In preparation for RPi 5 support, which will reuse most of the RPi 4
logic except for DTB patching.
Change-Id: I6f6ef96933711a1798757a3389adae1b8ee3de6c
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
* changes:
feat(tc): group components into certificates
feat(dice): add cert_id argument to dpe_derive_context()
refactor(sds): modify log level for region validity
feat(tc): add dummy TRNG support to be able to boot pVMs
feat(tc): get the parent component provided DPE context_handle
feat(tc): share DPE context handle with child component
feat(tc): add DPE context handle node to device tree
feat(tc): add DPE backend to the measured boot framework
feat(auth): add explicit entries for key OIDs
feat(dice): add DPE driver to measured boot
feat(dice): add client API for DICE Protection Environment
feat(dice): add QCBOR library as a dependency of DPE
feat(dice): add typedefs from the Open DICE repo
docs(changelog): add 'dice' scope
refactor(tc): align image identifier string macros
refactor(fvp): align image identifier string macros
refactor(imx8m): align image identifier string macros
refactor(qemu): align image identifier string macros
fix(measured-boot): add missing image identifier string
refactor(measured-boot): move metadata size macros to a common header
refactor(measured-boot): move image identifier strings to a common header
This patch resolves the MISRA issues reported in mailing list.
It addresses the following MISRA Rules violations - Rule 15.7 and
Rule 2.4.
* As per Rule 15.7, All if.. else if constructs should be terminated
with an else statement and hence the conditional block
has been changed to switch..case. Updated get_el_str() to include
all EL cases.
* As per Rule 2.4, A project should not contain unused tag declarations,
hence intr_type_desc tag is removed.
* bl31_lib_init is only used in translation unit and hence it's
declaration is removed from bl31.h and the definition is made static to
maintain visibility.
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ica1d3041566baf51befcad5fd3714189117ba193
Currently the EL2 part of the context structure (el2_sysregs_t), is
mostly feature dependent.
For instance, CTX_HCRX_EL2 is only needed when FEAT_HCX
(ENABLE_FEAT_HCX=1) is set, but the entry is unconditionally added
in the EL2 context structure and thereby consuming memory even in
build configurations where FEAT_HCX is disabled.
Henceforth, all such context entries should be coupled/tied with
their respective feature enables and be optimized away when unused.
This would reduce the context memory allocation for platforms, that
dont enable/support all the architectural features at once.
Further, converting the assembly context-offset entries into
a c structure relies on garbage collection of the linker
removing unreferenced structures from memory, as well as aiding
in readability and future maintenance.
Change-Id: I0cf49498ee3033cb6f3ee3810331121b26627783
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
populate_next_bl_params_config already configures the register values
to be passed to BL33 and puts the HW_CONFIG address in r1. Therefore,
we do not need to override r0 here and should instead use r1 in BL33.
Change-Id: I00b425301957b5b0510416e1fa1f3599c0359bfc
Signed-off-by: Jackson Cooper-Driver <jackson.cooper-driver@arm.com>
Cortex-X4 erratum 2701112 is cat B erratum that applies to
revision r0p0 and is fixed in r0p1. This erratum affects
system configurations that do not use an Arm interconnect IP.
The workaround for this erratum is not implemented in EL3.
The erratum can be enabled/disabled on a platform level.
The flag is used when the errata ABI feature is enabled and can
assist the Kernel in the process of mitigation of the erratum.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN2432808/latest
Change-Id: I8ede1ee75b0ea1658369a0646d8af91d44a8759b
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
GIC600 erratum 2384374 is a Category B erratum. Part 1 is fixed
in this patch, and the Part 1 failure mode is described as
'If the packet to be sent is a SET packet, then a higher priority SET
may not be sent when it should be until an unblocking event occurs.'
This is handled by calling gicv3_apply_errata_wa_2384374() in the
ehf_deactivate_priority() path, so that when EHF restores the priority
to the original priority, the interrupt packet buffered
in the GIC can be sent.
gicv3_apply_errata_wa_2384374() is the workaround for
the Part 2 of erratum 2384374 which flush packets from the GIC buffer
and is being used in this patch.
