc203038e8069e723926849a33c3e8784b544053
Signed-off-by: Chris Kay <chris.kay@arm.com>
Arm ROTPK generation may start before the build directory is
created, causing errors like:
00:45:53.235 Can't open "/home/buildslave/workspace/tf-a-coverity/
trusted-firmware-a/build/rd1ae/debug/arm_rotpk.bin" for writing,
No such file or directory
This patch ensures the build directory is created beforehand to
prevent such issues.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I73f7d5af00efc738e95ea79c5cacecdb6a2d20c6
The workarounds introduced in the three patches starting at
888eafa00b assumed that any powerdown
request will be (forced to be) terminal. This assumption can no longer
be the case for new CPUs so there is a need to revisit these older
cores. Since we may wake up, we now need to respect the workaround's
recommendation that the workaround needs to be reverted on wakeup. So do
exactly that.
Introduce a new helper to toggle bits in assembly. This allows us to
call the workaround twice, with the first call setting the workaround
and second undoing it. This is also used for gelas' an travis' powerdown
routines. This is so the same function can be called again
Also fix the condition in the cpu helper macro as it was subtly wrong
Change-Id: Iff9e5251dc9d8670d085d88c070f78991955e7c3
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Introduce a new helper to toggle bits in assembly. This allows us to
call the workaround twice, with the first call setting the workaround
and second undoing it. This allows the (errata) workaround functions to
be used to both apply and undo the mitigation.
This is applied to functions where the undo part will be required in
follow-up patches.
Change-Id: I058bad58f5949b2d5fe058101410e33b6be1b8ba
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Booting mt8196 and grepping the logs for "errat" showed:
WARNING: BL31: cortex_a720: CPU workaround for erratum 2792132 was missing!
WARNING: BL31: cortex_a720: CPU workaround for erratum 2844092 was missing!
WARNING: BL31: cortex_a720: CPU workaround for erratum 2926083 was missing!
WARNING: BL31: cortex_a720: CPU workaround for erratum 2940794 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2726228 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2740089 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2763018 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2816013 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2897503 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 2923985 was missing!
WARNING: BL31: cortex_x4: CPU workaround for erratum 3076789 was missing!
Set defines so that all the errata are fixed. Now the above shows:
INFO: BL31: cortex_a720: CPU workaround for erratum 2792132 was applied
INFO: BL31: cortex_a720: CPU workaround for erratum 2844092 was applied
INFO: BL31: cortex_a720: CPU workaround for erratum 2926083 was applied
INFO: BL31: cortex_a720: CPU workaround for erratum 2940794 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2726228 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2740089 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2763018 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2816013 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2897503 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 2923985 was applied
INFO: BL31: cortex_x4: CPU workaround for erratum 3076789 was applied
Change-Id: I209784c2574b99c3c275ac60adf73896e0cdd078
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Enable the compiler's stack protector for detecting stack overflow
issues.
Though TC platform can generate RNG from RSE via MHU channel, the
stack protector canary is used prior to MHU channel initialization.
Thus, currently here simply returns a value of the combination of a
timer's value and a compile-time constant.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I68fcc7782637b2b6b4dbbc81bc15df8c5ce0040b
This change introduces the hob support for both qemu platforms (virt and
sbsa).
As the hob list feature relies on transfer list, the transfer list
support is promoted to common qemu build configuration. The platforms
specific definitions are updated accordingly.
Change-Id: I473d83388fe95408d34515bf7bcbdd64ce4e777d
Signed-off-by: Kun Qin <kuqin@microsoft.com>
The fpregs_state_* macros require the base register
to point to the start of the simd_regs_t structure.
The fpregs_context_* functions were passing the
address incorrectly shifted by 512 bytes.
Signed-off-by: Andrei Homescu <ahomescu@google.com>
Change-Id: I757a26f8910c2ab648116e001e06baa3deb2eec4
This patch implements SMCCC_ARCH_WORKAROUND_4 and
allows discovery through SMCCC_ARCH_FEATURES.
This mechanism is enabled if CVE_2024_7881 [1] is enabled
by the platform. If CVE_2024_7881 mitigation
is implemented, the discovery call returns 0,
if not -1 (SMC_ARCH_CALL_NOT_SUPPORTED).
For more information about SMCCC_ARCH_WORKAROUND_4 [2], please
refer to the SMCCC Specification reference provided below.
[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881
[2]: https://developer.arm.com/documentation/den0028/latest
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I1b1ffaa1f806f07472fd79d5525f81764d99bc79
This patch adds new cpu ops function extra4 and a new macro
for CVE-2024-7881 [1]. This new macro declare_cpu_ops_wa_4 allows
support for new CVE check function.
[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I417389f040c6ead7f96f9b720d29061833f43d37
