This corrects the MISRA violation C2012-15.6:
The body of an iteration-statement or a selection-statement shall
be a compound-statement.
Enclosed statement body within the curly braces.
Change-Id: I66f957467bdee13052847f3e8c5ad6ae258c4222
Signed-off-by: Nithin G <nithing@amd.com>
Signed-off-by: Maheedhar Bollapalli <maheedharsai.bollapalli@amd.com>
* changes:
fix(rdn2): add LCA multichip data for RD-N2-Cfg2
fix(rdv3): add LCA multichip data for RD-V3-Cfg2
feat(gic): add support for local chip addressing
The function to use is now rse_mbx_init(), that does the same if
using MHU.
Change-Id: I712712d7d1bcd8c96d26951e176b877afb65209d
Signed-off-by: Yann Gautier <yann.gautier@st.com>
To be able to use RSE comms without MHU, a first step is to disentangle
the rse_comms.c file with MHU code direct calls. This is done with the
creation of a new file rse_comms_mhu.c. New APIs are created to
initialize the mailbox, get max message size and send and receive data.
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: I75dda77e1886beaa6ced6f92c311617125918cfa
In order to support a platform without MHU in RSE, update the flag
PLAT_MHU_VERSION. It is renamed PLAT_MHU and can take the following
entries: NO_MHU, MHUv1, MHUv2, MHUv3...
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Ia72e590088ce62ba8c9009f341b6135926947bee
Newer cores in upcoming platforms may refuse to power down. The PSCI
library is already prepared for this so convert platform code to also
allow this. This is simple - drop the `wfi` + panic and let common code
deal with the fallout. The end result will be the same (sans the
message) except the platform will have fewer responsibilities. The only
exception is for cores being signalled to power off gracefully ahead of
system reset. That path must also be terminal so replace the end with
the same psci_pwrdown_cpu_end() to behave the same as the generic
implementation. It will handle wakeups and panic, hoping that the system
gets reset from under it. The dmb is upgraded to a dsb so no functional
change.
Change-Id: I381f96bec8532bda6ccdac65de57971aac42e7e8
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
This patch adds support for Local Chip Addressing (LCA). In a multi-chip
system, enablig LCA allows each GIC Distributor to maintain its own
version of routing table. This feature is activated when the
GICD_CFGID.LCA bit is set to 1.
The existing `gic600_multichip_data` data structure did not account for
the LCA feature. To support LCA:
- `rt_owner_base` is replaced by `base_addrs[]`. This is required
because each GICD in the system needs to be configured independently,
and their base addresses must be passed to the driver.
- `chip_addrs` is changed from 1D to 2D array to store the routing table
for each chip's GICD. The entries in `chip_addrs` are configuration
dependent, as the GIC specification does not enforce this.
On a multi-chip platform with chip count N where LCA is enabled by
default, the `gic600_multichip_data` structure should contain all copies
of the routing table (N*N entries). On platforms where LCA is not
supported, only the first sub-array with N entries is required. The
function signature of `gic600_multichip_init` remains unchanged, but if
the LCA feature is enabled, the driver will expect the routing table
configuration in the described format.
Change-Id: I8830c2cf90db6a0cae78e99914cd32c637284a2b
Signed-off-by: Jerry Wang <Jerry.Wang4@arm.com>
On some platforms plat_my_core_pos is a nontrivial function that takes a
bit of time and the compiler really doesn't like to inline. In the PSCI
library, at least, we have no need to keep repeatedly calling it and we
can instead pass it around as an argument. This saves on a lot of
redundant calls, speeding the library up a bit.
Change-Id: I137f69bea80d7cac90d7a20ffe98e1ba8d77246f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
In the SMMU root port programming model, changing both
SMMU_ROOT_CR0.GPCEN and ACCESSEN bits in the same MMIO write operation
is permitted by the architecture but left to the SMMU IP implementation
to determine the order of completing one or the other operation.
