If RSS Comms is used but PLAT_MHU_VERSION was undefined then it should
default to MHUv2 to avoid breaking existing configurations which did not
need to specify PLAT_MHU_VERSION as on MHUv2 was available.
Change-Id: I8353b49b9f61414a664c2802f90ba3b2bc526887
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
* changes:
feat(mhu): use compile flag to choose mhu version
feat(mhu): add MHUv3 wrapper APIs for RSS comm driver
feat(mhu): add MHUv3 doorbell driver
* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level for region validity
feat(tc): add dummy TRNG support to be able to boot pVMs
feat(tc): get the parent component provided DPE context_handle
feat(tc): share DPE context handle with child component
feat(tc): add DPE context handle node to device tree
feat(tc): add DPE backend to the measured boot framework
feat(auth): add explicit entries for key OIDs
feat(dice): add DPE driver to measured boot
feat(dice): add client API for DICE Protection Environment
feat(dice): add QCBOR library as a dependency of DPE
feat(dice): add typedefs from the Open DICE repo
docs(changelog): add 'dice' scope
refactor(tc): align image identifier string macros
refactor(fvp): align image identifier string macros
refactor(imx8m): align image identifier string macros
refactor(qemu): align image identifier string macros
fix(measured-boot): add missing image identifier string
refactor(measured-boot): move metadata size macros to a common header
refactor(measured-boot): move image identifier strings to a common header
MHUv3 and MHUv2 drivers can now be selected at build time by using
PLAT_MHU_VERSION.
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: I24f9e05f7969ed3be8f3261fdfed881a4ad18ba4
RSS comm driver interfaces with MHUv3 driver through specific
API calls. Add APIs to support the interface.
Signed-off-by: Aziz IDOMAR <aziz.idomar@arm.com>
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Shriram K <shriram.k@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: I815d43ca548d3640fceb4c91fe3bbeec31687210
MHUv3 reworks parts of MHUv2 and introduces MHU extensions. There are
currently 3 extensions:
* Doorbell extension: which works like MHUv2
* FIFO extension: which uses a buffer for faster inband data transfer
* Fastchannel extension: for fast data transfer
Add MHUv3 driver with support for Doorbell extension for both postbox
sender MHUs and mailbox receiver MHUs.
Signed-off-by: Aziz IDOMAR <aziz.idomar@arm.com>
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Shriram K <shriram.k@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: Icf49df56f1159f4c9830e0ffcda5b3a4bea8d2fd
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
Modify the log level from WARNING to VERBOSE for the SDS region
validity check. An invalid region causes the initialization step
to fail, but normally it's only a temporary condition as the
actual initialization of the region (such as adding a valid region
descriptor structure) can happen asynchronously in another system
component. The goal of this tiny modification is to avoid flooding
the log with this message when we're waiting in a loop for the
region initialization to happen.
Change-Id: I180e35e25df3f31bbc816e6421ded17ba6ae1d85
Signed-off-by: David Vincze <david.vincze@arm.com>
Split the smmuv3_init() to separate smmuv3_security_init() from it in
order to allow skipping the default deny policy on reset for certain
SMMUv3 implementations.
Additionally, fix a couple of MISRA warnings.
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: I2127943e709dd1ded34145bd022c930e351bbb4a
The SMMU_S_INIT register definition in the Arm SMMUv3 specification
says that if SMMUv3 has REALM_IMPL == 1 then it is root firmware’s
responsibility to write to INV_ALL before enabling granule protection
checks. So fix this flow during smmuv3 init.
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: Ied9325e1658950c04f06c62485eeab3f28ca1285
* changes:
docs: update FVP TC2 model version and build (11.23/17)
fix(tc): increase BL2 maximum size limit
refactor(tc): update platform tests
feat(rss): add defines for 'type' range and use them in psa_call()
feat(rss): adjust parameter packing to match TF-M changes
refactor(tc): remap console logs
Extend the SDS driver to be able to handle multiple
SDS regions:
- AP-SCP
- AP-RSS
Change-Id: Id303840b248c383b3f960227cbf6333d1cc75e65
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
In gicv3_main.c the function is_sgi_ppi() returns true when its
sgi/ppi or false when the interrupt number matches an spi interrupt.
