SVE and SME aren't enabled symmetrically for all worlds, but EL3 needs
to context switch them nonetheless. Previously, this had to happen by
writing the enable bits just before reading/writing the relevant
context. But since the introduction of root context, this need not be
the case. We can have these enables always be present for EL3 and save
on some work (and ISBs!) on every context switch.
We can also hoist ZCR_EL3 to a never changing register, as we set its
value to be identical for every world, which happens to be the one we
want for EL3 too.
Change-Id: I3d950e72049a298008205ba32f230d5a5c02f8b0
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
The current code is incredibly resilient to updates to the spec and
has worked quite well so far. However, recent implementations expose a
weakness in that this is rather slow. A large part of it is written in
assembly, making it opaque to the compiler for optimisations. The
future proofness requires reading registers that are effectively
`volatile`, making it even harder for the compiler, as well as adding
lots of implicit barriers, making it hard for the microarchitecutre to
optimise as well.
We can make a few assumptions, checked by a few well placed asserts, and
remove a lot of this burden. For a start, at the moment there are 4
group 0 counters with static assignments. Contexting them is a trivial
affair that doesn't need a loop. Similarly, there can only be up to 16
group 1 counters. Contexting them is a bit harder, but we can do with a
single branch with a falling through switch. If/when both of these
change, we have a pair of asserts and the feature detection mechanism to
guard us against pretending that we support something we don't.
We can drop contexting of the offset registers. They are fully
accessible by EL2 and as such are its responsibility to preserve on
powerdown.
Another small thing we can do, is pass the core_pos into the hook.
The caller already knows which core we're running on, we don't need to
call this non-trivial function again.
Finally, knowing this, we don't really need the auxiliary AMUs to be
described by the device tree. Linux doesn't care at the moment, and any
information we need for EL3 can be neatly placed in a simple array.
All of this, combined with lifting the actual saving out of assembly,
reduces the instructions to save the context from 180 to 40, including a
lot fewer branches. The code is also much shorter and easier to read.
Also propagate to aarch32 so that the two don't diverge too much.
Change-Id: Ib62e6e9ba5be7fb9fb8965c8eee148d5598a5361
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
MPMM is a core-specific microarchitectural feature. It has been present
in every Arm core since the Cortex-A510 and has been implemented in
exactly the same way. Despite that, it is enabled more like an
architectural feature with a top level enable flag. This utilised the
identical implementation.
This duality has left MPMM in an awkward place, where its enablement
should be generic, like an architectural feature, but since it is not,
it should also be core-specific if it ever changes. One choice to do
this has been through the device tree.
This has worked just fine so far, however, recent implementations expose
a weakness in that this is rather slow - the device tree has to be read,
there's a long call stack of functions with many branches, and system
registers are read. In the hot path of PSCI CPU powerdown, this has a
significant and measurable impact. Besides it being a rather large
amount of code that is difficult to understand.
Since MPMM is a microarchitectural feature, its correct placement is in
the reset function. The essence of the current enablement is to write
CPUPPMCR_EL3.MPMM_EN if CPUPPMCR_EL3.MPMMPINCTL == 0. Replacing the C
enablement with an assembly macro in each CPU's reset function achieves
the same effect with just a single close branch and a grand total of 6
instructions (versus the old 2 branches and 32 instructions).
Having done this, the device tree entry becomes redundant. Should a core
that doesn't support MPMM arise, this can cleanly be handled in the
reset function. As such, the whole ENABLE_MPMM_FCONF and platform hooks
mechanisms become obsolete and are removed.
Change-Id: I1d0475b21a1625bb3519f513ba109284f973ffdf
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Statically allocate 'gpt_bitlock' array of fine-grained
'bitlock_t' data structures in arm_bl31_setup.c.
The amount of memory needed for this array is controlled
by 'RME_GPT_BITLOCK_BLOCK' build option and 'PLAT_ARM_PPS'
macro defined in platform_def.h which specifies the size
of protected physical address space in bytes.