Enforce more determinism by setting CR0.GPCEN, wait for CR0ACK.GPCEN
completion, then setting CR0.ACCESSEN and wait for CR0ACK.ACCESSEN
completion.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I36ba5fbc13d06c6243226008d18a2d57477b0d28
DCC driver to support boot and runtime console scope
switch for dedicated boot and runtime consoles.
Change-Id: I7769dc44860a5fda99ca42ce17a3a6009288d7e7
Signed-off-by: Maheedhar Bollapalli <MaheedharSai.Bollapalli@amd.com>
When initialising a GICv3 compatible interrupt controller, we currently
assume that the GIC is still in its reset state, which means
the GICR_WAKER.ProcessorSleep bit is set. There is an "assert" in the
GIC setup function to check this.
However when using RESET_TO_BL31, there might be prior firmware running,
and it might have used the GIC already. This is for instance the case on
the Allwinner A523 SoC, where the BootROM initialises the GIC to use it
when handling the built-in USB debug protocol.
Drop the assert, which is not the right thing to do here anyway: it's
not checking an internal state. Instead return early when the
redistributor is already marked as active.
Also keep waiting if ChildrenAsleep is unexpectedly set, but warn about
this.
This fixes booting TF-A on an Allwinner A523 SoC when using the USB
debug mode.
Change-Id: I5be9e1b0489d33b8371fff484e526483d5f3d937
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Per GIC architecture version 3 and version 4, Where the GICR_CTRL.EnableLPIs
remains programmable:
- Software must observe GICR_CTLR.RWP==0 after clearing GICR_CTLR.EnableLPIs
from 1 to 0 before writing GICR_PENDBASER or GICR_PROPBASER, otherwise
behavior is UNPREDICTABLE.
- Software must observe GICR_CTLR.RWP==0 after clearing GICR_CTLR.EnableLPIs
from 1 to 0 before setting GICR_CTLR.EnableLPIs to 1, otherwise behavior is
UNPREDICTABLE.
After changing EnableLPIs from 1 to 0, wait RWP got cleared, otherwise
setting EnableLPIs from 0 to 1 may fail.
Reviewed-by: Jacky Bai <ping.bai@nxp.com>
Tested-by: Clark Wang <xiaoning.wang@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Change-Id: I6aaf96dc9984376de9399d0dac8a8504ba095149
The GICR_WAKER.Sleep and GICR_WAKE.Quiescent functionality is solely
about flushing out the LPI cache and ensuring that the contents are
consistent with external memory.
Hence, as shown in GIC-700 TRM version r3p0, software must poll for
Quiescent bit only if LPIs are supported.
Change-Id: I7d69b208428e24d8a3ff30e81bd1a8ee3d0bda6e
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
After disabling assertion with -DENABLE_ASSERTIONS=0, the build reports
error:
drivers/arm/mhu/mhu_wrapper_v3_x.c: In function 'mhu_get_max_message_size':
drivers/arm/mhu/mhu_wrapper_v3_x.c:448:31: error: variable 'err' set but not used [-Werror=unused-but-set-variable]
enum mhu_v3_x_error_t err;
^~~
This commit fixes the building failure by making the variable 'err' as
__maybe_unused.
Change-Id: I338e6df03d2f0805c83e96d8e3a4abae41e68678
Signed-off-by: Leo Yan <leo.yan@arm.com>
Unless platforms include lib/psa into platform specific makefile the
rse_comms throws build error on its own:
CC drivers/arm/rse/rse_comms_protocol.c
drivers/arm/rse/rse_comms.c:13:10: fatal error: psa/client.h: No such file or directory
13 | #include <psa/client.h>
So add PLAT_INCLUDES entry to include the lib/psa to rse_comms.mk.
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: I4cbcbbaf20285990239d605f0b3b3dc92bea61e6
Adds driver support to preserve DSU PMU register values over a DSU
power cycle. This driver needs to be enabled by the platforms that
support DSU and also need it's PMU registers to be preserved
Change-Id: I7fc68a3d7d99ee369379aa5cd114fffc763fc0d2
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
In this patch, we are trying to introduce the wrapper macro
CREATE_FEATURE_PRESENT to get the following capability and
align it for all the features:
-> is_feat_xx_present(): Does Hardware implement the feature.
