The ability to read a character from the console constitutes an attack
vector into TF-A, as it gives attackers a means to inject arbitrary
data into TF-A. It is dangerous to keep that feature enabled if not
strictly necessary, especially in production firmware builds.
Thus, we need a way to disable this feature. Moreover, when it is
disabled, all related code should be eliminated from the firmware
binaries, such that no remnant/dead getc() code remains in memory,
which could otherwise be used as a gadget as part of a bigger security
attack.
This patch disables getc() feature by default. For legitimate getc()
use cases [1], it can be explicitly enabled by building TF-A with
ENABLE_CONSOLE_GETC=1.
The following changes are introduced when getc() is disabled:
- The multi-console framework no longer provides the console_getc()
function.
- If the console driver selected by the platform attempts to register
a getc() callback into the multi-console framework then TF-A will
now fail to build.
If registered through the assembly function finish_console_register():
- On AArch64, you'll get:
Error: undefined symbol CONSOLE_T_GETC used as an immediate value.
- On AArch32, you'll get:
Error: internal_relocation (type: OFFSET_IMM) not fixed up
If registered through the C function console_register(), this requires
populating a struct console with a getc field, which will trigger:
error: 'console_t' {aka 'struct console'} has no member named 'getc'
- All console drivers which previously registered a getc() callback
have been modified to do so only when ENABLE_CONSOLE_GETC=1.
[1] Example of such use cases would be:
- Firmware recovery: retrieving a golden BL2 image over the console in
order to repair a broken firmware on a bricked board.
- Factory CLI tool: Drive some soak tests through the console.
Discussed on TF-A mailing list here:
https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/YS7F6RCNTWBTEOBLAXIRTXWIOYINVRW7/
Change-Id: Icb412304cd23dbdd7662df7cf8992267b7975cc5
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
* changes:
feat(imx8mq): enable dram dvfs support on imx8mq
feat(imx8m): use non-fast wakeup stop mode for system suspend
feat(imx8mq): correct the slot ack setting for STOP mode
feat(imx8mq): add anamix pll override setting for DSM mode
feat(imx8mq): add workaround code for ERR11171 on imx8mq
feat(imx8mq): add the dram retention support for imx8mq
feat(imx8mq): add version for B2
fix(imx8m): backup mr12/14 value from lpddr4 chip
fix(imx8m): add ddr4 dvfs sw workaround for ERR050712
fix(imx8m): fix coverity out of bound access issue
fix(imx8m): fix the dram retention random hang on some imx8mq Rev2.0
feat(imx8m): add more dram pll setting
fix(imx8m): fix the current fsp init
fix(imx8m): fix the rank to rank space issue
fix(imx8m): fix the dfiphymaster setting after dvfs
feat(imx8m): update the ddr4 dvfs flow to include ddr3l support
fix(imx8m): correct the rank info get fro mstr
feat(imx8m): fix the ddr4 dvfs random hang on imx8m
This new workaround takes advantage of the per core IMR
registers in GPC in order to unmask the IRQ0, still generated
by the 12bit in IOMUX_GPR register (which now remains always set),
so it can only wake up one core at the time.Also, this entire
workaround has now been moved here in TF-A, allowing the kernel
side to be minimal.
Another advantage this workaround brings is the removal of the
50us delay (which was necessary before in gic_raise_softirq in
kernel) by allowing the core that is waking up to mask his own
IRQ0 in the suspend finish callback.
One important change here is the way the cores are woken up in
dram_dvfs_handler. Since the wake up mechanism has changed from
asserting the 12th bit in IOMUX_GPR and leaving the IMR1 1st bit
on for each core to exactly the reverse, that is, leaving the
IOMUX_GPR 12th bit always set and then masking/unmasking the IMR1
1st bit for each independent core, we need to use the imx_gpc_core_wake
to wake up the cores.
