The existing DSU errata workarounds hijack the errata framework's inner
workings to register with it. However, that is undesirable as any change
to the framework may end up missing these workarounds. So convert the
checks and workarounds to macros and have them included with the
standard wrappers.
The only problem with this is the is_scu_present_in_dsu weak function.
Fortunately, it is only needed for 2 of the errata and only on 3 cores.
So drop it, assuming the default behaviour and have the callers handle
the exception.
Change-Id: Iefa36325804ea093e938f867b9a6f49a6984b8ae
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
* changes:
fix(qemu): statically allocate bitlocks array
feat(qemu): update for renamed struct memory_bank
feat(fvp): increase GPT PPS to 1TB
feat(gpt): statically allocate bitlocks array
chore(gpt): define PPS in platform header files
feat(fvp): allocate L0 GPT at the top of SRAM
feat(fvp): change size of PCIe memory region 2
feat(rmm): add PCIe IO info to Boot manifest
feat(fvp): define single Root region
* changes:
fix(cpus): clear CPUPWRCTLR_EL1.CORE_PWRDN_EN_BIT on reset
chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`
chore(psci): drop skip_wfi variable
feat(arm): convert arm platforms to expect a wakeup
fix(cpus): avoid SME related loss of context on powerdown
feat(psci): allow cores to wake up from powerdown
refactor: panic after calling psci_power_down_wfi()
refactor(cpus): undo errata mitigations
feat(cpus): add sysreg_bit_toggle
- Increase PPS for FVP from 64GB to 1TB.
- GPT L0 table for 1TB PPS requires 8KB memory.
- Set FVP_TRUSTED_SRAM_SIZE to 384 with ENABLE_RME=1
option.
- Add 256MB of PCIe memory region 1 and 3GB of
PCIe memory region 2 to FVP PAS regions array.
Change-Id: Icadd528576f53c55b5d461ff4dcd357429ba622a
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Now that all errata flags are all conveniently in a single list we can
make sweeping decisions about their values. The first use-case is to
enable all errata in TF-A. This is useful for CI runs where it is
impractical to list every single one. This should help with the long
standing issue of errata not being built or tested.
Also add missing CPUs with errata to `ENABLE_ERRATA_ALL` to enable all
errata builds in CI.
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I2b456d304d7bf3215c7c4f4fd70b56ecbcb09979
Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.
On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4
The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set the HCRX_EL2.MSCEn bit to 1 to enable the feature.
This patch ensures FEAT_MOPS is enabled by setting HCRX_EL2.MSCEn to 1.
Change-Id: Ic4960e0cc14a44279156b79ded50de475b3b21c5
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulation layers like MSYS2, Mingw64, Cygwin or WSL.
This change removes the remainder of the OS compatibility layer
entirely, and migrates the build system over to explicitly relying on a
POSIX environment.
Change-Id: I8fb60d998162422e958009afd17eab826e3bc39b
Signed-off-by: Chris Kay <chris.kay@arm.com>
Mbed-TLS requires platforms to allocate it a heap for it's own internal
usage. This heap is typically between shared by BL1 and BL2 to conserve
memory.The base address and size of the heap are conveyed from BL1 to
BL2 through the config TB_FW_CONFIG.
This slightly awkward approach necessitates declaring a placeholder node
in the DTS. At runtime, this node is populated with the actual values of
the heap information. Instead, since this is dynamic information, and
simple to represent through C structures, transmit it to later stages
using the firmware handoff framework.
With this migration, remove references to TB_FW_CONFIG when firmware
handoff is enabled, as it is no longer needed. The setup code now relies
solely on TL structures to configure the TB firmware
Change-Id: Iff00dc742924a055b8bd304f15eec03ce3c6d1ef
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
This patch enables support of FEAT_FPMR by enabling access
to FPMR register. It achieves it by setting the EnFPM bit of
SCR_EL3. This feature is currently enabled for NS world only.
Reference:
https://developer.arm.com/documentation/109697/2024_09/
Feature-descriptions/The-Armv9-5-architecture-extension?lang=en
Change-Id: I580c409b9b22f8ead0737502280fb9093a3d5dd2
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
To produce PHIT HOB list in FVP, add build path for hob library.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I8f4905433bd1cc6f4c9247197b9bd69041f50fd7
Add basic CPU library code to support the Alto CPU.
