This patch allocates level 0 GPT at the top of SRAM
for FVP. This helps to meet L0 GPT alignment requirements
and prevent the occurrence of possible unused gaps in SRAM.
Load addresses for FVP TB_FW, SOC_FW and TOS_FW DTBs are
defined in fvp_fw_config.dts via ARM_BL_RAM_BASE macro.
Change-Id: Iaa52e302373779d9fdbaf4e1ba40c10aa8d1f8bd
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
- Add PCIe and SMMUv3 related information to DTS for
configurations with ENABLE_RME=1.
- Add entries for PCIe IO memory regions to Boot manifest
- Update RMMD_MANIFEST_VERSION_MINOR from 3 to 4.
- Read PCIe related information from DTB and write it to
Boot manifest.
- Rename structures that used to describe DRAM layout
and now describe both DRAM and PCIe IO memory regions:
- ns_dram_bank -> memory_bank
- ns_dram_info -> memory_info.
Change-Id: Ib75d1af86076f724f5c330074e231f1c2ba8e21d
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
For FVP model define single Root PAS which
includes EL3 DRAM data, L1 GPTs and SCP TZC.
This allows to decrease the number of PAS
regions passed to GPT library and use GPT
mapping with Contiguous descriptor of
larger block size.
Change-Id: I70f6babaebc14e5e0bce033783ec423c8a26c542
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Now that all errata flags are all conveniently in a single list we can
make sweeping decisions about their values. The first use-case is to
enable all errata in TF-A. This is useful for CI runs where it is
impractical to list every single one. This should help with the long
standing issue of errata not being built or tested.
Also add missing CPUs with errata to `ENABLE_ERRATA_ALL` to enable all
errata builds in CI.
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I2b456d304d7bf3215c7c4f4fd70b56ecbcb09979
* changes:
feat(rdv3): enable the support to fetch dynamic config
feat(rdv3): add dts files to enable hafnium as BL32
feat(rdv3): define SPMC manifest base address
feat(arm): add a macro for SPMC manifest base address
feat(rdv3): add carveout for BL32 image
feat(rdv3): introduce platform handler for Group0 interrupt
feat(neoverse-rd): use larger stack size when S-EL2 spmc is enabled
fix(neoverse-rd): set correct SVE vector lengths
PSCI OS initiated is usually implemented with the extended state id
format, however this does not have to be the case. When this is the
case, the original format will carry the requested power level in
the PowerLevel field. To validate that the requested power state is
valid we must save it so that later when we call
psci_is_last_cpu_to_idle_at_pwrlvl() it checks the right level (instead
of a default 0).
This came up when testing 01959a1656 for
all configurations.
Change-Id: Iaab88c1910467282ae524861446283acddd9d977
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
To enable the support to load Hafnium as BL32, BL31 needs firmware
configuration info to get BL32 manifest load location. The load address
of BL32 is passed via firmware config info.
Add the support to get the address using fconf framework from dynamic
config info.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I3a2a5706789ed290dc7f4a67e62e03751b930c02
On RD-V3 platform and variants, Hafnium is used as SPMC running at
S-EL2 and manage SP running at S-EL0. Hafnium is loaded and configured
as BL32 image. SP is loaded by SP load framework and configured by
Hafnium.
Add the dts files needed to enable load and configuration of hafnium and
SP.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I7de72052323ff9106d7bedbaaf5ece3272e9a6cd
ARM_SPMC_MANIFEST_BASE defines the base address of the SPMC manifest
used by BL32. In the non-RESET_TO_BL31 case, it is defined relative to
the top of Trusted SRAM. However, for RESET_TO_BL31, the
PLAT_ARM_SPMC_MANIFEST_BASE macro can be used to set it to a different
location which is then used to populate ARM_SPMC_MANIFEST_BASE.
As the RD-V3 platform and its variants have a different SRAM layout
compared to that defined in arm_def.h, define the
PLAT_ARM_SPMC_MANIFEST_BASE macro to an address suitable for this
platform and its variants.
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I36e1eb21ab3d1c68bddb52c62198fcdfc40d8993
In RESET_TO_BL31, the SPMC manifest base address that is utilized by
bl32_image_ep_info has to be statically defined as DT is not available.
Common arm code sets this to the top of SRAM using macros but it can be
different for some platforms. Hence, introduce the macro
PLAT_ARM_SPMC_MANIFEST_BASE that could be re-defined by platform as per
their use-case. Platforms that utilize arm_def.h would use the existing
value from arm common code.
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I4491749ad2b5794e06c9bd11ff61e2e64f21a948
Edk2 converts StMM GUID to UUID format, which is used in FF-A and linux
kernel. StMM manifest currently provides GUID format. Correcting this to
UUID format.
Change-Id: Ie94728e5ea74d3d9935e0af9a2a601cbafe5ad3d
Signed-off-by: Jerry Wang <Jerry.Wang4@arm.com>
* changes:
feat(tc): get entropy with PSA Crypto API
feat(psa): add interface with RSE for retrieving entropy
fix(psa): guard Crypto APIs with CRYPTO_SUPPORT
feat(tc): enable trng
feat(tc): initialize the RSE communication in earlier phase
Add and map the carveout for loading Hafnium as BL32 image. Also define
PLAT_ARM_SP_MAX_SIZE as 3 MB for secure partitions.
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I2845eb6807a127c9f6b92de2dabc9a58d25bd4d4
This patch introduces a handler for RD-V3 variants to handle Group0
secure interrupts. Currently, it is empty but serves as a placeholder
for future Group0 interrupt sources.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: Ifa418094f6075a6cdc33e63eec1825103bbf6d68
Larger stack size is needed when S-EL2 SPMC is enabled. This is required
because BL31 xlat map framework makes more nested calls when this
feature is enabled.
Signed-off-by: Nishant Sharma <nishant.sharma@arm.com>
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: Ib3f2abf38b576ba96402dab4ba995d8b648b4cc7
Affected platforms: RD-N2, RD-V1, RD-V1-MC, RD-V3 and their
configurations.
Previously, the SVE vector lengths for these platforms were
being taken from the default configuration. This commit updates
their respective platform.mk files to specify the correct vector
lengths.
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I8919257e2cec5c0e819424ff44a623dc3ab1a368
The PSA Crypto API is available with sending messages to RSE. Change
to invoke PSA Crypto API for getting entropy.
Change-Id: I4b2dc4eb99606c2425b64949d9c3f5c576883758
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Enable the trng on the platform, which can be used by other features.
`rng-seed` has been removed and enabled `FEAT_RNG_TRAP` to trap to EL3
when accessing system registers RNDR and RNDRRS
Change-Id: Ibde39115f285e67d31b14863c75beaf37493deca
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Move the RSE MHU channel initialization to the platform setup phase,
this allows the services (e.g. TRNG service) to talk to RSE during the
service init function.
Change-Id: Id0ff6e49117008463f11b2dc3c585daca00f609c
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Newer cores in upcoming platforms may refuse to power down. The PSCI
library is already prepared for this so convert platform code to also
allow this. This is simple - drop the `wfi` + panic and let common code
deal with the fallout. The end result will be the same (sans the
message) except the platform will have fewer responsibilities. The only
exception is for cores being signalled to power off gracefully ahead of
system reset. That path must also be terminal so replace the end with
the same psci_pwrdown_cpu_end() to behave the same as the generic
implementation. It will handle wakeups and panic, hoping that the system
gets reset from under it. The dmb is upgraded to a dsb so no functional
change.
Change-Id: I381f96bec8532bda6ccdac65de57971aac42e7e8
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.
On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4
The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.
One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.
Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.
Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Arm ROTPK generation may start before the build directory is
created, causing errors like:
00:45:53.235 Can't open "/home/buildslave/workspace/tf-a-coverity/
trusted-firmware-a/build/rd1ae/debug/arm_rotpk.bin" for writing,
No such file or directory
This patch ensures the build directory is created beforehand to
prevent such issues.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I73f7d5af00efc738e95ea79c5cacecdb6a2d20c6
Enable the compiler's stack protector for detecting stack overflow
issues.
Though TC platform can generate RNG from RSE via MHU channel, the
stack protector canary is used prior to MHU channel initialization.
Thus, currently here simply returns a value of the combination of a
timer's value and a compile-time constant.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Icen Zeyada <Icen.Zeyada2@arm.com>
Change-Id: I68fcc7782637b2b6b4dbbc81bc15df8c5ce0040b
When the SPD_spmd configuration is disabled, the compiler complaints:
plat/arm/board/tc/tc_bl2_dpe.c:234:22: error: unused variable 'array_size' [-Werror=unused-variable]
234 | const size_t array_size = ARRAY_SIZE(tc_dpe_metadata);
| ^~~~~~~~~~
plat/arm/board/tc/tc_bl2_dpe.c:233:16: error: unused variable 'i' [-Werror=unused-variable]
233 | size_t i;
| ^
cc1: all warnings being treated as errors
Move variable declarations into the code chunk protected by the SPD_spmd
configuration.
Change-Id: I1a3889938e2d4ec5efec516e9ef54034f9d711b2
Signed-off-by: Leo Yan <leo.yan@arm.com>
Distros (e.g. Buildroot and Android) can have different secure partition
layout.
This commit iterates the DPE metadata table and finds index (i) for the
first entry of the secure partition, connecting with the defined secure
partition number NUM_SP, so the last secure partition index is:
i + NUM_SP - 1
Instead of setting the certificate in hard code, dynamically enables the
certificate for the last secure partition base on calculated index.
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Change-Id: Idd11b4f463bf5ccc8d82cd06bd21deeebbda67d9
Corrected the comment for the size of NRD_CSS_DRAM1_CARVEOUT_SIZE
(0x0C000000) from 117MB to 192MB
Signed-off-by: Rakshit Goyal <rakshit.goyal@arm.com>
Change-Id: I289d37f50e70b936f717d4579d73882fac28ee95
EXTLLC bit in CPUECTLR_EL1(for non-gelas cpus) and in CPUECTLR2_EL1
register for gelas cpu enables external Last-level cache in the system,
External LLC is present on TC4 systems in MCN but it is not enabled in
CPU registers so enable it.
On TC4, Gelas vs Non-Gelas CPUs have different bits to enable EXTLLC
so take care of that as well.
Change-Id: Ic6a74b4af110a3c34d19131676e51901ea2bf6e3
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
This patch adds the routing table addresses required for LCA
enablement on RD-N2-Cfg2. CMN on RD-N2-Cfg2 uses AXI Stream IDs
to route LCA connections to the correct downstream tx_cxs_a4s
port. The data programmed in the routing table are the A4S IDs
of each chip.
Change-Id: I46e558f3be7f0d51b768b7c5586f15e6bc517f3a
Signed-off-by: Jerry Wang <Jerry.Wang4@arm.com>
This patch adds the routing table addresses required for LCA
enablement on RD-V3-Cfg2. Since LCA connection on rdv3 uses ACE5L
instead of A4S, the addresses programmed in the routing table is
the address of memory mapped HNI with chip offset.
Change-Id: Ic235983d63e8ab3492ae566b68841d0659724e45
Signed-off-by: Jerry Wang <Jerry.Wang4@arm.com>
This patch adds support for Local Chip Addressing (LCA). In a multi-chip
system, enablig LCA allows each GIC Distributor to maintain its own
version of routing table. This feature is activated when the
GICD_CFGID.LCA bit is set to 1.
The existing `gic600_multichip_data` data structure did not account for
the LCA feature. To support LCA:
- `rt_owner_base` is replaced by `base_addrs[]`. This is required
because each GICD in the system needs to be configured independently,
and their base addresses must be passed to the driver.
- `chip_addrs` is changed from 1D to 2D array to store the routing table
for each chip's GICD. The entries in `chip_addrs` are configuration
dependent, as the GIC specification does not enforce this.
On a multi-chip platform with chip count N where LCA is enabled by
default, the `gic600_multichip_data` structure should contain all copies
of the routing table (N*N entries). On platforms where LCA is not
supported, only the first sub-array with N entries is required. The
function signature of `gic600_multichip_init` remains unchanged, but if
the LCA feature is enabled, the driver will expect the routing table
configuration in the described format.
Change-Id: I8830c2cf90db6a0cae78e99914cd32c637284a2b
Signed-off-by: Jerry Wang <Jerry.Wang4@arm.com>
FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set the HCRX_EL2.MSCEn bit to 1 to enable the feature.
This patch ensures FEAT_MOPS is enabled by setting HCRX_EL2.MSCEn to 1.
Change-Id: Ic4960e0cc14a44279156b79ded50de475b3b21c5
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulation layers like MSYS2, Mingw64, Cygwin or WSL.
This change removes the remainder of the OS compatibility layer
entirely, and migrates the build system over to explicitly relying on a
POSIX environment.
Change-Id: I8fb60d998162422e958009afd17eab826e3bc39b
Signed-off-by: Chris Kay <chris.kay@arm.com>
* changes:
feat(el3_spmc): ffa error handling in direct msg
feat(ff-a): support FFA_MSG_SEND_DIRECT_REQ2/RESP2
feat(ff-a): add FFA_MEM_PERM_GET/SET_SMC64
feat(el3-spmc): support Hob list to boot S-EL0 SP
feat(synquacer): add support Hob creation
fix(fvp): exclude extend memory map TZC regions
feat(fvp): add StandaloneMm manifest in fvp
feat(spm): use xfer list with Hob list in SPM_MM
Rename TC_FPGA_ANDROID_IMG_IN_RAM to TC_FPGA_FS_IMG_IN_RAM
to use it for debian loading to ram as well.
Change-Id: I70b68b06501d17dcebbe78bee8fec0a701106c92
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
TC4 FPGA have a UART clock of 4000000 so modify the value
of TC_UARTCLK for TC4.
Change-Id: I8de84d58bce8b7277bf356136a5185c008ab4c28
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106
Similarly to BL1 and BL31, use EL3_PAS macro from xlat_tables header
(depends on ENABLE_RME) in BL2 to define MAP_BL2_TOTAL.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I59a3b297efd2eacd082a297de6b579b7c9052883
print ni-tower discovery tree to understand ni-tower hierarchy which
might be useful during debugging.
Change-Id: Ib49fef9c63f7740e04b4d8371c1083bd040f6e09
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
Set console baurate to 38400 for fvp as well for code
simplicity.
Change-Id: I58ba6b7043541f6eb67e32257307da4eba0bb28a
Signed-off-by: Jagdish Gediya <jagdish.gediya@arm.com>
Signed-off-by: Icen.Zeyada <Icen.Zeyada2@arm.com>