Also, the 50us udelay is moved to TF-A (inside imx_pwr_domain_off)
from kernel(gic_raise_softirq), since the new cpuidle workaround
does not need it in order to clean the IOMUX_GPC 12bit. For now,
the udelay seems to be still needed in order to delay the affinity
info OFF for the dying core. This is something that needs further
investigation.
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
Change-Id: I9f17ff6fc3452b8225a50b232964712aafeab78a
The current putc version test for TXEMPTY bit set (#6) instead
of waiting for TXFULL bit clear (#4), that slows the global
boot time as we are not taking benefit of the 32-byte FIFO.
We then need to implement the flush function to be sure the
transmit is complete (FIFO and shift register empty).
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Change-Id: I54873a5203e2afdc230e44ce73284e7a80985b4f
TF-A wants to eventually enable -Wold-style-definition globally. Convert
the rare few instances where this is still the case.
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I9c450fc875cf097e6de2ed577ea3b085821c9f5e
Introduce support for High Assurance Boot (HABv4), which is used to
establish and extend the Root-of-Trust during FW loading at any given
boot stage.
This commit introduces support for HAB ROM Vector Table (RVT) API, which
is normally used by post-ROM code to authenticate additional boot images
(Kernel, FDT, FIT, etc.) that are taking part in the Root-of-Trust.
Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
Change-Id: I780d308369824fa4850844eb9e91768e417166a0
This commit makes imx image io-storage logic common for all
imx platform.
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Change-Id: I15045ac8f9dfa8cb714e32f9e7475d5eae4e86e4
In iMX8MM it is possible to have two copies of bootloader in
SD/eMMC and switch between them. The switch is triggered either
by the BootROM in case the bootloader image is faulty OR can be
enforced by the user. To trigger that switch the
PERSIST_SECONDARY_BOOT bit should be set in GPR10 SRC register.
As the bit is retained after WARM reset, that permits to control
BootROM behavior regarding what boot image it will boot after
reset: primary or secondary.
This is useful for reliable bootloader A/B updates, as it permits
switching between two copies of bootloader at different offsets of
the same storage.
If the PERSIST_SECONDARY_BOOT is 0, the boot ROM uses address
0x8400 for the primary image. If the PERSIST_SECONDARY_BOOT is 1,
the boot ROM reads that secondary image table from address 0x8200
on the boot media and uses the address specified in the table for
the secondary image.
Secondary Image Table contains the sector of secondary bootloader
image, exluding the offset to that image (explained below in the
note). To generate the Secondary Image Table, use e.g.:
$ printf '\x0\x0\x0\x0\x0\x0\x0\x0\x33\x22\x11'
'\x00\x00\x10\x0\x0\x00\x0\x0\x0'
> /tmp/sit.bin
$ hexdump -vC /tmp/sit.bin
00000000 00 00 00 00
00000004 00 00 00 00
00000008 33 22 11 00 <--- This is the "tag"
0000000c 00 10 00 00 <--- This is the "firstSectorNumber"
00000010 00 00 00 00
You can also use NXP script from [1][2] imx-mkimage tool for
SIT generation. Note that the firstSectorNumber is NOT the offset
of the IVT, but an offset of the IVT decremented by Image Vector
Table offset (Table 6-25. Image Vector Table Offset and Initial
Load Region Size for iMX8MM/MQ), so for secondary SPL copy at
offset 0x1042 sectors, firstSectorNumber must be 0x1000
(0x42 sectors * 512 = 0x8400 bytes offset).
In order to test redundant boot board should be closed and
SD/MMC manufacture mode disabled, as secondary boot is not
supported in the SD/MMC manufacture mode, which can be disabled
by blowing DISABLE_SDMMC_MFG (example for iMX8MM):
> fuse prog -y 2 1 0x00800000
For additional details check i.MX 8M Mini Apllication Processor
Reference Manual, 6.1.5.4.5 Redundant boot support for
expansion device chapter.
