At the moment we only support FEAT_VHE to be either unconditionally
compiled in, or to be not supported at all.
Add support for runtime detection (ENABLE_FEAT_VHE=2), by splitting
is_armv8_1_vhe_present() into an ID register reading function and a
second function to report the support status. That function considers
both build time settings and runtime information (if needed), and is
used before we access VHE related registers.
Also move the context saving code from assembly to C, and use the new
is_feat_vhe_supported() function to guard its execution.
Enable VHE in its runtime detection version for all FVP builds.
Change-Id: Ib397cd0c83e8c709bd6fed603560e39901fa672b
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The spmd_setup function is made fail safe in that a failure in the
SPMC manifest parsing, SPMD or SPMC initialization returns a success
code to the standard services initialization routine (std_svc_setup).
This permits continuing the boot process and initialize services
beyond the SPMD to succeed for the system to operate in the normal
world. It operates in a degraded mode for the secure world.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ida0ac91c17925279a79f112d190f9ad038f518e7
Some of our specialized sections are not prefixed with the conventional
period. The compiler uses input section names to derive certain other
section names (e.g. `.rela.text`, `.relacpu_ops`), and these can be
difficult to select in linker scripts when there is a lack of a
delimiter.
This change introduces the period prefix to all specialized section
names.
BREAKING-CHANGE: All input and output linker section names have been
prefixed with the period character, e.g. `cpu_ops` -> `.cpu_ops`.
Change-Id: I51c13c5266d5975fbd944ef4961328e72f82fc1c
Signed-off-by: Chris Kay <chris.kay@arm.com>
Add code in SPMD to forward calls to FFA_PARTITION_INFO_GET_REGS. This
is a new ABI that allows getting partition information without the need
for rx/tx buffer, that helps in situations where having an rx/tx buffer
mapped and available is difficult (ex. uefi runtime services).
Currently, the spmc at el3 does not support this new ABI.
The new ABI uses registers x8-x17 to return partition information so
changes are made to ensure those registers are passed through to the
SPMC and restored on the return path.
Signed-off-by: Raghu Krishnamurthy <raghu.ncstate@gmail.com>
Change-Id: I1fe5956763e054e4f8d62292fc1247e7120bb5a4
The following build system variables have been renamed:
- `LINKERFILE` -> `DEFAULT_LINKER_SCRIPT`
- `BL_LINKERFILE` -> `DEFAULT_LINKER_SCRIPT_SOURCE`
- `<IMAGE>_LINKERFILE` -> `<IMAGE>_DEFAULT_LINKER_SCRIPT_SOURCE`
These new names better reflect how each variable is used:
1. the default linker script is passed via `-dT` instead of `-T`
2. linker script source files are first preprocessed
Additionally, linker scripts are now placed in the build directory
relative to where they exist in the source directory. For example,
the `bl32/sp_min/sp_min.ld.S` would now preprocess to
`sp_min/sp_min.ld` instead of just `bl32.ld`
BREAKING-CHANGE: The `LINKERFILE`, `BL_LINKERFILE` and
`<IMAGE_LINKERFILE>` build system variables have been renamed. See the
commit message for more information.
Change-Id: If8cef65dcb8820e8993736702c8741e97a66e6cc
Signed-off-by: Chris Kay <chris.kay@arm.com>
There were some late comments to the prior change (18635) which are
address in this commit. There was also an invalid return value check
which was changed and the wrong result was being returned via the SMC
call for loading OP-TEE which is now fixed.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I883ddf966662549a3ef9c801a2d4f47709422332
The tos_fw_config is currently loaded into memory by BL2 and
consumed by SPMD (part of BL31) and BL32 firmwares. This does
not work in RME-enabled systems as BL31 uses the root PAS memory
and does not trust secure PAS memory.
A first attempt was made to map the TOS_FW_CONFIG region as root PAS,
and then to remap to secure PAS after SPMD consumption, but this was
not suitable for RME systems where memory encryption is enabled.