'PLAT_ARM_PPS' takes values from 4GB to 4PB supported by
Arm architecture.
Change-Id: Icf620b5039e45df6828d58fca089cad83b0bc669
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
- Add PCIe and SMMUv3 related information to DTS for
configurations with ENABLE_RME=1.
- Add entries for PCIe IO memory regions to Boot manifest
- Update RMMD_MANIFEST_VERSION_MINOR from 3 to 4.
- Read PCIe related information from DTB and write it to
Boot manifest.
- Rename structures that used to describe DRAM layout
and now describe both DRAM and PCIe IO memory regions:
- ns_dram_bank -> memory_bank
- ns_dram_info -> memory_info.
Change-Id: Ib75d1af86076f724f5c330074e231f1c2ba8e21d
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
* This patch adds some details on the EL3/Root-Context
and its related interfaces.
* Additionally it updates the existing details on the
interfaces, related to various CPU context entries which
have been improvised recently.
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I81a992fe09feca4dc3d579a48e54a4763425e052
Add documentation for the feature where EL3 can be used to sign realm
attestation token requests using RMM_EL3_TOKEN_SIGN command.
This patch also adds documentation for the RMM_EL3_FEATURES features
command that can be used to discover support for features such as
RMM_EL3_TOKEN_SIGN.
Change-Id: Iab5a157761ed17931210c3702f813198fc9c4b3a
Signed-off-by: Raghu Krishnamurthy <raghupathyk@nvidia.com>
Remove all instances of macros CTX_INCLUDE_MTE_REGS and FEAT_MTE
since these have been deprecated in v2.11
Change-Id: I7838a865755326f03668e43768140929a2d9e418
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
The support for runtime-model has never been implemented by any SPMC.
Hence, remove the corresponding field from binding document.
Also, fix the incorrect description of the `managed-exit-virq` property.
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Change-Id: I0a5ef3f08202a8c76edd9a6e1ac680ac3a38ca60
When this is provided in the partition manifest, it should be added to
the load address to get the base address of the region.
Signed-off-by: Davidson K <davidson.kumaresan@arm.com>
Change-Id: Ib6d3d6a29af0a3eb87fac67c58220ba25342e1cd
Until now, the attestation token size was limited by the size of the
shared buffer between RMM and TF-A. With this change, RMM can now
request the token in pieces, so they fit in the shared buffer. A new
output parameter was added to the SMC call, which will return (along
with the size of bytes copied into the buffer) the number of bytes
of the token that remain to be retrieved.
TF-A will keep an offset variable that will indicate the position in
the token where the next call will retrieve bytes from. This offset
will be increased on every call by adding the number number of bytes
copied. If the received hash size is not 0, TF-A will reset the
offset to 0 and copy from that position on.
The SMC call will now return at most the size of the shared buffer
in bytes on every call. Therefore, from now on, multiple SMC calls
may be needed to be issued if the token size exceeds the shared
buffer size.
Change-Id: I591f7013d06f64e98afaf9535dbea6f815799723
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Fixed a few typos in the cot binding document.
Change-Id: I043187b3f4b516db944e82569307834df2c3c72a
Signed-off-by: sah01 <sahil@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
* changes:
feat(tc): enable trbe errata flags for Cortex-A520 and X4
feat(cm): asymmetric feature support for trbe
refactor(errata-abi): move EXTRACT_PARTNUM to arch.h
feat(cpus): workaround for Cortex-A520(2938996) and Cortex-X4(2726228)
feat(tc): make SPE feature asymmetric
feat(cm): handle asymmetry for SPE feature
feat(cm): support for asymmetric feature among cores
feat(cpufeat): add new feature state for asymmetric features
Introduce a new feature state CHECK_ASYMMETRIC to cater for the features
which are asymmetric across cores. This state is useful for platforms
which has architectural asymmetric cores (A feature is only present in
one type of core e.g. big).
This state is similar to FEAT_STATE_CHECK (dynamic detection) except
that feature state is also checked on each core during warmboot path and
override the context (just for asymmetric features) which was setup by
core executing CPU_ON call.