[1] https://source.codeaurora.org/external/imx/imx-mkimage/
[2] scripts/gen_sit.sh
Change-Id: I0a5cea7295a4197f6c89183d74b4011cada52d4c
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
And from crash_console_flush.
We ignore the error information return by console_flush in _every_
place where we call it, and casting the return type to void does not
work around the MISRA violation that this causes. Instead, we collect
the error information from the driver (to avoid changing that API), and
don't return it to the caller.
Change-Id: I1e35afe01764d5c8f0efd04f8949d333ffb688c1
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>
Add sdei support for i.MX8MM, this is to let jailhouse Hypervisor
could use SDEI to do hypervisor management, after physical IRQ
has been disabled routing.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Change-Id: I5fd697fee22df151e13d0f1335e8ac8a7bae6189
Implement IMX_SIP_AARCH32 to let AArch64 Bootloader could issue
SIP call to switch to AArch32 mode to run OS.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Change-Id: I38b04ef909a6dbfba5ded12a7bb6e799a3935a66
This fixes shift overflow errors, when compiled with CONSOLE_DEBUG
support:
plat/imx/common/include/imx8_iomux.h:11:35: error: result of ‘1 << 31’
requires 33 bits to represent, but ‘int’ only has 32 bits
[-Werror=shift-overflow=]
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Change-Id: I0488e22c30314ba27caabc5c767164baa1e8004c
Since commit ac71344e9e we have the UART base address in the generic
console_t structure. For most platforms the platform-specific struct
console is gone, so we *must* use the embedded base address, since there
is no storage behind the generic console_t anymore.
Replace the usage of CONSOLE_T_DRVDATA with CONSOLE_T_BASE to fix this.
Change-Id: I6d2ab0bc2c845c71f98b9dd64d89eef3252f4591
Reported-by: Varun Wadekar <vwadekar@nvidia.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Since now the generic console_t structure holds the UART base address as
well, let's use that generic location and drop the UART driver specific
data structure at all.
Change-Id: I058f793e4024fa7291e432f5be374a77faf16f36
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This is not conforming C and does not compile with -fno-common.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: I6535954cc567d6efa06919069b91e3f50975b073
This was found by compiling with -fno-common:
./build/picopi/release/bl2/imx_snvs.o:(.bss.__packed+0x0): multiple definition of `__packed';
./build/picopi/release/bl2/imx_caam.o:(.bss.__packed+0x0): first defined here
__packed was intended to be the attribute macro from cdefs.h, not an
object of the structure type.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Change-Id: Id02fac3f098be2d71c35c6b4a18012515532f32a
Normally, SGI6 & SGI7 is used by non-secure world, these
two SGIs should not be reserved for secure interrupt purpose.
On i.MX8M platform, SGI8 is used for secure group0 IPI for
DDR DVFS, So update the code to reserve SGI8 for secure world.
Change-Id: Ib1ed9786e0a79bb729b120a0d4d791d13b6f048a
Signed-off-by: Jacky Bai <ping.bai@nxp.com>
NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__.
All common C compilers predefine a macro called __ASSEMBLER__ when
preprocessing a .S file. There is no reason for TF-A to define it's own
__ASSEMBLY__ macro for this purpose instead. To unify code with the
export headers (which use __ASSEMBLER__ to avoid one extra dependency),
let's deprecate __ASSEMBLY__ and switch the code base over to the
predefined standard.
Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417
Signed-off-by: Julius Werner <jwerner@chromium.org>
The PicoPi iMX7D is a 2 board development board consisting of
a System-on-Module and a carrier baseboard and optimized for
the Internet-of-Things (IoT).
This patch add basic support to this board.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Reviewed-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change-Id: I009d85819c4f73b7063aab73d0f6ee74e6ef3fc4
For the iMX7 SOCs, part of the code for platform
setup implementation can be reused and made
common for all these SoCs. This patch extracts
the common part for reuse.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Change-Id: I42fd4167e6903416df96a0159a046abf3896e878
This consists of ensuring that the left operand of each shift is
unsigned when the operation might overflow into the sign bit.
