These bits (MDCR_EL3.{NSTB, NSTBE, TTRF, TPM}, CPTR_EL3.TTA) only affect
EL2 (and lower) execution. Each feat_init_el3() is called long before
any lower EL has had a chance to execute, so setting the bits at reset
is redundant. Removing them from reset code also improves readability of
the immutable EL3 state.
Preserve the original intention for the TTA bit of "enabled for NS and
disabled everywhere else" (inferred from commit messages d4582d3088 and
2031d6166a and the comment). This is because CPTR_EL3 will be contexted
and so everyone will eventually get whatever NS has anyway.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I3d24b45d3ea80882c8e450b2d9db9d5531facec1
With the introduction of FEAT_RME, MDCR_EL3 bits NSPB and NSPBE depend on
each other. The enable code relies on the register being initialised to
zero and omits to reset NSPBE. However, this is not obvious. Reset the
bit explicitly to document this.
Similarly, reset the STE bit, since it's part of the feature enablement.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I3714507bae10042cdccd2b7bc713b31d4cdeb02f
* changes:
refactor(tc): print RSS interface test PSA status
test(tc): test for AP/RSS interface for ROTPK
feat(psa): interface with RSS for retrieving ROTPK
Adding the AP/RSS interface for reading the ROTPK.
The read interface implements the psa_call:
psa_call(RSS_CRYPTO_HANDLE, PSA_IPC_CALL,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));
where the in_vec indicates which of the 3 ROTPKs we want,
and the out_vec stores the ROTPK value we get back from RSS.
Through this service, we will be able to read any of the 3
ROTPKs used on a CCA platform:
- ROTPK for CCA firmware (BL2, BL31, RMM).
- ROTPK for secure firmware.
- ROTPK for non-secure firmware.
Change-Id: I44c615588235cc797fdf38870b74b4c422be0a72
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
* changes:
feat(intel): platform enablement for Agilex5 SoC FPGA
feat(intel): ccu driver for Agilex5 SoC FPGA
feat(intel): vab support for Agilex5 SoC FPGA
feat(intel): sdmmc/nand/combo-phy/qspi driver for Agilex5 SoC FPGA
feat(intel): ddr driver for Agilex5 SoC FPGA
feat(intel): power manager for Agilex5 SoC FPGA
feat(intel): cold/warm reset and smp support for Agilex5 SoC FPGA
feat(intel): reset manager support for Agilex5 SoC FPGA
feat(intel): mailbox and SMC support for Agilex5 SoC FPGA
feat(intel): system manager support for Agilex5 SoC FPGA
feat(intel): memory controller support for Agilex5 SoC FPGA
feat(intel): clock manager support for Agilex5 SoC FPGA
feat(intel): mmc support for Agilex5 SoC FPGA
feat(intel): uart support for Agilex5 SoC FPGA
feat(intel): pinmux, peripheral and Handoff support for Agilex5 SoC FPGA
* changes:
docs(imx9): add imx93 platform
feat(imx93): add OPTEE support
feat(imx93): protect OPTEE memory to secure access only
feat(imx93): add cpuidle and basic suspend support
feat(imx93): add reset & poweroff support
feat(imx93): allow SoC masters access to system TCM
feat(imx93): update the ocram trdc config for did10
feat(imx93): add the basic support
feat(imx93): add the trdc driver
build(changelog): add new scopes for nxp imx platform
This patch implements the sdmmc/nand/combo-phy
driver to support Cadence IP for Agilex5 SoC FPGA.
1. Added SDMMC/NAND/COMBO-PHY support.
2. Updated product name -> Agilex5
3. Updated QSPI base address
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I6db689d2b784c9f59a25701ab34517f6f6b0a0e6
Combining the EL2 and EL3 enablement code necessitates that it must be
called at el3_exit, which is the only place with enough context to make
the decision of what needs to be set.
Decouple them to allow them to be called from elsewhere. Also take
some time to clarify and simplify AMU code.
The sanity check in the context_restore() is now wrong, as the cpu may
turn off on suspend, thus resetting the value of the counter enables.
Remove it.
Finally, this completes the migration to cm_manage_extensions_el3() and
manage_extensions_nonsecure() so manage_extensions_nonsecure_mixed() is
being removed.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I66399132364c32be66017506bb54cbadd8485577
Combining the EL2 and EL3 enablement code necessitates that it must be
called at el3_exit, which is the only place with enough context to make
the decision of what needs to be set.
Decouple them to allow them to be called from elsewhere.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I147764c42771e7d4100699ec8fae98dac0a505c0
Currently, Measured Boot RSS driver gathers data from platform calls,
specifically RSS metadata. Generally, the driver should use the least
amount of platform calls possible, and the platform should provide the
data directly to the driver via the driver interface.
For this purpose, RSS Measured Boot driver interface APIs were updated
and platform calls were removed from RSS Measured Boot driver.
Change-Id: I6c797d9ac2d70215f32a084a7643884b399ee28c
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The FEAT_MTPMU feature disable runs very early after reset. This means,
it needs to be written in assembly, since the C runtime has not been
initialised yet.
However, there is no need for it to be initialised so soon. The PMU
state is only relevant after TF-A has relinquished control. The code
to do this is also very verbose and difficult to read. Delaying the
initialisation allows for it to happen with the rest of the PMU. Align
with FEAT_STATE in the process.
BREAKING CHANGE: This patch explicitly breaks the EL2 entry path. It is
currently unsupported.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I2aa659d026fbdb75152469f6d19812ece3488c6f
The enablement code for the PMU is scattered and difficult to track
down. Factor out the feature into its own lib/extensions folder and
consolidate the implementation. Treat it as an architecturally
mandatory feature, as it is currently.
Additionally, do some cleanup on AArch64. Setting overflow bits in
PMCR_EL0 is irrelevant for firmware so don't do it. Then delay the PMU
initialisation until the context management stage which simplifies the
early environment assembly. One side effect is that the PMU might count
before this happens so reset all counters to 0 to prevent any leakage.
Finally, add an enable to manage_extensions_realm() as realm world uses
the pmu. This introduces the HPMN fixup to realm world.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ie13a8625820ecc5fbfa467dc6ca18025bf6a9cd3
Make the default value for MTPME always be 1 to preserve the reset
behaviour on newer revisions; on older revisions where the bit is
RES0 it doesn't matter.
Before its introduction MDCR_EL3.MTPME was RES0. Upon its introduction
the field resets to 1, making the MTPMU architecturally "enabled". As
such, the logical action on TF-A's part is to "disable" it, which led to
the introduction of DISABLE_MTPMU.
This hinges on the assumption that MDCR_EL3.MTPME will always be 1
unless the above flag is set. Unfortunately this is not the case, as the
reset value is overwritten at reset with a macro that sets this bit to
0.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ie570774972f246b3aa41dc016ecbcc6fc2f581f6
manage_extensions_nonsecure() is problematic because it updates both
context and in-place registers (unlike its secure/realm counterparts).
The in-place register updates make it particularly tricky, as those
never change for the lifetime of TF-A. However, they are only set when
exiting to NS world. As such, all of TF-A's execution before that
operates under a different context. This is inconsistent and could cause
problems.
This patch introduces a real manage_extensions_nonsecure() which only
operates on the context structure. It also introduces a
cm_manage_extensions_el3() which only operates on in-place registers that
are not context switched. It is called in BL31's entrypoints so that all
of TF-A executes with the same environment once all features have been
converted.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ic579f86c41026d2054863ef44893e0ba4c591da9
Adjusted BL31 maximum size as per total SRAM size.
Change-Id: Ifdfdedb8af3e001cebba8e60c973f3c72be11652
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Adding basic CPU library code to support the Hermes CPU.
Change-Id: I61946033fe5fafb56ceb2d14d4c796d85b30457e
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
As the unit testing project uses the host machine GCC version to
compile, it is marking non-casted references as errors. This patch adds
the proper casting, so it compiles correctly for both Arm platforms and
host machines for unit testing.
Change-Id: Iee96e9117301ba28b6f164aac2cd36dc0f8b6be8
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
* changes:
feat(board/rdn2): enable base element RAM RAS support on RD-N2 platform
feat(plat/arm): add memory map entry for CPER memory region
feat(plat/arm): firmware first error handling support for base RAMs
feat(plat/arm): update common platform RAS implementation
feat(plat/sgi): remove RAS setup call from common code
refactor(plat/sgi): deprecate DMC-620 RAS support
fix(plat/common): register PLAT_SP_PRI only if not already registered
fix(plat/sgi): update PLAT_SP_PRI macro definition
fix(plat/arm): add RAS_FFH_SUPPORT check for RAS EHF priority
The current implementation of macro L/LL/UL/ULL concatenates the input
with "L"/"LL"/"UL"/"ULL" respectively.
In the case where a macro is passed to L/LL/UL/ULL as input,
the input macro name is concatenated with the suffix, rather than
the input macro being expanded first and then concatenated.
The implementation of L/LL/UL/ULL is modified to a two-level macro,
so as to concatenate to the expansion of a macro argument.
Change 5b33ad174a "Unify type of "cpu_idx" across PSCI module."
has modified the implementation of U() to two level macros without
changing the implementation of other macros.
Change-Id: Ie93d67dff5ce96223a3faf6c98b98fcda530fc34
Signed-off-by: Akshay Belsare <akshay.belsare@amd.com>
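Added example in C (not part of the patch above) showing why a one-level `##` paste swallows a macro argument unexpanded while the two-level form pastes onto its expansion; the names UL_ONE_LEVEL, UL_TWO_LEVEL and REGION_SIZE are hypothetical stand-ins for TF-A's UL() macro and a platform constant.

```c
#include <string.h>

/* Stringify helpers, themselves two-level so the argument is expanded first. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Single-level suffix macro: an operand of '##' is pasted before it is
 * expanded, so a macro name passed in becomes a bogus token "<name>UL". */
#define UL_ONE_LEVEL(x) x##UL

/* Two-level suffix macro: the outer layer expands its argument, then the
 * inner layer pastes the suffix onto the resulting literal. */
#define UL_(x) x##UL
#define UL_TWO_LEVEL(x) UL_(x)

/* A constant defined as a macro, as a platform header typically does
 * (constructed value for this example). */
#define REGION_SIZE 4096

/* Spelling of the token the preprocessor produced in each case. */
const char *one_level_token(void) { return STR(UL_ONE_LEVEL(REGION_SIZE)); }
const char *two_level_token(void) { return STR(UL_TWO_LEVEL(REGION_SIZE)); }

/* Only the two-level form yields a usable unsigned long constant;
 * UL_ONE_LEVEL(REGION_SIZE) would be an undeclared identifier here. */
unsigned long two_level_value(void) { return UL_TWO_LEVEL(REGION_SIZE); }

/* The two-level result is identical to writing the literal directly. */
int two_level_matches_literal(void) { return two_level_value() == 4096UL; }
```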
TF-A code supports SMCCC spec version 1.4 while the version is still kept
at 1.2. Bump up the version.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie5476c4601bd504d3f3e8433e1d672ebd0a758b1
Figuring out the naming format of errata is annoying, so add a shorthand
for the custom checker functions. Also add some more semantic macros
instead of passing around constants.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ibdcf72146738026df4ebd047bfb30790fd4a1053
Support memcpy_s for better security, to avoid overflowing the dest
while copying from src.
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
Change-Id: I63c3ea6a3e99c10d69be6bce04843c14b0a28a4d
* changes:
fix(spi-nand): add Quad Enable management
fix(st-clock): disabling CKPER clock is not functional on stm32mp13
fix(st-uart): skip console flush if UART is disabled
fix(st): flush UART at the end of uart_read()
fix(stm32mp1): use the BSEC nodes compatible for stm32mp13
fix(stm32mp13-fdts): correct the BSEC nodes compatible
fix(stm32mp1-fdts): move /omit-if-no-ref/ to overlay files
fix(stm32mp1): properly check PSCI functions return
Debugging assembly is painful as it is, and having no useful stack trace
does not help. Code must emit CFI directives whenever the stack moves to
enable stack traces. Otherwise, the layout of the stack frame is
ambiguous, the debugger gives up, and shows nothing. The compiler does
this automatically for C but not assembly.
Add this information to the (currently unused) func_prologue macro.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ief5fd672285df8d9d90fa6a2214b5c6e45eddd81
At the moment, TF-A does not need to access VAs or PAs larger than
48 bits, so this patch just enables proper detection of support
for 4KB and 16KB granularity with 52 bits address support.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Iccebbd5acc21f09dbb234ef21a802300e290ec18
* changes:
feat(fvp): mock support for CCA NV ctr
feat(auth): add CCA NV ctr to CCA CoT
feat(build): pass CCA NV ctr option to cert_create
feat(cert-create): add new option for CCA NV ctr
This patch adds a new optional member `pwr_domain_validate_suspend` to
the `plat_psci_ops_t` structure that allows a platform to optionally
perform platform specific validations in OS-initiated mode. This is
conditionally compiled into the build depending on the value of the
`PSCI_OS_INIT_MODE` build option.
In https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/17682,
the return type of the `pwr_domain_suspend` handler was updated from
`void` to `int` to allow a platform to optionally perform platform
specific validations in OS-initiated mode. However, when an error code
other than `PSCI_E_SUCCESS` is returned, the current exit path does not
undo the operations in `psci_suspend_to_pwrdown_start`, and as a result,
the system ends up in an unexpected state.
The fix in this patch prevents the need to undo the operations in
`psci_suspend_to_pwrdown_start`, by allowing the platform to first
perform any necessary platform specific validations before the PSCI
generic code proceeds to the point of no return where the CPU_SUSPEND
request is expected to complete successfully.
Change-Id: I05d92c7ea3f5364da09af630d44d78252185db20
Signed-off-by: Wing Li <wingers@google.com>
The framework currently supports the QE feature only for Macronix devices.
Kioxia devices also support this feature, but it cannot be set based on
the manufacturer ID, as Kioxia's first SPI NAND generation does not
support the QE feature while the second generation does.
Use a flag to manage QE feature. This flag will be added at board level
to manage the device.
Change-Id: I7a3683a2df8739967b17b4abbec32c51bf206b93
Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>