This can be solved by copying the TOS FW config (SPMC manifest) from
the Root PAS region to the Secure PAS region so that BL32 can consume
it.
Change-Id: I8eef8345366199cb0e367db883c34a5b5136465d
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
This adds the ability to load the OP-TEE image via an SMC called from
non-secure userspace rather than loading it during boot. This should
only be utilized on platforms that can ensure security is maintained up
until the point the SMC is invoked as it breaks the normal barrier
between the secure and non-secure world.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I21cfa9699617c493fa4190f01d1cbb714e7449cc
This patch adds support for setting configuration of DRAM banks
for FVP model in RMM-EL3 Boot Manifest structure.
Structure 'rmm_manifest' is extended with 'plat_dram' structure
which contains information about platform's DRAM layout:
- number of DRAM banks;
- pointer to 'dram_bank[]' array;
- check sum: two's complement 64-bit value of the sum of
data in 'plat_dram' and 'dram_bank[] array.
Each 'dram_bank' structure holds information about DRAM
bank base address and its size. This values must be aligned
to 4KB page size.
The patch increases Boot Manifest minor version to 2 and
removes 'typedef rmm_manifest_t' as per
"3.4.15.1. Avoid anonymous typedefs of structs/enums in headers" of
https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I5176caa5780e27d1e0daeb5dea3e40cf6ad5fd12
* changes:
docs(build): describes the SPMC_OPTEE build option
feat(qemu): support el3 spmc
feat(el3-spmc): make platform logical partition optional
feat(qemu): support s-el2 spmc
feat(qemu): update abi between spmd and spmc
fix(sptool): add dependency to SP image
Prior to this commit a logical platform specific partition is added when
compiling with SPMC at EL3. Not all platform need to add a logical
platform so make this optional.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Change-Id: I3bdd2a91350330c1637e8d84765974bfb6b225d7
Ensure that there is sufficient space in the memory
descriptor to accommodate the size of the composite memory
struct as part of the descriptor.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: Iea646b144c59a2a1a171298cabb5f31040a8af31
This patch also:
* Enforces the check of RES0 fields on EL3-RMM boot interface
and manifest
* Fixes a couple of nits on the EL3-RMM Boot Interface
documentation.
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
Change-Id: Idb9e38f9fcda2ba0655646a1e2c4fdbabd5cdc40
This patch adds X2-X6 and 'smc_ret' parameters to trp_rmi_handler().
The last 'smc_ret' parameter passed in X7 contains address of
'trp_smc_result' structure on stack to return result of RMI SMC call.
This allows to preserve X4 if not used as a return argument as per
SMCCCv1.2. The patch also removes use of trp_args_t in RMI handling.
Signed-off-by: AlexeiFedorov <Alexei.Fedorov@arm.com>
Change-Id: I9e3387a7380b37863eeccc53d13e92e0ac5cffbd
Compiling with -Wimplicit-fallthrough=3 (enabled by -Wextra) produces
many warnings about fallthrough comments either missing or being wrong.
Unify the comments so we comply with -Wextra.
Note that Coverity recommends against using the __attribute__ directive.
Also, zlib does not build with a higher value of -Wimplicit-fallthrough.
Finally, compilers strip comments before expanding macros. As such,
checkpatch's fallthrough annotation (or higher levels of the flag) isn't
really possible.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I060cf4f8dc04c02cbb45cf4ceb69569a8369ccee
This patch discards all the used entropy bits from the global memory
pool after being delivered to the requester (lower exception levels) by
overwriting them with zeroes.
It effectively implements the requirement, as part of TRNG FW interface
listed at DEN0098 (section 1.2).
https://developer.arm.com/documentation/den0098/latest
Change-Id: I447cbccc1a8ad972418a3569c99f010189d4b2f6
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Ensure that the correct execution state of an SP is reported
as part of an FF-A v1.1 PARTITION_INFO_GET response.
