For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulation layers like MSYS2, Mingw64, Cygwin or WSL.
This change removes the remainder of the OS compatibility layer
entirely, and migrates the build system over to explicitly relying on a
POSIX environment.
Change-Id: I8fb60d998162422e958009afd17eab826e3bc39b
Signed-off-by: Chris Kay <chris.kay@arm.com>
Patch fc7dca72ba656e5f147487b20f9f0fb6eb39e116 changed the owning
security states of the TRBE and SPE buffers to NS. The thinking was that
this would assist SMCCC feature availability to more easily determine
if the feature is enabled or disabled. However, that only changed bit 0
while the SMCCC feature only looks at bit 1 so this change is redundant.
It was also meant to tighten security but that was done by
73d98e3759 instead.
Annoyingly, FEAT_TRBE has TRBIDR_EL1 which reports that programming is
allowed when the current security state owns the buffer even when the
MDCR_EL3 setting disallows this in practice.
So revert the functional aspect of the patch as it causes linux panics
with ERRATA_A520_2938996. Keep the defines as they are used elsewhere.
Change-Id: I39463d585df89aee44d1996137616da85d678f41
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
* changes:
feat(el3_spmc): ffa error handling in direct msg
feat(ff-a): support FFA_MSG_SEND_DIRECT_REQ2/RESP2
feat(ff-a): add FFA_MEM_PERM_GET/SET_SMC64
feat(el3-spmc): support Hob list to boot S-EL0 SP
feat(synquacer): add support Hob creation
fix(fvp): exclude extend memory map TZC regions
feat(fvp): add StandaloneMm manifest in fvp
feat(spm): use xfer list with Hob list in SPM_MM
When an FFA_ERROR happens while handling a direct message
from normal world, return to normal world with
FFA_ERROR. Otherwise, the system would re-enter the secure partition
with FFA_ERROR.
Change-Id: I3d9a68a41b4815c1a8e10354cfcf68fec9f4b800
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
StandaloneMm which is S-EL0 partition uses
FFA_MSG_SEND_DIRECT_REQ2/RESP2 to handle multiple services.
For this, add support for FFA_MSG_SEND_DIRECT_REQ2/RESP2 in el3_spmc
restrictly up to use 8 registers.
although FF-A v1.2 defines FFA_MSG_SEND_DIRECT_REQ2/RESP2
with ability to pass/return up to 18 registers.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I8ab1c332d269d9d131330bb2debd10d75bdba1ee
If MTKLIB_PATH is provided, the build will use the library provided by
MTKLIB_PATH. Otherwise, it will use stub implementation.
Change-Id: I218e724231c8bbc6cc851a240c6bbc4f6f49f154
Signed-off-by: Gavin Liu <gavin.liu@mediatek.corp-partner.google.com>
* changes:
feat(qemu): hand off TPM event log via TL
feat(handoff): common API for TPM event log handoff
feat(handoff): transfer entry ID for TPM event log
fix(qemu): fix register convention in BL31 for qemu
fix(handoff): fix register convention in opteed
Commit 71c4443886ff ("fix(lib/rmm_el3_ifc): add console name to checksum
calculation") on TF-RMM updated the checksum calcualtion of the RMM
manifest to include the console names.
Include console names in the QEMU manifest to remain compatible with
RMM, just like commit aa99881d30 ("fix(rme): add console name to
checksum calculation") did for FVP.
Checksum calculation is done by adding together 64-bit values. Add a
helper that does this.
Change-Id: Ica6cab628160593830270bef1acdeb475d1c0c36
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change owning security state when a feature is disabled
Implement stub functions for the EMI driver to ensure that the build
can pass when a prebuilt library is not available.
Change-Id: I296945a3df6766a3a133cd385a1e5038ca979403
Signed-off-by: Gavin Liu <gavin.liu@mediatek.corp-partner.google.com>
Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106
Similarly to BL1 and BL31, use EL3_PAS macro from xlat_tables header
(depends on ENABLE_RME) in BL2 to define MAP_BL2_TOTAL.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I59a3b297efd2eacd082a297de6b579b7c9052883
If TRANSFER_LIST is enabled, hand off TPM event log via TL instead
of DT; otherwise fallback to legacy way if TRANSFER_LIST is off or
errors observed.
Moreover, for updating the TL from secure to non-secure
memory before existing EL3, replace memcpy with function
transfer_list_relocate() for more accuracy.
Change-Id: I1d6bcf573f91efe99380bc89195198a8583b1def
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
print ni-tower discovery tree to understand ni-tower hierarchy which
might be useful during debugging.
Change-Id: Ib49fef9c63f7740e04b4d8371c1083bd040f6e09
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
Set console baurate to 38400 for fvp as well for code
simplicity.