Introducing a new API is_valid_interrupt() which validates if
an interrupt number matches SGI/PPI or SPI as a valid interrupt,
any other interrupt number is considered invalid and panics.
Change-Id: Idce8f5432a94c8d300b9408cf5b2502c60e13318
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Fix the wrong placement of the closing parenthesis in the second
condition check that resulted in the incorrect calculation of the MHU
message size. Also, format the code for readability.
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I0e012f3ff00bae2dfc12cdb1c2c636fc6c0a0b55
The function mhu_get_max_message_size() for MHUv2 should return only the
available memory for use after considering all the overheads for its own
use.
Signed-off-by: Sathyam Panda <sathyam.panda@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I14ad16e8f4b781e396bca6173077513db74157d5
Reading the SCMI mailbox status in polling mode causes a burst of bus
accesses. On certain platforms, this would not be ideal as the shared
bus on the CPU subsystem might cause contentions across all the CPUs.
So allow platforms to specify a delay to be introduced while polling.
Change-Id: Ib90ad7b5954854071cfd543f4a27a178dde3d5c6
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Remove the dcc_console_init() function. The initialization function
is not being used and serves no purpose.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I056d09e153998d686d3b95ad39c563f797184c18
Add unregistration function for the JTAG DCC (Debug Communication
Channel) console.
The unregistration function flushes DCC buffer before unregistering
the dcc console to make sure that no output char is pending.
Since console_flush() flushes chars for all registered consoles on
the platform, which is not required in this case, dcc_console_flush()
is being called instead.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I6f15a07c6ee947dc0e7aa8fb069227618080e611
The JTAG DCC (Debug Communication Channel) console is primary used
for debugging that's why make no sense not to setup it up as crash
console too.
Change-Id: I16e5d83f8da721657b1a10609494f835b87e5578
Signed-off-by: Michal Simek <michal.simek@amd.com>
The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.
Currently, they are used interchangeably in GICv3 driver. It did not
cause any functional issues since the matching type and group had the
same value for corresponding macros. This patch makes the necessary
fixes.
The generic interrupt controller APIs, such as
plat_ic_set_interrupt_type map interrupt type to interrupt group
supported by the GICv3 IP. Similarly, other generic interrupt
controller APIs map interrupt group to interrupt type as needed.
This patch also changes the name of the helper functions to use group
rather than type for handling interrupts.
Change-Id: Ie2d88a3260c71e4ab9c8baacde24cc21e551de3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.
This patch changes the name of the helper functions to use group
rather than type for handling interrupts. No functional change in this
patch.
Change-Id: If13ec65cc6c87c2da73a3d54b033f02635ff924a
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Changes have been made in NPU firmware version 13 around error handling
which require some different register values to be set in AUXCTLR and
SYSCTRL1.
SiP service version number has been bumped up to 15 to reflect these
changes.
Change-Id: I6cda0048dc75df2150f7a0fe25f12ba6bf119ced
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
The build flags to enable the Arm(R) Ethos(TM)-N NPU driver are in arm
platform specific make files i.e. plat/arm/common/arm_common.mk. These
flags are renamed and moved to ethosn_npu.mk. Other source and make
files are changed to reflect the changes in these flags.
Signed-off-by: Rajasekaran Kalidoss <rajasekaran.kalidoss@arm.com>
Change-Id: I6fd20225343c574cb5ac1f0f32ff2fc28ef37ea6
The ID field populated for every FVP PWRC register interface must be
computed from the affinity level values from MPIDR.
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Change-Id: If1474fd25704911f8f717dafb419a0734b99a4ec
A newer version of the Arm(R) Ethos(TM)-N NPU firmware is now available,
and so the constants in the SiP service need updating.
Change-Id: I8eee7d543bac0a726c6161a16b3df90609f6b443
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
gicv3_get_multichip_base in case of GICV3_IMPL_GIC600_MULTICHIP flag
being set, only works if the id belongs to SPI range.
Moving invocation of the function after confirming that the
intr_num belongs to SPI range.