SDEN can be found here:
https://developer.arm.com/documentation/sden892601/latest/
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I4bb6dcf86c94125cbc574e0dc5119abe43e84731
There are some CI configs which apply patch on the fly to test some
unusual test scenarios. After commit c864af989 there is one patch which
does not apply cleanly into arm_bl31_plat_runtime_setup().
To fix this issue move console flush/switch into the caller of this
function.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I4116044d53bef349a707c977cf26d1df65200045
Set the cert_id argument to group the components
into certificates. The grouping reflects the likely units
of updateability.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ie7a1f10c84af727d0cd39e3a78b0cb59cbc2e457
pVMs on Android 14 has a platform requirement to support
SMCCC TRNG discovery. This implementation add a
dummy TRNG support to TC2.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Iae0ca546cadf48a6a404ae578c7ccf5a84d057c4
Each client who wants to communicate with the DPE service
must own a valid context handle issued by the DPE service.
A context handle can be used for a single time then it will
be invalidated by the DPE service. In case of calls from
the same component, the next valid context handle is
returned in the response to a DPE command. When a component
finishes their job then the next component in the boot flow
inherits its first context handle from its parent.
How the inheritance is done can be client or
platform-dependent. It can be shared through shared
memory or be part of a DTB object passed to the next
bootloader stage.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ic82f074f1c5b15953e78f9fa5404ed7f48674cbb
To be allowed to communicate with DPE service all
components must own a valid context handle. The first
valid context handle is inherited from the parent
component via a DTB object.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Id357fab3586398b1933444e1d10d1ab6d8243ab9
Child software components are inheriting their first valid
DPE context handle from their parent components (who loaded
and measured them). The context handle is shared through
the device tree object the following way:
- BL1 -> BL2 via TB_FW_CONFIG
- BL2 -> BL33 via NT_FW_CONFIG
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I9bf7808fb13a310ad7ca1895674a0c7e6725e08b
The client platform relies on the DICE attestation
scheme. RSS provides the DICE Protection Environment
(DPE) service. TF-A measured boot framework supports
multiple backends. A given platform always enables
the corresponding backend which is required by the
attestation scheme.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Idc3360d0d7216e4859e99b5db3d377407e0aeee5
Erratum ID 2701951 is an erratum that could affect platforms that
do not use an Arm interconnect IP. This was originally added to the list
of Cortex-A715 in the errata ABI files.
Fixed this by adding it to the Cortex-X3 list.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I6ffaf4360a4a2d0a23c253a2326c178e010c8e45
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
The workarounds for these below mentioned errata are not implemented
in EL3, but the flags can be enabled/disabled at a platform level
based on arm/non-arm interconnect IP flag. The ABI helps assist the
Kernel in the process of mitigation for the following errata:
Cortex-A715: erratum 2701951
Neoverse V2: erratum 2719103
Cortex-A710: erratum 2701952
Cortex-X2: erratum 2701952
Neoverse N2: erratum 2728475
Neoverse V1: erratum 2701953
Cortex-A78: erratum 2712571
Cortex-A78AE: erratum 2712574
Cortex-A78C: erratum 2712575
Change-Id: Ie86b7212d731a79e2a0c07649e69234e733cd78d
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Errata ABI feature introduced per CPU based errata structures
in the errata_abi_main.c, these can be removed by re-using
the structures created by the errata framework.
Change-Id: I1a60d3e4f116b6254fb45426f43ff1b21771af89
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
This enables the usage of speaking defines instead of magic numbers:
CSU_SA(CSU_SA_SDMA1, 1, LOCKED)
becomes:
CSU_SA(CSU_SA_SDMA1, NON_SEC_ACCESS, LOCKED)
Change-Id: Idcabcda677bf7840084a2ea66d321b50aa0b2b20
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
This ports the missing enum defines for the central security unit found
in NXPs i.MX8M socs. The defines itself where imported from NXP's
downstream version of the trusted-firmware-a version 2.8[1].
[1]: https://github.com/nxp-imx/imx-atf/commit/0c52279fc4
Change-Id: Iad0c5d3733e9d29ead86334ba4bc5ce915018142
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
The csu found in the imx8mp has 3 csu_sa registers, before the fix not
all of them could be addressed.
The defines itself was imported from NXP's downstream version of the
trusted-firmware-a version 2.8[1].