-> uniformity in naming the function across multiple features.
-> improved readability
The is_feat_xx_present() is implemented to check if the hardware
implements the feature and does not take into account the
ENABLE_FEAT_XXX flag enabled/disabled in software.
- CREATE_FEATURE_PRESENT(name, idreg, shift, mask, idval)
The wrapper macro reduces the function to a single line and
creates the is_feat_xx_present function that checks the
id register based on the shift and mask values and compares
this against a determined idvalue.
Change-Id: I7b91d2c9c6fbe55f94c693aa1b2c50be54fb9ecc
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Changes all occurrences of "RSS" and "rss" in the code and build files
to "RSE" and "rse".
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I9f72ad36ec233d7eaac3ce9e2f2b010130e1fa94
If RSS Comms is used but PLAT_MHU_VERSION was undefined then it should
default to MHUv2 to avoid breaking existing configurations which did not
need to specify PLAT_MHU_VERSION as on MHUv2 was available.
Change-Id: I8353b49b9f61414a664c2802f90ba3b2bc526887
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
* changes:
feat(mhu): use compile flag to choose mhu version
feat(mhu): add MHUv3 wrapper APIs for RSS comm driver
feat(mhu): add MHUv3 doorbell driver
* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level for region validity
feat(tc): add dummy TRNG support to be able to boot pVMs
feat(tc): get the parent component provided DPE context_handle
feat(tc): share DPE context handle with child component
feat(tc): add DPE context handle node to device tree
feat(tc): add DPE backend to the measured boot framework
feat(auth): add explicit entries for key OIDs
feat(dice): add DPE driver to measured boot
feat(dice): add client API for DICE Protection Environment
feat(dice): add QCBOR library as a dependency of DPE
feat(dice): add typedefs from the Open DICE repo
docs(changelog): add 'dice' scope
refactor(tc): align image identifier string macros
refactor(fvp): align image identifier string macros
refactor(imx8m): align image identifier string macros
refactor(qemu): align image identifier string macros
fix(measured-boot): add missing image identifier string
refactor(measured-boot): move metadata size macros to a common header
refactor(measured-boot): move image identifier strings to a common header
MHUv3 and MHUv2 drivers can now be selected at build time by using
PLAT_MHU_VERSION.
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: I24f9e05f7969ed3be8f3261fdfed881a4ad18ba4
RSS comm driver interfaces with MHUv3 driver through specific
API calls. Add APIs to support the interface.
Signed-off-by: Aziz IDOMAR <aziz.idomar@arm.com>
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Shriram K <shriram.k@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: I815d43ca548d3640fceb4c91fe3bbeec31687210
MHUv3 reworks parts of MHUv2 and introduces MHU extensions. There are
currently 3 extensions:
* Doorbell extension: which works like MHUv2
* FIFO extension: which uses a buffer for faster inband data transfer
* Fastchannel extension: for fast data transfer
Add MHUv3 driver with support for Doorbell extension for both postbox
sender MHUs and mailbox receiver MHUs.
Signed-off-by: Aziz IDOMAR <aziz.idomar@arm.com>
Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
Signed-off-by: Shriram K <shriram.k@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Joel Goddard <joel.goddard@arm.com>
Change-Id: Icf49df56f1159f4c9830e0ffcda5b3a4bea8d2fd
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
Modify the log level from WARNING to VERBOSE for the SDS region
validity check. An invalid region causes the initialization step
to fail, but normally it's only a temporary condition as the
actual initialization of the region (such as adding a valid region
descriptor structure) can happen asynchronously in another system
component. The goal of this tiny modification is to avoid flooding
the log with this message when we're waiting in a loop for the
region initialization to happen.
Change-Id: I180e35e25df3f31bbc816e6421ded17ba6ae1d85
Signed-off-by: David Vincze <david.vincze@arm.com>
Split the smmuv3_init() to separate smmuv3_security_init() from it in
order to allow skipping the default deny policy on reset for certain
SMMUv3 implementations.