Signed-off-by: sahil <sahil@arm.com>
Change-Id: I429eb473a7aeccb30309b1ffa5994663393ba0a2
According to GIC-600 TRM, it supports up to 960 SPIs. With the
starting SPI_ID of 32, the maximum SPI_ID should be 991. This patch
fixes the value of GIC600_SPI_ID_MAX which is currently configured
to be 960.
Signed-off-by: sahil <sahil@arm.com>
Change-Id: I441f9a607d160db8533f2a03e02afd1a9bab991e
EL3's context is poorly defined as it is and polluting it further is not
a good idea. Put it back as it was before the function call.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I9d13c9517962b501246989fd2126d08410191784
This patch adds a helper API to explicitly refresh SBSA secure watchdog
timer. Please refer section A.3 of the following spec:
https://developer.arm.com/documentation/den0029/latest/
Change-Id: I2d0943792aea0092bee1e51d74b908348587e66b
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
To be able to further restrict the memory access for the Arm(R)
Ethos(TM)-N NPU, separate read-only and read/write NSAIDs for the
non-protected and protected memory have been added to the Juno
platform's TZMP1 TZC configuration for the NPU.
The platform definition has been updated accordingly and the NPU driver
will now only give read/write access to the streams that require it.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I5a173500fc1943a5cd406a3b379e1f1f554eeda6
When the Arm(R) Ethos(TM)-N NPU driver is built with TZMP1 support, the
NPU should use the firmware that has been loaded into the protected
memory by BL2. The Linux Kernel NPU driver in the non-secure world is
not allowed to configure the NPU to do this in a TZMP1 build so the SiP
service will now configure the NPU to boot with the firmware in the
protected memory.
BREAKING CHANGE: The Linux Kernel NPU driver can no longer directly
configure and boot the NPU in a TZMP1 build. The API version has
therefore been given a major version bump with this change.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I65d00f54b3ade3665d7941e270da7a3dec02281a
The SiP service for the Arm(R) Ethos(TM)-N NPU driver will now handle
setting up the address extension and attribute control for the NPU's
streams. The non-secure world will still be allowed to read the address
extension for stream0 but non-secure access to all other streams have
been removed.
The API version has been given a minor bump with this change to indicate
the added functionality.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I2b041ca4a0a2b5cd6344a4ae144f75e137c72592
The SiP service for the Arm(R) Ethos(TM)-N NPU driver will now handle
setting up the NPU's event and aux control registers during the SMC
reset call. The aux control register will no longer be accessible by the
non-secure world.
The API version has been given a minor bump with this change to indicate
the added functionality.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I5b099e25978aa4089c384eb17c5060c5b4eaf373
When the Arm(R) Ethos(TM)-N NPU firmware is loaded by BL2 into protected
memory, the Linux kernel NPU driver cannot access the firmware. To still
allow the kernel driver to access some information about the firmware,
SMC calls have been added so it can check compatibility and get the
necessary information to map the firmware into the SMMU for the NPU.
The API version has been given a minor version bump with this change to
indicate the added functionality.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: Idb076b7bcf54ed7e8eb39be80114dc1d1c45336d
Doing all the SMC call handling in a single function and using specific
names for the x1-4 parameters is no longer practical for upcoming
additions to the SiP service. Handling of the different SMC functions
have therefore been split into separate functions.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: If28da8df0f13c449d1fdb2bd9d792d818ec5e1af
When the Arm(R) Ethos(TM)-N NPU driver is built with TZMP1 support, it
will now validate the NPU firmware binary that BL2 is expected to load
into the protected memory location specified by
ARM_ETHOSN_NPU_IMAGE_BASE.
Juno has been updated with a new BL31 memory mapping to allow the SiP
service to read the protected memory that contains the NPU firmware
binary.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I633256ab7dd4f8f5a6f864c8c98a66bf9dfc37f3
The SiP service in the Arm(R) Ethos(TM)-N NPU driver requires that there
is at least one NPU available. If there is no NPU available, the driver
is either used incorrectly or the HW config is incorrect.
To ensure that the SiP service is not incorrectly used, a setup handler
has been added to the service that will validate that there is at least
one NPU available.
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I8139a652f265cfc0db4a37464f39f1fb92868e10