Change-Id: I58ba6b7043541f6eb67e32257307da4eba0bb28a
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
remove redundant macro UARTCLK_FREQ and replace it with TC_UARTCLK
in dts.
Change-Id: Id463a9ddc1588278e552ffca3dfb738676229ce7
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about
the features it is aware of and enables. This is useful when a feature
is not enabled at EL3, eg due to an older FW image, but it is present in
hardware. In those cases, the EL1 ID registers do not reflect the usable
feature set and this call should provide the necessary information to
remedy that.
The call itself is very lightweight - effectively a sanitised read of
the relevant system register. Bits that are not relevant to feature
enablement are masked out and active low bits are converted to active
high.
The implementation is also very simple. All relevant, irrelevant, and
inverted bits combined into bitmasks at build time. Then at runtime the
masks are unconditionally applied to produce the right result. This
assumes that context managers will make sure that disabled features
do not have their bits set and the registers are context switched if
any fields in them make enablement ambiguous.
Features that are not yet supported in TF-A have not been added. On
debug builds, calling this function will fail an assert if any bits that
are not expected are set. In combination with CI this should allow for
this feature to to stay up to date as new architectural features are
added.
If a call for MPAM3_EL3 is made when MPAM is not enabled, the call
will return INVALID_PARAM, while if it is FEAT_STATE_CHECK, it will
return zero. This should be fairly consistent with feature detection.
The bitmask is meant to be interpreted as the logical AND of the
relevant ID registers. It would be permissible for this to return 1
while the ID returns 0. Despite this, this implementation takes steps
not to. In the general case, the two should match exactly.
Finally, it is not entirely clear whether this call replies to SMC32
requests. However, it will not, as the return values are all 64 bits.
[1]: https://developer.arm.com/documentation/den0028/galp1/?lang=en
Co-developed-by: Charlie Bareham <charlie.bareham@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1a74e7d0b3459b1396961b8fa27f84e3f0ad6a6f
In preparation for SMCCC_ARCH_FEATURE_AVAILABILITY, it is useful for
context to be directly related to the underlying system. Currently,
certain bits like SCR_EL3.APK are always set with the understanding that
they will only take effect if the feature is present.
However, that is problematic for SMCCC_ARCH_FEATURE_AVAILABILITY (an
SMCCC call to report which features firmware enables), as simply reading
the enable bit may contradict the ID register, like the APK bit above
for a system with no Pauth present.
This patch is to clean up these cases. Add a check for PAuth's presence
so that the APK bit remains unset if not present. Also move SPE and TRBE
enablement to only the NS context. They already only enable the features
for NS only and disable them for Secure and Realm worlds. This change
only makes these worlds' context read 0 for easy bitmasking.
There's only a single snag on SPE and TRBE. Currently, their fields have
the same values and any world asymmetry is handled by hardware. Since we
don't want to do that, the buffers' ownership will change if we just set
the fields to 0 for non-NS worlds. Doing that, however, exposes Secure
state to a potential denial of service attack - a malicious NS can
enable profiling and call an SMC. Then, the owning security state will
change and since no SPE/TRBE registers are contexted, Secure state will
start generating records. Always have NS world own the buffers to
prevent this.
Finally, get rid of manage_extensions_common() as it's just a level of
indirection to enable a single feature.
Change-Id: I487bd4c70ac3e2105583917a0e5499e0ee248ed9
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
This resolves Dependabot vulnerability alert #19, resolving a DoS issue
in a dependency of pytest.
Change-Id: I2959da88d3d0422e15d25df5820dfd91f474d6ca
Signed-off-by: Chris Kay <chris.kay@arm.com>
Create a common BL2 API to add a TE for TPM event log.
Change-Id: I459e70f40069aa9ea0625977e0bad8ec316439e6
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
The commit with Change-Id:Ie417e054a7a4c192024a2679419e99efeded1705
updated the register convention r1/x1 values but missing necessary
changes in BL31.
As a result, a system panic observed during setup for BL32 when
TRANSFER_LIST is enabled due to unexpected arguments.
This patch is to fix this issue for qemu.
Change-Id: I42e581c5026f0f66d3b114204b4dff167a9bc6ae
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
The commit with Change-Id:Ie417e054a7a4c192024a2679419e99efeded1705
updated the register convention r1/x1 values but missing necessary
changes in BL31.
As a result, a system panic observed during setup for BL32 when
TRANSFER_LIST is enabled due to unexpected arguments.
This patch is to fix this issue for optee.