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I714e53ae71c376463797a42cd5ab7a5e9c687fb7
This patch adds the following changes to complete the existing
TRNG implementation:
1. Adds a feature specific scope for buildlog generation.
2. Updates the docs on the build flag "TRNG_SUPPORT" and its values.
3. Makefile update and improves the existing comments at few sections
for better understanding of the underlying logic.
Change-Id: I3f72f0ccd5c94005a2df87158cf23199d2160d37
Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Ensure that the provided descriptor size used when reserving space
for a memory descriptor does not overflow to prevent scope for
memory corruption. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: If06985c4de9a88ff82ce60d10e346da948ed383f
Ensure that the fragment_length parameter is validated to prevent
a buffer overflow before it is used. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I0323c096ffd988fbd85bbd4ade3abd8427aea977
The current logic does not cover all scenarios of overlapping
memory regions. Update the implementation to verify non-overlapping
regions instead. Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I16c53d081e4455bc0e28399d28a1b27b1a9eb49c
Ensure that the full memory transaction descriptor has been transmitted
before a request to reclaim the memory transaction is permitted.
This prevents any potential accesses to the incomplete descriptor.
Reported by Matt Oh, Google Android Red Team.
Reported-by: mattoh@google.com
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Change-Id: I33e993c6b754632051e899ab20edd19b18b6cf65
Added DRTM parameters structure version check that as per
the current released DRTM specification [1].
Mainly to cater below mentioned in the specification [1]
section 3.12 -
For a given DRTM major version number this structure will
always be extended in a backwards compatible manner.
[1]: https://developer.arm.com/documentation/den0113/a
Change-Id: I9f312c7f9f20152c5d7e40a22b462c7fe8db70bc
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Error check must be done on the previously allocated pointer, not a
random one from the code.
Change-Id: I1c8253eacbe778cc4a9a8d71081fc615fa7e5293
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
Do not forget to pass via err_unlock_mailbox: label.
Change-Id: Icfb997b1c7cce196003af2c28bffc50dc73e30b4
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
This patch fixes an issue in spmc_ffa_fill_desc.
In order to compute the spmc_shm_get_v1_1_descriptor_size,
fragment_length which is a fraction of the descriptor size is used as
desc_size parameter. It has to be replaced with the
full V1.0 descriptor size(obj->desc_filled).
Ran a subset of our tests and they are passing.
Change-Id: Ia4bbc5dabf0b77fa53d923ff609ee48ecd5bf549
Signed-off-by: vallau01 <valentin.laurent@trustonic.com>
Signed-off-by: Lukas Hanel <lukas.hanel@trustonic.com>
Flush the data cache range before DLME launch to ensure that data
passed by DCE preamble is committed.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I9946fd3420a17b86d9f1483e8b2cd5880033454e
As per DRTM beta0 spec table #28, Before the DLME is called the DCE
must invalidate all instruction caches.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I7efbb03d1d13346a8d898882fdbd7bbe8f1d49b2
Ensured DLME data region and DRTM parameters are lies within Non-Secure
region of DRAM by calling platform function 'plat_drtm_validate_ns_region'.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I93ead775f45ca7748193631f8f9eec4326fcf20a
Ensured no SDEI event are registered during dynamic launch.
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ied3b2d389aa3d9a96ace9078581d5e691f0b38a7
Taken measurement of various DRTM components in the Event Log
buffer to pass it to DLME.
Change-Id: Ic56620161f42596d22bf40d5c83c041cbce0b618
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Added DRTM DMA protections APIs, and called them during
the DLME launch and DRTM SMC handling.
Change-Id: I29e7238c04e2ca9f26600276c5c05bff5387789e
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Added remediation driver for DRTM to set/get the error
from non-volatile memory
Change-Id: I8f0873dcef4936693e0f39a3c95096cb689c04b7
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Signed-off-by: Lucian Paul-Trifu <lucian.paultrifu@gmail.com>