Only Non-secure context will be re-checked as secure and realm context
is created on same core.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ic78a0b6ca996e0d7881c43da1a6a0c422f528ef3
The problem that this resolves is a bit involved; the following
must be met at the same time for some function <to_be_wrapped>:
* to_be_wrapped must be specified as part of the romlib
* to_be_wrapped must _not_ be referenced by any translation unit
in TF-A
* to_be_wrapped must be referenced by a translation unit in a
dependent library, mbedtls for example.
Under these circumstances, to_be_wrapped will not be wrapped, and
will instead reference its original definition while simultaneously
residing in romlib.
This is a side effect of two issues with romlib prior to this patch:
1 to_be_wrapped is expected to wrap by duplicating its definition.
This causes any condition that links against both the base and
wrapper functions to be a link error (duplicate symbol definition).
2 to_be_wrapped is in its own translation unit
This causes the wrappers to be used by TF-A in an as needed.
The duplicate function definitions can be worked around using the
linker's `--wrap` flag, which redirects all references to a symbol
to resolve to `__wrap_<symbol>` and the original symbol to be
available as `__real_<symbol>`. Most of the changes handle creating
this arguments and passing them to the linker.
Further, once you use the linker's wrap, you will encounter another
issue: if TF-A does not use a function, its wrapper is not present.
This causes link issues when a library and not TF-A uses the wrapper.
Note that this issue would have been resolved previously by ignoring
the wrapper and using the base definition.
This further issue is worked around by concatenating the assembly for
all of the wrappers into a single translation unit. It's possible to
work around this issue in a few other ways, including reordering the
libraries passed to the linker to place libwrapper.a last or grouping
the libraries so that symbols from later libraries may be resolved
with prior libraries.
I chose the translation unit concatenation approach as it revealed
that a jumptable has duplicate symbols within it.
Change-Id: Ie57b5ae69bde2fc8705bdc7a93fae3ddb5341ed9
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
SPs can subscribe to get notified when a VM is created or destroyed.
This patch adds a binding to the SP manifest to represent this.
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
Change-Id: Ib23655575f471a22bcf261f70f2c4124a3f292c3
In order to avoid the complexity of supporting value types smaller
than u32 and avoid discrepancies for the various manifest fields
among different projects, the value type for relevant fields are
upgraded to u32.
Change-Id: Ib033019b3b8c26bf4b8b50f89b7a6d1a772e5e51
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Various SPMC projects within trustefirmware.org have decided to adhere
to a common FF-A manifest binding document. The one hosted in the
readthedocs portal of TF-A project will be considered as the reference.
Hence, this binding document is updated to reflect new additions made
to binding document hosted in Hafnium project. Eventually, all other
binding document are going to be removed.
Also, few fields were incorrectly identified as mandatory. Necessary
corrections are made in this patch.
Change-Id: I2eadd77487c770e49605285bbd72027c5e72e385
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
All the relevant documentation for Hafnium as the chosen Secure
Partition Manager has been moved to hafnium project[1].
This patch removes the redundant sections without any loss of
information.
This patch adds links to documentation of each of the SPM projects.
[1] https://hafnium.readthedocs.io/en/latest/secure-partition-manager/index.html
Change-Id: I52caf7dc50f4aa253c68309cac0915b7d368939d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch updates GPT library design documentation
with the changes introduced by patches which add
support for large GPT mappings and configuration of
memory size protected by bitlock.
Change-Id: I1f97fa8f003deb07a5f32b7237c1927581a788c8
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
This patch adds some documentation for the context management library.
It mainly covers the design at a higher level, with more focus on
the cold boot and warm boot entries as well as the operations
involved during context switch. Further it also includes a section
on feature enablement for individual world contexts.
Change-Id: I77005730f4df7f183f56a2c6dd04f6362e813c07
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
With addition of vendor-specific el3 monitor service calls debugfs and
pmf are moved from arm-sip to vendor-specific el3 range.