Change-Id: I13e116e7cb5a7d89fafc11d20295cffbf24793ab
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
SPE and TRBE don't have an outright EL3 disable, there are only
constraints on what's allowed. Since we only enable them for NS at the
moment, we want NS to own the buffers even when the feature should be
"disabled" for a world. This means that when we're running in NS
everything is as normal but when running in S/RL then tracing is
prohibited (since the buffers are owned by NS). This allows us to fiddle
with context a bit more without having to context switch registers.
Change-Id: Ie1dc7c00e4cf9bcc746f02ae43633acca32d3758
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
FF-A memory management protocol v1.1 specifies not only
FFA_MEM_PERM_GET_SMC32/FFA_MEM_PERM_SET_SMC32 but also
FFA_MEM_PERM_GET_SMC64/FFA_MEM_PERM_SET_SMC64.
Change former FFA_MEM_PERM_GET/SET definitions to separate operations
and add handler for FFA_MEM_PERM_GET/SET_SMC64 in spmc_smc_handler().
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I175063654703db26c1ffc3cfd7fa428b94d2bfc9
The EDKII/StandaloneMm module runs as a S-EL0 partition
on top of the EL3 FF-A SPMC.
In the past the StandaloneMm partition received its boot information through
the use of a device tree (DT) passed through the FF-A boot protocol.
The StandaloneMm itself converted the DT into a HOB.
To better match the UEFI PI spec,
the EL3 SPMC must now produce the HOB including the PHIT
(Phase Handoff Information Table) as first item in the HOB list.
The SPMC then passes the HOB through the FF-A boot protocol for
the StandaloneMm consumption.
This discards the use of a DT between the SPMC and
the StandaloneMm partition.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I22fb02c710169bd5a5ba1d1f60dce977a5a59ab6
When StandaloneMm used with SPM_MM, TF-A should create
PHIT Hob to boot it.
This patch supports Hob creation for StandaloneMm in synquacer platform.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: Ifa3ae1f0aa37f389aabb14f48be307502ae6fc2c
The commit
1922875233 ("fix(spm-mm): carve out NS buffer TZC400 region")
removes overlaps of ns shared buffer in secure memory region.
Unfortunately, this separation increases 1 region and over maximum
number of TZC programmable regions when they include
extended memory map regions (DRAM3 to DRAM6).
This causes boot failure of StandaloneMm with spmc_el3 && sp_el0 with
ASSERT: drivers/arm/tzc/tzc400.c:256.
To fix this, like SPM_MM, exclude setting extended memory map regions when
it uses SPMC_AT_EL3 && SPC_AT_EL3_SEL0_SP.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I2d40bea066ca030050dfe951218cd17171010676
Support StandaloneMm running with FF-A as S-EL0 SP
when TF-A is built with EL3 SPMC partition manager.
For this
1. add manifest file describing StandaloneMm partition.
2. add number of page mapping area.
3. StandaloneMm should use SRAM with 512K.
while enabling, StandaloneMm, BL1 image requires more size:
aarch64-none-elf/bin/ld: BL31 image has exceeded its limit.
aarch64-none-elf/bin/ld: region `RAM' overflowed by 16384 bytes
So, when using SRAM size with 512K configuration,
increase size limit of BL1 binary.
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: Idaa1db510340ebb812cfd13588610b2eea941918
According to Platform Initialization (PI) Specification [1] and
Discussion on edk2 mailing list [2],
StandaloneMm shouldn't create Hob but it should be passed from TF-A.
IOW, TF-A should pass boot information via PHIT Hob to initialise
StandaloneMm properly.
This patch applies using transfer list with PHIT Hob list [3] for
delivering boot information to StandaloneMm.
Link: https://uefi.org/sites/default/files/resources/PI_Spec_1_6.pdf [1]
Link: https://edk2.groups.io/g/devel/topic/103675962#114283 [2]
Link: https://github.com/FirmwareHandoff/firmware_handoff [3]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I3df71a7679abf9859612afc8a5be7b2381007311
The combination of ENABLE_RME=1 + ENABLE_PIE=1 build options is
prevented currently for no good reason. ENABLE_PIE in a 4 worlds
configuration is mostly for building BL31 with PIE support.
BL1 / BL2 (BL2_RUNS_AT_EL3=1) remain non-PIE. BL32 (TSP) is PIE capable
but typically unused in this configuration. TRP doesn't support PIE
but is loaded in place so isn't affected by this option.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia60e295534a92cb1b4e3eb88b3e240aea4f4fe1d
This is a small change adding accessor functions for the Debug Power
Control register (DBGPRCR_EL1) to the common architectural helpers.
Change-Id: I72261fbf0395d900347b46af320093ed946aa73d
Signed-off-by: Chris Kay <chris.kay@arm.com>