Change-Id: I45958be99c4a350a32a9e511d3705fb568b97236
Signed-off-by: Igor Podgainõi <igor.podgainoi@arm.com>
Armv8.6 introduced the FEAT_LS64 extension, which provides a 64 *byte*
store instruction. A related instruction is ST64BV0, which will replace
the lowest 32 bits of the data with a value taken from the ACCDATA_EL1
system register (so that EL0 cannot alter them).
Using that ST64BV0 instruction and accessing the ACCDATA_EL1 system
register is guarded by two SCR_EL3 bits, which we should set to avoid a
trap into EL3, when lower ELs use one of those.
Add the required bits and pieces to make this feature usable:
- Add the ENABLE_FEAT_LS64_ACCDATA build option (defaulting to 0).
- Add the CPUID and SCR_EL3 bit definitions associated with FEAT_LS64.
- Add a feature check to check for the existing four variants of the
LS64 feature and detect future extensions.
- Add code to save and restore the ACCDATA_EL1 register on
secure/non-secure context switches.
- Enable the feature with runtime detection for FVP and Arm FPGA.
Please note that the *basic* FEAT_LS64 feature does not feature any trap
bits, it's only the addition of the ACCDATA_EL1 system register that
adds these traps and the SCR_EL3 bits.
Change-Id: Ie3e2ca2d9c4fbbd45c0cc6089accbb825579138a
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This patch disables trapping to EL3 when the FEAT_D128
specific registers are accessed by setting the SCR_EL3.D128En bit.
If FEAT_D128 is implemented, then FEAT_SYSREG128 is implemented.
With FEAT_SYSREG128 certain system registers are treated as 128-bit,
so we should be context saving and restoring 128-bits instead of 64-bit
when FEAT_D128 is enabled.
FEAT_SYSREG128 adds support for MRRS and MSRR instruction which
helps us to read write to 128-bit system register.
Refer to Arm Architecture Manual for further details.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Change-Id: I1a53db5eac29e56c8fbdcd4961ede3abfcb2411a
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
The default dts doesn't describe the core topology correctly - it uses a
two level affinity, while new cores use 3 level with MPIDR_EL1.MT set.
As a result Linux doesn't discover secondary cores correctly unless this
is specifically provided on the command line. CI already accounts for
this in tf_config/fvp-dynamiq-aarch64-only.
Change-Id: I137b213cfc48d98b8856c113d4ec0bf6474d3e2d
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Add the basic CPU library code to support Cortex-A720AE.
The overall library code is adapted based on Cortex-A720 code.
Signed-off-by: David Hu <david.hu2@arm.com>
Signed-off-by: Ahmed Azeem <ahmed.azeem@arm.com>
Change-Id: I3d64dc5a3098cc823e656a5ad3ea05cd71598dc6
Add basic CPU library code to support the Arcadia CPU.
Change-Id: Iecb0634dc6dcb34e9b5fda4902335530d237cc43
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Add required SMCs by RMM to push attestation signing requests to EL3
and get responses. EL3 may then choose to push these requests to a HES
as suitable for a platform. This patch also supports the new
RMM_EL3_FEATURES interface, that RMM can use to query for support for
HES based signing. The new interface exposes a feature register with
different bits defining different discoverable features. This new
interface is available starting the 0.4 version of the RMM-EL3
interface, causing the version to bump up. This patch also adds a
platform port for FVP that implements the platform hooks required to
enable the new SMCs, but it does not push to a HES and instead copies a
zeroed buffer in EL3.
Change-Id: I69c110252835122a9533e71bdcce10b5f2a686b2
Signed-off-by: Raghu Krishnamurthy <raghupathyk@nvidia.com>
Arm v8.9 introduces FEAT_SCTLR2, adding SCTLR2_ELx registers.
Support this, context switching the registers and disabling
traps so lower ELs can access the new registers.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Change-Id: I0c4cba86917b6b065a7e8dd6af7daf64ee18dcda
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Arm v8.9 introduces FEAT_THE, adding Translation Hardening Extension
Read-Check-Write mask registers, RCWMASK_EL1 and RCWSMASK_EL1.