Going forward any changes to SMCCC services can be captured from docs
file table.
Use one FID allocated per sub-feature to track changes in sub-feature.
Modify top level version only when we break version probing or
discovery.
Change-Id: I14ceeab79f29ae57a5d7c523147f6ecaa5574f79
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Move pmf support to vendor-specific EL3 Monitor Service Calls. Remove
pmf call count as it's not supported in vendor-specific el3 as per
SMCCC Documentation 1.5:
https://developer.arm.com/documentation/den0028/latest
Add a deprecation notice to inform PMF is moved from arm-sip range to
vendor-specific EL3 range. PMF support from arm-sip range will be
removed and will not available after TF-A 2.12 release.
Change-Id: Ie1e14aa601d4fc3db352cd5621d842017a18e9ec
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Move debugfs to Vendor-Specific EL3 Monitor Service Calls.
Function Identifier for Vendor-Specific EL3 Monitor Service is '7' and
allocated subranges of Function identifiers to different services are:
0x87000000-0x8700FFFF-SMC32: Vendor-Specific EL3 Monitor Service Calls
0xC7000000-0xC700FFFF-SMC64: Vendor-Specific EL3 Monitor Service Calls
Amend Debugfs FID's to use this range and id.
Add a deprecation notice to inform debugfs moved from arm-sip range to
Vendor-Specific EL3 range. Debugfs support from arm-sip range will be
removed and will not be available after TF-A 2.12 release.
Reference to debugfs component level documentation:
https://trustedfirmware-a.readthedocs.io/en/latest/components/debugfs-design.html#overview
Change-Id: I97a50170178f361f70c95ed0049bc4e278de59d7
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Add support for vendor-specific el3 service. SMCCC 1.5 introduces
support for vendor-specific EL3 monitor calls.
SMCCC Documentation reference:
https://developer.arm.com/docs/den0028/latest
Change-Id: Id8bc43842eecdb7a8a2ec7f31a631e88fe4fe0b4
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Document bindings for TB_FW_CONFIG that are common between platforms.
Since the information this device tree type contains pertains to
firmware specific properties, we do not expect that the document will
cover all uses, nor do we promise backward compatiblity.
Change-Id: I0e850c13b77cc62940ab5020a15bf8e503568ed8
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
There's a typo in the romlib design document when referring to
the generator script. It should be romlib_generator.py instead
of romlib_generate.py so fixed this typo.
Change-Id: I6db7ee66b13c2b0b9d8511da7e0d1b058366281b
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This change adds documentation for the console_list and
console_info structures added to the RMM Boot Manifest v0.3.
Signed-off-by: Harry Moulton <harry.moulton@arm.com>
Change-Id: I3a4f9a4f1d34259bc69c0ab497cbfbc268d7a994
Currently both FEAT_MTE and FEAT_MTE_PERM aren't used for enabling
of any feature bits in EL3. So remove both FEAT handling.
All mte regs that are currently context saved/restored are needed
only when FEAT_MTE2 is enabled, so move to usage of FEAT_MTE2 and
remove FEAT_MTE usage.
BREAKING CHANGE: Any platform or downstream code trying to use
SCR_EL3.ATA bit(26) will see failures as this is now moved to be
used only with FEAT_MTE2 with
commit@ef0d0e5478a3f19cbe70a378b9b184036db38fe2
Change-Id: Id01e154156571f7792135639e17dc5c8d0e17cf8
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
Update the links for accessing the FWU Multi Bank update specification
to point to the latest revision of the specification.
Change-Id: I25f35556a94ca81ca0a7463aebfcbc2d84595e8f
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
In RME documentation use "bp.secure_memory=0" to disable TZC,
and avoid conflicts with SPM in 4-world configuration.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I532bca8ab3bd3e6d4f18b5aa7e848c533e016f39
As of now, GPT setup is being handled from BL2 for plat/arm platforms.