Change-Id: Ia0a10b4a30e63c0cbf1d0f8dfe5768e0a93ae1c7
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Platform defines are already provided by the build system so let's not
duplicate them.
Change-Id: Icf1ea76c3c3213e27b447c95e2b22b961fa7693e
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
The manual documents that 0x3036006c should contains the soc revision
for imx8mq but this always reports A0. Work around this by parsing the
ROM header and checking if OCOTP register 0x40 is stuck at 0xff0055aa.
Determining this inside TF-A makes life easier for OS, see for example
this linux discussion: https://lkml.org/lkml/2019/5/3/465
The soc revision can also be useful inside TF-A itself, for example for
the non-upstream DDR DVFS "busfreq" feature is affected by 8mq erratas.
The clock for OCOTP block can be disabled by OS so only initialize soc
revision once at boot time.
Change-Id: I9ca3f27840229ce8a28b53870e44da29f63c73aa
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
The IMX_SIP_BUILDINFO call was implemented for imx8qm and imx8qx but
it's also applicable to imx8m.
This fixes U-Boot not printing commit hash on 8m with upstream TF-A.
Change-Id: Idcfd9729eaaccf329c24e241da325f1f6cd3c880
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Now it is needed to use the full path of the common header files.
Commit 09d40e0e08 ("Sanitise includes across codebase") provides more
information.
Change-Id: Ifedc79d9f664d208ba565f5736612a3edd94c647
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
The old version of the macro is deprecated.
Commit cc5859ca19 ("Multi-console: Deprecate the
`finish_console_register` macro") provides more details.
Change-Id: I3d1cdf6496db7d8e6cfbb5804f508ff46ae7e67e
Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
GICR_WAKER.ProcessorSleep can only be set to zero when:
— GICR_WAKER.Sleep bit[0] == 0.
— GICR_WAKER.Quiescent bit[31] == 0.
On some platforms, when system reboot with GIC in sleep
mode but with power ON, such as on NXP's i.MX8QM, Linux
kernel enters suspend but could be requested to reboot,
and GIC is in sleep mode and it is inside a power domain
which is ON in this scenario, when CPU reset, the GIC
driver trys to set CORE's redistributor interface to awake,
with GICR_WAKER.Sleep bit[0] and GICR_WAKER.Quiescent bit[31]
both set, the ProcessorSleep bit[1] will never be clear
and cause system hang.
This patch makes sure GICR_WAKER.Sleep bit[0] and
GICR_WAKER.Quiescent bit[31] are both zeor before clearing
ProcessorSleep bit[1].
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
This commit migrates to MULTI_CONSOLE_API for IMX Warp7 board.
We also rename the functions in imx_uart driver to more specific one.
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Current implementation of i.MX8QM power management related
features does NOT optimize power number, all system resources
like CCI, DDR, and A cluster etc. are kept in STBY mode (powered
ON) when system suspend or CPU hotplug.
To lower the power number, OFF mode should be adopted for those
system resources whenever they can be OFF, A cluster will be OFF
if the CPUs in the cluster are all off line, DDR/MU/DB can be OFF
if system suspend, IRQ steer can be OFF if the wakeup source is
belonged to system controller partition, so wakeup source runtime
check is used to determine if IRQ steer can be OFF before system
suspend.
If resources are powered off for suspend, they should be restored
properly after system resume.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
This patch adds NXP i.MX8 SoCs' build info SIP support for easy debug.
With this function enabled, TF-A's commit hash can be showed in u-boot
debug console when booting up, when there is any issue which could be
related to TF-A, users can use the commit hash value to easily identify
which commit introduces the issue.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
For NXP's i.MX8 SoCs with system controller inside, thermal sensors
are maintained by SCFW, Linux needs to call SMC to trap to TF-A for
thermal alarm operation etc. by calling SCFW API.