Support this, context switching the registers and disabling
traps so lower ELs can access the new registers.
Change the FVP platform to default to handling this as a dynamic option
so the right decision can be made by the code at runtime.
Change-Id: I8775787f523639b39faf61d046ef482f73b2a562
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Make the process of compiling a TL from DT source flexible. Provide a
top level recipe to make it easier for developers to build a transfer
list. Clean up integration of TLC into the build system.
Change-Id: I4466e27a457dfd5bf709dc3a360a2b63bf6030ce
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
ENABLE_FEAT_MTE2 controls the trapping of some MTE related system
registers. If the memory_tagging_support_level parameter on the FVP
command line is set to higher values, non-secure world will see the
feature bits in the CPU ID registers and will use those registers,
triggering a panic in BL31.
Enable the feature in the optional form for the FVP build, to avoid any
panics.
Change-Id: I26ba444d784adf165db81048f93e11361c7f11ac
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Illegal combinations of build flags associated with SIMD context
management are flagged by the build system.
Change-Id: I3192af3889e1e864c7875778616e167ba6894195
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This patch disables trapping to EL3 when the FEAT_FGT2
specific trap registers are accessed by setting the
SCR_EL3.FGTEn2 bit
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I6d2b614affb9067b2bc3d7bf0ae7d169d031592a
This patch enables FEAT_Debugv8p9 and prevents EL1/0 from
trapping to EL3 when accessing MDSELR_EL1 register by
setting the MDCR_EL3.EBWE bit.
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I3613af1dd8cb8c0d3c33dc959f170846c0b9695a
Most newer CPU's have DSU and CPU power control core-off bit which
means before turning off CPUs from base power controller we need to
turn individual cores off from CPU Power control.
However there are certain older CPU's that don't have DSU and
don't support CPUPWRCTRL_EL1, so populate them as a list
and ignore setting core-off bit for those older CPU's as all newer
CPU's have them.
Note: unfortunately there is no mechanism to identify if a DSU is
present and CPUPWRCTRL_EL1 is supported through any CPU control
registers and CPUPWRCTRL_EL1 is supported only for ARM64 platforms
and not available in ARM32 platforms.
Change-Id: Iba6c3c8db60dbeb177cead7ebc65df8265860da7
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
This patch adds support for large GPT mappings using
Contiguous descriptors. The maximum size of supported
contiguous block in MB is defined in RME_GPT_MAX_BLOCK
build parameter and takes values 0, 2, 32 and 512 and
by default set to 2 in make_helpers/defaults.mk.
Setting RME_GPT_MAX_BLOCK value to 0 disables use of
Contiguous descriptors.
Function gpt_tlbi_by_pa_ll() and its declaration
are removed from lib/aarch64/misc_helpers.S and
include/arch/aarch64/arch_helpers.h, because the
GPT library now uses tlbirpalos_xxx() functions.
Change-Id: Ia9a59bde1741c5666b4ca1de9324e6dfd6f734eb
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Move CPUs which are not tested in CI under a new build option.
We have added some CPUs for which there is no FVP models available
yet to test. Move those CPUs under a new FVP build option.
Change-Id: I3da12d2f8d9c246b435b31adfac61c79dc1ab0cb
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
commit@138221c2457b9d04101b84084c07d576b0eb5a51 reduced items that
should be build due to SRAM size limitations.
But newer models from 11.19 onwards support to set SRAM size greater
than 256KB. So remove all dependency and conditional builds for FVP.
Change-Id: I38684e100450b74fdda0d685775e2cbce92170b6
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Leverage the framework between BL1 and BL2. Migrate all handoff
structures to the TL.
Change-Id: I79ff3a319596b5656184cde10b5204b10a4d03bb
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
Add support for the firmware handoff framework between BL2 and BL31.
Create a transfer list in trusted SRAM, leveraging the larger SRAM sizes
in recent models. Load the HW_CONFIG as a TE along with entry point
parameters for BL31 execution.
Change-Id: I7c4c6e8353ca978a13520fb3e15fb2803f0f1d0e
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
The core platform layer requires an implementation for the
`plat_core_pos_by_mpidr` function. This implementation is currently
missing in BL1, which causes undefined reference errors when linking
with LTO.