[1]: https://github.com/nxp-imx/imx-atf/commit/0c52279fc4
Change-Id: Ia3653118bba82df9244c819a5c5f37bdc4e89c49
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
* changes:
build(fpga): correctly handle gcc as linker for LTO
fix(build): enforce single partition for LTO build
fix(rockchip): add support for building with LTO enabled
Flush the FIFO before switching to runtime. This is so that there are
no lingering chars in the FIFO when we move to the runtime console.
TF-A plans to refactor the console_Switch_state(CONSOLE_FLAG_RUNTIME)
and console_flush() calls and make them the last calls in bl31_main()
(before BL31 exits). Until then they are being left as the last calls
in bl31_plat_runtime_setup() for testing before refactoring.
This patch only affects the Allwinner platform.
Change-Id: I15b4a459a280822a01c60e3b0c856b530db6efab
Signed-off-by: Salman Nabi <salman.nabi@arm.com>
Any BL31 setup and Runtime initialization within BL31 is still part of
the BOOT process. As such, the console flush and switch must be the
last calls before BL31 exit. Flush the console print buffer before
switching to runtime. This is so that there is no lingering chars in
the print buffer when we move to the runtime console.
This patch adds console flush before switching to runtime in
bl31_plat_runtime_setup() function (before BL31 exits). The plan is to
move flush and switch calls to bl31_main before BL31 exits, until then
console_flush() in bl31_main.c has been left as is.
This patch affects the Arm platform only.
Change-Id: I4d367b9e9640686ac15246ad24318ae4685c12c5
Signed-off-by: Salman Nabi <salman.nabi@arm.com>
TF-A plans to move console_flush() and
console_switch_state(CONSOLE_FLAG_RUNTIME) to the end of bl31_main()
before BL31 exits.
Add console_flush() in the generic implementation of
bl31_plat_runtime_setup() call so that platforms can implement or
follow the generic pattern to test this implementation before
console_flush() and console_switch_state() move to bl31_main().
This patch affects the generic implementation of
bl31_plat_runtime_setup()
Change-Id: I92b4176022bfb84558dec5a83386e8ecef49516a
Signed-off-by: Salman Nabi <salman.nabi@arm.com>
* changes:
style(fwu): change the metadata fields to align with specification
style(partition): use GUID values for GPT partition fields
feat(st): add logic to boot the platform from an alternate bank
feat(st): add a function to clear the FWU trial state counter
feat(fwu): add a function to obtain an alternate FWU bank to boot
feat(fwu): add some sanity checks for the FWU metadata
feat(fwu): modify the check for getting the FWU bank's state
feat(st): get the state of the active bank directly
feat(fwu): add a config flag for including image info in the FWU metadata
feat(fwu): migrate FWU metadata structure to version 2
feat(fwu): document the config flag for including image info in the FWU metadata
feat(fwu): update the URL links for the FWU specification
* changes:
refactor(sgi): replace references to "SGI"/"sgi" for neoverse_rd
refactor(sgi): rename "CSS_SGI"" macro prefixes to "NRD"
refactor(sgi): move apis and types to "nrd" prefix
refactor(sgi): replace build-option prefix to "NRD"
refactor(sgi): move neoverse_rd out of css
refactor(sgi): move from "sgi" to "neoverse_rd"
feat(sgi): remove unused SGI_PLAT build-option
fix(sgi): align to misra rule for braces
feat(rde1edge): remove support for RD-E1-Edge
fix(rdn2): populate TOS_CONFIG only when SPMC_AT_EL3 is enabled
fix(board): update spi_id max for sgi multichip platforms
* changes:
docs(maintainers): add the maintainers for imx8ulp
docs(imx8ulp): add imx8ulp platform
fix(imx8ulp): increase the mmap region num
feat(imx8ulp): adjust the dram mapped region
feat(imx8ulp): ddrc switch auto low power and software interface
feat(imx8ulp): add some delay before cmc1 access
feat(imx8ulp): add a flag check for the ddr status
fix(imx8ulp): add sw workaround for csi/hotplug test hang
feat(imx8ulp): adjust the voltage when sys dvfs enabled
feat(imx8ulp): enable the DDR frequency scaling support
fix(imx8ulp): fix suspend/resume issue when DBD owner is s400 only
feat(imx8ulp): update XRDC for ELE to access DDR with CA35 DID
feat(imx8ulp): add memory region policy
feat(imx8ulp): protect TEE region for secure access only
feat(imx8ulp): add trusty support
feat(imx8ulp): add OPTEE support
feat(imx8ulp): update the upower config for power optimization
feat(imx8ulp): allow RTD to reset APD through MU
feat(imx8ulp): not power off LPAV PD when LPAV owner is RTD
feat(imx8ulp): add system power off support
feat(imx8ulp): add APD power down mode(PD) support in system suspend
feat(imx8ulp): add the basic support for idle & system suspned
feat(imx8ulp): enable 512KB cache after resume on imx8ulp
feat(imx8ulp): add the initial XRDC support
feat(imx8ulp): allocated caam did for the non secure world
feat(imx8ulp): add i.MX8ULP basic support
build(changelog): add new scopes for nxp imx8ulp platform
feat(scmi): add scmi sensor support
Change the names of some FWU metadata structure members to have them
align with the wording used in the corresponding specification. Use
the GUID type instead of UUID as the fields described in the
specification are GUIDs. Make corresponding changes to the code that
accesses these fields. No functional changes are introduced by the
patch.