However, for platforms having a separate entity to load firmware images,
it is possible for BL31 to setup the GPT. In order to address this
concern, move the GPT setup implementation from arm_bl2_setup.c file to
arm_common.c. Additionally, rename the API from arm_bl2_gpt_setup to
arm_gpt_setup to make it boot stage agnostic.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I35d17a179c8746945c69db37fd23d763a7774ddc
For RME-enabled platforms, initializing L0 and L1 tables and enabling
GPC checks is necessary. For systems using BL2 to load firmware images,
the GPT initialization has to be done in BL2 prior to the image load.
The common Arm platform code currently implements this in the
"arm_bl2_plat_gpt_setup" function, relying on the FVP platform's
specifications (PAS definitions, GPCCR_PPS, and GPCCR_PGS).
Different Arm platforms may have distinct PAS definitions, GPCCR_PPS,
GPCCR_PGS, L0/L1 base, and size. To accommodate these variations,
introduce the "plat_arm_get_gpt_info" API. Platforms must implement
this API to provide the necessary data for GPT setup on RME-enabled
platforms. It is essential to note that these additions are relevant to
platforms under the plat/arm hierarchy that will reuse the
"arm_bl2_plat_gpt_setup" function.
As a result of these new additions, migrate data related to the FVP
platform to its source and header files.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I4f4c8894c1cda0adc1f83e7439eb372e923f6147
Currently CTX_INCLUDE_MTE_REGS is used for dual purpose,
to enable allocation tags register and to context save and restore
them and also to check if mte feature is available.
To make it more meaningful, remove CTX_INCLUDE_MTE_REGS
and introduce FEAT_MTE. This would enable allocation tags register
when FEAT_MTE is enabled and also supported from platform.
Also arch features can be conditionally enabled disabled based on
arch version from `make_helpers/arch_features.mk`
Change-Id: Ibdd2d43874634ad7ddff93c7edad6044ae1631ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Update CoT binding documentation to add the signing-key property
as optional in root-certificates and add rot_keys node
Change-Id: I1d1fbc0394275520cfa43213d5b7006e51990fdd
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Add details about RAS error handling philosophies and its implementation
It also updates the tests introduced to verify them.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iedc8c1e713dad05baadd58e5752df36fa00121a7
This patch removes RAS_FFH_SUPPORT macro which is the combination of
ENABLE_FEAT_RAS and HANDLE_EA_EL3_FIRST_NS. Instead introduce an
internal macro FFH_SUPPORT which gets enabled when platforms wants
to enable lower EL EA handling at EL3. The internal macro FFH_SUPPORT
will be automatically enabled if HANDLE_EA_EL3_FIRST_NS is enabled.
FFH_SUPPORT along with ENABLE_FEAT_RAS will be used in source files
to provide equivalent check which was provided by RAS_FFH_SUPPORT
earlier. In generic code we needed a macro which could abstract both
HANDLE_EA_EL3_FIRST_NS and RAS_FFH_SUPPORT macros that had limitations.
Former was tied up with NS world only while the latter was tied to RAS
feature.
This is to allow Secure/Realm world to have their own FFH macros
in future.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie5692ccbf462f5dcc3f005a5beea5aa35124ac73
As the SEL2 SPMC design doc is migrated to Hafnium tree, remove the
reference to this implementation from TF-A's SPM-MM doc.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1609c7d1d098420412dffc7b1309cc9c11502f8a
Introduce a build flag for enabling the support for loading SEL0 SP in
EL3 SPMC.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Change-Id: I1d63ae4d0d8374a732113565be90d58861506e39
Rather than returning 0 or 1, the above function returns bool false
or true. No functional change.
Change-Id: Iea904ffc368568208fa8203e0d2e0cdaa500b1e0
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Deprecate pack_realm build command for TFTF.
To build Realm payload tests use ENABLE_REALM_PAYLOAD_TESTS=1.
This new command line for TFTF is effective from SHA 9945bef6b
in tf-a-tests repo.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: Iee9ac9b2b367aac50677fac95631e7e4818cdf3a