Additionally, fix a couple of MISRA warnings.
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: I2127943e709dd1ded34145bd022c930e351bbb4a
The SMMU_S_INIT register definition in the Arm SMMUv3 specification
says that if SMMUv3 has REALM_IMPL == 1 then it is root firmware’s
responsibility to write to INV_ALL before enabling granule protection
checks. So fix this flow during smmuv3 init.
Signed-off-by: Vivek Gautam <vivek.gautam@arm.com>
Change-Id: Ied9325e1658950c04f06c62485eeab3f28ca1285
* changes:
docs: update FVP TC2 model version and build (11.23/17)
fix(tc): increase BL2 maximum size limit
refactor(tc): update platform tests
feat(rss): add defines for 'type' range and use them in psa_call()
feat(rss): adjust parameter packing to match TF-M changes
refactor(tc): remap console logs
Extend the SDS driver to be able to handle multiple
SDS regions:
- AP-SCP
- AP-RSS
Change-Id: Id303840b248c383b3f960227cbf6333d1cc75e65
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
In gicv3_main.c the function is_sgi_ppi() returns true when its
sgi/ppi or false when the interrupt number matches an spi interrupt.
Introducing a new API is_valid_interrupt() which validates if
an interrupt number matches SGI/PPI or SPI as a valid interrupt,
any other interrupt number is considered invalid and panics.
Change-Id: Idce8f5432a94c8d300b9408cf5b2502c60e13318
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Fix the wrong placement of the closing parenthesis in the second
condition check that resulted in the incorrect calculation of the MHU
message size. Also, format the code for readability.
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I0e012f3ff00bae2dfc12cdb1c2c636fc6c0a0b55
The function mhu_get_max_message_size() for MHUv2 should return only the
available memory for use after considering all the overheads for its own
use.
Signed-off-by: Sathyam Panda <sathyam.panda@arm.com>
Signed-off-by: Vijayenthiran Subramaniam <vijayenthiran.subramaniam@arm.com>
Change-Id: I14ad16e8f4b781e396bca6173077513db74157d5
Reading the SCMI mailbox status in polling mode causes a burst of bus
accesses. On certain platforms, this would not be ideal as the shared
bus on the CPU subsystem might cause contentions across all the CPUs.
So allow platforms to specify a delay to be introduced while polling.
Change-Id: Ib90ad7b5954854071cfd543f4a27a178dde3d5c6
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Remove the dcc_console_init() function. The initialization function
is not being used and serves no purpose.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I056d09e153998d686d3b95ad39c563f797184c18
Add unregistration function for the JTAG DCC (Debug Communication
Channel) console.
The unregistration function flushes DCC buffer before unregistering
the dcc console to make sure that no output char is pending.
Since console_flush() flushes chars for all registered consoles on
the platform, which is not required in this case, dcc_console_flush()
is being called instead.
Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Change-Id: I6f15a07c6ee947dc0e7aa8fb069227618080e611
The JTAG DCC (Debug Communication Channel) console is primary used
for debugging that's why make no sense not to setup it up as crash
console too.
Change-Id: I16e5d83f8da721657b1a10609494f835b87e5578
Signed-off-by: Michal Simek <michal.simek@amd.com>
The generic interrupt controller identifies an interrupt based on its
type whereas the GIC uses the notion of groups to identify an
interrupt.
Currently, they are used interchangeably in GICv3 driver. It did not
cause any functional issues since the matching type and group had the
same value for corresponding macros. This patch makes the necessary
fixes.
The generic interrupt controller APIs, such as
plat_ic_set_interrupt_type map interrupt type to interrupt group
supported by the GICv3 IP. Similarly, other generic interrupt
controller APIs map interrupt group to interrupt type as needed.
This patch also changes the name of the helper functions to use group
rather than type for handling interrupts.
Change-Id: Ie2d88a3260c71e4ab9c8baacde24cc21e551de3d
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