Change-Id: Id3544ed1633811b0eeee2bf99477f9b7e6667044
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
In a few scenarios, there is a need to boot the platform from an
alernate bank which is not the active bank. Call the API
fwu_get_alernate_boot_bank() to select an alternate bank to boot the
platform from. Calling this API function might be required in a couple
of cases. One, in the unlikely scenario of the active bank being in an
invalid state, or if the number of times the platform boots in trial
state exceeds a pre-set count.
Also add a debug print that indicates the bank that
the platform is booting from.
Change-Id: I688406540e64d1719af8d5c121821f5bb6335c06
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Add an API stm32_clear_fwu_trial_boot_cnt() function to clear the
trial state counter. This is called in the corner case scenario when
the active index is in an Invalid state, thus needing a reset of the
trial state counter.
Change-Id: I2980135da88d0d947c222655c7958b51eb572d69
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
With version 2 of the FWU metadata structure, the state that a bank is
in can be obtained from the bank_state field in the top level
structure. Read the state of the active bank by referencing this field
directly, instead of making an API call.
Change-Id: Ib22c56acbe172923b1323c544801ded81f1598ec
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Flush the FIFO before switching to runtime. This is so that there are
no lingering chars in the FIFO when we move to the runtime console.
TF-A plans to refactor the console_Switch_state(CONSOLE_FLAG_RUNTIME)
and console_flush() calls and make them the last calls in bl31_main()
(before BL31 exits). Until then they are being left as the last calls
in bl31_plat_runtime_setup() for testing before refactoring.
This patch affects the QEMU platform only.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: I6188d73dd3f3c97f41bb25de543f8c46a972adf0
Datastore symbol used by EL3 SPMC is not relocated at
boot time when using ENABLE_PIE=1.
Use linker script markers instead of symbol.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: If22d2fc8deacc74c73d7dc51bb70093935d9fa2b
* changes:
refactor(tc): correlate secure world addresses with platform_def
feat(tc): add memory node in the device tree
feat(tc): pass the DTB address to BL33 in R0
feat(tc): add arm_ffa node in dts
chore(tc): add dummy entropy to speed up the Linux boot
feat(tc): choose the DPU address and irq based on the target
feat(tc): add SCMI power domain and IOMMU toggles
refactor(tc): move the FVP RoS to a separate file
feat(tc): factor in FVP/FPGA differences
feat(tc): introduce an FPGA subvariant and TC3 CPUs
feat(tc): add TC3 platform definitions
refactor(tc): sanitise the device tree
feat(tc): add PMU entry
feat(tc): allow booting from DRAM
chore(tc): remove unused hdlcd
feat(tc): add firmware update secure partition
feat(tc): add spmc manifest with trusty sp
refactor(tc): unify all the spmc manifests
feat(arm): add trusty_sp_fw_config build option
fix(tc): do not enable MPMM and Aux AMU counters always
fix(tc): correct interrupts
feat(tc): interrupt numbers for `smmu_700`
feat(tc): enable gpu/dpu scmi power domain and also gpu perf domain