This patch adds temperature alarm SIP service support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
For NXP's i.MX8 SoCs with system controller inside, OTP is
maintained by SCFW, Linux needs to call SMC to trap to TF-A
for OTP read/write etc. operations by calling SCFW API.
This patch adds OTP SIP service support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8 SoCs have system controller (M4 core) which takes
control of misc functions like temperature alarm, dma etc., other
Cortex-A clusters can send out command via MU (Message Unit) to
system controller for misc operation etc..
This patch adds misc IPC(inter-processor communication) support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
On i.MX8QM/i.MX8QX with system controller inside, the wakeup
source is managed in SCFW(system controller firmware), if the
wakeup source is belonged to system controller partition, then
before Linux suspend, the wakeup source should be set to
SC_PM_WAKE_SRC_SCU, and if the wakeup source is belonged to
Cortex-A partition, the wakeup source should be set to
SC_PM_WAKE_SRC_IRQSTEER, so need to add wakeup source SIP runtime
service to get Linux kernel's wakeup source and set the correct
wakeup source for system controller.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
On i.MX8QM/i.MX8QX with system controller inside, the CPU's clock
rate is managed by SCFW(system controller firmware) and can ONLY be
changed from secure world, so SIP runtime service is needed for
setting CPU's clock rate, this patch adds cpu-freq SIP runtime service
support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
On i.MX8QM/i.MX8QX with system controller inside, the SRTC is
managed by SCFW(system controller firmware) and some functions
like setting SRTC's time etc. can ONLY be requested from secure
world, so SIP runtime service is needed for such kind of operations,
this patch adds SRTC SIP runtime service support for i.MX8QM and
i.MX8QX.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
NXP's i.MX8 SoCs have system controller (M4 core) which takes
control of timer management, including watchdog, srtc and system
counter etc., other clusters like Cortex-A35 can send out command
via MU (Message Unit) to system controller for timer operation.
This patch adds timer IPC(inter-processor communication) support.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
With DEBUG_CONSOLE enabled, build will fail for imx8mq platform:
./build/imx8mq/release/bl31/imx8mq_bl31_setup.o:
In function `bl31_early_platform_setup2':
imx8mq_bl31_setup.c:(.text.bl31_early_platform_setup2+0x40):
undefined reference to `console_uart_register'
Makefile:741: recipe for target 'build/imx8mq/release/bl31/bl31.elf' failed
make: *** [build/imx8mq/release/bl31/bl31.elf] Error 1
Besides, the .console_flush callback needs to be added to avoid
panic when debug mode is enabled, since the console_flush() will
call it without checking whether the function callback is valid.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Current lpuart driver does NOT implement .console_flush callback,
if debug console is enabled, the console_flush() will call the
undefined .console_flush callback(NULL) for lpuart and leak to
panic, this patch adds .console_flush callback to make lpuart work
for debug mode.
Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Enforce full include path for includes. Deprecate old paths.
The following folders inside include/lib have been left unchanged:
- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}
The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).
For example, this patch had to be created because two headers were
called the same way: e0ea0928d5 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a2 ("drivers: add tzc380 support").
This problem was introduced in commit 4ecca33988 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.
Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.
Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
i.MX8MQ is new SOC of NXP's i.MX8M family based on
A53. It can provide industry-leading audio, voice
and video processing for applications that scale
from consumer home audio to industrial building
automation and mobile computers
this patchset add the basic supoort to boot up
the 4 X A53. more feature will be added later.
Signed-off-by: Bai Ping <ping.bai@nxp.com>
All identifiers, regardless of use, that start with two underscores are
reserved. This means they can't be used in header guards.
The style that this project is now to use the full name of the file in
capital letters followed by 'H'. For example, for a file called
"uart_example.h", the header guard is UART_EXAMPLE_H.
The exceptions are files that are imported from other projects:
- CryptoCell driver
- dt-bindings folders
- zlib headers
Change-Id: I50561bf6c88b491ec440d0c8385c74650f3c106e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