The FVP platform source file providing this implementation is the
`fvp_topology.c` file, so this change adds it to the BL1 sources for the
FVP.
However, the implementation of this function reaches out to the FVP
power controller driver - `fvp_pm.c` - to validate the MPIDR, and this
file has at least two other dependencies:
- `spe.c`
- `arm_gicvX.c`
Pulling these in correctly is no simple job, so I am simply removing the
power controller validation in BL1 builds.
Change-Id: I56ddf1d799f5fe7f5b0fb2b046f7fe8232b07b27
Signed-off-by: Chris Kay <chris.kay@arm.com>
Currently both FEAT_MTE and FEAT_MTE_PERM aren't used for enabling
of any feature bits in EL3. So remove both FEAT handling.
All mte regs that are currently context saved/restored are needed
only when FEAT_MTE2 is enabled, so move to usage of FEAT_MTE2 and
remove FEAT_MTE usage.
BREAKING CHANGE: Any platform or downstream code trying to use
SCR_EL3.ATA bit(26) will see failures as this is now moved to be
used only with FEAT_MTE2 with
commit@ef0d0e5478a3f19cbe70a378b9b184036db38fe2
Change-Id: Id01e154156571f7792135639e17dc5c8d0e17cf8
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A720 erratum 2926083 is a Cat B erratum that is present
in revisions r0p0, r0p1 and is fixed in r0p2. The errata is only
present when SPE (Statistical Profiling Extension) is implemented
and enabled.
The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11
when SPE is "implemented and enabled".
SDEN documentation:
https://developer.arm.com/documentation/SDEN2439421/latest
Change-Id: I30182c3893416af65b55fca9a913cb4512430434
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Cortex-A715 erratum 2413290 is a Cat B erratum that is present
only in revision r1p0 and is fixed in r1p1. The errata is only
present when SPE(Statistical Profiling Extension) is enabled.
The workaround is to set bits[58:57] of the CPUACTLR_EL1 to 'b11
when SPE is enabled, ENABLE_SPE_FOR_NS=1.
SDEN documentation:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: Iaeb258c8b0a92e93d70b7dad6ba59d1056aeb135
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Cortex-X4 erratum 2701112 is cat B erratum that applies to
revision r0p0 and is fixed in r0p1. This erratum affects
system configurations that do not use an Arm interconnect IP.
The workaround for this erratum is not implemented in EL3.
The erratum can be enabled/disabled on a platform level.
The flag is used when the errata ABI feature is enabled and can
assist the Kernel in the process of mitigation of the erratum.
SDEN Documentation:
https://developer.arm.com/documentation/SDEN2432808/latest
Change-Id: I8ede1ee75b0ea1658369a0646d8af91d44a8759b
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Remove any residual RSS usage in the FVP platform, complementing the
changes made in commit dea307fd6c.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I9ced272503456361610ec0c7783d270349233926
Essentially revert [1] to permit specifying SME support along with
SPD=spmd on FVP platform.
[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/20764
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Iab15d5a4c966b9f5b265ccde6711765e242abeaa
This setup helps to mimic an end-to-end RAS handling flow inspired
by real world design with a dedicated RAS secure partition managed
by SPMC.
The detailed steps are documented as comments in the relevant source
files introduced in this patch.
Change-Id: I97737c66649f6e49840fa0bdf2e0af4fb6b08fc7
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
This feature provides support to context save the
SCXTNUM_ELx register. FEAT_CSV2_3 implies the implementation
of FEAT_CSV2_2. FEAT_CSV2_3 is supported in AArch64 state only
and is an optional feature in Arm v8.0 implementations.
This patch adds feature detection for v8.9 feature FEAT_CSV2_3,
adds macros for ID_AA64PFR0_EL1.CSV2 bits [59:56] for detecting
FEAT_CSV2_3 and macro for ENABLE_FEAT_CSV2_3.
Change-Id: Ida9f31e832b5f11bd89eebd6cc9f10ddad755c14
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
Removed RSS usage from the Base AEM FVP platform, as it wasn't
functional on this platform. The Base AEM FVP platform lacks
support for RSS.
Instead, the TC2 platform with RSS is available for actual RSS
interface implementation and testing.
Change-Id: I8f68157319399ab526f9e851b26dba903db5c2e7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
