BL2 requires the ability to access the TCG Event Log during
Measured Boot. Currently the Platform hangs since the Event Log
is not exposed to BL2's mmap. Define a RPI3_BL1_RW region to be
added to the BL2 Image, if Measured Boot is enabled.
Change-Id: Ic236a80e73ea342b4590cfb65bafbb8ffac17085
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
In BL1 and BL2 add support for the use of an Infineon Optiga SLB 9670
TPM2.0.
The platform utilizes the gpio_spi.c driver to bit-bang gpio pins in
order to send commands and receive responses to/from the TPM.
In BL1 & BL2:
-utilize TPM commands to initialize the gpio pins for "spi"
communication, and extend image hashes to the TPM's PCR 0,
at the end of the measured boot phase for the bootloader,
the TPM locality is released.
-Bl1 executes a tpm_startup command in order to flush the TPM.
Change-Id: I2f2fa28f60a262a0aa25a674c72a9904b3cf4d8a
Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
At the end of BL2 measured boot, write the address
and size of the TCG Event Log to NT_FW_CONFIG so
that the log can be consumed later by BL33.
-add dynamic configuration helpers for the fdt
-write the eventlog address and size to the fdt
Change-Id: I099dd9cc96d740ae13cb8b8e8c6b9f2e6c02accc
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
Add Measured Boot support using the Event Log backend for the rpi3
platform.
-Implement measured boot infrastructure in BL1 & BL2, including
the init, measure image, and finish phases.
-Pass the eventlog addr and size from BL1 to BL2 using the
image entry point args.
-dump the eventlog after measuring BL2, and after all images are
measured in BL2.
Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
Change-Id: I7c040c4a2d001a933fefb0b16f0fdf2a43a11be9
To allow for generic handling of a wakeup, this hook is no longer
expected to call wfi itself. Update the name everywhere to reflect this
expectation so that future platform implementers don't get misled.
Change-Id: Ic33f0b6da74592ad6778fd802c2f0b85223af614
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
In order to support measured boot we need plat_get_mbedtls_heap,
this function currently resides in rpi3_trusted_boot.c, but we do
not need trusted board boot to use measured boot, so moving this
to common code removes the need to compile rpi3_trusted_boot.c
Change-Id: I6ac6dfa8c540e456d7cb6932098c921907ad086a
Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
fixed rpi_shared.h include guard, previously the commented
endif was RPI3_PRIVATE, which could be a cause for confusion
when searching through header files.
Change-Id: I721f9f7c38cd14cda0385593b307cdfc71f810f8
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
In order for directories to be automatically created when used as a
dependency, they must end with a forward slash (`/`). This is because we
have a pattern rule (`%/`) to create a directory anywhere where a
directory is required as a direct dependency.
Change-Id: Ib632d59da0745f6cadb0a839a62360aeca25c178
Signed-off-by: Chris Kay <chris.kay@arm.com>
The rpi3 does not initialize the generic timer in BL1, which is now
required to use the delay timer in the dTPM driver. This change sets the
counter frequency register (CNTFRQ) with the rpi3's system counter
frequency value, as a prerequisite for timer initialization, and then
initializes the generic timer all during BL1 setup.
Change-Id: I4e2475b63ce4a97653202f94f506b5d3edc4c1a7
Signed-off-by: Abhi Singh <abhi.singh@arm.com>
When fdt_add_reserved_memory() is called to add a memory region, we
unconditionally add a node for that region. However there might be an
existing region node in the DT already, or there might be an overlapping
region. The Linux kernel will complain in those cases.
Cover the simple case of the region already existing in the DT, as this
is what we actually see on the Allwinner H616: The mainline DT contains
a node reserving the memory for TF-A, in case the DT changed by TF-A
itself is not given to the kernel. Our code always adds a region, making
the kernel complain - albeit without further consequences.
Covering all cases of overlapping regions would blow up the generic DT
code too much, so just add a simple check for an existing region
completely containing the to-be-added region, simply bailing out in this
case.
This prevents the kernel warning for the Allwinner H616.
This code requires a function from fdt_wrappers.c, so we have to include
that file for platforms that use the fdt_add_reserved_memory() function
(rpi4 and versal2).
Change-Id: I98404889163316addbb42130d7177f1a21c8be06
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This change introduces a few helper variables for dealing with verbose
and silent build modes: `silent`, `verbose`, `q` and `s`.
The `silent` and `verbose` variables are boolean values determining
whether the build system has been configured to run silently or
verbosely respectively (i.e. with `--silent` or `V=1`).
These two modes cannot be used together - if `silent` is truthy then
`verbose` is always falsy. As such:
make --silent V=1
... results in a silent build.
In addition to these boolean variables, we also introduce two new
variables - `s` and `q` - for use in rule recipes to conditionally
suppress the output of commands.
When building silently, `s` expands to a value which disables the
command that follows, and `q` expands to a value which supppresses
echoing of the command:
$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed but not echoed'
When building verbosely, `s` expands to a value which disables the
command that follows, and `q` expands to nothing:
$(s)echo 'This command is neither echoed nor executed'
$(q)echo 'This command is executed and echoed'
In all other cases, both `s` and `q` expand to a value which suppresses
echoing of the command that follows:
$(s)echo 'This command is executed but not echoed'
$(q)echo 'This command is executed but not echoed'
The `s` variable is predominantly useful for `echo` commands, where you
always want to suppress echoing of the command itself, whilst `q` is
more useful for all other commands.
Change-Id: I8d8ff6ed714d3cb401946c52955887ed7dca602b
Signed-off-by: Chris Kay <chris.kay@arm.com>
BCM2712 changes:
- support all 3 PCIe RCs / segments.
- don't check for link up: the RC can now be configured to fabricate
all-ones AXI OKAY responses, so no more Arm SErrors when the link is
down (or other conditions).
Also, limit bus 0 to devfn 0 as accesses beyond that may result in
lock-ups.
Change-Id: Ic64785cd68b22571c6638fc3f771703113bc76f6
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
The Raspberry Pi 5 is a single-board computer based on BCM2712 that
contains four Arm Cortex-A76 cores.
This change introduces minimal BL31 support with PSCI that has been
validated to boot Linux and a private EDK2 build.
It's a drop-in replacement for the custom TF-A armstub now included in
the EEPROM images.
Change-Id: Id72a0370f54e71ac97c3daa1bacedacb7dec148f
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
RPi 5 has newer Armv8.2 cores where the MT bit is set to indicate that
the lowest affinity level represents a thread, but there is only one
thread per core.
To deal with this, simply right shift MPIDR by one affinity level to get
the cluster and core IDs back into Aff1 and Aff0 as expected.
Change-Id: I2bafba38f82fd9a6ef6f2fdf2c089b754279a6de
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
Detection of the UART in use and GPIO code only apply to RPi 3 and 4.
RPi 5 has a dedicated PL011 debug port.
Change-Id: Iddf8aea01278e2b79b4e7c476740f1add8c419f0
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
In preparation for RPi 5 support, which will reuse most of the RPi 4
logic except for DTB patching.
Change-Id: I6f6ef96933711a1798757a3389adae1b8ee3de6c
Signed-off-by: Mario Bălănică <mariobalanica02@gmail.com>
The toolchain refactor change introduces the `${toolchain}-${tool}-id`
variables, which provide identifiers for all of the toolchain tools used
by the build system. This change replaces the various conditions that
are in use to identify these tools based on the path with a standard set
of comparisons against these new identifier variables.
Change-Id: Ib60e592359fa6e415c19a012e68d660f87436ca7
Signed-off-by: Chris Kay <chris.kay@arm.com>
This change migrates the values of `CC`, `CPP`, `AS` and other toolchain
variables to the new `$(toolchain)-$(tool)` variables, which were
introduced by the toolchain refactor patch. These variables should be
equivalent to the values that they're replacing.
Change-Id: I644fe4ce82ef1894bed129ddb4b6ab94fb04985d
Signed-off-by: Chris Kay <chris.kay@arm.com>
Rather than validating the type of interrupts supported by the
platform interrupt controller, the interrupt management framework can
directly use helper utilities implemented by the generic interrupt
controller driver.
Change-Id: I735f8d2742a2c7974d11c0a5ddc771ad807c635c
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Add initial configuration parameters for Rasperry Pi 3's sdhost
controller, and then configure and use those parameters.
This change allows warm reboots of UEFI on Raspberry Pi 3B+ where
existing code often fails with "unknown error". See discussion at:
https://github.com/pftf/RPi3/issues/24
The basic idea is that some initial configuration parameters
(clock rate, bus width) aren't configured into the hardware before
commands start being sent. I suspect that the particular setting
that matters is the "slow card" bit, but the initial clock setting
also seemed wrong to me.
Change-Id: I526def340def143f23f3422f1fc14c12c937ca7f
Signed-off-by: Rob Newberry <robthedude@mac.com>
Platforms which implement pwr_domain_pwr_down_wfi differ substantially
in behaviour. However, different cpus require similar sequences to power
down. This patch tightens the behaviour of these platforms to end on a
wfi loop after performing platform power down. This is required so that
platforms behave more consistently on power down, in cases where the wfi
can fall through.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ie29bd3a5e654780bacb4e07a6d123ac6d2467c1f
The pwr_domain_pwr_down_wfi entry is overridden by a newer
implementation. This removes the last reference to
rpi3_pwr_domain_pwr_down_wfi. Remove both as they are not needed
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ie65c40935cd1ed3c673ffdc9aa72064f5ab4032e
Currently Tf-A uses whatever openssl binary is on the system to sign
images. However if OPENSSL_DIR is specified in the build flags this can
lead to linking issues as the system binary can end up being linked
against shared libraries provided in OPENSSL_DIR/lib if both binaries
(the system's and the on in OPENSSL_DIR/bin) are the same version.
This patch ensures that the binary used is always the one given by
OPENSSL_DIR to avoid those link issues.
Signed-off-by: Salome Thirot <salome.thirot@arm.com>
Change-Id: Ib534e06ebc8482e4391e376d3791a87968de4a99
Use long instead of long long on aarch64 for 64_t stdint types.
Introduce inttypes.h to properly support printf format specifiers for
fixed width types for such change.
Change-Id: I0bca594687a996fde0a9702d7a383055b99f10a1
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Most DTBs used on the RaspberryPi contain a FDT /memreserve/ region,
that covers the original secondaries' spin table.
We need to reserve more memory than described there, to cover the whole
of the TF-A image, so we add a /reserved-memory node to the DTB.
However having the same memory region described by both methods upsets
the Linux kernel and U-Boot, so we have to make sure there is only one
instance describing this reserved memory.
Keep our currently used /reserved-memory node, since it's more capable
(it allows to mark the region as secure memory). Add some code to drop
the original /memreserve/ region, since we don't need this anymore,
because we take the secondaries out of their original spin loop.
We explicitly check for the currently used size of 4KB for this region,
to be alerted by any changes to this region in the upstream DTB.
Change-Id: Ia3105560deb3f939e026f6ed715a9bbe68b56230
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The rpi4 has a single nonstandard ECAM. It is broken
into two pieces, the root port registers, and a window
to a single device's config space which can be moved
between devices. Now that we have widened the page
tables/MMIO window, we can create a read/write acces
functions that are called by the SMCCC/PCI API.
As an example platform, the rpi4 single device ECAM
region quirk is pretty straightforward. The assumption
here is that a lower level (uefi) has configured and
initialized the PCI root to match the values we are
using here.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Change-Id: Ie1ffa8fe9aa1d3c62e6aa84746a949c1009162e0
Now that we have adjusted the address map, added the
SMC conduit code, and the RPi4 PCI callbacks, lets
add the flags to enable everything in the build.
By default this service is disabled because the
expectation is that its only useful in a UEFI+ACPI
environment.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Change-Id: I2a3cac6d63ba8119d3b711db121185816b89f8a2
The PCIe root port is outside of the current RPi
MMIO regions, so we need to adjust the address map.
Given much of the code depends on the legacy IOBASE
lets separate that from the actual MMIO begin/end.
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Change-Id: Id65460ae58556bd8826dba08bbad79953e2a7c0b
Addresses the deprecation warning produced by
drivers/arm/gic/common/gic_common.c.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Change-Id: I1a3ff4835d0f94c74b405db10622e99875ded82b
And from crash_console_flush.
We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.
Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Coverity build periodically throws below errors(non-consistently)
for 'QEMU' and 'RPI3' platforms.
/bin/sh: 1: cannot create build/qemu/debug/rot_key.pem: Directory
nonexistent
plat/qemu/qemu/platform.mk:86: recipe for target 'build/qemu/debug/
rot_key.pem' failed
make: *** [build/qemu/debug/rot_key.pem] Error 2
/bin/sh: 1: cannot create /work/workspace/workspace/tf-coverity/build
/rpi3/debug/rot_key.pem: Directory nonexistent
plat/rpi/rpi3/platform.mk:214: recipe for target '/work/workspace/
workspace/tf-coverity/build/rpi3/debug/rot_key.pem' failed
make: *** [/work/workspace/workspace/tf-coverity/build/rpi3/debug/
rot_key.pem] Error 2
Issue seems to be occurred when 'ROT key' is generated before creating
the platform build folder(for e.g.build/qemu/debug).
Changes are made to fix this issue by adding orderly dependancy of
the platform folder for the 'ROT key' creation which ensures that
platform folder is created before generating 'ROT key'.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I20c82172dde84e4c7f2373c0bd095d353f845d38
Getting the actual size of a DTB blob is useful beyond the Raspberry Pi
port, so let's move this helper to a common header.
Change-Id: Ia5be46e9353ca859a1e5ad9e3c057a322dfe22e2
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
CoT used for BL1 and BL2 are moved to tbbr_cot_bl1.c
and tbbr_cot_bl2.c respectively.
Common CoT used across BL1 and BL2 are moved to
tbbr_cot_common.c.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I2252ac8a6960b3431bcaafdb3ea4fb2d01b79cf5
We simulate the PSCI CPU_OFF operation by reseting the core via RMR.
For secondaries, that already puts them in the holding pen waiting for a
"warm boot" request as part of PSCI CPU_ON. For the BSP, we have to add
logic to distinguish a regular boot from a CPU_OFF state, where, like the
secondaries, the BSP needs to wait foor a "warm boot" request as part
of CPU_ON.
Testing done:
- ACS suite now passes more tests (since it repeatedly
calls code on secondaries via CPU_ON).
- Linux testing including offlining/onlineing CPU0, e.g.
"echo 0 > /sys/devices/system/cpu/cpu0/online".
Change-Id: Id0ae11a0ee0721b20fa2578b54dadc72dcbd69e0
Link: https://developer.trustedfirmware.org/T686
Signed-off-by: Andrei Warkentin <andrey.warkentin@gmail.com>
[Andre: adapt to unified plat_helpers.S, smaller fixes]
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
When writing to arbitrary locations in memory using a constructed
pointer, there is no guarantee that the compiler does not optimise away
the access, since it cannot detect any dependency.
One typical solution is to use the "volatile" keyword, but using MMIO
accessors in usually the better answer, to avoid torn writes.
Replace the usage of an array with such an MMIO accessor function in
rpi3_pwr_domain_on(), to make sure the write is really happening.
Change-Id: Ia18163c95e92f1557471089fd18abc6dc7fee0c7
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The plat_helpers.S file was almost identical between its RPi3 and RPi4
versions. Unify the two files, moving it into the common/ directory.
This adds a plat_rpi_get_model() function, which can be used to trigger
RPi4 specific action, detected at runtime. We use that to do the RPi4
specific L2 cache initialisation.
Change-Id: I2295704fd6dde7c76fe83b6d98c7bf998d4bf074
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The Raspberry Pi has two different UART devices pin-muxed to GPIO 14&15:
One ARM PL011 one and the 8250 compatible "Mini-UART".
A dtoverlay parameter in config.txt will tell the firmware to switch
between the two: it will setup the right clocks and will configure the
pinmuxes accordingly.
To autodetect the user's choice, we read the pinmux register and check
its setting: ALT5 (0x2) means the Mini-UART is used, ALT0 (0x4) points
to the PL011.
Based on that we select the UART driver to initialise.
This will allow console output in any case.
Change-Id: I620d3ce68de6c6576599f2a405636020e1fd1376
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
So far the Raspberry Pi 3 build needs the GPIO driver just for BL2.
Upcoming changes will require some GPIO code in BL1 and BL31 also, so
move those driver files into the common source section.
This does not affect BL31 code size at all, and bl1.bin just increases
by 144 bytes, but doesn't affect the padded binary size at all.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I7639746dc241c1e69099d85d2671c65fa0108555
The Broadcom 283x SoCs feature multiple UARTs: the mostly used
"Mini-UART", which is an 8250 compatible IP, and at least one PL011.
While the 8250 is usually used for serial console purposes, it suffers
from a design flaw, where its clock depends on the VPU clock, which can
change at runtime. This will reliably mess up the baud rate.
To avoid this problem, people might choose to use the PL011 UART for
the serial console, which is pin-mux'ed to the very same GPIO pins.
This can be done by adding "miniuart-bt" to the "dtoverlay=" line in
config.txt.
To prepare for this situation, use the newly gained freedom of sharing
one console_t pointer across different UART drivers, to introduce the
option of choosing the PL011 for the console.
This is for now hard-coded to choose the Mini-UART by default.
A follow-up patch will introduce automatic detection.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: I8cf2522151e09ff4ff94a6d396aec6fc4b091a05
In the wake of the upcoming unification of the console setup code
between RPi3 and RPi4, extend the "clock-less" setup scheme to the
RPi3. This avoid programming any clocks or baud rate registers,
which makes the port more robust against GPU firmware changes.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: Ida83a963bb18a878997e9cbd55f8ceac6a2e1c1f
There is really no reason to use and pass around a struct when its only
member is the (fixed) base address.
Remove the struct and just use the base address on its own inside the
GPIO driver. Then set the base address automatically.
This simplifies GPIO setup for users, which now don't need to deal with
zeroing a struct and setting the base address anymore.
Change-Id: I3060f7859e3f8ef9a24cc8fb38307b5da943f127
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I5c2fe3b6a667acf80c808cfec4a64059a2c9c25f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
So far we have seen two different clock setups for the Raspberry Pi 4
board, with the VPU clock divider being different. This was handled by
reading the divider register and adjusting the base clock rate
accordingly.
Recently a new GPU firmware version appeared that changed the clock rate
*again*, though this time at a higher level, so the VPU rate (and the
apparent PLLC parent clock) did not seem to change, judging by reading
the clock registers.
So rather than playing cat and mouse with the GPU firmware or going
further down the rabbit hole of exploring the whole clock tree, let's
just skip the baud rate programming altogether. This works because the
GPU firmware actually sets up and programs the debug UART already, so
we can just use it.
Pass 0 as the base clock rate to let the console driver skip the setup,
also remove the no longer needed clock code.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Change-Id: Ica88a3f3c9c11059357c1e6dd8f7a4d9b1f98fd7
