summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2021-11-17 21:42:08 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2021-11-17 21:42:08 +0000
commitd9626f39aa9fb04f2d92e5dff8748cdf51eee277 (patch)
tree6a4e204176247768b8d2f9a88252e84d4cba39f9
parentReleasing progress-linux version 2.5+dfsg-2~progress6+u1. (diff)
downloadarm-trusted-firmware-d9626f39aa9fb04f2d92e5dff8748cdf51eee277.tar.xz
arm-trusted-firmware-d9626f39aa9fb04f2d92e5dff8748cdf51eee277.zip
Merging upstream version 2.6~rc0+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--Makefile227
-rw-r--r--bl1/aarch64/bl1_context_mgmt.c38
-rw-r--r--bl1/aarch64/bl1_entrypoint.S40
-rw-r--r--bl1/bl1.mk6
-rw-r--r--bl1/bl1_main.c8
-rw-r--r--bl1/bl1_private.h5
-rw-r--r--bl2/aarch32/bl2_el3_entrypoint.S37
-rw-r--r--bl2/aarch32/bl2_run_next_image.S46
-rw-r--r--bl2/aarch64/bl2_el3_entrypoint.S37
-rw-r--r--bl2/aarch64/bl2_rme_entrypoint.S67
-rw-r--r--bl2/aarch64/bl2_run_next_image.S45
-rw-r--r--bl2/bl2.ld.S6
-rw-r--r--bl2/bl2.mk17
-rw-r--r--bl2/bl2_main.c56
-rw-r--r--bl31/aarch64/bl31_entrypoint.S15
-rw-r--r--bl31/aarch64/runtime_exceptions.S15
-rw-r--r--bl31/bl31.mk37
-rw-r--r--bl31/bl31_context_mgmt.c18
-rw-r--r--bl31/bl31_main.c58
-rw-r--r--bl32/sp_min/sp_min.mk16
-rw-r--r--bl32/tsp/aarch64/tsp_entrypoint.S22
-rw-r--r--bl32/tsp/tsp_interrupt.c3
-rw-r--r--bl32/tsp/tsp_main.c6
-rw-r--r--common/bl_common.c35
-rw-r--r--common/fdt_fixup.c42
-rw-r--r--common/fdt_wrappers.c58
-rw-r--r--common/fdt_wrappers.mk7
-rw-r--r--common/tf_crc32.c45
-rw-r--r--common/tf_log.c14
-rw-r--r--common/uuid.c3
-rw-r--r--docs/about/features.rst6
-rw-r--r--docs/about/maintainers.rst76
-rw-r--r--docs/about/release-information.rst2
-rw-r--r--docs/change-log.rst2
-rw-r--r--docs/components/activity-monitors.rst34
-rw-r--r--docs/components/fconf/amu-bindings.rst142
-rw-r--r--docs/components/fconf/index.rst2
-rw-r--r--docs/components/fconf/mpmm-bindings.rst48
-rw-r--r--docs/components/ffa-manifest-binding.rst17
-rw-r--r--docs/components/index.rst3
-rw-r--r--docs/components/measured_boot/event_log.rst2
-rw-r--r--docs/components/mpmm.rst30
-rw-r--r--docs/components/realm-management-extension.rst194
-rw-r--r--docs/components/secure-partition-manager.rst274
-rw-r--r--docs/components/xlat-tables-lib-v2-design.rst51
-rw-r--r--docs/design/cpu-specific-build-macros.rst124
-rw-r--r--docs/design/firmware-design.rst5
-rw-r--r--docs/design/trusted-board-boot.rst3
-rw-r--r--docs/design_documents/index.rst1
-rw-r--r--docs/design_documents/measured_boot_poc.rst507
-rw-r--r--docs/getting_started/build-options.rst141
-rw-r--r--docs/getting_started/porting-guide.rst151
-rw-r--r--docs/getting_started/prerequisites.rst6
-rw-r--r--docs/global_substitutions.txt3
-rw-r--r--docs/glossary.rst12
-rw-r--r--docs/index.rst2
-rw-r--r--docs/license.rst1
-rw-r--r--docs/plat/arm/arm-build-options.rst6
-rw-r--r--docs/plat/arm/diphda/index.rst61
-rw-r--r--docs/plat/arm/fvp/index.rst51
-rw-r--r--docs/plat/arm/fvp_r/index.rst46
-rw-r--r--docs/plat/arm/index.rst6
-rw-r--r--docs/plat/arm/tc/index.rst (renamed from docs/plat/arm/tc0/index.rst)16
-rw-r--r--docs/plat/deprecated.rst2
-rw-r--r--docs/plat/imx8m.rst3
-rw-r--r--docs/plat/index.rst1
-rw-r--r--docs/plat/marvell/armada/build.rst172
-rw-r--r--docs/plat/nvidia-tegra.rst30
-rw-r--r--docs/plat/nxp/index.rst17
-rw-r--r--docs/plat/nxp/nxp-layerscape.rst301
-rw-r--r--docs/plat/nxp/nxp-ls-fuse-prov.rst271
-rw-r--r--docs/plat/nxp/nxp-ls-tbbr.rst210
-rw-r--r--docs/plat/qti.rst8
-rw-r--r--docs/plat/stm32mp1.rst141
-rw-r--r--docs/plat/xilinx-versal.rst5
-rw-r--r--docs/process/contributing.rst63
-rwxr-xr-xdocs/resources/diagrams/ffa-secure-interrupt-handling-nwd.pngbin0 -> 48073 bytes
-rwxr-xr-xdocs/resources/diagrams/ffa-secure-interrupt-handling-swd.pngbin0 -> 48364 bytes
-rw-r--r--docs/resources/diagrams/plantuml/spm_dfd.puml82
-rw-r--r--docs/resources/diagrams/spm-threat-model-trust-boundaries.pngbin0 -> 66389 bytes
-rw-r--r--docs/threat_model/index.rst10
-rw-r--r--docs/threat_model/threat_model.rst17
-rw-r--r--docs/threat_model/threat_model_spm.rst617
-rw-r--r--drivers/arm/css/scmi/scmi_common.c8
-rw-r--r--drivers/arm/css/scp/css_pm_scmi.c2
-rw-r--r--drivers/arm/ethosn/ethosn_smc.c58
-rw-r--r--drivers/arm/gic/v3/gic-x00.c10
-rw-r--r--drivers/arm/gic/v3/gic600_multichip.c26
-rw-r--r--drivers/arm/gic/v3/gic600_multichip_private.h26
-rw-r--r--drivers/arm/gic/v3/gic600ae_fmu.c244
-rw-r--r--drivers/arm/gic/v3/gic600ae_fmu_helpers.c257
-rw-r--r--drivers/arm/gic/v3/gicv3.mk11
-rw-r--r--drivers/arm/gic/v3/gicv3_helpers.c90
-rw-r--r--drivers/arm/gic/v3/gicv3_main.c70
-rw-r--r--drivers/arm/gic/v3/gicv3_private.h2
-rw-r--r--drivers/arm/tzc/tzc400.c28
-rw-r--r--drivers/arm/tzc/tzc_common_private.h23
-rw-r--r--drivers/auth/auth_mod.c9
-rw-r--r--drivers/auth/cryptocell/713/cryptocell_crypto.c1
-rw-r--r--drivers/auth/tbbr/tbbr_cot_bl1_r64.c177
-rw-r--r--drivers/brcm/emmc/emmc_csl_sdcard.c6
-rw-r--r--drivers/fwu/fwu.c187
-rw-r--r--drivers/fwu/fwu.mk11
-rw-r--r--drivers/io/io_mtd.c68
-rw-r--r--drivers/marvell/amb_adec.c13
-rw-r--r--drivers/marvell/ccu.c9
-rw-r--r--drivers/marvell/comphy/comphy-cp110.h2
-rw-r--r--drivers/marvell/comphy/phy-comphy-3700.c229
-rw-r--r--drivers/marvell/comphy/phy-comphy-common.h2
-rw-r--r--drivers/marvell/comphy/phy-comphy-cp110.c54
-rw-r--r--drivers/marvell/gwin.c9
-rw-r--r--drivers/marvell/io_win.c9
-rw-r--r--drivers/marvell/iob.c9
-rw-r--r--drivers/marvell/mc_trustzone/mc_trustzone.c7
-rw-r--r--drivers/marvell/uart/a3700_console.S10
-rw-r--r--drivers/measured_boot/event_log.c410
-rw-r--r--drivers/measured_boot/event_log/event_log.c284
-rw-r--r--drivers/measured_boot/event_log/event_log.mk (renamed from drivers/measured_boot/measured_boot.mk)22
-rw-r--r--drivers/measured_boot/event_log/event_print.c (renamed from drivers/measured_boot/event_print.c)2
-rw-r--r--drivers/measured_boot/measured_boot.c39
-rw-r--r--drivers/mmc/mmc.c76
-rw-r--r--drivers/mtd/nand/core.c43
-rw-r--r--drivers/mtd/nand/spi_nand.c10
-rw-r--r--drivers/mtd/nor/spi_nor.c24
-rw-r--r--drivers/mtd/spi-mem/spi_mem.c4
-rw-r--r--drivers/nxp/auth/csf_hdr_parser/csf_hdr.mk4
-rw-r--r--drivers/nxp/console/console.mk2
-rw-r--r--drivers/nxp/crypto/caam/caam.mk7
-rw-r--r--drivers/nxp/csu/csu.mk8
-rw-r--r--drivers/nxp/dcfg/dcfg.c14
-rw-r--r--drivers/nxp/dcfg/dcfg.mk8
-rw-r--r--drivers/nxp/ddr/fsl-mmdc/ddr.mk12
-rw-r--r--drivers/nxp/ddr/nxp-ddr/ddr.c9
-rw-r--r--drivers/nxp/ddr/nxp-ddr/ddr.mk17
-rw-r--r--drivers/nxp/ddr/phy-gen2/phy.c14
-rw-r--r--drivers/nxp/drivers.mk5
-rw-r--r--drivers/nxp/gic/gic.mk4
-rw-r--r--drivers/nxp/gpio/gpio.mk6
-rw-r--r--drivers/nxp/i2c/i2c.mk8
-rw-r--r--drivers/nxp/interconnect/interconnect.mk4
-rw-r--r--drivers/nxp/pmu/pmu.mk6
-rw-r--r--drivers/nxp/qspi/qspi.mk8
-rw-r--r--drivers/nxp/sd/sd_mmc.mk8
-rw-r--r--drivers/nxp/sec_mon/sec_mon.mk6
-rw-r--r--drivers/nxp/sfp/fuse_prov.c2
-rw-r--r--drivers/nxp/sfp/sfp.mk10
-rw-r--r--drivers/nxp/timer/timer.mk6
-rw-r--r--drivers/nxp/tzc/tzc.mk6
-rw-r--r--drivers/partition/partition.c3
-rw-r--r--drivers/renesas/common/common.c5
-rw-r--r--drivers/renesas/common/console/rcar_console.S4
-rw-r--r--drivers/renesas/common/ddr/ddr_a/ddr_init_d3.c74
-rw-r--r--drivers/renesas/common/ddr/ddr_b/boot_init_dram.c8
-rw-r--r--drivers/renesas/common/ddr/ddr_b/boot_init_dram_config.c45
-rw-r--r--drivers/renesas/common/ddr/ddr_b/boot_init_dram_regdef.h4
-rw-r--r--drivers/renesas/common/emmc/emmc_init.c9
-rw-r--r--drivers/renesas/common/emmc/emmc_registers.h15
-rw-r--r--drivers/renesas/common/iic_dvfs/iic_dvfs.c4
-rw-r--r--drivers/renesas/common/io/io_rcar.c27
-rw-r--r--drivers/renesas/common/pwrc/pwrc.c39
-rw-r--r--drivers/renesas/common/scif/scif.S26
-rw-r--r--drivers/renesas/common/watchdog/swdt.c6
-rw-r--r--drivers/renesas/rcar/board/board.c6
-rw-r--r--drivers/scmi-msg/common.h8
-rw-r--r--drivers/scmi-msg/entry.c28
-rw-r--r--drivers/scmi-msg/power_domain.c239
-rw-r--r--drivers/scmi-msg/power_domain.h72
-rw-r--r--drivers/scmi-msg/smt.c8
-rw-r--r--drivers/st/clk/stm32mp1_clk.c45
-rw-r--r--drivers/st/clk/stm32mp_clkfunc.c12
-rw-r--r--drivers/st/io/io_mmc.c13
-rw-r--r--drivers/st/io/io_stm32image.c21
-rw-r--r--drivers/st/mmc/stm32_sdmmc2.c39
-rw-r--r--drivers/st/pmic/stm32mp_pmic.c6
-rw-r--r--drivers/st/pmic/stpmic1.c45
-rw-r--r--drivers/st/spi/stm32_qspi.c3
-rw-r--r--drivers/st/uart/aarch32/stm32_console.S11
-rw-r--r--drivers/st/usb/stm32mp1_usb.c1091
-rw-r--r--drivers/ufs/ufs.c122
-rw-r--r--drivers/usb/usb_device.c845
-rw-r--r--fdts/arm_fpga.dts10
-rw-r--r--fdts/fvp-base-gicv3-psci-common.dtsi11
-rw-r--r--fdts/juno-ethosn.dtsi12
-rw-r--r--fdts/morello-fvp.dts31
-rw-r--r--fdts/stm32mp15-bl2.dtsi91
-rw-r--r--fdts/stm32mp15-bl32.dtsi46
-rw-r--r--fdts/stm32mp15-ddr.dtsi256
-rw-r--r--fdts/stm32mp15-ddr3-1x4Gb-1066-binG.dtsi4
-rw-r--r--fdts/stm32mp15-ddr3-2x4Gb-1066-binG.dtsi4
-rw-r--r--fdts/stm32mp15-fw-config.dtsi80
-rw-r--r--fdts/stm32mp15-pinctrl.dtsi105
-rw-r--r--fdts/stm32mp151.dtsi28
-rw-r--r--fdts/stm32mp157a-avenger96-fw-config.dts7
-rw-r--r--fdts/stm32mp157a-dk1-fw-config.dts7
-rw-r--r--fdts/stm32mp157a-ed1-fw-config.dts7
-rw-r--r--fdts/stm32mp157a-ev1-fw-config.dts7
-rw-r--r--fdts/stm32mp157c-dk2-fw-config.dts7
-rw-r--r--fdts/stm32mp157c-ed1-fw-config.dts7
-rw-r--r--fdts/stm32mp157c-ed1.dts29
-rw-r--r--fdts/stm32mp157c-ev1-fw-config.dts7
-rw-r--r--fdts/stm32mp157c-ev1.dts5
-rw-r--r--fdts/stm32mp157c-lxa-mc1-fw-config.dts7
-rw-r--r--fdts/stm32mp157c-lxa-mc1.dts18
-rw-r--r--fdts/stm32mp157c-odyssey-fw-config.dts7
-rw-r--r--fdts/stm32mp157d-dk1-fw-config.dts7
-rw-r--r--fdts/stm32mp157d-ed1-fw-config.dts7
-rw-r--r--fdts/stm32mp157d-ev1-fw-config.dts7
-rw-r--r--fdts/stm32mp157f-dk2-fw-config.dts7
-rw-r--r--fdts/stm32mp157f-ed1-fw-config.dts7
-rw-r--r--fdts/stm32mp157f-ev1-fw-config.dts7
-rw-r--r--fdts/stm32mp15xx-dkx.dtsi9
-rw-r--r--fdts/stm32mp15xxaa-pinctrl.dtsi4
-rw-r--r--fdts/stm32mp15xxab-pinctrl.dtsi4
-rw-r--r--fdts/stm32mp15xxac-pinctrl.dtsi4
-rw-r--r--fdts/stm32mp15xxad-pinctrl.dtsi4
-rw-r--r--fdts/tc.dts (renamed from fdts/tc0.dts)84
-rw-r--r--include/arch/aarch32/arch.h36
-rw-r--r--include/arch/aarch32/arch_helpers.h2
-rw-r--r--include/arch/aarch32/el3_common_macros.S40
-rw-r--r--include/arch/aarch64/arch.h163
-rw-r--r--include/arch/aarch64/arch_features.h29
-rw-r--r--include/arch/aarch64/arch_helpers.h43
-rw-r--r--include/arch/aarch64/asm_macros.S4
-rw-r--r--include/arch/aarch64/el2_common_macros.S422
-rw-r--r--include/arch/aarch64/el3_common_macros.S85
-rw-r--r--include/bl31/bl31.h3
-rw-r--r--include/common/bl_common.h8
-rw-r--r--include/common/debug.h3
-rw-r--r--include/common/ep_info.h11
-rw-r--r--include/common/fdt_fixup.h4
-rw-r--r--include/common/fdt_wrappers.h8
-rw-r--r--include/common/tf_crc32.h16
-rw-r--r--include/drivers/arm/arm_gicv3_common.h8
-rw-r--r--include/drivers/arm/css/scmi.h10
-rw-r--r--include/drivers/arm/ethosn.h8
-rw-r--r--include/drivers/arm/gic600ae_fmu.h148
-rw-r--r--include/drivers/arm/gicv3.h28
-rw-r--r--include/drivers/arm/tzc400.h1
-rw-r--r--include/drivers/fwu/fwu.h15
-rw-r--r--include/drivers/fwu/fwu_metadata.h74
-rw-r--r--include/drivers/io/io_mtd.h13
-rw-r--r--include/drivers/measured_boot/event_log.h97
-rw-r--r--include/drivers/measured_boot/event_log/event_log.h111
-rw-r--r--include/drivers/measured_boot/event_log/tcg.h (renamed from include/drivers/measured_boot/tcg.h)0
-rw-r--r--include/drivers/measured_boot/measured_boot.h21
-rw-r--r--include/drivers/mmc.h11
-rw-r--r--include/drivers/nand.h12
-rw-r--r--include/drivers/nxp/auth/csf_hdr_parser/csf_hdr.h (renamed from drivers/nxp/auth/csf_hdr_parser/csf_hdr.h)2
-rw-r--r--include/drivers/nxp/console/plat_console.h (renamed from drivers/nxp/console/plat_console.h)0
-rw-r--r--include/drivers/nxp/crypto/caam/caam.h (renamed from drivers/nxp/crypto/caam/include/caam.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/caam_io.h (renamed from drivers/nxp/crypto/caam/include/caam_io.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/hash.h (renamed from drivers/nxp/crypto/caam/include/hash.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/jobdesc.h (renamed from drivers/nxp/crypto/caam/include/jobdesc.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/jr_driver_config.h (renamed from drivers/nxp/crypto/caam/include/jr_driver_config.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/rsa.h (renamed from drivers/nxp/crypto/caam/include/rsa.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/sec_hw_specific.h (renamed from drivers/nxp/crypto/caam/include/sec_hw_specific.h)2
-rw-r--r--include/drivers/nxp/crypto/caam/sec_jr_driver.h (renamed from drivers/nxp/crypto/caam/include/sec_jr_driver.h)2
-rw-r--r--include/drivers/nxp/csu/csu.h (renamed from drivers/nxp/csu/csu.h)2
-rw-r--r--include/drivers/nxp/dcfg/dcfg.h (renamed from drivers/nxp/dcfg/dcfg.h)38
-rw-r--r--include/drivers/nxp/dcfg/dcfg_lsch2.h (renamed from drivers/nxp/dcfg/dcfg_lsch2.h)10
-rw-r--r--include/drivers/nxp/dcfg/dcfg_lsch3.h (renamed from drivers/nxp/dcfg/dcfg_lsch3.h)5
-rw-r--r--include/drivers/nxp/dcfg/scfg.h (renamed from drivers/nxp/dcfg/scfg.h)4
-rw-r--r--include/drivers/nxp/ddr/ddr.h (renamed from drivers/nxp/ddr/include/ddr.h)0
-rw-r--r--include/drivers/nxp/ddr/ddr_io.h (renamed from drivers/nxp/ddr/include/ddr_io.h)0
-rw-r--r--include/drivers/nxp/ddr/dimm.h (renamed from drivers/nxp/ddr/include/dimm.h)0
-rw-r--r--include/drivers/nxp/ddr/fsl-mmdc/fsl_mmdc.h (renamed from drivers/nxp/ddr/fsl-mmdc/fsl_mmdc.h)0
-rw-r--r--include/drivers/nxp/ddr/immap.h (renamed from drivers/nxp/ddr/include/immap.h)0
-rw-r--r--include/drivers/nxp/ddr/opts.h (renamed from drivers/nxp/ddr/include/opts.h)0
-rw-r--r--include/drivers/nxp/ddr/regs.h (renamed from drivers/nxp/ddr/include/regs.h)0
-rw-r--r--include/drivers/nxp/ddr/utility.h (renamed from drivers/nxp/ddr/include/utility.h)0
-rw-r--r--include/drivers/nxp/flexspi/flash_info.h32
-rw-r--r--include/drivers/nxp/gic/gicv2/plat_gic.h (renamed from drivers/nxp/gic/include/gicv2/plat_gic.h)0
-rw-r--r--include/drivers/nxp/gic/gicv3/plat_gic.h (renamed from drivers/nxp/gic/include/gicv3/plat_gic.h)0
-rw-r--r--include/drivers/nxp/gpio/nxp_gpio.h (renamed from drivers/nxp/gpio/nxp_gpio.h)0
-rw-r--r--include/drivers/nxp/i2c/i2c.h (renamed from drivers/nxp/i2c/i2c.h)2
-rw-r--r--include/drivers/nxp/interconnect/ls_interconnect.h (renamed from drivers/nxp/interconnect/ls_interconnect.h)2
-rw-r--r--include/drivers/nxp/pmu/pmu.h (renamed from drivers/nxp/pmu/pmu.h)0
-rw-r--r--include/drivers/nxp/qspi/qspi.h (renamed from drivers/nxp/qspi/qspi.h)0
-rw-r--r--include/drivers/nxp/sd/sd_mmc.h (renamed from drivers/nxp/sd/sd_mmc.h)2
-rw-r--r--include/drivers/nxp/sec_mon/snvs.h (renamed from drivers/nxp/sec_mon/snvs.h)0
-rw-r--r--include/drivers/nxp/sfp/fuse_prov.h (renamed from drivers/nxp/sfp/fuse_prov.h)0
-rw-r--r--include/drivers/nxp/sfp/sfp.h (renamed from drivers/nxp/sfp/sfp.h)0
-rw-r--r--include/drivers/nxp/sfp/sfp_error_codes.h (renamed from drivers/nxp/sfp/sfp_error_codes.h)0
-rw-r--r--include/drivers/nxp/timer/nxp_timer.h (renamed from drivers/nxp/timer/nxp_timer.h)0
-rw-r--r--include/drivers/nxp/tzc/plat_tzc400.h (renamed from drivers/nxp/tzc/plat_tzc400.h)0
-rw-r--r--include/drivers/st/io_mmc.h6
-rw-r--r--include/drivers/st/stm32mp1_rcc.h2695
-rw-r--r--include/drivers/st/stm32mp1_usb.h16
-rw-r--r--include/drivers/st/stm32mp_clkfunc.h1
-rw-r--r--include/drivers/st/stpmic1.h24
-rw-r--r--include/drivers/ufs.h11
-rw-r--r--include/drivers/usb_device.h278
-rw-r--r--include/dt-bindings/interrupt-controller/arm-gic.h13
-rw-r--r--include/dt-bindings/interrupt-controller/irq.h23
-rw-r--r--include/dt-bindings/soc/stm32mp15-tzc400.h36
-rw-r--r--include/export/common/ep_info_exp.h18
-rw-r--r--include/export/common/tbbr/tbbr_img_def_exp.h17
-rw-r--r--include/lib/cpus/aarch64/cortex_a510.h (renamed from include/lib/cpus/aarch64/cortex_matterhorn_elp_arm.h)14
-rw-r--r--include/lib/cpus/aarch64/cortex_a710.h44
-rw-r--r--include/lib/cpus/aarch64/cortex_a77.h8
-rw-r--r--include/lib/cpus/aarch64/cortex_a78.h4
-rw-r--r--include/lib/cpus/aarch64/cortex_a78_ae.h7
-rw-r--r--include/lib/cpus/aarch64/cortex_hayes.h (renamed from include/lib/cpus/aarch64/cortex_klein.h)16
-rw-r--r--include/lib/cpus/aarch64/cortex_hunter.h (renamed from include/lib/cpus/aarch64/cortex_matterhorn.h)16
-rw-r--r--include/lib/cpus/aarch64/cortex_x2.h23
-rw-r--r--include/lib/cpus/aarch64/neoverse_demeter.h23
-rw-r--r--include/lib/cpus/aarch64/neoverse_n2.h40
-rw-r--r--include/lib/cpus/aarch64/neoverse_v1.h14
-rw-r--r--include/lib/el3_runtime/aarch64/context.h21
-rw-r--r--include/lib/el3_runtime/cpu_data.h75
-rw-r--r--include/lib/extensions/amu.h110
-rw-r--r--include/lib/extensions/mpam.h1
-rw-r--r--include/lib/extensions/sme.h27
-rw-r--r--include/lib/extensions/sve.h8
-rw-r--r--include/lib/extensions/sys_reg_trace.h18
-rw-r--r--include/lib/extensions/trbe.h12
-rw-r--r--include/lib/extensions/trf.h12
-rw-r--r--include/lib/fconf/fconf_amu_getter.h20
-rw-r--r--include/lib/fconf/fconf_mpmm_getter.h20
-rw-r--r--include/lib/fconf/fconf_tbbr_getter.h3
-rw-r--r--include/lib/gpt_rme/gpt_rme.h276
-rw-r--r--include/lib/libc/aarch32/inttypes_.h21
-rw-r--r--include/lib/libc/aarch32/stdint_.h28
-rw-r--r--include/lib/libc/aarch64/inttypes_.h21
-rw-r--r--include/lib/libc/aarch64/stdint_.h31
-rw-r--r--include/lib/libc/arm_acle.h2
-rw-r--r--include/lib/libc/inttypes.h47
-rw-r--r--include/lib/libc/stdint.h18
-rw-r--r--include/lib/mpmm/mpmm.h57
-rw-r--r--include/lib/optee_utils.h6
-rw-r--r--include/lib/smccc.h46
-rw-r--r--include/lib/xlat_mpu/xlat_mpu.h27
-rw-r--r--include/lib/xlat_tables/xlat_tables.h9
-rw-r--r--include/lib/xlat_tables/xlat_tables_defs.h3
-rw-r--r--include/lib/xlat_tables/xlat_tables_v2.h30
-rw-r--r--include/plat/arm/board/common/v2m_def.h29
-rw-r--r--include/plat/arm/board/fvp_r/fvp_r_bl1.h13
-rw-r--r--include/plat/arm/common/arm_def.h256
-rw-r--r--include/plat/arm/common/arm_dyn_cfg_helpers.h6
-rw-r--r--include/plat/arm/common/arm_pas_def.h94
-rw-r--r--include/plat/arm/common/fconf_ethosn_getter.h9
-rw-r--r--include/plat/arm/common/plat_arm.h29
-rw-r--r--include/plat/arm/common/smccc_def.h4
-rw-r--r--include/plat/arm/css/common/css_def.h4
-rw-r--r--include/plat/common/platform.h50
-rw-r--r--include/plat/marvell/armada/a3k/common/plat_marvell.h2
-rw-r--r--include/services/ffa_svc.h81
-rw-r--r--include/services/gtsi_svc.h40
-rw-r--r--include/services/pci_svc.h59
-rw-r--r--include/services/rmi_svc.h64
-rw-r--r--include/services/rmmd_svc.h34
-rw-r--r--include/services/trp/platform_trp.h15
-rw-r--r--include/tools_share/firmware_image_package.h2
-rw-r--r--lib/aarch64/misc_helpers.S21
-rw-r--r--lib/bl_aux_params/bl_aux_params.c4
-rw-r--r--lib/cpus/aarch64/cortex_a510.S77
-rw-r--r--lib/cpus/aarch64/cortex_a710.S324
-rw-r--r--lib/cpus/aarch64/cortex_a77.S34
-rw-r--r--lib/cpus/aarch64/cortex_a78.S195
-rw-r--r--lib/cpus/aarch64/cortex_a78_ae.S125
-rw-r--r--lib/cpus/aarch64/cortex_hayes.S (renamed from lib/cpus/aarch64/cortex_klein.S)48
-rw-r--r--lib/cpus/aarch64/cortex_hunter.S77
-rw-r--r--lib/cpus/aarch64/cortex_matterhorn.S77
-rw-r--r--lib/cpus/aarch64/cortex_matterhorn_elp_arm.S77
-rw-r--r--lib/cpus/aarch64/cortex_x2.S77
-rw-r--r--lib/cpus/aarch64/cpu_helpers.S4
-rw-r--r--lib/cpus/aarch64/neoverse_demeter.S77
-rw-r--r--lib/cpus/aarch64/neoverse_n2.S410
-rw-r--r--lib/cpus/aarch64/neoverse_v1.S373
-rw-r--r--lib/cpus/cpu-ops.mk261
-rw-r--r--lib/cpus/errata_report.c4
-rw-r--r--lib/el3_runtime/aarch32/context_mgmt.c14
-rw-r--r--lib/el3_runtime/aarch64/context.S46
-rw-r--r--lib/el3_runtime/aarch64/context_mgmt.c148
-rw-r--r--lib/extensions/amu/aarch32/amu.c428
-rw-r--r--lib/extensions/amu/aarch32/amu_helpers.S2
-rw-r--r--lib/extensions/amu/aarch64/amu.c661
-rw-r--r--lib/extensions/amu/aarch64/amu_helpers.S4
-rw-r--r--lib/extensions/amu/amu.mk24
-rw-r--r--lib/extensions/amu/amu_private.h (renamed from include/lib/extensions/amu_private.h)11
-rw-r--r--lib/extensions/sme/sme.c103
-rw-r--r--lib/extensions/sve/sve.c132
-rw-r--r--lib/extensions/sys_reg_trace/aarch32/sys_reg_trace.c36
-rw-r--r--lib/extensions/sys_reg_trace/aarch64/sys_reg_trace.c37
-rw-r--r--lib/extensions/trbe/trbe.c63
-rw-r--r--lib/extensions/trf/aarch32/trf.c35
-rw-r--r--lib/extensions/trf/aarch64/trf.c36
-rw-r--r--lib/fconf/fconf.mk15
-rw-r--r--lib/fconf/fconf_amu_getter.c142
-rw-r--r--lib/fconf/fconf_mpmm_getter.c80
-rw-r--r--lib/fconf/fconf_tbbr_getter.c17
-rw-r--r--lib/gpt_rme/gpt_rme.c1124
-rw-r--r--lib/gpt_rme/gpt_rme.mk8
-rw-r--r--lib/gpt_rme/gpt_rme_private.h228
-rw-r--r--lib/mpmm/mpmm.c72
-rw-r--r--lib/mpmm/mpmm.mk29
-rw-r--r--lib/optee/optee_utils.c35
-rw-r--r--lib/psci/psci_setup.c3
-rw-r--r--lib/xlat_mpu/aarch64/enable_mpu.S53
-rw-r--r--lib/xlat_mpu/aarch64/xlat_mpu_arch.c69
-rw-r--r--lib/xlat_mpu/ro_xlat_mpu.mk14
-rw-r--r--lib/xlat_mpu/xlat_mpu.mk19
-rw-r--r--lib/xlat_mpu/xlat_mpu_context.c65
-rw-r--r--lib/xlat_mpu/xlat_mpu_core.c408
-rw-r--r--lib/xlat_mpu/xlat_mpu_private.h103
-rw-r--r--lib/xlat_mpu/xlat_mpu_utils.c83
-rw-r--r--lib/xlat_tables/aarch64/xlat_tables.c4
-rw-r--r--lib/xlat_tables_v2/aarch32/xlat_tables_arch.c21
-rw-r--r--lib/xlat_tables_v2/aarch64/xlat_tables_arch.c29
-rw-r--r--lib/xlat_tables_v2/xlat_tables_core.c11
-rw-r--r--lib/xlat_tables_v2/xlat_tables_private.h5
-rw-r--r--lib/xlat_tables_v2/xlat_tables_utils.c18
-rw-r--r--lib/zlib/tf_gunzip.c15
-rw-r--r--make_helpers/build_macros.mk84
-rw-r--r--make_helpers/defaults.mk81
-rw-r--r--make_helpers/tbbr/tbbr_tools.mk3
-rw-r--r--package-lock.json12
-rw-r--r--plat/allwinner/common/include/platform_def.h23
-rw-r--r--plat/allwinner/common/include/sunxi_def.h1
-rw-r--r--plat/allwinner/common/sunxi_bl31_setup.c3
-rw-r--r--plat/allwinner/common/sunxi_common.c22
-rw-r--r--plat/allwinner/common/sunxi_cpu_ops.c4
-rw-r--r--plat/allwinner/common/sunxi_scpi_pm.c1
-rw-r--r--plat/allwinner/sun50i_a64/include/sunxi_cpucfg.h3
-rw-r--r--plat/allwinner/sun50i_a64/include/sunxi_mmap.h1
-rw-r--r--plat/allwinner/sun50i_a64/sunxi_power.c1
-rw-r--r--plat/allwinner/sun50i_h6/include/sunxi_cpucfg.h3
-rw-r--r--plat/allwinner/sun50i_h6/include/sunxi_mmap.h1
-rw-r--r--plat/allwinner/sun50i_h616/include/sunxi_cpucfg.h3
-rw-r--r--plat/allwinner/sun50i_r329/include/sunxi_ccu.h14
-rw-r--r--plat/allwinner/sun50i_r329/include/sunxi_cpucfg.h31
-rw-r--r--plat/allwinner/sun50i_r329/include/sunxi_mmap.h55
-rw-r--r--plat/allwinner/sun50i_r329/include/sunxi_spc.h17
-rw-r--r--plat/allwinner/sun50i_r329/platform.mk20
-rw-r--r--plat/allwinner/sun50i_r329/sunxi_power.c27
-rw-r--r--plat/arm/board/a5ds/platform.mk11
-rw-r--r--plat/arm/board/arm_fpga/build_axf.ld.S12
-rw-r--r--plat/arm/board/arm_fpga/fpga_bl31_setup.c256
-rw-r--r--plat/arm/board/arm_fpga/fpga_gicv3.c92
-rw-r--r--plat/arm/board/arm_fpga/fpga_private.h3
-rw-r--r--plat/arm/board/arm_fpga/include/platform_def.h2
-rw-r--r--plat/arm/board/arm_fpga/kernel_trampoline.S35
-rw-r--r--plat/arm/board/arm_fpga/platform.mk23
-rw-r--r--plat/arm/board/common/rotpk/arm_dev_rotpk.S9
-rw-r--r--plat/arm/board/diphda/common/diphda_bl2_mem_params_desc.c86
-rw-r--r--plat/arm/board/diphda/common/diphda_err.c17
-rw-r--r--plat/arm/board/diphda/common/diphda_helpers.S67
-rw-r--r--plat/arm/board/diphda/common/diphda_plat.c77
-rw-r--r--plat/arm/board/diphda/common/diphda_pm.c22
-rw-r--r--plat/arm/board/diphda/common/diphda_security.c16
-rw-r--r--plat/arm/board/diphda/common/diphda_stack_protector.c35
-rw-r--r--plat/arm/board/diphda/common/diphda_topology.c43
-rw-r--r--plat/arm/board/diphda/common/diphda_trusted_boot.c53
-rw-r--r--plat/arm/board/diphda/common/fdts/diphda_spmc_manifest.dts30
-rw-r--r--plat/arm/board/diphda/common/include/platform_def.h416
-rw-r--r--plat/arm/board/diphda/include/plat_macros.S22
-rw-r--r--plat/arm/board/diphda/platform.mk83
-rw-r--r--plat/arm/board/fvp/fconf/fconf_hw_config_getter.c5
-rw-r--r--plat/arm/board/fvp/fdts/fvp_fw_config.dts4
-rw-r--r--plat/arm/board/fvp/fdts/fvp_spmc_manifest.dts11
-rw-r--r--plat/arm/board/fvp/fdts/fvp_spmc_optee_sp_manifest.dts5
-rw-r--r--plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts35
-rw-r--r--plat/arm/board/fvp/fdts/optee_sp_manifest.dts9
-rw-r--r--plat/arm/board/fvp/fvp_bl1_measured_boot.c44
-rw-r--r--plat/arm/board/fvp/fvp_bl1_setup.c71
-rw-r--r--plat/arm/board/fvp/fvp_bl2_measured_boot.c110
-rw-r--r--plat/arm/board/fvp/fvp_bl2_setup.c47
-rw-r--r--plat/arm/board/fvp/fvp_common.c31
-rw-r--r--plat/arm/board/fvp/fvp_common_measured_boot.c35
-rw-r--r--plat/arm/board/fvp/fvp_err.c24
-rw-r--r--plat/arm/board/fvp/fvp_io_storage.c20
-rw-r--r--plat/arm/board/fvp/fvp_measured_boot.c40
-rw-r--r--plat/arm/board/fvp/fvp_pm.c24
-rw-r--r--plat/arm/board/fvp/include/platform_def.h57
-rw-r--r--plat/arm/board/fvp/platform.mk34
-rw-r--r--plat/arm/board/fvp/sp_min/sp_min-fvp.mk9
-rw-r--r--plat/arm/board/fvp/trp/trp-fvp.mk12
-rw-r--r--plat/arm/board/fvp_r/fvp_r_bl1_arch_setup.c35
-rw-r--r--plat/arm/board/fvp_r/fvp_r_bl1_entrypoint.S93
-rw-r--r--plat/arm/board/fvp_r/fvp_r_bl1_exceptions.S120
-rw-r--r--plat/arm/board/fvp_r/fvp_r_bl1_main.c268
-rw-r--r--plat/arm/board/fvp_r/fvp_r_bl1_setup.c247
-rw-r--r--plat/arm/board/fvp_r/fvp_r_common.c289
-rw-r--r--plat/arm/board/fvp_r/fvp_r_context_mgmt.c53
-rw-r--r--plat/arm/board/fvp_r/fvp_r_debug.S47
-rw-r--r--plat/arm/board/fvp_r/fvp_r_def.h103
-rw-r--r--plat/arm/board/fvp_r/fvp_r_err.c48
-rw-r--r--plat/arm/board/fvp_r/fvp_r_helpers.S128
-rw-r--r--plat/arm/board/fvp_r/fvp_r_io_storage.c105
-rw-r--r--plat/arm/board/fvp_r/fvp_r_misc_helpers.S32
-rw-r--r--plat/arm/board/fvp_r/fvp_r_private.h23
-rw-r--r--plat/arm/board/fvp_r/fvp_r_stack_protector.c24
-rw-r--r--plat/arm/board/fvp_r/fvp_r_trusted_boot.c73
-rw-r--r--plat/arm/board/fvp_r/include/fvp_r_arch_helpers.h28
-rw-r--r--plat/arm/board/fvp_r/include/platform_def.h268
-rw-r--r--plat/arm/board/fvp_r/platform.mk99
-rw-r--r--plat/arm/board/fvp_ve/platform.mk11
-rw-r--r--plat/arm/board/juno/include/platform_def.h9
-rw-r--r--plat/arm/board/juno/juno_bl1_setup.c16
-rw-r--r--plat/arm/board/juno/juno_common.c10
-rw-r--r--plat/arm/board/juno/juno_err.c6
-rw-r--r--plat/arm/board/juno/juno_security.c10
-rw-r--r--plat/arm/board/juno/platform.mk5
-rw-r--r--plat/arm/board/rdn2/include/platform_def.h4
-rw-r--r--plat/arm/board/rdn2/platform.mk2
-rw-r--r--plat/arm/board/rdv1/platform.mk2
-rw-r--r--plat/arm/board/rdv1mc/platform.mk1
-rw-r--r--plat/arm/board/tc/fdts/tc_fw_config.dts (renamed from plat/arm/board/tc0/fdts/tc0_fw_config.dts)4
-rw-r--r--plat/arm/board/tc/fdts/tc_spmc_manifest.dts (renamed from plat/arm/board/tc0/fdts/tc0_spmc_manifest.dts)15
-rw-r--r--plat/arm/board/tc/fdts/tc_spmc_optee_sp_manifest.dts (renamed from plat/arm/board/tc0/fdts/tc0_spmc_optee_sp_manifest.dts)28
-rw-r--r--plat/arm/board/tc/fdts/tc_tb_fw_config.dts (renamed from plat/arm/board/tc0/fdts/tc0_tb_fw_config.dts)32
-rw-r--r--plat/arm/board/tc/include/plat_macros.S (renamed from plat/arm/board/tc0/include/plat_macros.S)0
-rw-r--r--plat/arm/board/tc/include/platform_def.h (renamed from plat/arm/board/tc0/include/platform_def.h)81
-rw-r--r--plat/arm/board/tc/include/tc_helpers.S (renamed from plat/arm/board/tc0/include/tc0_helpers.S)2
-rw-r--r--plat/arm/board/tc/include/tc_plat.h12
-rw-r--r--plat/arm/board/tc/platform.mk (renamed from plat/arm/board/tc0/platform.mk)88
-rw-r--r--plat/arm/board/tc/tc_bl2_setup.c47
-rw-r--r--plat/arm/board/tc/tc_bl31_setup.c (renamed from plat/arm/board/tc0/tc0_bl31_setup.c)30
-rw-r--r--plat/arm/board/tc/tc_err.c (renamed from plat/arm/board/tc0/tc0_err.c)2
-rw-r--r--plat/arm/board/tc/tc_interconnect.c (renamed from plat/arm/board/tc0/tc0_interconnect.c)0
-rw-r--r--plat/arm/board/tc/tc_plat.c (renamed from plat/arm/board/tc0/tc0_plat.c)17
-rw-r--r--plat/arm/board/tc/tc_security.c (renamed from plat/arm/board/tc0/tc0_security.c)2
-rw-r--r--plat/arm/board/tc/tc_topology.c (renamed from plat/arm/board/tc0/tc0_topology.c)4
-rw-r--r--plat/arm/board/tc/tc_trusted_boot.c (renamed from plat/arm/board/tc0/tc0_trusted_boot.c)0
-rw-r--r--plat/arm/board/tc0/include/tc0_plat.h12
-rw-r--r--plat/arm/common/aarch64/arm_bl2_mem_params_desc.c26
-rw-r--r--plat/arm/common/arm_bl1_fwu.c4
-rw-r--r--plat/arm/common/arm_bl1_setup.c13
-rw-r--r--plat/arm/common/arm_bl2_setup.c106
-rw-r--r--plat/arm/common/arm_bl31_setup.c78
-rw-r--r--plat/arm/common/arm_common.c6
-rw-r--r--plat/arm/common/arm_common.mk68
-rw-r--r--plat/arm/common/arm_dyn_cfg.c79
-rw-r--r--plat/arm/common/arm_dyn_cfg_helpers.c135
-rw-r--r--plat/arm/common/arm_image_load.c6
-rw-r--r--plat/arm/common/arm_io_storage.c104
-rw-r--r--plat/arm/common/fconf/arm_fconf_io.c25
-rw-r--r--plat/arm/common/fconf/fconf_ethosn_getter.c114
-rw-r--r--plat/arm/common/sp_min/arm_sp_min_setup.c2
-rw-r--r--plat/arm/common/trp/arm_trp.mk10
-rw-r--r--plat/arm/common/trp/arm_trp_setup.c40
-rw-r--r--plat/arm/css/sgi/aarch64/sgi_helper.S18
-rw-r--r--plat/arm/css/sgi/include/sgi_base_platform_def.h2
-rw-r--r--plat/arm/css/sgi/include/sgi_ras.h5
-rw-r--r--plat/arm/css/sgi/sgi-common.mk2
-rw-r--r--plat/arm/css/sgi/sgi_ras.c46
-rw-r--r--plat/brcm/board/common/board_arm_trusted_boot.c3
-rw-r--r--plat/brcm/board/stingray/src/brcm_pm_ops.c3
-rw-r--r--plat/common/aarch64/plat_common.c11
-rw-r--r--plat/common/plat_bl1_common.c14
-rw-r--r--plat/common/plat_spmd_manifest.c8
-rw-r--r--plat/hisilicon/hikey/hikey_bl1_setup.c4
-rw-r--r--plat/hisilicon/poplar/bl31_plat_setup.c4
-rw-r--r--plat/imx/common/imx_io_storage.c (renamed from plat/imx/imx8m/imx8mm/imx8mm_io_storage.c)25
-rw-r--r--plat/imx/common/imx_sip_handler.c32
-rw-r--r--plat/imx/common/imx_sip_svc.c5
-rw-r--r--plat/imx/common/include/imx_sip_svc.h9
-rw-r--r--plat/imx/imx7/common/imx7.mk3
-rw-r--r--plat/imx/imx7/common/imx7_bl2_el3_common.c4
-rw-r--r--plat/imx/imx7/common/imx7_io_storage.c270
-rw-r--r--plat/imx/imx7/include/imx7_def.h2
-rw-r--r--plat/imx/imx7/picopi/include/platform_def.h8
-rw-r--r--plat/imx/imx7/picopi/picopi_bl2_el3_setup.c9
-rw-r--r--plat/imx/imx7/warp7/include/platform_def.h8
-rw-r--r--plat/imx/imx7/warp7/warp7_bl2_el3_setup.c9
-rw-r--r--plat/imx/imx8m/imx8m_image_load.c (renamed from plat/imx/imx8m/imx8mm/imx8mm_image_load.c)0
-rw-r--r--plat/imx/imx8m/imx8m_psci_common.c63
-rw-r--r--plat/imx/imx8m/imx8mm/imx8mm_bl2_el3_setup.c2
-rw-r--r--plat/imx/imx8m/imx8mm/imx8mm_psci.c1
-rw-r--r--plat/imx/imx8m/imx8mm/include/imx8mm_private.h2
-rw-r--r--plat/imx/imx8m/imx8mm/include/platform_def.h13
-rw-r--r--plat/imx/imx8m/imx8mm/platform.mk4
-rw-r--r--plat/imx/imx8m/imx8mn/include/platform_def.h5
-rw-r--r--plat/imx/imx8m/imx8mn/platform.mk5
-rw-r--r--plat/imx/imx8m/imx8mp/imx8mp_bl2_el3_setup.c117
-rw-r--r--plat/imx/imx8m/imx8mp/imx8mp_bl2_mem_params_desc.c94
-rw-r--r--plat/imx/imx8m/imx8mp/imx8mp_rotpk.S15
-rw-r--r--plat/imx/imx8m/imx8mp/imx8mp_trusted_boot.c36
-rw-r--r--plat/imx/imx8m/imx8mp/include/imx8mp_private.h15
-rw-r--r--plat/imx/imx8m/imx8mp/include/platform_def.h30
-rw-r--r--plat/imx/imx8m/imx8mp/platform.mk99
-rw-r--r--plat/imx/imx8m/imx8mq/imx8mq_psci.c1
-rw-r--r--plat/imx/imx8m/imx8mq/include/platform_def.h2
-rw-r--r--plat/imx/imx8m/include/imx8m_psci.h1
-rw-r--r--plat/imx/imx8qm/imx8qm_bl31_setup.c24
-rw-r--r--plat/imx/imx8qx/imx8qx_bl31_setup.c24
-rw-r--r--plat/marvell/armada/a3k/common/a3700_common.mk115
-rw-r--r--plat/marvell/armada/a3k/common/a3700_ea.c81
-rw-r--r--plat/marvell/armada/a3k/common/aarch64/a3700_clock.S35
-rw-r--r--plat/marvell/armada/a3k/common/include/platform_def.h9
-rw-r--r--plat/marvell/armada/a3k/common/io_addr_dec.c22
-rw-r--r--plat/marvell/armada/a8k/a70x0_mochabin/board/dram_port.c227
-rw-r--r--plat/marvell/armada/a8k/a70x0_mochabin/board/marvell_plat_config.c145
-rw-r--r--plat/marvell/armada/a8k/a70x0_mochabin/board/phy-porting-layer.h87
-rw-r--r--plat/marvell/armada/a8k/a70x0_mochabin/mvebu_def.h15
-rw-r--r--plat/marvell/armada/a8k/a70x0_mochabin/platform.mk20
-rw-r--r--plat/marvell/armada/a8k/a80x0_puzzle/board/system_power.c4
-rw-r--r--plat/marvell/armada/a8k/common/a8k_common.mk13
-rw-r--r--plat/marvell/armada/a8k/common/ble/ble.mk18
-rw-r--r--plat/marvell/armada/a8k/common/include/platform_def.h10
-rw-r--r--plat/marvell/armada/common/aarch64/marvell_helpers.S16
-rw-r--r--plat/marvell/armada/common/marvell_console.c9
-rw-r--r--plat/marvell/octeontx/otx2/t91/t9130_cex7_eval/board/marvell_plat_config.c224
-rw-r--r--plat/marvell/octeontx/otx2/t91/t9130_cex7_eval/platform.mk33
-rw-r--r--plat/mediatek/common/drivers/pmic_wrap/pmic_wrap_init_v2.c20
-rw-r--r--plat/mediatek/common/mtk_cirq.c2
-rw-r--r--plat/mediatek/common/mtk_plat_common.c6
-rw-r--r--plat/mediatek/common/mtk_sip_svc.h4
-rw-r--r--plat/mediatek/mt8183/drivers/sspm/sspm.c2
-rw-r--r--plat/mediatek/mt8192/aarch64/platform_common.c8
-rw-r--r--plat/mediatek/mt8192/drivers/apusys/mtk_apusys.c68
-rw-r--r--plat/mediatek/mt8192/drivers/apusys/mtk_apusys.h42
-rw-r--r--plat/mediatek/mt8192/drivers/apusys/mtk_apusys_apc.c571
-rw-r--r--plat/mediatek/mt8192/drivers/apusys/mtk_apusys_apc.h12
-rw-r--r--plat/mediatek/mt8192/drivers/apusys/mtk_apusys_apc_def.h110
-rw-r--r--plat/mediatek/mt8192/drivers/devapc/devapc.c8
-rw-r--r--plat/mediatek/mt8192/drivers/dfd/plat_dfd.c139
-rw-r--r--plat/mediatek/mt8192/drivers/dfd/plat_dfd.h70
-rw-r--r--plat/mediatek/mt8192/drivers/emi_mpu/emi_mpu.c13
-rw-r--r--plat/mediatek/mt8192/drivers/spm/mt_spm_cond.c5
-rw-r--r--plat/mediatek/mt8192/drivers/spm/mt_spm_cond.h19
-rw-r--r--plat/mediatek/mt8192/include/plat_sip_calls.h6
-rw-r--r--plat/mediatek/mt8192/include/platform_def.h10
-rw-r--r--plat/mediatek/mt8192/plat_pm.c3
-rw-r--r--plat/mediatek/mt8192/plat_sip_calls.c13
-rw-r--r--plat/mediatek/mt8192/platform.mk5
-rw-r--r--plat/mediatek/mt8195/aarch64/platform_common.c8
-rw-r--r--plat/mediatek/mt8195/bl31_plat_setup.c12
-rw-r--r--plat/mediatek/mt8195/drivers/dcm/mtk_dcm.c63
-rw-r--r--plat/mediatek/mt8195/drivers/dcm/mtk_dcm.h14
-rw-r--r--plat/mediatek/mt8195/drivers/dcm/mtk_dcm_utils.c483
-rw-r--r--plat/mediatek/mt8195/drivers/dcm/mtk_dcm_utils.h59
-rw-r--r--plat/mediatek/mt8195/drivers/dfd/plat_dfd.c156
-rw-r--r--plat/mediatek/mt8195/drivers/dfd/plat_dfd.h85
-rw-r--r--plat/mediatek/mt8195/drivers/dp/mt_dp.c69
-rw-r--r--plat/mediatek/mt8195/drivers/dp/mt_dp.h28
-rw-r--r--plat/mediatek/mt8195/drivers/emi_mpu/emi_mpu.c97
-rw-r--r--plat/mediatek/mt8195/drivers/emi_mpu/emi_mpu.h98
-rw-r--r--plat/mediatek/mt8195/drivers/mcdi/mt_cpu_pm.c31
-rw-r--r--plat/mediatek/mt8195/drivers/mcdi/mt_lp_irqremain.c70
-rw-r--r--plat/mediatek/mt8195/drivers/mcdi/mt_lp_irqremain.h14
-rw-r--r--plat/mediatek/mt8195/drivers/mcdi/mt_mcdi.c5
-rw-r--r--plat/mediatek/mt8195/drivers/ptp3/mtk_ptp3_common.h52
-rw-r--r--plat/mediatek/mt8195/drivers/ptp3/mtk_ptp3_main.c137
-rw-r--r--plat/mediatek/mt8195/drivers/spm/build.mk68
-rw-r--r--plat/mediatek/mt8195/drivers/spm/constraints/mt_spm_rc_bus26m.c241
-rw-r--r--plat/mediatek/mt8195/drivers/spm/constraints/mt_spm_rc_cpu_buck_ldo.c106
-rw-r--r--plat/mediatek/mt8195/drivers/spm/constraints/mt_spm_rc_dram.c201
-rw-r--r--plat/mediatek/mt8195/drivers/spm/constraints/mt_spm_rc_internal.h43
-rw-r--r--plat/mediatek/mt8195/drivers/spm/constraints/mt_spm_rc_syspll.c200
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm.c98
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm.h68
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_cond.c235
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_cond.h73
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_conservation.c155
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_conservation.h20
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_constraint.h63
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_idle.c346
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_idle.h17
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_internal.c543
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_internal.h583
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_pmic_wrap.c159
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_pmic_wrap.h45
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_reg.h2859
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_resource_req.h25
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_suspend.c394
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_suspend.h26
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_vcorefs.c526
-rw-r--r--plat/mediatek/mt8195/drivers/spm/mt_spm_vcorefs.h328
-rw-r--r--plat/mediatek/mt8195/drivers/spm/notifier/mt_spm_notifier.h21
-rw-r--r--plat/mediatek/mt8195/drivers/spm/notifier/mt_spm_sspm_intc.h33
-rw-r--r--plat/mediatek/mt8195/drivers/spm/notifier/mt_spm_sspm_notifier.c38
-rw-r--r--plat/mediatek/mt8195/drivers/spm/pcm_def.h179
-rw-r--r--plat/mediatek/mt8195/drivers/spm/sleep_def.h151
-rw-r--r--plat/mediatek/mt8195/include/plat_mtk_lpm.h4
-rw-r--r--plat/mediatek/mt8195/include/plat_sip_calls.h10
-rw-r--r--plat/mediatek/mt8195/include/platform_def.h30
-rw-r--r--plat/mediatek/mt8195/plat_pm.c13
-rw-r--r--plat/mediatek/mt8195/plat_sip_calls.c24
-rw-r--r--plat/mediatek/mt8195/platform.mk19
-rw-r--r--plat/nvidia/tegra/common/tegra_bl31_setup.c7
-rw-r--r--plat/nvidia/tegra/common/tegra_platform.c18
-rw-r--r--plat/nvidia/tegra/include/t132/tegra_def.h127
-rw-r--r--plat/nvidia/tegra/include/tegra_platform.h3
-rw-r--r--plat/nvidia/tegra/soc/t132/plat_psci_handlers.c208
-rw-r--r--plat/nvidia/tegra/soc/t132/plat_secondary.c75
-rw-r--r--plat/nvidia/tegra/soc/t132/plat_setup.c201
-rw-r--r--plat/nvidia/tegra/soc/t132/plat_sip_calls.c75
-rw-r--r--plat/nvidia/tegra/soc/t132/platform_t132.mk35
-rw-r--r--plat/nvidia/tegra/soc/t186/drivers/mce/mce.c4
-rw-r--r--plat/nvidia/tegra/soc/t194/drivers/mce/mce.c4
-rw-r--r--plat/nvidia/tegra/soc/t194/plat_ras.c12
-rw-r--r--plat/nvidia/tegra/soc/t194/platform_t194.mk8
-rw-r--r--plat/nvidia/tegra/soc/t210/plat_sip_calls.c5
-rw-r--r--plat/nxp/common/include/default/ch_2/soc_default_helper_macros.h7
-rw-r--r--plat/nxp/common/include/default/ch_3_2/soc_default_base_addr.h4
-rw-r--r--plat/nxp/common/include/default/ch_3_2/soc_default_helper_macros.h9
-rw-r--r--plat/nxp/common/include/default/plat_default_def.h18
-rw-r--r--plat/nxp/common/ocram/aarch64/ocram.S71
-rw-r--r--plat/nxp/common/ocram/ocram.h13
-rw-r--r--plat/nxp/common/ocram/ocram.mk14
-rw-r--r--plat/nxp/common/plat_make_helper/plat_common_def.mk103
-rw-r--r--plat/nxp/common/plat_make_helper/soc_common_def.mk119
-rw-r--r--plat/nxp/common/psci/aarch64/psci_utils.S24
-rw-r--r--plat/nxp/common/psci/include/plat_psci.h40
-rw-r--r--plat/nxp/common/setup/core.mk6
-rw-r--r--plat/nxp/common/setup/include/plat_common.h15
-rw-r--r--plat/nxp/common/setup/ls_bl31_setup.c6
-rw-r--r--plat/nxp/common/setup/ls_common.c26
-rw-r--r--plat/nxp/common/soc_errata/errata.c28
-rw-r--r--plat/nxp/common/soc_errata/errata.h (renamed from plat/nxp/soc-lx2160a/include/errata.h)7
-rw-r--r--plat/nxp/common/soc_errata/errata.mk23
-rw-r--r--plat/nxp/common/soc_errata/errata_a050426.c (renamed from plat/nxp/soc-lx2160a/erratas_soc.c)3
-rw-r--r--plat/nxp/common/soc_errata/errata_list.h15
-rw-r--r--plat/nxp/soc-ls1028a/aarch64/ls1028a.S1387
-rw-r--r--plat/nxp/soc-ls1028a/aarch64/ls1028a_helpers.S70
-rw-r--r--plat/nxp/soc-ls1028a/include/soc.h149
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/ddr_init.c185
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/plat_def.h76
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/platform.c28
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/platform.mk33
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/platform_def.h13
-rw-r--r--plat/nxp/soc-ls1028a/ls1028ardb/policy.h16
-rw-r--r--plat/nxp/soc-ls1028a/soc.c432
-rw-r--r--plat/nxp/soc-ls1028a/soc.def97
-rw-r--r--plat/nxp/soc-ls1028a/soc.mk113
-rw-r--r--plat/nxp/soc-lx2160a/erratas_soc.mk21
-rw-r--r--plat/nxp/soc-lx2160a/include/soc.h11
-rw-r--r--plat/nxp/soc-lx2160a/lx2160aqds/platform.mk60
-rw-r--r--plat/nxp/soc-lx2160a/lx2160ardb/platform.mk54
-rw-r--r--plat/nxp/soc-lx2160a/lx2162aqds/platform.mk62
-rw-r--r--plat/nxp/soc-lx2160a/soc.c39
-rw-r--r--plat/nxp/soc-lx2160a/soc.def92
-rw-r--r--plat/nxp/soc-lx2160a/soc.mk7
-rw-r--r--plat/qemu/common/qemu_pm.c4
-rw-r--r--plat/qemu/qemu/include/platform_def.h4
-rw-r--r--plat/qemu/qemu_sbsa/platform.mk8
-rw-r--r--plat/qti/common/inc/qti_cpu.h8
-rw-r--r--plat/qti/common/src/aarch64/qti_kryo6_gold.S83
-rw-r--r--plat/qti/common/src/aarch64/qti_kryo6_silver.S79
-rw-r--r--plat/qti/common/src/pm_ps_hold.c (renamed from plat/qti/common/src/pm8998.c)2
-rw-r--r--plat/qti/common/src/qti_gic_v3.c12
-rw-r--r--plat/qti/common/src/qti_syscall.c31
-rw-r--r--plat/qti/qtiseclib/inc/qtiseclib_interface.h18
-rw-r--r--plat/qti/qtiseclib/inc/sc7280/qtiseclib_defs_plat.h45
-rw-r--r--plat/qti/qtiseclib/src/qtiseclib_cb_interface.c4
-rw-r--r--plat/qti/sc7180/inc/platform_def.h5
-rw-r--r--plat/qti/sc7180/platform.mk2
-rw-r--r--plat/qti/sc7280/inc/platform_def.h199
-rw-r--r--plat/qti/sc7280/inc/qti_rng_io.h15
-rw-r--r--plat/qti/sc7280/inc/qti_secure_io_cfg.h30
-rw-r--r--plat/qti/sc7280/platform.mk119
-rw-r--r--plat/renesas/common/aarch64/plat_helpers.S6
-rw-r--r--plat/renesas/common/bl2_cpg_init.c34
-rw-r--r--plat/renesas/common/bl2_secure_setting.c12
-rw-r--r--plat/renesas/common/common.mk9
-rw-r--r--plat/renesas/common/include/platform_def.h7
-rw-r--r--plat/renesas/common/include/rcar_def.h7
-rw-r--r--plat/renesas/common/include/rcar_version.h4
-rw-r--r--plat/renesas/common/include/registers/cpg_registers.h8
-rw-r--r--plat/renesas/common/plat_pm.c20
-rw-r--r--plat/renesas/common/rcar_common.c13
-rw-r--r--plat/renesas/rcar/bl2_plat_setup.c213
-rw-r--r--plat/renesas/rcar/platform.mk18
-rw-r--r--plat/renesas/rzg/bl2_plat_setup.c4
-rw-r--r--plat/rockchip/rk3399/drivers/dram/dram.h2
-rw-r--r--plat/rockchip/rk3399/drivers/dram/suspend.c61
-rw-r--r--plat/rockchip/rk3399/drivers/dram/suspend.h4
-rw-r--r--plat/rockchip/rk3399/drivers/pmu/pmu.c3
-rw-r--r--plat/rpi/rpi4/include/rpi_hw.h22
-rw-r--r--plat/rpi/rpi4/platform.mk11
-rw-r--r--plat/rpi/rpi4/rpi4_bl31_setup.c46
-rw-r--r--plat/rpi/rpi4/rpi4_pci_svc.c215
-rw-r--r--plat/socionext/synquacer/sq_psci.c8
-rw-r--r--plat/st/common/bl2_io_storage.c430
-rw-r--r--plat/st/common/bl2_stm32_io_storage.c665
-rw-r--r--plat/st/common/include/stm32cubeprogrammer.h27
-rw-r--r--plat/st/common/include/stm32mp_common.h17
-rw-r--r--plat/st/common/include/stm32mp_dt.h8
-rw-r--r--plat/st/common/include/stm32mp_fconf_getter.h29
-rw-r--r--plat/st/common/include/stm32mp_io_storage.h23
-rw-r--r--plat/st/common/include/usb_dfu.h80
-rw-r--r--plat/st/common/stm32cubeprogrammer_usb.c196
-rw-r--r--plat/st/common/stm32mp_common.c55
-rw-r--r--plat/st/common/stm32mp_dt.c57
-rw-r--r--plat/st/common/stm32mp_fconf_io.c121
-rw-r--r--plat/st/common/usb_dfu.c538
-rw-r--r--plat/st/stm32mp1/bl2_plat_setup.c214
-rw-r--r--plat/st/stm32mp1/include/boot_api.h5
-rw-r--r--plat/st/stm32mp1/include/platform_def.h22
-rw-r--r--plat/st/stm32mp1/include/stm32mp1_private.h4
-rw-r--r--plat/st/stm32mp1/include/stm32mp1_smc.h8
-rw-r--r--plat/st/stm32mp1/plat_bl2_mem_params_desc.c70
-rw-r--r--plat/st/stm32mp1/plat_bl2_stm32_mem_params_desc.c103
-rw-r--r--plat/st/stm32mp1/plat_image_load.c10
-rw-r--r--plat/st/stm32mp1/platform.mk152
-rw-r--r--plat/st/stm32mp1/services/bsec_svc.c11
-rw-r--r--plat/st/stm32mp1/services/stm32mp1_svc_setup.c4
-rw-r--r--plat/st/stm32mp1/sp_min/sp_min-stm32mp1.mk4
-rw-r--r--plat/st/stm32mp1/sp_min/sp_min_setup.c21
-rw-r--r--plat/st/stm32mp1/stm32mp1.S4
-rw-r--r--plat/st/stm32mp1/stm32mp1.ld.S10
-rw-r--r--plat/st/stm32mp1/stm32mp1_def.h87
-rw-r--r--plat/st/stm32mp1/stm32mp1_fconf_firewall.c123
-rw-r--r--plat/st/stm32mp1/stm32mp1_fip_def.h69
-rw-r--r--plat/st/stm32mp1/stm32mp1_helper.S15
-rw-r--r--plat/st/stm32mp1/stm32mp1_private.c106
-rw-r--r--plat/st/stm32mp1/stm32mp1_security.c111
-rw-r--r--plat/st/stm32mp1/stm32mp1_shared_resources.c6
-rw-r--r--plat/st/stm32mp1/stm32mp1_stm32image_def.h73
-rw-r--r--plat/st/stm32mp1/stm32mp1_syscfg.c6
-rw-r--r--plat/st/stm32mp1/stm32mp1_usb_dfu.c390
-rw-r--r--plat/xilinx/common/include/ipi.h2
-rw-r--r--plat/xilinx/common/ipi.c15
-rw-r--r--plat/xilinx/common/ipi_mailbox_service/ipi_mailbox_svc.c4
-rw-r--r--plat/xilinx/common/plat_startup.c10
-rw-r--r--plat/xilinx/common/pm_service/pm_ipi.c8
-rw-r--r--plat/xilinx/versal/include/plat_ipi.h2
-rw-r--r--plat/xilinx/versal/platform.mk5
-rw-r--r--plat/xilinx/versal/pm_service/pm_api_sys.c4
-rw-r--r--plat/xilinx/zynqmp/aarch64/zynqmp_common.c91
-rw-r--r--plat/xilinx/zynqmp/bl31_zynqmp_setup.c75
-rw-r--r--plat/xilinx/zynqmp/include/platform_def.h25
-rw-r--r--plat/xilinx/zynqmp/plat_psci.c9
-rw-r--r--plat/xilinx/zynqmp/platform.mk10
-rw-r--r--plat/xilinx/zynqmp/pm_service/pm_api_ioctl.c4
-rw-r--r--plat/xilinx/zynqmp/pm_service/pm_api_ioctl.h53
-rw-r--r--plat/xilinx/zynqmp/pm_service/pm_api_sys.c43
-rw-r--r--plat/xilinx/zynqmp/pm_service/pm_api_sys.h5
-rw-r--r--plat/xilinx/zynqmp/zynqmp_ehf.c24
-rw-r--r--plat/xilinx/zynqmp/zynqmp_sdei.c37
-rw-r--r--services/arm_arch_svc/arm_arch_svc_setup.c26
-rw-r--r--services/spd/trusty/trusty.c10
-rw-r--r--services/std_svc/pci_svc.c113
-rw-r--r--services/std_svc/rmmd/aarch64/rmmd_helpers.S73
-rw-r--r--services/std_svc/rmmd/rmmd.mk18
-rw-r--r--services/std_svc/rmmd/rmmd_initial_context.h33
-rw-r--r--services/std_svc/rmmd/rmmd_main.c347
-rw-r--r--services/std_svc/rmmd/rmmd_private.h64
-rw-r--r--services/std_svc/rmmd/trp/linker.lds71
-rw-r--r--services/std_svc/rmmd/trp/trp.mk20
-rw-r--r--services/std_svc/rmmd/trp/trp_entry.S74
-rw-r--r--services/std_svc/rmmd/trp/trp_main.c136
-rw-r--r--services/std_svc/rmmd/trp/trp_private.h50
-rw-r--r--services/std_svc/sdei/sdei_intr_mgmt.c103
-rw-r--r--services/std_svc/sdei/sdei_main.c72
-rw-r--r--services/std_svc/spmd/spmd.mk8
-rw-r--r--services/std_svc/spmd/spmd_main.c209
-rw-r--r--services/std_svc/spmd/spmd_pm.c25
-rw-r--r--services/std_svc/spmd/spmd_private.h1
-rw-r--r--services/std_svc/std_svc_setup.c31
-rw-r--r--tools/fiptool/tbbr_config.c7
-rw-r--r--tools/renesas/rcar_layout_create/sa6.c4
-rwxr-xr-xtools/sptool/sp_mk_generator.py38
-rw-r--r--tools/stm32image/stm32image.c46
855 files changed, 47985 insertions, 7003 deletions
diff --git a/Makefile b/Makefile
index 2376b9a..4905291 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -129,12 +129,27 @@ else
$(error Unknown BRANCH_PROTECTION value ${BRANCH_PROTECTION})
endif
+# FEAT_RME
+ifeq (${ENABLE_RME},1)
+# RME doesn't support PIE
+ifneq (${ENABLE_PIE},0)
+ $(error ENABLE_RME does not support PIE)
+endif
+# RME requires AARCH64
+ifneq (${ARCH},aarch64)
+ $(error ENABLE_RME requires AArch64)
+endif
+# RME requires el2 context to be saved for now.
+CTX_INCLUDE_EL2_REGS := 1
+CTX_INCLUDE_AARCH32_REGS := 0
+ARM_ARCH_MAJOR := 8
+ARM_ARCH_MINOR := 6
+endif
+
# USE_SPINLOCK_CAS requires AArch64 build
ifeq (${USE_SPINLOCK_CAS},1)
ifneq (${ARCH},aarch64)
$(error USE_SPINLOCK_CAS requires AArch64)
-else
- $(info USE_SPINLOCK_CAS is an experimental feature)
endif
endif
@@ -334,7 +349,7 @@ ASFLAGS_aarch64 = $(march64-directive)
# General warnings
WARNINGS := -Wall -Wmissing-include-dirs -Wunused \
- -Wdisabled-optimization -Wvla -Wshadow \
+ -Wdisabled-optimization -Wvla -Wshadow \
-Wno-unused-parameter -Wredundant-decls
# Additional warnings
@@ -508,7 +523,6 @@ ifneq (${SPD},none)
endif
ifeq (${SPD},spmd)
- $(warning "SPMD is an experimental feature")
# SPMD is located in std_svc directory
SPD_DIR := std_svc
@@ -521,6 +535,18 @@ ifneq (${SPD},none)
ifeq ($(findstring optee_sp,$(ARM_SPMC_MANIFEST_DTS)),optee_sp)
DTC_CPPFLAGS += -DOPTEE_SP_FW_CONFIG
endif
+
+ ifeq ($(TS_SP_FW_CONFIG),1)
+ DTC_CPPFLAGS += -DTS_SP_FW_CONFIG
+ endif
+
+ ifneq ($(ARM_BL2_SP_LIST_DTS),)
+ DTC_CPPFLAGS += -DARM_BL2_SP_LIST_DTS=$(ARM_BL2_SP_LIST_DTS)
+ endif
+
+ ifneq ($(SP_LAYOUT_FILE),)
+ BL2_ENABLE_SP_LOAD := 1
+ endif
else
# All other SPDs in spd directory
SPD_DIR := spd
@@ -547,6 +573,18 @@ ifneq (${SPD},none)
endif
################################################################################
+# Include rmmd Makefile if RME is enabled
+################################################################################
+
+ifneq (${ENABLE_RME},0)
+ifneq (${ARCH},aarch64)
+ $(error ENABLE_RME requires AArch64)
+endif
+include services/std_svc/rmmd/rmmd.mk
+$(warning "RME is an experimental feature")
+endif
+
+################################################################################
# Include the platform specific Makefile after the SPD Makefile (the platform
# makefile may use all previous definitions in this file)
################################################################################
@@ -690,12 +728,7 @@ endif
# SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled.
ifeq ($(SDEI_SUPPORT)-$(SDEI_IN_FCONF),0-1)
-$(error "SDEI_IN_FCONF is an experimental feature and is only supported when \
- SDEI_SUPPORT is enabled")
-endif
-
-ifeq ($(COT_DESC_IN_DTB),1)
- $(info CoT in device tree is an experimental feature)
+$(error "SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled")
endif
# If pointer authentication is used in the firmware, make sure that all the
@@ -710,35 +743,28 @@ endif
ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
ifneq (${ARCH},aarch64)
$(error CTX_INCLUDE_PAUTH_REGS requires AArch64)
- else
- $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
endif
endif
-ifeq ($(ENABLE_PAUTH),1)
- $(info Pointer Authentication is an experimental feature)
-endif
-
-ifeq ($(ENABLE_BTI),1)
- $(info Branch Protection is an experimental feature)
-endif
-
ifeq ($(CTX_INCLUDE_MTE_REGS),1)
ifneq (${ARCH},aarch64)
$(error CTX_INCLUDE_MTE_REGS requires AArch64)
- else
- $(info CTX_INCLUDE_MTE_REGS is an experimental feature)
endif
endif
+# Trusted Boot is a prerequisite for Measured Boot. It provides trust that the
+# code taking the measurements and recording them has not been tampered
+# with. This is referred to as the Root of Trust for Measurement.
ifeq ($(MEASURED_BOOT),1)
ifneq (${TRUSTED_BOARD_BOOT},1)
$(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1)
- else
- $(info MEASURED_BOOT is an experimental feature)
endif
endif
+ifeq ($(PSA_FWU_SUPPORT),1)
+ $(info PSA_FWU_SUPPORT is an experimental feature)
+endif
+
ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1)
ifeq (${ALLOW_RO_XLAT_TABLES}, 1)
$(error "ALLOW_RO_XLAT_TABLES requires translation tables library v2")
@@ -748,8 +774,52 @@ endif
ifneq (${DECRYPTION_SUPPORT},none)
ifeq (${TRUSTED_BOARD_BOOT}, 0)
$(error TRUSTED_BOARD_BOOT must be enabled for DECRYPTION_SUPPORT to be set)
- else
- $(info DECRYPTION_SUPPORT is an experimental feature)
+ endif
+endif
+
+# SME/SVE only supported on AArch64
+ifeq (${ARCH},aarch32)
+ ifeq (${ENABLE_SME_FOR_NS},1)
+ $(error "ENABLE_SME_FOR_NS cannot be used with ARCH=aarch32")
+ endif
+ ifeq (${ENABLE_SVE_FOR_NS},1)
+ # Warning instead of error due to CI dependency on this
+ $(warning "ENABLE_SVE_FOR_NS cannot be used with ARCH=aarch32")
+ $(warning "Forced ENABLE_SVE_FOR_NS=0")
+ override ENABLE_SVE_FOR_NS := 0
+ endif
+endif
+
+# Ensure ENABLE_RME is not used with SME
+ifeq (${ENABLE_RME},1)
+ ifeq (${ENABLE_SME_FOR_NS},1)
+ $(error "ENABLE_SME_FOR_NS cannot be used with ENABLE_RME")
+ endif
+endif
+
+# Secure SME/SVE requires the non-secure component as well
+ifeq (${ENABLE_SME_FOR_SWD},1)
+ ifeq (${ENABLE_SME_FOR_NS},0)
+ $(error "ENABLE_SME_FOR_SWD requires ENABLE_SME_FOR_NS")
+ endif
+endif
+ifeq (${ENABLE_SVE_FOR_SWD},1)
+ ifeq (${ENABLE_SVE_FOR_NS},0)
+ $(error "ENABLE_SVE_FOR_SWD requires ENABLE_SVE_FOR_NS")
+ endif
+endif
+
+# SVE and SME cannot be used with CTX_INCLUDE_FPREGS since secure manager does
+# its own context management including FPU registers.
+ifeq (${CTX_INCLUDE_FPREGS},1)
+ ifeq (${ENABLE_SME_FOR_NS},1)
+ $(error "ENABLE_SME_FOR_NS cannot be used with CTX_INCLUDE_FPREGS")
+ endif
+ ifeq (${ENABLE_SVE_FOR_NS},1)
+ # Warning instead of error due to CI dependency on this
+ $(warning "ENABLE_SVE_FOR_NS cannot be used with CTX_INCLUDE_FPREGS")
+ $(warning "Forced ENABLE_SVE_FOR_NS=0")
+ override ENABLE_SVE_FOR_NS := 0
endif
endif
@@ -757,10 +827,16 @@ endif
# Process platform overrideable behaviour
################################################################################
-# Using BL2 implies that a BL33 image also needs to be supplied for the FIP and
-# Certificate generation tools. This flag can be overridden by the platform.
+ifdef BL1_SOURCES
+NEED_BL1 := yes
+endif
+
ifdef BL2_SOURCES
- ifdef EL3_PAYLOAD_BASE
+ NEED_BL2 := yes
+
+ # Using BL2 implies that a BL33 image also needs to be supplied for the FIP and
+ # Certificate generation tools. This flag can be overridden by the platform.
+ ifdef EL3_PAYLOAD_BASE
# If booting an EL3 payload there is no need for a BL33 image
# in the FIP file.
NEED_BL33 := no
@@ -775,6 +851,10 @@ ifdef BL2_SOURCES
endif
endif
+ifdef BL2U_SOURCES
+NEED_BL2U := yes
+endif
+
# If SCP_BL2 is given, we always want FIP to include it.
ifdef SCP_BL2
NEED_SCP_BL2 := yes
@@ -812,6 +892,10 @@ ifneq (${FIP_ALIGN},0)
FIP_ARGS += --align ${FIP_ALIGN}
endif
+ifdef FDT_SOURCES
+NEED_FDT := yes
+endif
+
################################################################################
# Include libraries' Makefile that are used in all BL
################################################################################
@@ -855,30 +939,22 @@ DOCS_PATH ?= docs
################################################################################
# Include BL specific makefiles
################################################################################
-ifdef BL1_SOURCES
-NEED_BL1 := yes
+
+ifeq (${NEED_BL1},yes)
include bl1/bl1.mk
endif
-ifdef BL2_SOURCES
-NEED_BL2 := yes
+ifeq (${NEED_BL2},yes)
include bl2/bl2.mk
endif
-ifdef BL2U_SOURCES
-NEED_BL2U := yes
+ifeq (${NEED_BL2U},yes)
include bl2u/bl2u.mk
endif
ifeq (${NEED_BL31},yes)
-ifdef BL31_SOURCES
include bl31/bl31.mk
endif
-endif
-
-ifdef FDT_SOURCES
-NEED_FDT := yes
-endif
################################################################################
# Build options checks
@@ -887,6 +963,7 @@ endif
$(eval $(call assert_booleans,\
$(sort \
ALLOW_RO_XLAT_TABLES \
+ BL2_ENABLE_SP_LOAD \
COLD_BOOT_SINGLE_CPU \
CREATE_KEYS \
CTX_INCLUDE_AARCH32_REGS \
@@ -900,15 +977,21 @@ $(eval $(call assert_booleans,\
DYN_DISABLE_AUTH \
EL3_EXCEPTION_HANDLING \
ENABLE_AMU \
+ ENABLE_AMU_AUXILIARY_COUNTERS \
+ ENABLE_AMU_FCONF \
AMU_RESTRICT_COUNTERS \
ENABLE_ASSERTIONS \
ENABLE_MPAM_FOR_LOWER_ELS \
ENABLE_PIE \
ENABLE_PMF \
ENABLE_PSCI_STAT \
+ ENABLE_RME \
ENABLE_RUNTIME_INSTRUMENTATION \
+ ENABLE_SME_FOR_NS \
+ ENABLE_SME_FOR_SWD \
ENABLE_SPE_FOR_LOWER_ELS \
ENABLE_SVE_FOR_NS \
+ ENABLE_SVE_FOR_SWD \
ERROR_DEPRECATED \
FAULT_INJECTION_SUPPORT \
GENERATE_COT \
@@ -951,6 +1034,13 @@ $(eval $(call assert_booleans,\
USE_SP804_TIMER \
ENABLE_FEAT_RNG \
ENABLE_FEAT_SB \
+ PSA_FWU_SUPPORT \
+ ENABLE_TRBE_FOR_NS \
+ ENABLE_SYS_REG_TRACE_FOR_NS \
+ ENABLE_TRF_FOR_NS \
+ ENABLE_FEAT_HCX \
+ ENABLE_MPMM \
+ ENABLE_MPMM_FCONF \
)))
$(eval $(call assert_numerics,\
@@ -959,6 +1049,8 @@ $(eval $(call assert_numerics,\
ARM_ARCH_MINOR \
BRANCH_PROTECTION \
FW_ENC_STATUS \
+ NR_OF_FW_BANKS \
+ NR_OF_IMAGES_IN_FW_BANK \
)))
ifdef KEY_SIZE
@@ -980,6 +1072,7 @@ $(eval $(call add_defines,\
ALLOW_RO_XLAT_TABLES \
ARM_ARCH_MAJOR \
ARM_ARCH_MINOR \
+ BL2_ENABLE_SP_LOAD \
COLD_BOOT_SINGLE_CPU \
CTX_INCLUDE_AARCH32_REGS \
CTX_INCLUDE_FPREGS \
@@ -991,6 +1084,8 @@ $(eval $(call add_defines,\
DECRYPTION_SUPPORT_${DECRYPTION_SUPPORT} \
DISABLE_MTPMU \
ENABLE_AMU \
+ ENABLE_AMU_AUXILIARY_COUNTERS \
+ ENABLE_AMU_FCONF \
AMU_RESTRICT_COUNTERS \
ENABLE_ASSERTIONS \
ENABLE_BTI \
@@ -999,9 +1094,13 @@ $(eval $(call add_defines,\
ENABLE_PIE \
ENABLE_PMF \
ENABLE_PSCI_STAT \
+ ENABLE_RME \
ENABLE_RUNTIME_INSTRUMENTATION \
+ ENABLE_SME_FOR_NS \
+ ENABLE_SME_FOR_SWD \
ENABLE_SPE_FOR_LOWER_ELS \
ENABLE_SVE_FOR_NS \
+ ENABLE_SVE_FOR_SWD \
ENCRYPT_BL31 \
ENCRYPT_BL32 \
ERROR_DEPRECATED \
@@ -1045,6 +1144,15 @@ $(eval $(call add_defines,\
USE_SP804_TIMER \
ENABLE_FEAT_RNG \
ENABLE_FEAT_SB \
+ NR_OF_FW_BANKS \
+ NR_OF_IMAGES_IN_FW_BANK \
+ PSA_FWU_SUPPORT \
+ ENABLE_TRBE_FOR_NS \
+ ENABLE_SYS_REG_TRACE_FOR_NS \
+ ENABLE_TRF_FOR_NS \
+ ENABLE_FEAT_HCX \
+ ENABLE_MPMM \
+ ENABLE_MPMM_FCONF \
)))
ifeq (${SANITIZE_UB},trap)
@@ -1074,9 +1182,6 @@ endif
# Generate and include sp_gen.mk if SPD is spmd and SP_LAYOUT_FILE is defined
ifeq (${SPD},spmd)
ifdef SP_LAYOUT_FILE
- ifeq (${SPMD_SPM_AT_SEL2},0)
- $(error "SPMD with SPM at S-EL1 does not require SP_LAYOUT_FILE")
- endif
-include $(BUILD_PLAT)/sp_gen.mk
FIP_DEPS += sp
CRT_DEPS += sp
@@ -1114,7 +1219,9 @@ $(eval $(call MAKE_LIB,c))
# Expand build macros for the different images
ifeq (${NEED_BL1},yes)
-$(eval $(call MAKE_BL,1))
+BL1_SOURCES := $(sort ${BL1_SOURCES})
+
+$(eval $(call MAKE_BL,bl1))
endif
ifeq (${NEED_BL2},yes)
@@ -1122,8 +1229,10 @@ ifeq (${BL2_AT_EL3}, 0)
FIP_BL2_ARGS := tb-fw
endif
+BL2_SOURCES := $(sort ${BL2_SOURCES})
+
$(if ${BL2}, $(eval $(call TOOL_ADD_IMG,bl2,--${FIP_BL2_ARGS})),\
- $(eval $(call MAKE_BL,2,${FIP_BL2_ARGS})))
+ $(eval $(call MAKE_BL,bl2,${FIP_BL2_ARGS})))
endif
ifeq (${NEED_SCP_BL2},yes)
@@ -1136,10 +1245,10 @@ BL31_SOURCES += ${SPD_SOURCES}
BL31_SOURCES := $(sort ${BL31_SOURCES})
ifneq (${DECRYPTION_SUPPORT},none)
$(if ${BL31}, $(eval $(call TOOL_ADD_IMG,bl31,--soc-fw,,$(ENCRYPT_BL31))),\
- $(eval $(call MAKE_BL,31,soc-fw,,$(ENCRYPT_BL31))))
+ $(eval $(call MAKE_BL,bl31,soc-fw,,$(ENCRYPT_BL31))))
else
$(if ${BL31}, $(eval $(call TOOL_ADD_IMG,bl31,--soc-fw)),\
- $(eval $(call MAKE_BL,31,soc-fw)))
+ $(eval $(call MAKE_BL,bl31,soc-fw)))
endif
endif
@@ -1152,14 +1261,25 @@ BL32_SOURCES := $(sort ${BL32_SOURCES})
BUILD_BL32 := $(if $(BL32),,$(if $(BL32_SOURCES),1))
ifneq (${DECRYPTION_SUPPORT},none)
-$(if ${BUILD_BL32}, $(eval $(call MAKE_BL,32,tos-fw,,$(ENCRYPT_BL32))),\
+$(if ${BUILD_BL32}, $(eval $(call MAKE_BL,bl32,tos-fw,,$(ENCRYPT_BL32))),\
$(eval $(call TOOL_ADD_IMG,bl32,--tos-fw,,$(ENCRYPT_BL32))))
else
-$(if ${BUILD_BL32}, $(eval $(call MAKE_BL,32,tos-fw)),\
+$(if ${BUILD_BL32}, $(eval $(call MAKE_BL,bl32,tos-fw)),\
$(eval $(call TOOL_ADD_IMG,bl32,--tos-fw)))
endif
endif
+# If RMM image is needed but RMM is not defined, Test Realm Payload (TRP)
+# needs to be built from RMM_SOURCES.
+ifeq (${NEED_RMM},yes)
+# Sort RMM source files to remove duplicates
+RMM_SOURCES := $(sort ${RMM_SOURCES})
+BUILD_RMM := $(if $(RMM),,$(if $(RMM_SOURCES),1))
+
+$(if ${BUILD_RMM}, $(eval $(call MAKE_BL,rmm,rmm-fw)),\
+ $(eval $(call TOOL_ADD_IMG,rmm,--rmm-fw)))
+endif
+
# Add the BL33 image if required by the platform
ifeq (${NEED_BL33},yes)
$(eval $(call TOOL_ADD_IMG,bl33,--nt-fw))
@@ -1167,7 +1287,7 @@ endif
ifeq (${NEED_BL2U},yes)
$(if ${BL2U}, $(eval $(call TOOL_ADD_IMG,bl2u,--ap-fwu-cfg,FWU_)),\
- $(eval $(call MAKE_BL,2u,ap-fwu-cfg,FWU_)))
+ $(eval $(call MAKE_BL,bl2u,ap-fwu-cfg,FWU_)))
endif
# Expand build macros for the different images
@@ -1248,7 +1368,8 @@ checkpatch: locate-checkpatch
echo " with ${CHECKPATCH_OPTS} option(s)"; \
fi
${Q}COMMON_COMMIT=$$(git merge-base HEAD ${BASE_COMMIT}); \
- for commit in `git rev-list $$COMMON_COMMIT..HEAD`; do \
+ for commit in `git rev-list --no-merges $$COMMON_COMMIT..HEAD`; \
+ do \
printf "\n[*] Checking style of '$$commit'\n\n"; \
git log --format=email "$$commit~..$$commit" \
-- ${CHECK_PATHS} | \
diff --git a/bl1/aarch64/bl1_context_mgmt.c b/bl1/aarch64/bl1_context_mgmt.c
index 2a8d58e..b9a7e5b 100644
--- a/bl1/aarch64/bl1_context_mgmt.c
+++ b/bl1/aarch64/bl1_context_mgmt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -16,6 +16,7 @@
/* Following contains the cpu context pointers. */
static void *bl1_cpu_context_ptr[2];
+entry_point_info_t *bl2_ep_info;
void *cm_get_context(uint32_t security_state)
@@ -30,6 +31,40 @@ void cm_set_context(void *context, uint32_t security_state)
bl1_cpu_context_ptr[security_state] = context;
}
+#if ENABLE_RME
+/*******************************************************************************
+ * This function prepares the entry point information to run BL2 in Root world,
+ * i.e. EL3, for the case when FEAT_RME is enabled.
+ ******************************************************************************/
+void bl1_prepare_next_image(unsigned int image_id)
+{
+ image_desc_t *bl2_desc;
+
+ assert(image_id == BL2_IMAGE_ID);
+
+ /* Get the image descriptor. */
+ bl2_desc = bl1_plat_get_image_desc(BL2_IMAGE_ID);
+ assert(bl2_desc != NULL);
+
+ /* Get the entry point info. */
+ bl2_ep_info = &bl2_desc->ep_info;
+
+ bl2_ep_info->spsr = (uint32_t)SPSR_64(MODE_EL3, MODE_SP_ELX,
+ DISABLE_ALL_EXCEPTIONS);
+
+ /*
+ * Flush cache since bl2_ep_info is accessed after MMU is disabled
+ * before jumping to BL2.
+ */
+ flush_dcache_range((uintptr_t)bl2_ep_info, sizeof(entry_point_info_t));
+
+ /* Indicate that image is in execution state. */
+ bl2_desc->state = IMAGE_STATE_EXECUTED;
+
+ /* Print debug info and flush the console before running BL2. */
+ print_entry_point_info(bl2_ep_info);
+}
+#else
/*******************************************************************************
* This function prepares the context for Secure/Normal world images.
* Normal world images are transitioned to EL2(if supported) else EL1.
@@ -93,3 +128,4 @@ void bl1_prepare_next_image(unsigned int image_id)
print_entry_point_info(next_bl_ep);
}
+#endif /* ENABLE_RME */
diff --git a/bl1/aarch64/bl1_entrypoint.S b/bl1/aarch64/bl1_entrypoint.S
index 00f2718..f61c060 100644
--- a/bl1/aarch64/bl1_entrypoint.S
+++ b/bl1/aarch64/bl1_entrypoint.S
@@ -1,13 +1,15 @@
/*
- * Copyright (c) 2013-2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <arch.h>
+#include <common/bl_common.h>
#include <el3_common_macros.S>
.globl bl1_entrypoint
+ .globl bl1_run_bl2_in_root
/* -----------------------------------------------------
@@ -66,5 +68,41 @@ func bl1_entrypoint
* Do the transition to next boot image.
* --------------------------------------------------
*/
+#if ENABLE_RME
+ b bl1_run_bl2_in_root
+#else
b el3_exit
+#endif
endfunc bl1_entrypoint
+
+ /* -----------------------------------------------------
+ * void bl1_run_bl2_in_root();
+ * This function runs BL2 in root/EL3 when RME is enabled.
+ * -----------------------------------------------------
+ */
+
+func bl1_run_bl2_in_root
+ /* read bl2_ep_info */
+ adrp x20, bl2_ep_info
+ add x20, x20, :lo12:bl2_ep_info
+ ldr x20, [x20]
+
+ /* ---------------------------------------------
+ * MMU needs to be disabled because BL2 executes
+ * in EL3. It will initialize the address space
+ * according to its own requirements.
+ * ---------------------------------------------
+ */
+ bl disable_mmu_icache_el3
+ tlbi alle3
+
+ ldp x0, x1, [x20, #ENTRY_POINT_INFO_PC_OFFSET]
+ msr elr_el3, x0
+ msr spsr_el3, x1
+
+ ldp x6, x7, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x30)]
+ ldp x4, x5, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x20)]
+ ldp x2, x3, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x10)]
+ ldp x0, x1, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x0)]
+ exception_return
+endfunc bl1_run_bl2_in_root
diff --git a/bl1/bl1.mk b/bl1/bl1.mk
index d11b4ab..9f63fd5 100644
--- a/bl1/bl1.mk
+++ b/bl1/bl1.mk
@@ -1,14 +1,14 @@
#
-# Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
-BL1_SOURCES += bl1/bl1_main.c \
- bl1/${ARCH}/bl1_arch_setup.c \
+BL1_SOURCES += bl1/${ARCH}/bl1_arch_setup.c \
bl1/${ARCH}/bl1_context_mgmt.c \
bl1/${ARCH}/bl1_entrypoint.S \
bl1/${ARCH}/bl1_exceptions.S \
+ bl1/bl1_main.c \
lib/cpus/${ARCH}/cpu_helpers.S \
lib/cpus/errata_report.c \
lib/el3_runtime/${ARCH}/context_mgmt.c \
diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c
index fd60232..663ec64 100644
--- a/bl1/bl1_main.c
+++ b/bl1/bl1_main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -126,6 +126,9 @@ void bl1_main(void)
auth_mod_init();
#endif /* TRUSTED_BOARD_BOOT */
+ /* Initialize the measured boot */
+ bl1_plat_mboot_init();
+
/* Perform platform setup in BL1. */
bl1_platform_setup();
@@ -147,6 +150,9 @@ void bl1_main(void)
else
NOTICE("BL1-FWU: *******FWU Process Started*******\n");
+ /* Teardown the measured boot driver */
+ bl1_plat_mboot_finish();
+
bl1_prepare_next_image(image_id);
console_flush();
diff --git a/bl1/bl1_private.h b/bl1/bl1_private.h
index 2cfeeea..e119ba7 100644
--- a/bl1/bl1_private.h
+++ b/bl1/bl1_private.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -11,6 +11,8 @@
#include <common/bl_common.h>
+extern entry_point_info_t *bl2_ep_info;
+
/******************************************
* Function prototypes
*****************************************/
@@ -18,6 +20,7 @@ void bl1_arch_setup(void);
void bl1_arch_next_el_setup(void);
void bl1_prepare_next_image(unsigned int image_id);
+void bl1_run_bl2_in_root(void);
u_register_t bl1_fwu_smc_handler(unsigned int smc_fid,
u_register_t x1,
diff --git a/bl2/aarch32/bl2_el3_entrypoint.S b/bl2/aarch32/bl2_el3_entrypoint.S
index 7e85551..40154aa 100644
--- a/bl2/aarch32/bl2_el3_entrypoint.S
+++ b/bl2/aarch32/bl2_el3_entrypoint.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -10,7 +10,6 @@
#include <el3_common_macros.S>
.globl bl2_entrypoint
- .globl bl2_run_next_image
func bl2_entrypoint
@@ -56,37 +55,3 @@ func bl2_entrypoint
no_ret plat_panic_handler
endfunc bl2_entrypoint
-
-func bl2_run_next_image
- mov r8,r0
-
- /*
- * MMU needs to be disabled because both BL2 and BL32 execute
- * in PL1, and therefore share the same address space.
- * BL32 will initialize the address space according to its
- * own requirement.
- */
- bl disable_mmu_icache_secure
- stcopr r0, TLBIALL
- dsb sy
- isb
- mov r0, r8
- bl bl2_el3_plat_prepare_exit
-
- /*
- * Extract PC and SPSR based on struct `entry_point_info_t`
- * and load it in LR and SPSR registers respectively.
- */
- ldr lr, [r8, #ENTRY_POINT_INFO_PC_OFFSET]
- ldr r1, [r8, #(ENTRY_POINT_INFO_PC_OFFSET + 4)]
- msr spsr_xc, r1
-
- /* Some BL32 stages expect lr_svc to provide the BL33 entry address */
- cps #MODE32_svc
- ldr lr, [r8, #ENTRY_POINT_INFO_LR_SVC_OFFSET]
- cps #MODE32_mon
-
- add r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET
- ldm r8, {r0, r1, r2, r3}
- exception_return
-endfunc bl2_run_next_image
diff --git a/bl2/aarch32/bl2_run_next_image.S b/bl2/aarch32/bl2_run_next_image.S
new file mode 100644
index 0000000..0b3554e
--- /dev/null
+++ b/bl2/aarch32/bl2_run_next_image.S
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch.h>
+#include <asm_macros.S>
+#include <common/bl_common.h>
+
+ .globl bl2_run_next_image
+
+
+func bl2_run_next_image
+ mov r8,r0
+
+ /*
+ * MMU needs to be disabled because both BL2 and BL32 execute
+ * in PL1, and therefore share the same address space.
+ * BL32 will initialize the address space according to its
+ * own requirement.
+ */
+ bl disable_mmu_icache_secure
+ stcopr r0, TLBIALL
+ dsb sy
+ isb
+ mov r0, r8
+ bl bl2_el3_plat_prepare_exit
+
+ /*
+ * Extract PC and SPSR based on struct `entry_point_info_t`
+ * and load it in LR and SPSR registers respectively.
+ */
+ ldr lr, [r8, #ENTRY_POINT_INFO_PC_OFFSET]
+ ldr r1, [r8, #(ENTRY_POINT_INFO_PC_OFFSET + 4)]
+ msr spsr_xc, r1
+
+ /* Some BL32 stages expect lr_svc to provide the BL33 entry address */
+ cps #MODE32_svc
+ ldr lr, [r8, #ENTRY_POINT_INFO_LR_SVC_OFFSET]
+ cps #MODE32_mon
+
+ add r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET
+ ldm r8, {r0, r1, r2, r3}
+ exception_return
+endfunc bl2_run_next_image
diff --git a/bl2/aarch64/bl2_el3_entrypoint.S b/bl2/aarch64/bl2_el3_entrypoint.S
index 4eab39c..45bac7d 100644
--- a/bl2/aarch64/bl2_el3_entrypoint.S
+++ b/bl2/aarch64/bl2_el3_entrypoint.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -12,8 +12,6 @@
#include <el3_common_macros.S>
.globl bl2_entrypoint
- .globl bl2_el3_run_image
- .globl bl2_run_next_image
#if BL2_IN_XIP_MEM
#define FIXUP_SIZE 0
@@ -72,36 +70,3 @@ func bl2_entrypoint
*/
no_ret plat_panic_handler
endfunc bl2_entrypoint
-
-func bl2_run_next_image
- mov x20,x0
- /* ---------------------------------------------
- * MMU needs to be disabled because both BL2 and BL31 execute
- * in EL3, and therefore share the same address space.
- * BL31 will initialize the address space according to its
- * own requirement.
- * ---------------------------------------------
- */
- bl disable_mmu_icache_el3
- tlbi alle3
- bl bl2_el3_plat_prepare_exit
-
-#if ENABLE_PAUTH
- /* ---------------------------------------------
- * Disable pointer authentication before jumping
- * to next boot image.
- * ---------------------------------------------
- */
- bl pauth_disable_el3
-#endif /* ENABLE_PAUTH */
-
- ldp x0, x1, [x20, #ENTRY_POINT_INFO_PC_OFFSET]
- msr elr_el3, x0
- msr spsr_el3, x1
-
- ldp x6, x7, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x30)]
- ldp x4, x5, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x20)]
- ldp x2, x3, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x10)]
- ldp x0, x1, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x0)]
- exception_return
-endfunc bl2_run_next_image
diff --git a/bl2/aarch64/bl2_rme_entrypoint.S b/bl2/aarch64/bl2_rme_entrypoint.S
new file mode 100644
index 0000000..076e326
--- /dev/null
+++ b/bl2/aarch64/bl2_rme_entrypoint.S
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <platform_def.h>
+
+#include <arch.h>
+#include <asm_macros.S>
+#include <common/bl_common.h>
+#include <el3_common_macros.S>
+
+ .globl bl2_entrypoint
+
+
+func bl2_entrypoint
+ /* Save arguments x0-x3 from previous Boot loader */
+ mov x20, x0
+ mov x21, x1
+ mov x22, x2
+ mov x23, x3
+
+ el3_entrypoint_common \
+ _init_sctlr=0 \
+ _warm_boot_mailbox=0 \
+ _secondary_cold_boot=0 \
+ _init_memory=0 \
+ _init_c_runtime=1 \
+ _exception_vectors=bl2_el3_exceptions \
+ _pie_fixup_size=0
+
+ /* ---------------------------------------------
+ * Restore parameters of boot rom
+ * ---------------------------------------------
+ */
+ mov x0, x20
+ mov x1, x21
+ mov x2, x22
+ mov x3, x23
+
+ /* ---------------------------------------------
+ * Perform BL2 setup
+ * ---------------------------------------------
+ */
+ bl bl2_setup
+
+#if ENABLE_PAUTH
+ /* ---------------------------------------------
+ * Program APIAKey_EL1 and enable pointer authentication.
+ * ---------------------------------------------
+ */
+ bl pauth_init_enable_el3
+#endif /* ENABLE_PAUTH */
+
+ /* ---------------------------------------------
+ * Jump to main function.
+ * ---------------------------------------------
+ */
+ bl bl2_main
+
+ /* ---------------------------------------------
+ * Should never reach this point.
+ * ---------------------------------------------
+ */
+ no_ret plat_panic_handler
+endfunc bl2_entrypoint
diff --git a/bl2/aarch64/bl2_run_next_image.S b/bl2/aarch64/bl2_run_next_image.S
new file mode 100644
index 0000000..f0a8be8
--- /dev/null
+++ b/bl2/aarch64/bl2_run_next_image.S
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch.h>
+#include <asm_macros.S>
+#include <common/bl_common.h>
+
+ .globl bl2_run_next_image
+
+
+func bl2_run_next_image
+ mov x20,x0
+ /* ---------------------------------------------
+ * MMU needs to be disabled because both BL2 and BL31 execute
+ * in EL3, and therefore share the same address space.
+ * BL31 will initialize the address space according to its
+ * own requirement.
+ * ---------------------------------------------
+ */
+ bl disable_mmu_icache_el3
+ tlbi alle3
+ bl bl2_el3_plat_prepare_exit
+
+#if ENABLE_PAUTH
+ /* ---------------------------------------------
+ * Disable pointer authentication before jumping
+ * to next boot image.
+ * ---------------------------------------------
+ */
+ bl pauth_disable_el3
+#endif /* ENABLE_PAUTH */
+
+ ldp x0, x1, [x20, #ENTRY_POINT_INFO_PC_OFFSET]
+ msr elr_el3, x0
+ msr spsr_el3, x1
+
+ ldp x6, x7, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x30)]
+ ldp x4, x5, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x20)]
+ ldp x2, x3, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x10)]
+ ldp x0, x1, [x20, #(ENTRY_POINT_INFO_ARGS_OFFSET + 0x0)]
+ exception_return
+endfunc bl2_run_next_image
diff --git a/bl2/bl2.ld.S b/bl2/bl2.ld.S
index 37849c3..d332ec0 100644
--- a/bl2/bl2.ld.S
+++ b/bl2/bl2.ld.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -25,7 +25,11 @@ SECTIONS
#if SEPARATE_CODE_AND_RODATA
.text . : {
__TEXT_START__ = .;
+#if ENABLE_RME
+ *bl2_rme_entrypoint.o(.text*)
+#else /* ENABLE_RME */
*bl2_entrypoint.o(.text*)
+#endif /* ENABLE_RME */
*(SORT_BY_ALIGNMENT(.text*))
*(.vectors)
. = ALIGN(PAGE_SIZE);
diff --git a/bl2/bl2.mk b/bl2/bl2.mk
index 735e7e0..7a973e5 100644
--- a/bl2/bl2.mk
+++ b/bl2/bl2.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -15,13 +15,26 @@ ifeq (${ARCH},aarch64)
BL2_SOURCES += common/aarch64/early_exceptions.S
endif
-ifeq (${BL2_AT_EL3},0)
+ifeq (${ENABLE_RME},1)
+# Using RME, run BL2 at EL3
+include lib/gpt_rme/gpt_rme.mk
+
+BL2_SOURCES += bl2/${ARCH}/bl2_rme_entrypoint.S \
+ bl2/${ARCH}/bl2_el3_exceptions.S \
+ bl2/${ARCH}/bl2_run_next_image.S \
+ ${GPT_LIB_SRCS}
+BL2_LINKERFILE := bl2/bl2.ld.S
+
+else ifeq (${BL2_AT_EL3},0)
+# Normal operation, no RME, no BL2 at EL3
BL2_SOURCES += bl2/${ARCH}/bl2_entrypoint.S
BL2_LINKERFILE := bl2/bl2.ld.S
else
+# BL2 at EL3, no RME
BL2_SOURCES += bl2/${ARCH}/bl2_el3_entrypoint.S \
bl2/${ARCH}/bl2_el3_exceptions.S \
+ bl2/${ARCH}/bl2_run_next_image.S \
lib/cpus/${ARCH}/cpu_helpers.S \
lib/cpus/errata_report.c
diff --git a/bl2/bl2_main.c b/bl2/bl2_main.c
index 203e1d4..90fe39b 100644
--- a/bl2/bl2_main.c
+++ b/bl2/bl2_main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -14,9 +14,7 @@
#include <common/debug.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/console.h>
-#if MEASURED_BOOT
-#include <drivers/measured_boot/measured_boot.h>
-#endif
+#include <drivers/fwu/fwu.h>
#include <lib/extensions/pauth.h>
#include <plat/common/platform.h>
@@ -28,18 +26,18 @@
#define NEXT_IMAGE "BL32"
#endif
-#if !BL2_AT_EL3
+#if BL2_AT_EL3
/*******************************************************************************
- * Setup function for BL2.
+ * Setup function for BL2 when BL2_AT_EL3=1
******************************************************************************/
-void bl2_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
- u_register_t arg3)
+void bl2_el3_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
+ u_register_t arg3)
{
/* Perform early platform-specific setup */
- bl2_early_platform_setup2(arg0, arg1, arg2, arg3);
+ bl2_el3_early_platform_setup(arg0, arg1, arg2, arg3);
/* Perform late platform-specific setup */
- bl2_plat_arch_setup();
+ bl2_el3_plat_arch_setup();
#if CTX_INCLUDE_PAUTH_REGS
/*
@@ -49,19 +47,18 @@ void bl2_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
assert(is_armv8_3_pauth_present());
#endif /* CTX_INCLUDE_PAUTH_REGS */
}
-
-#else /* if BL2_AT_EL3 */
+#else /* BL2_AT_EL3 */
/*******************************************************************************
- * Setup function for BL2 when BL2_AT_EL3=1.
+ * Setup function for BL2 when BL2_AT_EL3=0
******************************************************************************/
-void bl2_el3_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
- u_register_t arg3)
+void bl2_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
+ u_register_t arg3)
{
/* Perform early platform-specific setup */
- bl2_el3_early_platform_setup(arg0, arg1, arg2, arg3);
+ bl2_early_platform_setup2(arg0, arg1, arg2, arg3);
/* Perform late platform-specific setup */
- bl2_el3_plat_arch_setup();
+ bl2_plat_arch_setup();
#if CTX_INCLUDE_PAUTH_REGS
/*
@@ -88,29 +85,28 @@ void bl2_main(void)
/* Perform remaining generic architectural setup in S-EL1 */
bl2_arch_setup();
+#if PSA_FWU_SUPPORT
+ fwu_init();
+#endif /* PSA_FWU_SUPPORT */
+
#if TRUSTED_BOARD_BOOT
/* Initialize authentication module */
auth_mod_init();
-
-#if MEASURED_BOOT
- /* Initialize measured boot module */
- measured_boot_init();
-
-#endif /* MEASURED_BOOT */
#endif /* TRUSTED_BOARD_BOOT */
+ /* Initialize the Measured Boot backend */
+ bl2_plat_mboot_init();
+
/* Initialize boot source */
bl2_plat_preload_setup();
/* Load the subsequent bootloader images. */
next_bl_ep_info = bl2_load_images();
-#if MEASURED_BOOT
- /* Finalize measured boot */
- measured_boot_finish();
-#endif /* MEASURED_BOOT */
+ /* Teardown the Measured Boot backend */
+ bl2_plat_mboot_finish();
-#if !BL2_AT_EL3
+#if !BL2_AT_EL3 && !ENABLE_RME
#ifndef __aarch64__
/*
* For AArch32 state BL1 and BL2 share the MMU setup.
@@ -135,7 +131,7 @@ void bl2_main(void)
* be passed to next BL image as an argument.
*/
smc(BL1_SMC_RUN_IMAGE, (unsigned long)next_bl_ep_info, 0, 0, 0, 0, 0, 0);
-#else /* if BL2_AT_EL3 */
+#else /* if BL2_AT_EL3 || ENABLE_RME */
NOTICE("BL2: Booting " NEXT_IMAGE "\n");
print_entry_point_info(next_bl_ep_info);
console_flush();
@@ -148,5 +144,5 @@ void bl2_main(void)
#endif /* ENABLE_PAUTH */
bl2_run_next_image(next_bl_ep_info);
-#endif /* BL2_AT_EL3 */
+#endif /* BL2_AT_EL3 && ENABLE_RME */
}
diff --git a/bl31/aarch64/bl31_entrypoint.S b/bl31/aarch64/bl31_entrypoint.S
index 2d672dd..ed05864 100644
--- a/bl31/aarch64/bl31_entrypoint.S
+++ b/bl31/aarch64/bl31_entrypoint.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -195,6 +195,19 @@ func bl31_warm_entrypoint
#endif
bl bl31_plat_enable_mmu
+#if ENABLE_RME
+ /*
+ * At warm boot GPT data structures have already been initialized in RAM
+ * but the sysregs for this CPU need to be initialized. Note that the GPT
+ * accesses are controlled attributes in GPCCR and do not depend on the
+ * SCR_EL3.C bit.
+ */
+ bl gpt_enable
+ cbz x0, 1f
+ no_ret plat_panic_handler
+1:
+#endif
+
#if ENABLE_PAUTH
/* --------------------------------------------------------------------
* Program APIAKey_EL1 and enable pointer authentication
diff --git a/bl31/aarch64/runtime_exceptions.S b/bl31/aarch64/runtime_exceptions.S
index 51eb2bd..0d0a12d 100644
--- a/bl31/aarch64/runtime_exceptions.S
+++ b/bl31/aarch64/runtime_exceptions.S
@@ -500,6 +500,21 @@ smc_handler64:
stp x16, x17, [x6, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
str x18, [x6, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3]
+ /* Clear flag register */
+ mov x7, xzr
+
+#if ENABLE_RME
+ /* Copy SCR_EL3.NSE bit to the flag to indicate caller's security */
+ ubfx x7, x18, #SCR_NSE_SHIFT, 1
+
+ /*
+ * Shift copied SCR_EL3.NSE bit by 5 to create space for
+ * SCR_EL3.NS bit. Bit 5 of the flag correspondes to
+ * the SCR_EL3.NSE bit.
+ */
+ lsl x7, x7, #5
+#endif /* ENABLE_RME */
+
/* Copy SCR_EL3.NS bit to the flag to indicate caller's security */
bfi x7, x18, #0, #1
diff --git a/bl31/bl31.mk b/bl31/bl31.mk
index 2088533..e751824 100644
--- a/bl31/bl31.mk
+++ b/bl31/bl31.mk
@@ -22,6 +22,8 @@ ifeq (${SPM_MM},1)
endif
endif
+include lib/extensions/amu/amu.mk
+include lib/mpmm/mpmm.mk
include lib/psci/psci_lib.mk
BL31_SOURCES += bl31/bl31_main.c \
@@ -78,23 +80,54 @@ BL31_SOURCES += lib/extensions/spe/spe.c
endif
ifeq (${ENABLE_AMU},1)
-BL31_SOURCES += lib/extensions/amu/aarch64/amu.c \
- lib/extensions/amu/aarch64/amu_helpers.S
+BL31_SOURCES += ${AMU_SOURCES}
endif
+ifeq (${ENABLE_MPMM},1)
+BL31_SOURCES += ${MPMM_SOURCES}
+endif
+
+ifeq (${ENABLE_SME_FOR_NS},1)
+BL31_SOURCES += lib/extensions/sme/sme.c
+BL31_SOURCES += lib/extensions/sve/sve.c
+else
ifeq (${ENABLE_SVE_FOR_NS},1)
BL31_SOURCES += lib/extensions/sve/sve.c
endif
+endif
ifeq (${ENABLE_MPAM_FOR_LOWER_ELS},1)
BL31_SOURCES += lib/extensions/mpam/mpam.c
endif
+ifeq (${ENABLE_TRBE_FOR_NS},1)
+BL31_SOURCES += lib/extensions/trbe/trbe.c
+endif
+
+ifeq (${ENABLE_SYS_REG_TRACE_FOR_NS},1)
+BL31_SOURCES += lib/extensions/sys_reg_trace/aarch64/sys_reg_trace.c
+endif
+
+ifeq (${ENABLE_TRF_FOR_NS},1)
+BL31_SOURCES += lib/extensions/trf/aarch64/trf.c
+endif
+
ifeq (${WORKAROUND_CVE_2017_5715},1)
BL31_SOURCES += lib/cpus/aarch64/wa_cve_2017_5715_bpiall.S \
lib/cpus/aarch64/wa_cve_2017_5715_mmu.S
endif
+ifeq ($(SMC_PCI_SUPPORT),1)
+BL31_SOURCES += services/std_svc/pci_svc.c
+endif
+
+ifeq (${ENABLE_RME},1)
+include lib/gpt_rme/gpt_rme.mk
+
+BL31_SOURCES += ${GPT_LIB_SRCS} \
+ ${RMMD_SOURCES}
+endif
+
BL31_LINKERFILE := bl31/bl31.ld.S
# Flag used to indicate if Crash reporting via console should be included
diff --git a/bl31/bl31_context_mgmt.c b/bl31/bl31_context_mgmt.c
index 9175ee3..34f69ad 100644
--- a/bl31/bl31_context_mgmt.c
+++ b/bl31/bl31_context_mgmt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -19,9 +19,9 @@
******************************************************************************/
void *cm_get_context(uint32_t security_state)
{
- assert(security_state <= NON_SECURE);
+ assert(sec_state_is_valid(security_state));
- return get_cpu_data(cpu_context[security_state]);
+ return get_cpu_data(cpu_context[get_cpu_context_index(security_state)]);
}
/*******************************************************************************
@@ -30,9 +30,10 @@ void *cm_get_context(uint32_t security_state)
******************************************************************************/
void cm_set_context(void *context, uint32_t security_state)
{
- assert(security_state <= NON_SECURE);
+ assert(sec_state_is_valid(security_state));
- set_cpu_data(cpu_context[security_state], context);
+ set_cpu_data(cpu_context[get_cpu_context_index(security_state)],
+ context);
}
/*******************************************************************************
@@ -46,7 +47,8 @@ void *cm_get_context_by_index(unsigned int cpu_idx,
{
assert(sec_state_is_valid(security_state));
- return get_cpu_data_by_index(cpu_idx, cpu_context[security_state]);
+ return get_cpu_data_by_index(cpu_idx,
+ cpu_context[get_cpu_context_index(security_state)]);
}
/*******************************************************************************
@@ -58,5 +60,7 @@ void cm_set_context_by_index(unsigned int cpu_idx, void *context,
{
assert(sec_state_is_valid(security_state));
- set_cpu_data_by_index(cpu_idx, cpu_context[security_state], context);
+ set_cpu_data_by_index(cpu_idx,
+ cpu_context[get_cpu_context_index(security_state)],
+ context);
}
diff --git a/bl31/bl31_main.c b/bl31/bl31_main.c
index 44bf32c..9ac10e2 100644
--- a/bl31/bl31_main.c
+++ b/bl31/bl31_main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -35,6 +35,13 @@ PMF_REGISTER_SERVICE_SMC(rt_instr_svc, PMF_RT_INSTR_SVC_ID,
******************************************************************************/
static int32_t (*bl32_init)(void);
+/*****************************************************************************
+ * Function used to initialise RMM if RME is enabled
+ *****************************************************************************/
+#if ENABLE_RME
+static int32_t (*rmm_init)(void);
+#endif
+
/*******************************************************************************
* Variable to indicate whether next image to execute after BL31 is BL33
* (non-secure & default) or BL32 (secure).
@@ -85,6 +92,15 @@ void bl31_setup(u_register_t arg0, u_register_t arg1, u_register_t arg2,
/* Perform late platform-specific setup */
bl31_plat_arch_setup();
+#if ENABLE_FEAT_HCX
+ /*
+ * Assert that FEAT_HCX is supported on this system, without this check
+ * an exception would occur during context save/restore if enabled but
+ * not supported.
+ */
+ assert(is_feat_hcx_present());
+#endif /* ENABLE_FEAT_HCX */
+
#if CTX_INCLUDE_PAUTH_REGS
/*
* Assert that the ARMv8.3-PAuth registers are present or an access
@@ -130,12 +146,15 @@ void bl31_main(void)
/*
* All the cold boot actions on the primary cpu are done. We now need to
- * decide which is the next image (BL32 or BL33) and how to execute it.
+ * decide which is the next image and how to execute it.
* If the SPD runtime service is present, it would want to pass control
* to BL32 first in S-EL1. In that case, SPD would have registered a
* function to initialize bl32 where it takes responsibility of entering
- * S-EL1 and returning control back to bl31_main. Once this is done we
- * can prepare entry into BL33 as normal.
+ * S-EL1 and returning control back to bl31_main. Similarly, if RME is
+ * enabled and a function is registered to initialize RMM, control is
+ * transferred to RMM in R-EL2. After RMM initialization, control is
+ * returned back to bl31_main. Once this is done we can prepare entry
+ * into BL33 as normal.
*/
/*
@@ -146,9 +165,27 @@ void bl31_main(void)
int32_t rc = (*bl32_init)();
- if (rc == 0)
+ if (rc == 0) {
WARN("BL31: BL32 initialization failed\n");
+ }
}
+
+ /*
+ * If RME is enabled and init hook is registered, initialize RMM
+ * in R-EL2.
+ */
+#if ENABLE_RME
+ if (rmm_init != NULL) {
+ INFO("BL31: Initializing RMM\n");
+
+ int32_t rc = (*rmm_init)();
+
+ if (rc == 0) {
+ WARN("BL31: RMM initialization failed\n");
+ }
+ }
+#endif
+
/*
* We are ready to enter the next EL. Prepare entry into the image
* corresponding to the desired security state after the next ERET.
@@ -227,3 +264,14 @@ void bl31_register_bl32_init(int32_t (*func)(void))
{
bl32_init = func;
}
+
+#if ENABLE_RME
+/*******************************************************************************
+ * This function initializes the pointer to RMM init function. This is expected
+ * to be called by the RMMD after it finishes all its initialization
+ ******************************************************************************/
+void bl31_register_rmm_init(int32_t (*func)(void))
+{
+ rmm_init = func;
+}
+#endif
diff --git a/bl32/sp_min/sp_min.mk b/bl32/sp_min/sp_min.mk
index 8b5eddd..590b032 100644
--- a/bl32/sp_min/sp_min.mk
+++ b/bl32/sp_min/sp_min.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2016-2021, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -8,6 +8,7 @@ ifneq (${ARCH}, aarch32)
$(error SP_MIN is only supported on AArch32 platforms)
endif
+include lib/extensions/amu/amu.mk
include lib/psci/psci_lib.mk
INCLUDES += -Iinclude/bl32/sp_min
@@ -27,9 +28,8 @@ ifeq (${ENABLE_PMF}, 1)
BL32_SOURCES += lib/pmf/pmf_main.c
endif
-ifeq (${ENABLE_AMU}, 1)
-BL32_SOURCES += lib/extensions/amu/aarch32/amu.c\
- lib/extensions/amu/aarch32/amu_helpers.S
+ifeq (${ENABLE_AMU},1)
+BL32_SOURCES += ${AMU_SOURCES}
endif
ifeq (${WORKAROUND_CVE_2017_5715},1)
@@ -42,6 +42,14 @@ BL32_SOURCES += services/std_svc/trng/trng_main.c \
services/std_svc/trng/trng_entropy_pool.c
endif
+ifeq (${ENABLE_SYS_REG_TRACE_FOR_NS},1)
+BL32_SOURCES += lib/extensions/sys_reg_trace/aarch32/sys_reg_trace.c
+endif
+
+ifeq (${ENABLE_TRF_FOR_NS},1)
+BL32_SOURCES += lib/extensions/trf/aarch32/trf.c
+endif
+
BL32_LINKERFILE := bl32/sp_min/sp_min.ld.S
# Include the platform-specific SP_MIN Makefile
diff --git a/bl32/tsp/aarch64/tsp_entrypoint.S b/bl32/tsp/aarch64/tsp_entrypoint.S
index 795c586..7d77f47 100644
--- a/bl32/tsp/aarch64/tsp_entrypoint.S
+++ b/bl32/tsp/aarch64/tsp_entrypoint.S
@@ -100,11 +100,27 @@ func tsp_entrypoint _align=3
* sections. This is done to safeguard against
* possible corruption of this memory by dirty
* cache lines in a system cache as a result of
- * use by an earlier boot loader stage.
+ * use by an earlier boot loader stage. If PIE
+ * is enabled however, RO sections including the
+ * GOT may be modified during pie fixup.
+ * Therefore, to be on the safe side, invalidate
+ * the entire image region if PIE is enabled.
* ---------------------------------------------
*/
- adr x0, __RW_START__
- adr x1, __RW_END__
+#if ENABLE_PIE
+#if SEPARATE_CODE_AND_RODATA
+ adrp x0, __TEXT_START__
+ add x0, x0, :lo12:__TEXT_START__
+#else
+ adrp x0, __RO_START__
+ add x0, x0, :lo12:__RO_START__
+#endif /* SEPARATE_CODE_AND_RODATA */
+#else
+ adrp x0, __RW_START__
+ add x0, x0, :lo12:__RW_START__
+#endif /* ENABLE_PIE */
+ adrp x1, __RW_END__
+ add x1, x1, :lo12:__RW_END__
sub x1, x1, x0
bl inv_dcache_range
diff --git a/bl32/tsp/tsp_interrupt.c b/bl32/tsp/tsp_interrupt.c
index 4e500b3..430b5dd 100644
--- a/bl32/tsp/tsp_interrupt.c
+++ b/bl32/tsp/tsp_interrupt.c
@@ -5,6 +5,7 @@
*/
#include <assert.h>
+#include <inttypes.h>
#include <platform_def.h>
@@ -36,7 +37,7 @@ void tsp_update_sync_sel1_intr_stats(uint32_t type, uint64_t elr_el3)
#if LOG_LEVEL >= LOG_LEVEL_VERBOSE
spin_lock(&console_lock);
- VERBOSE("TSP: cpu 0x%lx sync s-el1 interrupt request from 0x%llx\n",
+ VERBOSE("TSP: cpu 0x%lx sync s-el1 interrupt request from 0x%" PRIx64 "\n",
read_mpidr(), elr_el3);
VERBOSE("TSP: cpu 0x%lx: %d sync s-el1 interrupt requests,"
" %d sync s-el1 interrupt returns\n",
diff --git a/bl32/tsp/tsp_main.c b/bl32/tsp/tsp_main.c
index 01c9ec5..55e1532 100644
--- a/bl32/tsp/tsp_main.c
+++ b/bl32/tsp/tsp_main.c
@@ -5,6 +5,8 @@
*/
#include <assert.h>
+#include <inttypes.h>
+#include <stdint.h>
#include <arch_features.h>
#include <arch_helpers.h>
@@ -271,7 +273,7 @@ tsp_args_t *tsp_cpu_resume_main(uint64_t max_off_pwrlvl,
#if LOG_LEVEL >= LOG_LEVEL_INFO
spin_lock(&console_lock);
- INFO("TSP: cpu 0x%lx resumed. maximum off power level %lld\n",
+ INFO("TSP: cpu 0x%lx resumed. maximum off power level %" PRId64 "\n",
read_mpidr(), max_off_pwrlvl);
INFO("TSP: cpu 0x%lx: %d smcs, %d erets %d cpu resume requests\n",
read_mpidr(),
@@ -375,7 +377,7 @@ tsp_args_t *tsp_smc_handler(uint64_t func,
#if LOG_LEVEL >= LOG_LEVEL_INFO
spin_lock(&console_lock);
- INFO("TSP: cpu 0x%lx received %s smc 0x%llx\n", read_mpidr(),
+ INFO("TSP: cpu 0x%lx received %s smc 0x%" PRIx64 "\n", read_mpidr(),
((func >> 31) & 1) == 1 ? "fast" : "yielding",
func);
INFO("TSP: cpu 0x%lx: %d smcs, %d erets\n", read_mpidr(),
diff --git a/common/bl_common.c b/common/bl_common.c
index f17afcb..eb2352a 100644
--- a/common/bl_common.c
+++ b/common/bl_common.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -202,12 +202,26 @@ static int load_auth_image_recursive(unsigned int image_id,
return -EAUTH;
}
- /*
- * Flush the image to main memory so that it can be executed later by
- * any CPU, regardless of cache and MMU state. This is only needed for
- * child images, not for the parents (certificates).
- */
if (is_parent_image == 0) {
+ /*
+ * Measure the image.
+ * We do not measure its parents because these only play a role
+ * in authentication, which is orthogonal to measured boot.
+ *
+ * TODO: Change this code if we change our minds about measuring
+ * certificates.
+ */
+ rc = plat_mboot_measure_image(image_id, image_data);
+ if (rc != 0) {
+ return rc;
+ }
+
+ /*
+ * Flush the image to main memory so that it can be executed
+ * later by any CPU, regardless of cache and MMU state. This
+ * is only needed for child images, not for the parents
+ * (certificates).
+ */
flush_dcache_range(image_data->image_base,
image_data->image_size);
}
@@ -239,9 +253,18 @@ int load_auth_image(unsigned int image_id, image_info_t *image_data)
{
int err;
+/*
+ * All firmware banks should be part of the same non-volatile storage as per
+ * PSA FWU specification, hence don't check for any alternate boot source
+ * when PSA FWU is enabled.
+ */
+#if PSA_FWU_SUPPORT
+ err = load_auth_image_internal(image_id, image_data);
+#else
do {
err = load_auth_image_internal(image_id, image_data);
} while ((err != 0) && (plat_try_next_boot_source() != 0));
+#endif /* PSA_FWU_SUPPORT */
return err;
}
diff --git a/common/fdt_fixup.c b/common/fdt_fixup.c
index 46606fb..de02b46 100644
--- a/common/fdt_fixup.c
+++ b/common/fdt_fixup.c
@@ -398,6 +398,7 @@ int fdt_add_cpus_node(void *dtb, unsigned int afflv0,
* fdt_adjust_gic_redist() - Adjust GICv3 redistributor size
* @dtb: Pointer to the DT blob in memory
* @nr_cores: Number of CPU cores on this system.
+ * @gicr_base: Base address of the first GICR frame, or ~0 if unchanged
* @gicr_frame_size: Size of the GICR frame per core
*
* On a GICv3 compatible interrupt controller, the redistributor provides
@@ -410,17 +411,19 @@ int fdt_add_cpus_node(void *dtb, unsigned int afflv0,
* A GICv4 compatible redistributor uses four 64K pages per core, whereas GICs
* without support for direct injection of virtual interrupts use two 64K pages.
* The @gicr_frame_size parameter should be 262144 and 131072, respectively.
+ * Also optionally allow adjusting the GICR frame base address, when this is
+ * different due to ITS frames between distributor and redistributor.
*
* Return: 0 on success, negative error value otherwise.
*/
int fdt_adjust_gic_redist(void *dtb, unsigned int nr_cores,
- unsigned int gicr_frame_size)
+ uintptr_t gicr_base, unsigned int gicr_frame_size)
{
int offset = fdt_node_offset_by_compatible(dtb, 0, "arm,gic-v3");
- uint64_t redist_size_64;
- uint32_t redist_size_32;
+ uint64_t reg_64;
+ uint32_t reg_32;
void *val;
- int parent;
+ int parent, ret;
int ac, sc;
if (offset < 0) {
@@ -437,13 +440,34 @@ int fdt_adjust_gic_redist(void *dtb, unsigned int nr_cores,
return -EINVAL;
}
+ if (gicr_base != INVALID_BASE_ADDR) {
+ if (ac == 1) {
+ reg_32 = cpu_to_fdt32(gicr_base);
+ val = &reg_32;
+ } else {
+ reg_64 = cpu_to_fdt64(gicr_base);
+ val = &reg_64;
+ }
+ /*
+ * The redistributor base address is the second address in
+ * the "reg" entry, so we have to skip one address and one
+ * size cell.
+ */
+ ret = fdt_setprop_inplace_namelen_partial(dtb, offset,
+ "reg", 3,
+ (ac + sc) * 4,
+ val, ac * 4);
+ if (ret < 0) {
+ return ret;
+ }
+ }
+
if (sc == 1) {
- redist_size_32 = cpu_to_fdt32(nr_cores * gicr_frame_size);
- val = &redist_size_32;
+ reg_32 = cpu_to_fdt32(nr_cores * gicr_frame_size);
+ val = &reg_32;
} else {
- redist_size_64 = cpu_to_fdt64(nr_cores *
- (uint64_t)gicr_frame_size);
- val = &redist_size_64;
+ reg_64 = cpu_to_fdt64(nr_cores * (uint64_t)gicr_frame_size);
+ val = &reg_64;
}
/*
diff --git a/common/fdt_wrappers.c b/common/fdt_wrappers.c
index dd7a0fa..2a9673f 100644
--- a/common/fdt_wrappers.c
+++ b/common/fdt_wrappers.c
@@ -8,6 +8,8 @@
#include <assert.h>
#include <errno.h>
+#include <inttypes.h>
+#include <stdint.h>
#include <string.h>
#include <libfdt.h>
@@ -35,7 +37,7 @@ int fdt_read_uint32_array(const void *dtb, int node, const char *prop_name,
/* Access property and obtain its length (in bytes) */
prop = fdt_getprop(dtb, node, prop_name, &value_len);
if (prop == NULL) {
- WARN("Couldn't find property %s in dtb\n", prop_name);
+ VERBOSE("Couldn't find property %s in dtb\n", prop_name);
return -FDT_ERR_NOTFOUND;
}
@@ -402,7 +404,7 @@ static bool fdtw_xlat_hit(const uint32_t *value, int child_addr_size,
addr_range = fdt_read_prop_cells(value + child_addr_size +
parent_addr_size,
range_size);
- VERBOSE("DT: Address %llx mapped to %llx with range %llx\n",
+ VERBOSE("DT: Address %" PRIx64 " mapped to %" PRIx64 " with range %" PRIx64 "\n",
local_address, parent_address, addr_range);
/* Perform range check */
@@ -413,8 +415,8 @@ static bool fdtw_xlat_hit(const uint32_t *value, int child_addr_size,
/* Found hit for the addr range that needs to be translated */
*translated_addr = parent_address + (base_address - local_address);
- VERBOSE("DT: child address %llx mapped to %llx in parent bus\n",
- local_address, parent_address);
+ VERBOSE("DT: child address %" PRIx64 "mapped to %" PRIx64 " in parent bus\n",
+ local_address, parent_address);
return true;
}
@@ -470,8 +472,8 @@ static uint64_t fdtw_search_all_xlat_entries(const void *dtb,
next_entry = next_entry + ncells_xlat;
}
- INFO("DT: No translation found for address %llx in node %s\n",
- base_address, fdt_get_name(dtb, local_bus, NULL));
+ INFO("DT: No translation found for address %" PRIx64 " in node %s\n",
+ base_address, fdt_get_name(dtb, local_bus, NULL));
return ILLEGAL_ADDR;
}
@@ -572,3 +574,47 @@ uint64_t fdtw_translate_address(const void *dtb, int node,
/* Translate the local device address recursively */
return fdtw_translate_address(dtb, local_bus_node, global_address);
}
+
+/*
+ * For every CPU node (`/cpus/cpu@n`) in an FDT, execute a callback passing a
+ * pointer to the FDT and the offset of the CPU node. If the return value of the
+ * callback is negative, it is treated as an error and the loop is aborted. In
+ * this situation, the value of the callback is returned from the function.
+ *
+ * Returns `0` on success, or a negative integer representing an error code.
+ */
+int fdtw_for_each_cpu(const void *dtb,
+ int (*callback)(const void *dtb, int node, uintptr_t mpidr))
+{
+ int ret = 0;
+ int parent, node = 0;
+
+ parent = fdt_path_offset(dtb, "/cpus");
+ if (parent < 0) {
+ return parent;
+ }
+
+ fdt_for_each_subnode(node, dtb, parent) {
+ const char *name;
+ int len;
+
+ uintptr_t mpidr = 0U;
+
+ name = fdt_get_name(dtb, node, &len);
+ if (strncmp(name, "cpu@", 4) != 0) {
+ continue;
+ }
+
+ ret = fdt_get_reg_props_by_index(dtb, node, 0, &mpidr, NULL);
+ if (ret < 0) {
+ break;
+ }
+
+ ret = callback(dtb, node, mpidr);
+ if (ret < 0) {
+ break;
+ }
+ }
+
+ return ret;
+}
diff --git a/common/fdt_wrappers.mk b/common/fdt_wrappers.mk
new file mode 100644
index 0000000..62b8c6e
--- /dev/null
+++ b/common/fdt_wrappers.mk
@@ -0,0 +1,7 @@
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+FDT_WRAPPERS_SOURCES := common/fdt_wrappers.c
diff --git a/common/tf_crc32.c b/common/tf_crc32.c
new file mode 100644
index 0000000..b33d36e
--- /dev/null
+++ b/common/tf_crc32.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdarg.h>
+#include <assert.h>
+
+#include <arm_acle.h>
+#include <common/debug.h>
+#include <common/tf_crc32.h>
+
+/* compute CRC using Arm intrinsic function
+ *
+ * This function is useful for the platforms with the CPU ARMv8.0
+ * (with CRC instructions supported), and onwards.
+ * Platforms with CPU ARMv8.0 should make sure to add a compile switch
+ * '-march=armv8-a+crc" for successful compilation of this file.
+ *
+ * @crc: previous accumulated CRC
+ * @buf: buffer base address
+ * @size: the size of the buffer
+ *
+ * Return calculated CRC value
+ */
+uint32_t tf_crc32(uint32_t crc, const unsigned char *buf, size_t size)
+{
+ assert(buf != NULL);
+
+ uint32_t calc_crc = ~crc;
+ const unsigned char *local_buf = buf;
+ size_t local_size = size;
+
+ /*
+ * calculate CRC over byte data
+ */
+ while (local_size != 0UL) {
+ calc_crc = __crc32b(calc_crc, *local_buf);
+ local_buf++;
+ local_size--;
+ }
+
+ return ~calc_crc;
+}
diff --git a/common/tf_log.c b/common/tf_log.c
index 08d3cf4..68f1be4 100644
--- a/common/tf_log.c
+++ b/common/tf_log.c
@@ -49,6 +49,20 @@ void tf_log(const char *fmt, ...)
va_end(args);
}
+void tf_log_newline(const char log_fmt[2])
+{
+ unsigned int log_level = log_fmt[0];
+
+ /* Verify that log_level is one of LOG_MARKER_* macro defined in debug.h */
+ assert((log_level > 0U) && (log_level <= LOG_LEVEL_VERBOSE));
+ assert((log_level % 10U) == 0U);
+
+ if (log_level > max_log_level)
+ return;
+
+ putchar('\n');
+}
+
/*
* The helper function to set the log level dynamically by platform. The
* maximum log level is determined by `LOG_LEVEL` build flag at compile time
diff --git a/common/uuid.c b/common/uuid.c
index dd3c7b0..ac6db50 100644
--- a/common/uuid.c
+++ b/common/uuid.c
@@ -73,6 +73,7 @@ static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
int read_uuid(uint8_t *dest, char *uuid)
{
int err;
+ uint8_t *dest_start = dest;
/* Check that we have enough characters */
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
@@ -124,7 +125,7 @@ int read_uuid(uint8_t *dest, char *uuid)
if (err < 0) {
WARN("Error parsing UUID\n");
/* Clear the buffer on error */
- memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
+ memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
return -EINVAL;
}
diff --git a/docs/about/features.rst b/docs/about/features.rst
index f5fc1e0..4b7fbe5 100644
--- a/docs/about/features.rst
+++ b/docs/about/features.rst
@@ -74,7 +74,7 @@ Current features
loading of a hardware configuration (for example, a kernel device tree)
as part of the FIP, to be passed through the firmware stages.
This feature is now incorporated inside the firmware configuration framework
- (fconf), which is still flagged as experimental.
+ (fconf).
- Support for alternative boot flows, for example to support platforms where
the EL3 Runtime Software is loaded using other firmware or a separate
@@ -94,9 +94,7 @@ Current features
- Support for ARMv8.3 pointer authentication in the normal and secure worlds.
The use of pointer authentication in the normal world is enabled whenever
architectural support is available, without the need for additional build
- flags. Use of pointer authentication in the secure world remains an
- experimental configuration at this time and requires the
- ``BRANCH_PROTECTION`` option to be set to non-zero.
+ flags.
- Position-Independent Executable (PIE) support. Currently for BL2, BL31, and
TSP, with further support to be added in a future release.
diff --git a/docs/about/maintainers.rst b/docs/about/maintainers.rst
index 30b2ab2..337dde6 100644
--- a/docs/about/maintainers.rst
+++ b/docs/about/maintainers.rst
@@ -109,6 +109,16 @@ Exception Handling Framework (EHF)
:|G|: `john-powell-arm`_
:|F|: bl31/ehf.c
+Realm Management Extension (RME)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:|M|: Bipin Ravi <bipin.ravi@arm.com>
+:|G|: `bipinravi-arm`_
+:|M|: Mark Dykes <mark.dykes@arm.com>
+:|G|: `mardyk01`_
+:|M|: John Powell <John.Powell@arm.com>
+:|G|: `john-powell-arm`_
+:|M|: Zelalem Aweke <Zelalem.Aweke@arm.com>
+:|G|: `zelalem-aweke`_
Drivers, Libraries and Framework Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -207,6 +217,8 @@ Activity Monitors Unit (AMU) extensions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:|M|: Alexei Fedorov <Alexei.Fedorov@arm.com>
:|G|: `AlexeiFedorov`_
+:|M|: Chris Kay <chris.kay@arm.com>
+:|G|: `CJKay`_
:|F|: lib/extensions/amu/
Memory Partitioning And Monitoring (MPAM) extensions
@@ -316,6 +328,13 @@ System Control and Management Interface (SCMI) Server
:|F|: drivers/scmi-msg
:|F|: include/drivers/scmi\*
+Max Power Mitigation Mechanism (MPMM)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:|M|: Chris Kay <chris.kay@arm.com>
+:|G|: `CJKay`_
+:|F|: include/lib/mpmm/
+:|F|: lib/mpmm/
+
Platform Ports
~~~~~~~~~~~~~~
@@ -399,6 +418,7 @@ Arm Rich IoT Platform ports
:|G|: `vishnu-banavath`_
:|F|: plat/arm/board/corstone700
:|F|: plat/arm/board/a5ds
+:|F|: plat/arm/board/diphda
Arm Reference Design platform ports
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -414,13 +434,13 @@ Arm Reference Design platform ports
:|F|: plat/arm/board/rdv1mc/
:|F|: plat/arm/board/sgi575/
-Arm Total Compute(tc0) platform port
+Arm Total Compute platform port
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
:|M|: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
:|G|: `arugan02`_
:|M|: Usama Arif <usama.arif@arm.com>
:|G|: `uarif1`_
-:|F|: plat/arm/board/tc0
+:|F|: plat/arm/board/tc
HiSilicon HiKey and HiKey960 platform ports
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -449,8 +469,8 @@ Intel SocFPGA platform ports
MediaTek platform ports
^^^^^^^^^^^^^^^^^^^^^^^
-:|M|: Yidi Lin (林以廸) <yidi.lin@mediatek.com>
-:|G|: `mtk09422`_
+:|M|: Rex-BC Chen <rex-bc.chen@mediatek.com>
+:|G|: `mtk-rex-bc-chen`_
:|F|: plat/mediatek/
Marvell platform ports and SoC drivers
@@ -493,8 +513,8 @@ NXP i.MX 7 WaRP7 platform port and SoC drivers
NXP i.MX 8 platform port
^^^^^^^^^^^^^^^^^^^^^^^^
-:|M|: Anson Huang <Anson.Huang@nxp.com>
-:|G|: `Anson-Huang`_
+:|M|: Peng Fan <peng.fan@nxp.com>
+:|G|: `MrVan`_
:|F|: docs/plat/imx8.rst
:|F|: plat/imx/
@@ -505,6 +525,24 @@ NXP i.MX8M platform port
:|F|: docs/plat/imx8m.rst
:|F|: plat/imx/imx8m/
+NXP QorIQ Layerscape common code for platform ports
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:|M|: Pankaj Gupta <pankaj.gupta@nxp.com>
+:|G|: `pangupta`_
+:|F|: docs/plat/nxp/
+:|F|: plat/nxp/
+:|F|: drivers/nxp/
+:|F|: tools/nxp/
+
+NXP SoC Part LX2160A and its platform port
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+:|M|: Pankaj Gupta <pankaj.gupta@nxp.com>
+:|G|: `pangupta`_
+:|F|: plat/nxp/soc-lx2160a
+:|F|: plat/nxp/soc-lx2160a/lx2162aqds
+:|F|: plat/nxp/soc-lx2160a/lx2160aqds
+:|F|: plat/nxp/soc-lx2160a/lx2160ardb
+
QEMU platform port
^^^^^^^^^^^^^^^^^^
:|M|: Jens Wiklander <jens.wiklander@linaro.org>
@@ -516,7 +554,10 @@ QTI platform port
^^^^^^^^^^^^^^^^^
:|M|: Saurabh Gorecha <sgorecha@codeaurora.org>
:|G|: `sgorecha`_
-:|M|: Debasish Mandal <dmandal@codeaurora.org>
+:|M|: Lachit Patel <lpatel@codeaurora.org>
+:|G|: `lachitp`_
+:|M|: Sreevyshanavi Kare <skare@codeaurora.org>
+:|G|: `sreekare`_
:|M|: QTI TF Maintainers <qti.trustedfirmware.maintainers@codeaurora.org>
:|F|: docs/plat/qti.rst
:|F|: plat/qti/
@@ -576,6 +617,8 @@ RockChip platform port
:|G|: `rockchip-linux`_
:|M|: Heiko Stuebner <heiko@sntech.de>
:|G|: `mmind`_
+:|M|: Julius Werner <jwerner@chromium.org>
+:|G|: `jwerner-chromium`_
:|F|: plat/rockchip/
STM32MP1 platform port
@@ -681,6 +724,20 @@ Build system
:|F|: Makefile
:|F|: make_helpers/
+Threat Model
+~~~~~~~~~~~~~
+:|M|: Zelalem Aweke <Zelalem.Aweke@arm.com>
+:|G|: `zelalem-aweke`_
+:|M|: Sandrine Bailleux <sandrine.bailleux@arm.com>
+:|G|: `sandrine-bailleux-arm`_
+:|M|: Joanna Farley <joanna.farley@arm.com>
+:|G|: `joannafarley-arm`_
+:|M|: Raghu Krishnamurthy <raghu.ncstate@icloud.com>
+:|G|: `raghuncstate`_
+:|M|: Varun Wadekar <vwadekar@nvidia.com>
+:|G|: `vwadekar`_
+:|F|: docs/threat_model/
+
.. _AlexeiFedorov: https://github.com/AlexeiFedorov
.. _Andre-ARM: https://github.com/Andre-ARM
.. _Anson-Huang: https://github.com/Anson-Huang
@@ -697,13 +754,14 @@ Build system
.. _jenswi-linaro: https://github.com/jenswi-linaro
.. _jwerner-chromium: https://github.com/jwerner-chromium
.. _kostapr: https://github.com/kostapr
+.. _lachitp: https://github.com/lachitp
.. _ldts: https://github.com/ldts
.. _marex: https://github.com/marex
.. _masahir0y: https://github.com/masahir0y
.. _michalsimek: https://github.com/michalsimek
.. _mmind: https://github.com/mmind
.. _MrVan: https://github.com/MrVan
-.. _mtk09422: https://github.com/mtk09422
+.. _mtk-rex-bc-chen: https://github.com/mtk-rex-bc-chen
.. _niej: https://github.com/niej
.. _npoushin: https://github.com/npoushin
.. _prabhakarlad: https://github.com/prabhakarlad
@@ -715,6 +773,7 @@ Build system
.. _shawnguo2: https://github.com/shawnguo2
.. _smaeul: https://github.com/smaeul
.. _soby-mathew: https://github.com/soby-mathew
+.. _sreekare: https://github.com/sreekare
.. _thloh85-intel: https://github.com/thloh85-intel
.. _thomas-arm: https://github.com/thomas-arm
.. _TonyXie06: https://github.com/TonyXie06
@@ -745,5 +804,6 @@ Build system
.. _vijayenthiran-arm: https://github.com/vijayenthiran-arm
.. _arugan02: https://github.com/arugan02
.. _uarif1: https://github.com/uarif1
+.. _pangupta: https://github.com/pangupta
.. _Project Maintenance Process: https://developer.trustedfirmware.org/w/collaboration/project-maintenance-process/
diff --git a/docs/about/release-information.rst b/docs/about/release-information.rst
index 3e8dd91..b65571d 100644
--- a/docs/about/release-information.rst
+++ b/docs/about/release-information.rst
@@ -46,7 +46,7 @@ depending on project requirement and partner feedback.
+-----------------+---------------------------+------------------------------+
| v2.5 | 3rd week of May '21 | 5th week of Apr '21 |
+-----------------+---------------------------+------------------------------+
-| v2.6 | 4th week of Oct '21 | 1st week of Oct '21 |
+| v2.6 | 4th week of Nov '21 | 2nd week of Nov '21 |
+-----------------+---------------------------+------------------------------+
Removal of Deprecated Interfaces
diff --git a/docs/change-log.rst b/docs/change-log.rst
index 4e7c96f..9c47568 100644
--- a/docs/change-log.rst
+++ b/docs/change-log.rst
@@ -107,7 +107,7 @@ New Features
- Cortex_A78C CPU
- Makalu ELP CPU
- Makalu CPU
- - Matterhorn CPU
+ - Matterhorn ELP CPU
- Neoverse-N2 CPU
- CPU Errata
diff --git a/docs/components/activity-monitors.rst b/docs/components/activity-monitors.rst
new file mode 100644
index 0000000..dd45c43
--- /dev/null
+++ b/docs/components/activity-monitors.rst
@@ -0,0 +1,34 @@
+Activity Monitors
+=================
+
+FEAT_AMUv1 of the Armv8-A architecture introduces the Activity Monitors
+extension. This extension describes the architecture for the Activity Monitor
+Unit (|AMU|), an optional non-invasive component for monitoring core events
+through a set of 64-bit counters.
+
+When the ``ENABLE_AMU=1`` build option is provided, Trusted Firmware-A sets up
+the |AMU| prior to its exit from EL3, and will save and restore architected
+|AMU| counters as necessary upon suspend and resume.
+
+.. _Activity Monitor Auxiliary Counters:
+
+Auxiliary counters
+------------------
+
+FEAT_AMUv1 describes a set of implementation-defined auxiliary counters (also
+known as group 1 counters), controlled by the ``ENABLE_AMU_AUXILIARY_COUNTERS``
+build option.
+
+As a security precaution, Trusted Firmware-A does not enable these by default.
+Instead, platforms may configure their auxiliary counters through one of two
+possible mechanisms:
+
+- |FCONF|, controlled by the ``ENABLE_AMU_FCONF`` build option.
+- A platform implementation of the ``plat_amu_topology`` function (the default).
+
+See :ref:`Activity Monitor Unit (AMU) Bindings` for documentation on the |FCONF|
+device tree bindings.
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
diff --git a/docs/components/fconf/amu-bindings.rst b/docs/components/fconf/amu-bindings.rst
new file mode 100644
index 0000000..047f75e
--- /dev/null
+++ b/docs/components/fconf/amu-bindings.rst
@@ -0,0 +1,142 @@
+Activity Monitor Unit (AMU) Bindings
+====================================
+
+To support platform-defined Activity Monitor Unit (|AMU|) auxiliary counters
+through FCONF, the ``HW_CONFIG`` device tree accepts several |AMU|-specific
+nodes and properties.
+
+Bindings
+^^^^^^^^
+
+.. contents::
+ :local:
+
+``/cpus/cpus/cpu*`` node properties
+"""""""""""""""""""""""""""""""""""
+
+The ``cpu`` node has been augmented to support a handle to an associated |AMU|
+view, which should describe the counters offered by the core.
+
++---------------+-------+---------------+-------------------------------------+
+| Property name | Usage | Value type | Description |
++===============+=======+===============+=====================================+
+| ``amu`` | O | ``<phandle>`` | If present, indicates that an |AMU| |
+| | | | is available and its counters are |
+| | | | described by the node provided. |
++---------------+-------+---------------+-------------------------------------+
+
+``/cpus/amus`` node properties
+""""""""""""""""""""""""""""""
+
+The ``amus`` node describes the |AMUs| implemented by the cores in the system.
+This node does not have any properties.
+
+``/cpus/amus/amu*`` node properties
+"""""""""""""""""""""""""""""""""""
+
+An ``amu`` node describes the layout and meaning of the auxiliary counter
+registers of one or more |AMUs|, and may be shared by multiple cores.
+
++--------------------+-------+------------+------------------------------------+
+| Property name | Usage | Value type | Description |
++====================+=======+============+====================================+
+| ``#address-cells`` | R | ``<u32>`` | Value shall be 1. Specifies that |
+| | | | the ``reg`` property array of |
+| | | | children of this node uses a |
+| | | | single cell. |
++--------------------+-------+------------+------------------------------------+
+| ``#size-cells`` | R | ``<u32>`` | Value shall be 0. Specifies that |
+| | | | no size is required in the ``reg`` |
+| | | | property in children of this node. |
++--------------------+-------+------------+------------------------------------+
+
+``/cpus/amus/amu*/counter*`` node properties
+""""""""""""""""""""""""""""""""""""""""""""
+
+A ``counter`` node describes an auxiliary counter belonging to the parent |AMU|
+view.
+
++-------------------+-------+-------------+------------------------------------+
+| Property name | Usage | Value type | Description |
++===================+=======+=============+====================================+
+| ``reg`` | R | array | Represents the counter register |
+| | | | index, and must be a single cell. |
++-------------------+-------+-------------+------------------------------------+
+| ``enable-at-el3`` | O | ``<empty>`` | The presence of this property |
+| | | | indicates that this counter should |
+| | | | be enabled prior to EL3 exit. |
++-------------------+-------+-------------+------------------------------------+
+
+Example
+^^^^^^^
+
+An example system offering four cores made up of two clusters, where the cores
+of each cluster share different |AMUs|, may use something like the following:
+
+.. code-block::
+
+ cpus {
+ #address-cells = <2>;
+ #size-cells = <0>;
+
+ amus {
+ amu0: amu-0 {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ counterX: counter@0 {
+ reg = <0>;
+
+ enable-at-el3;
+ };
+
+ counterY: counter@1 {
+ reg = <1>;
+
+ enable-at-el3;
+ };
+ };
+
+ amu1: amu-1 {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ counterZ: counter@0 {
+ reg = <0>;
+
+ enable-at-el3;
+ };
+ };
+ };
+
+ cpu0@00000 {
+ ...
+
+ amu = <&amu0>;
+ };
+
+ cpu1@00100 {
+ ...
+
+ amu = <&amu0>;
+ };
+
+ cpu2@10000 {
+ ...
+
+ amu = <&amu1>;
+ };
+
+ cpu3@10100 {
+ ...
+
+ amu = <&amu1>;
+ };
+ }
+
+In this situation, ``cpu0`` and ``cpu1`` (the two cores in the first cluster),
+share the view of their AMUs defined by ``amu0``. Likewise, ``cpu2`` and
+``cpu3`` (the two cores in the second cluster), share the view of their |AMUs|
+defined by ``amu1``. This will cause ``counterX`` and ``counterY`` to be enabled
+for both ``cpu0`` and ``cpu1``, and ``counterZ`` to be enabled for both ``cpu2``
+and ``cpu3``.
diff --git a/docs/components/fconf/index.rst b/docs/components/fconf/index.rst
index 9020633..029f324 100644
--- a/docs/components/fconf/index.rst
+++ b/docs/components/fconf/index.rst
@@ -145,3 +145,5 @@ Properties binding information
:maxdepth: 1
fconf_properties
+ amu-bindings
+ mpmm-bindings
diff --git a/docs/components/fconf/mpmm-bindings.rst b/docs/components/fconf/mpmm-bindings.rst
new file mode 100644
index 0000000..d3cc857
--- /dev/null
+++ b/docs/components/fconf/mpmm-bindings.rst
@@ -0,0 +1,48 @@
+Maximum Power Mitigation Mechanism (MPMM) Bindings
+==================================================
+
+|MPMM| support cannot be determined at runtime by the firmware. Instead, these
+DTB bindings allow the platform to communicate per-core support for |MPMM| via
+the ``HW_CONFIG`` device tree blob.
+
+Bindings
+^^^^^^^^
+
+.. contents::
+ :local:
+
+``/cpus/cpus/cpu*`` node properties
+"""""""""""""""""""""""""""""""""""
+
+The ``cpu`` node has been augmented to allow the platform to indicate support
+for |MPMM| on a given core.
+
++-------------------+-------+-------------+------------------------------------+
+| Property name | Usage | Value type | Description |
++===================+=======+=============+====================================+
+| ``supports-mpmm`` | O | ``<empty>`` | If present, indicates that |MPMM| |
+| | | | is available on this core. |
++-------------------+-------+-------------+------------------------------------+
+
+Example
+^^^^^^^
+
+An example system offering two cores, one with support for |MPMM| and one
+without, can be described as follows:
+
+.. code-block::
+
+ cpus {
+ #address-cells = <2>;
+ #size-cells = <0>;
+
+ cpu0@00000 {
+ ...
+
+ supports-mpmm;
+ };
+
+ cpu1@00100 {
+ ...
+ };
+ }
diff --git a/docs/components/ffa-manifest-binding.rst b/docs/components/ffa-manifest-binding.rst
index 9e3919d..df2985c 100644
--- a/docs/components/ffa-manifest-binding.rst
+++ b/docs/components/ffa-manifest-binding.rst
@@ -106,14 +106,17 @@ Partition Properties
The "compatible" must be the string "arm,ffa-manifest-rx_tx-buffer".
- messaging-method [mandatory]
- - value type: <u32>
- - Specifies which messaging methods are supported by the partition:
+ - value type: <u8>
+ - Specifies which messaging methods are supported by the partition, set bit
+ means the feature is supported, clear bit - not supported:
+
+ - Bit[0]: partition can receive direct requests if set
+ - Bit[1]: partition can send direct requests if set
+ - Bit[2]: partition can send and receive indirect messages
- - 0x0: direct messaging method
- - 0x1: indirect messaging method
- - 0x2: both direct and indirect messaging methods
- - 0x3: direct messaging method with managed exit support
- - 0x4: both messaging methods with managed exit support
+- managed-exit
+ - value type: <empty>
+ - Specifies if managed exit is supported.
- has-primary-scheduler
- value type: <empty>
diff --git a/docs/components/index.rst b/docs/components/index.rst
index 2409f96..754526d 100644
--- a/docs/components/index.rst
+++ b/docs/components/index.rst
@@ -7,12 +7,14 @@ Components
:numbered:
spd/index
+ activity-monitors
arm-sip-service
debugfs-design
exception-handling
fconf/index
firmware-update
measured_boot/index
+ mpmm
platform-interrupt-controller-API
ras
romlib-design
@@ -22,3 +24,4 @@ Components
ffa-manifest-binding
xlat-tables-lib-v2-design
cot-binding
+ realm-management-extension
diff --git a/docs/components/measured_boot/event_log.rst b/docs/components/measured_boot/event_log.rst
index 5347dcc..0881248 100644
--- a/docs/components/measured_boot/event_log.rst
+++ b/docs/components/measured_boot/event_log.rst
@@ -9,7 +9,7 @@ Dynamic configuration for Event Log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Measured Boot driver expects a *tpm_event_log* node with the following field
-in 'nt_fw_config' and 'tsp_fw_config' DTS files:
+in 'tb_fw_config', 'nt_fw_config' and 'tsp_fw_config' DTS files:
- compatible [mandatory]
- value type: <string>
diff --git a/docs/components/mpmm.rst b/docs/components/mpmm.rst
new file mode 100644
index 0000000..1b1c6d8
--- /dev/null
+++ b/docs/components/mpmm.rst
@@ -0,0 +1,30 @@
+Maximum Power Mitigation Mechanism (MPMM)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+|MPMM| is an optional microarchitectural power management mechanism supported by
+some Arm Armv9-A cores, beginning with the Cortex-X2, Cortex-A710 and
+Cortex-A510 cores. This mechanism detects and limits high-activity events to
+assist in |SoC| processor power domain dynamic power budgeting and limit the
+triggering of whole-rail (i.e. clock chopping) responses to overcurrent
+conditions.
+
+|MPMM| is enabled on a per-core basis by the EL3 runtime firmware. The presence
+of |MPMM| cannot be determined at runtime by the firmware, and therefore the
+platform must expose this information through one of two possible mechanisms:
+
+- |FCONF|, controlled by the ``ENABLE_MPMM_FCONF`` build option.
+- A platform implementation of the ``plat_mpmm_topology`` function (the
+ default).
+
+See :ref:`Maximum Power Mitigation Mechanism (MPMM) Bindings` for documentation
+on the |FCONF| device tree bindings.
+
+.. warning::
+
+ |MPMM| exposes gear metrics through the auxiliary |AMU| counters. An
+ external power controller can use these metrics to budget SoC power by
+ limiting the number of cores that can execute higher-activity workloads or
+ switching to a different DVFS operating point. When this is the case, the
+ |AMU| counters that make up the |MPMM| gears must be enabled by the EL3
+ runtime firmware - please see :ref:`Activity Monitor Auxiliary Counters` for
+ documentation on enabling auxiliary |AMU| counters.
diff --git a/docs/components/realm-management-extension.rst b/docs/components/realm-management-extension.rst
new file mode 100644
index 0000000..5c580f3
--- /dev/null
+++ b/docs/components/realm-management-extension.rst
@@ -0,0 +1,194 @@
+
+Realm Management Extension (RME)
+====================================
+
+FEAT_RME (or RME for short) is an Armv9-A extension and is one component of the
+`Arm Confidential Compute Architecture (Arm CCA)`_. TF-A supports RME starting
+from version 2.6. This document provides instructions on how to build and run
+TF-A with RME.
+
+Building and running TF-A with RME
+------------------------------------
+
+This section describes how you can build and run TF-A with RME enabled.
+We assume you have all the :ref:`Prerequisites` to build TF-A.
+
+To enable RME, you need to set the ENABLE_RME build flag when building
+TF-A. Currently, this feature is only supported for the FVP platform.
+
+The following instructions show you how to build and run TF-A with RME
+for two scenarios: TF-A with TF-A Tests, and four-world execution with
+Hafnium and TF-A Tests. The instructions assume you have already obtained
+TF-A. You can use the following command to clone TF-A.
+
+.. code:: shell
+
+ git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git
+
+To run the tests, you need an FVP model. You can download a model that supports
+RME from the `Arm Architecture Models website`_. Please select the
+*Base RevC AEM FVP* model. After extracting the downloaded file, you should be able to
+find the *FVP_Base_RevC-2xAEMvA* binary. The instructions below have been tested
+with model version 11.15 revision 18.
+
+.. note::
+
+ ENABLE_RME build option is currently experimental.
+
+Building TF-A with TF-A Tests
+********************************************
+Use the following instructions to build TF-A with `TF-A Tests`_ as the
+non-secure payload (BL33).
+
+**1. Obtain and build TF-A Tests**
+
+.. code:: shell
+
+ git clone https://git.trustedfirmware.org/TF-A/tf-a-tests.git
+ cd tf-a-tests
+ make CROSS_COMPILE=aarch64-none-elf- PLAT=fvp DEBUG=1
+
+This produces a TF-A Tests binary (*tftf.bin*) in the *build/fvp/debug* directory.
+
+**2. Build TF-A**
+
+.. code:: shell
+
+ cd trusted-firmware-a
+ make CROSS_COMPILE=aarch64-none-elf- \
+ PLAT=fvp \
+ ENABLE_RME=1 \
+ FVP_HW_CONFIG_DTS=fdts/fvp-base-gicv3-psci-1t.dts \
+ DEBUG=1 \
+ BL33=<path/to/tftf.bin> \
+ all fip
+
+This produces *bl1.bin* and *fip.bin* binaries in the *build/fvp/debug* directory.
+The above command also builds a Test Realm Payload (TRP), which is a small test
+payload that implements Realm Monitor Management (RMM) functionalities and runs
+in the realm world (R-EL2). The TRP binary is packaged in *fip.bin*.
+
+Four-world execution with Hafnium and TF-A Tests
+****************************************************
+Four-world execution involves software components at each security state: root,
+secure, realm and non-secure. This section describes how to build TF-A
+with four-world support. We use TF-A as the root firmware, `Hafnium`_ as the
+secure component, TRP as the realm-world firmware and TF-A Tests as the
+non-secure payload.
+
+Before building TF-A, you first need to build the other software components.
+You can find instructions on how to get and build TF-A Tests above.
+
+**1. Obtain and build Hafnium**
+
+.. code:: shell
+
+ git clone --recurse-submodules https://git.trustedfirmware.org/hafnium/hafnium.git
+ cd hafnium
+ make PROJECT=reference
+
+The Hafnium binary should be located at
+*out/reference/secure_aem_v8a_fvp_clang/hafnium.bin*
+
+**2. Build TF-A**
+
+Build TF-A with RME as well as SPM enabled.
+
+.. code:: shell
+
+ make CROSS_COMPILE=aarch64-none-elf- \
+ PLAT=fvp \
+ ENABLE_RME=1 \
+ FVP_HW_CONFIG_DTS=fdts/fvp-base-gicv3-psci-1t.dts \
+ SPD=spmd \
+ SPMD_SPM_AT_SEL2=1 \
+ BRANCH_PROTECTION=1 \
+ CTX_INCLUDE_PAUTH_REGS=1 \
+ DEBUG=1 \
+ SP_LAYOUT_FILE=<path/to/tf-a-tests>/build/fvp/debug/sp_layout.json> \
+ BL32=<path/to/hafnium.bin> \
+ BL33=<path/to/tftf.bin> \
+ all fip
+
+Running the tests
+*********************
+Use the following command to run the tests on FVP. TF-A Tests should boot
+and run the default tests including RME tests.
+
+.. code:: shell
+
+ FVP_Base_RevC-2xAEMvA \
+ -C bp.flashloader0.fname=<path/to/fip.bin> \
+ -C bp.secureflashloader.fname=<path/to/bl1.bin> \
+ -C bp.refcounter.non_arch_start_at_default=1 \
+ -C bp.refcounter.use_real_time=0 \
+ -C bp.ve_sysregs.exit_on_shutdown=1 \
+ -C cache_state_modelled=1 \
+ -C cluster0.NUM_CORES=4 \
+ -C cluster0.PA_SIZE=48 \
+ -C cluster0.ecv_support_level=2 \
+ -C cluster0.gicv3.cpuintf-mmap-access-level=2 \
+ -C cluster0.gicv3.without-DS-support=1 \
+ -C cluster0.gicv4.mask-virtual-interrupt=1 \
+ -C cluster0.has_arm_v8-6=1 \
+ -C cluster0.has_branch_target_exception=1 \
+ -C cluster0.has_rme=1 \
+ -C cluster0.has_rndr=1 \
+ -C cluster0.has_amu=1 \
+ -C cluster0.has_v8_7_pmu_extension=2 \
+ -C cluster0.max_32bit_el=-1 \
+ -C cluster0.restriction_on_speculative_execution=2 \
+ -C cluster0.restriction_on_speculative_execution_aarch32=2 \
+ -C cluster1.NUM_CORES=4 \
+ -C cluster1.PA_SIZE=48 \
+ -C cluster1.ecv_support_level=2 \
+ -C cluster1.gicv3.cpuintf-mmap-access-level=2 \
+ -C cluster1.gicv3.without-DS-support=1 \
+ -C cluster1.gicv4.mask-virtual-interrupt=1 \
+ -C cluster1.has_arm_v8-6=1 \
+ -C cluster1.has_branch_target_exception=1 \
+ -C cluster1.has_rme=1 \
+ -C cluster1.has_rndr=1 \
+ -C cluster1.has_amu=1 \
+ -C cluster1.has_v8_7_pmu_extension=2 \
+ -C cluster1.max_32bit_el=-1 \
+ -C cluster1.restriction_on_speculative_execution=2 \
+ -C cluster1.restriction_on_speculative_execution_aarch32=2 \
+ -C pci.pci_smmuv3.mmu.SMMU_AIDR=2 \
+ -C pci.pci_smmuv3.mmu.SMMU_IDR0=0x0046123B \
+ -C pci.pci_smmuv3.mmu.SMMU_IDR1=0x00600002 \
+ -C pci.pci_smmuv3.mmu.SMMU_IDR3=0x1714 \
+ -C pci.pci_smmuv3.mmu.SMMU_IDR5=0xFFFF0475 \
+ -C pci.pci_smmuv3.mmu.SMMU_S_IDR1=0xA0000002 \
+ -C pci.pci_smmuv3.mmu.SMMU_S_IDR2=0 \
+ -C pci.pci_smmuv3.mmu.SMMU_S_IDR3=0 \
+ -C bp.pl011_uart0.out_file=uart0.log \
+ -C bp.pl011_uart1.out_file=uart1.log \
+ -C bp.pl011_uart2.out_file=uart2.log \
+ -C pctl.startup=0.0.0.0 \
+ -Q 1000 \
+ "$@"
+
+The bottom of the output from *uart0* should look something like the following.
+
+.. code-block:: shell
+
+ ...
+
+ > Test suite 'FF-A Interrupt'
+ Passed
+ > Test suite 'SMMUv3 tests'
+ Passed
+ > Test suite 'PMU Leakage'
+ Passed
+ > Test suite 'DebugFS'
+ Passed
+ > Test suite 'Realm payload tests'
+ Passed
+ ...
+
+
+.. _Arm Confidential Compute Architecture (Arm CCA): https://www.arm.com/why-arm/architecture/security-features/arm-confidential-compute-architecture
+.. _Arm Architecture Models website: https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
+.. _TF-A Tests: https://trustedfirmware-a-tests.readthedocs.io/en/latest
+.. _Hafnium: https://www.trustedfirmware.org/projects/hafnium
diff --git a/docs/components/secure-partition-manager.rst b/docs/components/secure-partition-manager.rst
index a5e7e8e..0572261 100644
--- a/docs/components/secure-partition-manager.rst
+++ b/docs/components/secure-partition-manager.rst
@@ -6,59 +6,59 @@ Secure Partition Manager
Acronyms
========
-+--------+-----------------------------------+
-| CoT | Chain of Trust |
-+--------+-----------------------------------+
-| DMA | Direct Memory Access |
-+--------+-----------------------------------+
-| DTB | Device Tree Blob |
-+--------+-----------------------------------+
-| DTS | Device Tree Source |
-+--------+-----------------------------------+
-| EC | Execution Context |
-+--------+-----------------------------------+
-| FIP | Firmware Image Package |
-+--------+-----------------------------------+
-| FF-A | Firmware Framework for Armv8-A |
-+--------+-----------------------------------+
-| IPA | Intermediate Physical Address |
-+--------+-----------------------------------+
-| NWd | Normal World |
-+--------+-----------------------------------+
-| ODM | Original Design Manufacturer |
-+--------+-----------------------------------+
-| OEM | Original Equipment Manufacturer |
-+--------+-----------------------------------+
-| PA | Physical Address |
-+--------+-----------------------------------+
-| PE | Processing Element |
-+--------+-----------------------------------+
-| PM | Power Management |
-+--------+-----------------------------------+
-| PVM | Primary VM |
-+--------+-----------------------------------+
-| SMMU | System Memory Management Unit |
-+--------+-----------------------------------+
-| SP | Secure Partition |
-+--------+-----------------------------------+
-| SPD | Secure Payload Dispatcher |
-+--------+-----------------------------------+
-| SPM | Secure Partition Manager |
-+--------+-----------------------------------+
-| SPMC | SPM Core |
-+--------+-----------------------------------+
-| SPMD | SPM Dispatcher |
-+--------+-----------------------------------+
-| SiP | Silicon Provider |
-+--------+-----------------------------------+
-| SWd | Secure World |
-+--------+-----------------------------------+
-| TLV | Tag-Length-Value |
-+--------+-----------------------------------+
-| TOS | Trusted Operating System |
-+--------+-----------------------------------+
-| VM | Virtual Machine |
-+--------+-----------------------------------+
++--------+--------------------------------------+
+| CoT | Chain of Trust |
++--------+--------------------------------------+
+| DMA | Direct Memory Access |
++--------+--------------------------------------+
+| DTB | Device Tree Blob |
++--------+--------------------------------------+
+| DTS | Device Tree Source |
++--------+--------------------------------------+
+| EC | Execution Context |
++--------+--------------------------------------+
+| FIP | Firmware Image Package |
++--------+--------------------------------------+
+| FF-A | Firmware Framework for Arm A-profile |
++--------+--------------------------------------+
+| IPA | Intermediate Physical Address |
++--------+--------------------------------------+
+| NWd | Normal World |
++--------+--------------------------------------+
+| ODM | Original Design Manufacturer |
++--------+--------------------------------------+
+| OEM | Original Equipment Manufacturer |
++--------+--------------------------------------+
+| PA | Physical Address |
++--------+--------------------------------------+
+| PE | Processing Element |
++--------+--------------------------------------+
+| PM | Power Management |
++--------+--------------------------------------+
+| PVM | Primary VM |
++--------+--------------------------------------+
+| SMMU | System Memory Management Unit |
++--------+--------------------------------------+
+| SP | Secure Partition |
++--------+--------------------------------------+
+| SPD | Secure Payload Dispatcher |
++--------+--------------------------------------+
+| SPM | Secure Partition Manager |
++--------+--------------------------------------+
+| SPMC | SPM Core |
++--------+--------------------------------------+
+| SPMD | SPM Dispatcher |
++--------+--------------------------------------+
+| SiP | Silicon Provider |
++--------+--------------------------------------+
+| SWd | Secure World |
++--------+--------------------------------------+
+| TLV | Tag-Length-Value |
++--------+--------------------------------------+
+| TOS | Trusted Operating System |
++--------+--------------------------------------+
+| VM | Virtual Machine |
++--------+--------------------------------------+
Foreword
========
@@ -414,13 +414,17 @@ SPMC boot
The SPMC is loaded by BL2 as the BL32 image.
-The SPMC manifest is loaded by BL2 as the ``TOS_FW_CONFIG`` image.
+The SPMC manifest is loaded by BL2 as the ``TOS_FW_CONFIG`` image `[9]`_.
BL2 passes the SPMC manifest address to BL31 through a register.
At boot time, the SPMD in BL31 runs from the primary core, initializes the core
-contexts and launches the SPMC (BL32) passing the SPMC manifest address through
-a register.
+contexts and launches the SPMC (BL32) passing the following information through
+registers:
+
+- X0 holds the ``TOS_FW_CONFIG`` physical address (or SPMC manifest blob).
+- X1 holds the ``HW_CONFIG`` physical address.
+- X4 holds the currently running core linear id.
Loading of SPs
~~~~~~~~~~~~~~
@@ -772,11 +776,155 @@ by the SPMC:
.. image:: ../resources/diagrams/ffa-ns-interrupt-handling-sp-preemption.png
Secure interrupt handling
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
+
+This section documents the support implemented for secure interrupt handling in
+SPMC as per the guidance provided by FF-A v1.1 Beta0 specification.
+The following assumptions are made about the system configuration:
+
+ - In the current implementation, S-EL1 SPs are expected to use the para
+ virtualized ABIs for interrupt management rather than accessing virtual GIC
+ interface.
+ - Unless explicitly stated otherwise, this support is applicable only for
+ S-EL1 SPs managed by SPMC.
+ - Secure interrupts are configured as G1S or G0 interrupts.
+ - All physical interrupts are routed to SPMC when running a secure partition
+ execution context.
+
+A physical secure interrupt could preempt normal world execution. Moreover, when
+the execution is in secure world, it is highly likely that the target of a
+secure interrupt is not the currently running execution context of an SP. It
+could be targeted to another FF-A component. Consequently, secure interrupt
+management depends on the state of the target execution context of the SP that
+is responsible for handling the interrupt. Hence, the spec provides guidance on
+how to signal start and completion of secure interrupt handling as discussed in
+further sections.
+
+Secure interrupt signaling mechanisms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signaling refers to the mechanisms used by SPMC to indicate to the SP execution
+context that it has a pending virtual interrupt and to further run the SP
+execution context, such that it can handle the virtual interrupt. SPMC uses
+either the FFA_INTERRUPT interface with ERET conduit or vIRQ signal for signaling
+to S-EL1 SPs. When normal world execution is preempted by a secure interrupt,
+the SPMD uses the FFA_INTERRUPT ABI with ERET conduit to signal interrupt to SPMC
+running in S-EL2.
+
++-----------+---------+---------------+---------------------------------------+
+| SP State | Conduit | Interface and | Description |
+| | | parameters | |
++-----------+---------+---------------+---------------------------------------+
+| WAITING | ERET, | FFA_INTERRUPT,| SPMC signals to SP the ID of pending |
+| | vIRQ | Interrupt ID | interrupt. It pends vIRQ signal and |
+| | | | resumes execution context of SP |
+| | | | through ERET. |
++-----------+---------+---------------+---------------------------------------+
+| BLOCKED | ERET, | FFA_INTERRUPT | SPMC signals to SP that an interrupt |
+| | vIRQ | | is pending. It pends vIRQ signal and |
+| | | | resumes execution context of SP |
+| | | | through ERET. |
++-----------+---------+---------------+---------------------------------------+
+| PREEMPTED | vIRQ | NA | SPMC pends the vIRQ signal but does |
+| | | | not resume execution context of SP. |
++-----------+---------+---------------+---------------------------------------+
+| RUNNING | ERET, | NA | SPMC pends the vIRQ signal and resumes|
+| | vIRQ | | execution context of SP through ERET. |
++-----------+---------+---------------+---------------------------------------+
+
+Secure interrupt completion mechanisms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A SP signals secure interrupt handling completion to the SPMC through the
+following mechanisms:
+
+ - ``FFA_MSG_WAIT`` ABI if it was in WAITING state.
+ - ``FFA_RUN`` ABI if its was in BLOCKED state.
+
+In the current implementation, S-EL1 SPs use para-virtualized HVC interface
+implemented by SPMC to perform priority drop and interrupt deactivation (we
+assume EOImode = 0, i.e. priority drop and deactivation are done together).
+
+If normal world execution was preempted by secure interrupt, SPMC uses
+FFA_NORMAL_WORLD_RESUME ABI to indicate completion of secure interrupt handling
+and further return execution to normal world. If the current SP execution
+context was preempted by a secure interrupt to be handled by execution context
+of target SP, SPMC resumes current SP after signal completion by target SP
+execution context.
+
+An action is broadly a set of steps taken by the SPMC in response to a physical
+interrupt. In order to simplify the design, the current version of secure
+interrupt management support in SPMC (Hafnium) does not fully implement the
+Scheduling models and Partition runtime models. However, the current
+implementation loosely maps to the following actions that are legally allowed
+by the specification. Please refer to the Table 8.4 in the spec for further
+description of actions. The action specified for a type of interrupt when the
+SP is in the message processing running state cannot be less permissive than the
+action specified for the same type of interrupt when the SP is in the interrupt
+handling running state.
+
++--------------------+--------------------+------------+-------------+
+| Runtime Model | NS-Int | Self S-Int | Other S-Int |
++--------------------+--------------------+------------+-------------+
+| Message Processing | Signalable with ME | Signalable | Signalable |
++--------------------+--------------------+------------+-------------+
+| Interrupt Handling | Queued | Queued | Queued |
++--------------------+--------------------+------------+-------------+
+
+Abbreviations:
+
+ - NS-Int: A Non-secure physical interrupt. It requires a switch to the Normal
+ world to be handled.
+ - Other S-Int: A secure physical interrupt targeted to an SP different from
+ the one that is currently running.
+ - Self S-Int: A secure physical interrupt targeted to the SP that is currently
+ running.
+
+The following figure describes interrupt handling flow when secure interrupt
+triggers while in normal world:
+
+.. image:: ../resources/diagrams/ffa-secure-interrupt-handling-nwd.png
+
+A brief description of the events:
+
+ - 1) Secure interrupt triggers while normal world is running.
+ - 2) FIQ gets trapped to EL3.
+ - 3) SPMD signals secure interrupt to SPMC at S-EL2 using FFA_INTERRUPT ABI.
+ - 4) SPMC identifies target vCPU of SP and injects virtual interrupt (pends
+ vIRQ).
+ - 5) Since SP1 vCPU is in WAITING state, SPMC signals using FFA_INTERRUPT with
+ interrupt id as argument and resume it using ERET.
+ - 6) Execution traps to vIRQ handler in SP1 provided that interrupt is not
+ masked i.e., PSTATE.I = 0
+ - 7) SP1 services the interrupt and invokes the de-activation HVC call.
+ - 8) SPMC does internal state management and further de-activates the physical
+ interrupt and resumes SP vCPU.
+ - 9) SP performs secure interrupt completion through FFA_MSG_WAIT ABI.
+ - 10) SPMC returns control to EL3 using FFA_NORMAL_WORLD_RESUME.
+ - 11) EL3 resumes normal world execution.
+
+The following figure describes interrupt handling flow when secure interrupt
+triggers while in secure world:
+
+.. image:: ../resources/diagrams/ffa-secure-interrupt-handling-swd.png
+
+A brief description of the events:
+
+ - 1) Secure interrupt triggers while SP2 is running and SP1 is blocked.
+ - 2) Gets trapped to SPMC as IRQ.
+ - 3) SPMC finds the target vCPU of secure partition responsible for handling
+ this secure interrupt. In this scenario, it is SP1.
+ - 4) SPMC pends vIRQ for SP1 and signals through FFA_INTERRUPT interface.
+ SPMC further resumes SP1 through ERET conduit.
+ - 5) Execution traps to vIRQ handler in SP1 provided that interrupt is not
+ masked i.e., PSTATE.I = 0
+ - 6) SP1 services the secure interrupt and invokes the de-activation HVC call.
+ - 7) SPMC does internal state management, de-activates the physical interrupt
+ and resumes SP1 vCPU.
+ - 8) Assuming SP1 is in BLOCKED state, SP1 performs secure interrupt completion
+ through FFA_RUN ABI.
+ - 9) SPMC resumes the pre-empted vCPU of SP2.
-The current implementation does not support handling of secure interrupts
-trapped by the SPMC at S-EL2. This is work in progress planned for future
-releases.
Power management
----------------
@@ -920,7 +1068,7 @@ References
.. _[1]:
-[1] `Arm Firmware Framework for Armv8-A <https://developer.arm.com/docs/den0077/latest>`__
+[1] `Arm Firmware Framework for Arm A-profile <https://developer.arm.com/docs/den0077/latest>`__
.. _[2]:
@@ -951,6 +1099,10 @@ Client <https://developer.arm.com/documentation/den0006/d/>`__
[8] https://lists.trustedfirmware.org/pipermail/tf-a/2020-February/000296.html
+.. _[9]:
+
+[9] https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#dynamic-configuration-during-cold-boot
+
--------------
*Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.*
diff --git a/docs/components/xlat-tables-lib-v2-design.rst b/docs/components/xlat-tables-lib-v2-design.rst
index af5151f..cac32f5 100644
--- a/docs/components/xlat-tables-lib-v2-design.rst
+++ b/docs/components/xlat-tables-lib-v2-design.rst
@@ -10,7 +10,7 @@ required Translation Lookaside Buffer (TLB) maintenance operations.
More specifically, some use cases that this library aims to support are:
#. Statically allocate translation tables and populate them (at run-time) based
- on a description of the memory layout. The memory layout is typically
+ upon a description of the memory layout. The memory layout is typically
provided by the platform port as a list of memory regions;
#. Support for generating translation tables pertaining to a different
@@ -26,22 +26,28 @@ More specifically, some use cases that this library aims to support are:
#. Support for changing memory attributes of memory regions at run-time.
-About version 1 and version 2
------------------------------
+About version 1, version 2 and MPU libraries
+--------------------------------------------
This document focuses on version 2 of the library, whose sources are available
in the ``lib/xlat_tables_v2`` directory. Version 1 of the library can still be
found in ``lib/xlat_tables`` directory but it is less flexible and doesn't
-support dynamic mapping. Although potential bug fixes will be applied to both
-versions, future features enhancements will focus on version 2 and might not be
-back-ported to version 1. Therefore, it is recommended to use version 2,
-especially for new platform ports.
-
-However, please note that version 2 is still in active development and is not
-considered stable yet. Hence, compatibility breaks might be introduced.
+support dynamic mapping. ``lib/xlat_mpu``, which configures Arm's MPU
+equivalently, is also addressed here. The ``lib/xlat_mpu`` is experimental,
+meaning that its API may change. It currently strives for consistency and
+code-reuse with xlat_tables_v2. Future versions may be more MPU-specific (e.g.,
+removing all mentions of virtual addresses). Although potential bug fixes will
+be applied to all versions of the xlat_* libs, future feature enhancements will
+focus on version 2 and might not be back-ported to version 1 and MPU versions.
+Therefore, it is recommended to use version 2, especially for new platform
+ports (unless the platform uses an MPU).
+
+However, please note that version 2 and the MPU version are still in active
+development and is not considered stable yet. Hence, compatibility breaks might
+be introduced.
From this point onwards, this document will implicitly refer to version 2 of the
-library.
+library, unless stated otherwise.
Design concepts and interfaces
@@ -102,6 +108,16 @@ The region's granularity is an optional field; if it is not specified the
library will choose the mapping granularity for this region as it sees fit (more
details can be found in `The memory mapping algorithm`_ section below).
+The MPU library also uses ``struct mmap_region`` to specify translations, but
+the MPU's translations are limited to specification of valid addresses and
+access permissions. If the requested virtual and physical addresses mismatch
+the system will panic. Being register-based for deterministic memory-reference
+timing, the MPU hardware does not involve memory-resident translation tables.
+
+Currently, the MPU library is also limited to MPU translation at EL2 with no
+MMU translation at other ELs. These limitations, however, are expected to be
+overcome in future library versions.
+
Translation Context
~~~~~~~~~~~~~~~~~~~
@@ -215,7 +231,8 @@ future.
The ``MAP_REGION()`` and ``MAP_REGION_FLAT()`` macros do not allow specifying a
mapping granularity, which leaves the library implementation free to choose
it. However, in cases where a specific granularity is required, the
-``MAP_REGION2()`` macro might be used instead.
+``MAP_REGION2()`` macro might be used instead. Using ``MAP_REGION_FLAT()`` only
+to define regions for the MPU library is strongly recommended.
As explained earlier in this document, when the dynamic mapping feature is
disabled, there is no notion of dynamic regions. Conceptually, there are only
@@ -374,6 +391,9 @@ entries in the translation tables are checked to ensure consistency. Please
refer to the comments in the source code of the core module for more details
about the sorting algorithm in use.
+This mapping algorithm does not apply to the MPU library, since the MPU hardware
+directly maps regions by "base" and "limit" (bottom and top) addresses.
+
TLB maintenance operations
~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -390,6 +410,11 @@ address translation at reset [#tlb-reset-ref]_. Therefore, the TLBs invalidation
is deferred to the ``enable_mmu*()`` family of functions, just before the MMU is
turned on.
+Regarding enabling and disabling memory management, for the MPU library, to
+reduce confusion, calls to enable or disable the MPU use ``mpu`` in their names
+in place of ``mmu``. For example, the ``enable_mmu_el2()`` call is changed to
+``enable_mpu_el2()``.
+
TLB invalidation is not required when adding dynamic regions either. Dynamic
regions are not allowed to overlap existing memory region. Therefore, if the
dynamic mapping request is deemed legitimate, it automatically concerns memory
@@ -412,6 +437,6 @@ mapping cannot be cached in the TLBs.
--------------
-*Copyright (c) 2017-2019, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2017-2021, Arm Limited and Contributors. All rights reserved.*
.. |Alignment Example| image:: ../resources/diagrams/xlat_align.png
diff --git a/docs/design/cpu-specific-build-macros.rst b/docs/design/cpu-specific-build-macros.rst
index 58b0572..9d0dd5e 100644
--- a/docs/design/cpu-specific-build-macros.rst
+++ b/docs/design/cpu-specific-build-macros.rst
@@ -263,6 +263,9 @@ For Cortex-A77, the following errata build flags are defined :
- ``ERRATA_A77_1946167``: This applies errata 1946167 workaround to Cortex-A77
CPU. This needs to be enabled only for revision <= r1p1 of the CPU.
+- ``ERRATA_A77_1791578``: This applies errata 1791578 workaround to Cortex-A77
+ CPU. This needs to be enabled for r0p0, r1p0, and r1p1, it is still open.
+
For Cortex-A78, the following errata build flags are defined :
- ``ERRATA_A78_1688305``: This applies errata 1688305 workaround to Cortex-A78
@@ -275,6 +278,30 @@ For Cortex-A78, the following errata build flags are defined :
CPU. This needs to be enabled for revisions r1p0 and r1p1, r0p0 has the same
issue but there is no workaround for that revision.
+- ``ERRATA_A78_1821534``: This applies errata 1821534 workaround to Cortex-A78
+ CPU. This needs to be enabled for revisions r0p0 and r1p0.
+
+- ``ERRATA_A78_1952683``: This applies errata 1952683 workaround to Cortex-A78
+ CPU. This needs to be enabled for revision r0p0, it is fixed in r1p0.
+
+- ``ERRATA_A78_2132060``: This applies errata 2132060 workaround to Cortex-A78
+ CPU. This needs to be enabled for revisions r0p0, r1p0, r1p1, and r1p2. It
+ is still open.
+
+- ``ERRATA_A78_2242635``: This applies errata 2242635 workaround to Cortex-A78
+ CPU. This needs to be enabled for revisions r1p0, r1p1, and r1p2. The issue
+ is present in r0p0 but there is no workaround. It is still open.
+
+For Cortex-A78 AE, the following errata build flags are defined :
+
+- ``ERRATA_A78_AE_1941500`` : This applies errata 1941500 workaround to Cortex-A78
+ AE CPU. This needs to be enabled for revisions r0p0 and r0p1. This erratum is
+ still open.
+
+- ``ERRATA_A78_AE_1951502`` : This applies errata 1951502 workaround to Cortex-A78
+ AE CPU. This needs to be enabled for revisions r0p0 and r0p1. This erratum is
+ still open.
+
For Neoverse N1, the following errata build flags are defined :
- ``ERRATA_N1_1073348``: This applies errata 1073348 workaround to Neoverse-N1
@@ -317,6 +344,103 @@ For Neoverse N1, the following errata build flags are defined :
CPU. This needs to be enabled for revisions r3p0, r3p1, r4p0, and r4p1, for
revisions r0p0, r1p0, and r2p0 there is no workaround.
+For Neoverse V1, the following errata build flags are defined :
+
+- ``ERRATA_V1_1774420``: This applies errata 1774420 workaround to Neoverse-V1
+ CPU. This needs to be enabled only for revisions r0p0 and r1p0, it is fixed
+ in r1p1.
+
+- ``ERRATA_V1_1791573``: This applies errata 1791573 workaround to Neoverse-V1
+ CPU. This needs to be enabled only for revisions r0p0 and r1p0, it is fixed
+ in r1p1.
+
+- ``ERRATA_V1_1852267``: This applies errata 1852267 workaround to Neoverse-V1
+ CPU. This needs to be enabled only for revisions r0p0 and r1p0, it is fixed
+ in r1p1.
+
+- ``ERRATA_V1_1925756``: This applies errata 1925756 workaround to Neoverse-V1
+ CPU. This needs to be enabled for r0p0, r1p0, and r1p1, it is still open.
+
+- ``ERRATA_V1_1940577``: This applies errata 1940577 workaround to Neoverse-V1
+ CPU. This needs to be enabled only for revision r1p0 and r1p1 of the
+ CPU.
+
+- ``ERRATA_V1_1966096``: This applies errata 1966096 workaround to Neoverse-V1
+ CPU. This needs to be enabled for revisions r1p0 and r1p1 of the CPU, the
+ issue is present in r0p0 as well but there is no workaround for that
+ revision. It is still open.
+
+- ``ERRATA_V1_2139242``: This applies errata 2139242 workaround to Neoverse-V1
+ CPU. This needs to be enabled for revisions r0p0, r1p0, and r1p1 of the
+ CPU. It is still open.
+
+- ``ERRATA_V1_2108267``: This applies errata 2108267 workaround to Neoverse-V1
+ CPU. This needs to be enabled for revisions r0p0, r1p0, and r1p1 of the CPU.
+ It is still open.
+
+- ``ERRATA_V1_2216392``: This applies errata 2216392 workaround to Neoverse-V1
+ CPU. This needs to be enabled for revisions r1p0 and r1p1 of the CPU, the
+ issue is present in r0p0 as well but there is no workaround for that
+ revision. It is still open.
+
+For Cortex-A710, the following errata build flags are defined :
+
+- ``ERRATA_A710_1987031``: This applies errata 1987031 workaround to
+ Cortex-A710 CPU. This needs to be enabled only for revisions r0p0, r1p0 and
+ r2p0 of the CPU. It is still open.
+
+- ``ERRATA_A710_2081180``: This applies errata 2081180 workaround to
+ Cortex-A710 CPU. This needs to be enabled only for revisions r0p0, r1p0 and
+ r2p0 of the CPU. It is still open.
+
+- ``ERRATA_A710_2055002``: This applies errata 2055002 workaround to
+ Cortex-A710 CPU. This needs to be enabled for revisions r1p0, r2p0 of the CPU
+ and is still open.
+
+- ``ERRATA_A710_2017096``: This applies errata 2017096 workaround to
+ Cortex-A710 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
+ of the CPU and is still open.
+
+- ``ERRATA_A710_2083908``: This applies errata 2083908 workaround to
+ Cortex-A710 CPU. This needs to be enabled for revision r2p0 of the CPU and
+ is still open.
+
+- ``ERRATA_A710_2058056``: This applies errata 2058056 workaround to
+ Cortex-A710 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
+ of the CPU and is still open.
+
+For Neoverse N2, the following errata build flags are defined :
+
+- ``ERRATA_N2_2002655``: This applies errata 2002655 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU, it is still open.
+
+- ``ERRATA_N2_2067956``: This applies errata 2067956 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2025414``: This applies errata 2025414 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2189731``: This applies errata 2189731 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2138956``: This applies errata 2138956 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2138953``: This applies errata 2138953 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2242415``: This applies errata 2242415 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2138958``: This applies errata 2138958 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2242400``: This applies errata 2242400 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
+- ``ERRATA_N2_2280757``: This applies errata 2280757 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+
DSU Errata Workarounds
----------------------
diff --git a/docs/design/firmware-design.rst b/docs/design/firmware-design.rst
index c12e73f..ef500ff 100644
--- a/docs/design/firmware-design.rst
+++ b/docs/design/firmware-design.rst
@@ -2616,8 +2616,6 @@ Armv8.3-A
``CTX_INCLUDE_PAUTH_REGS`` to 1. This enables pointer authentication in BL1,
BL2, BL31, and the TSP if it is used.
- These options are experimental features.
-
Note that Pointer Authentication is enabled for Non-secure world irrespective
of the value of these build flags if the CPU supports it.
@@ -2629,8 +2627,7 @@ Armv8.5-A
~~~~~~~~~
- Branch Target Identification feature is selected by ``BRANCH_PROTECTION``
- option set to 1. This option defaults to 0 and this is an experimental
- feature.
+ option set to 1. This option defaults to 0.
- Memory Tagging Extension feature is unconditionally enabled for both worlds
(at EL0 and S-EL0) if it is only supported at EL0. If instead it is
diff --git a/docs/design/trusted-board-boot.rst b/docs/design/trusted-board-boot.rst
index 96cf24c..46177d7 100644
--- a/docs/design/trusted-board-boot.rst
+++ b/docs/design/trusted-board-boot.rst
@@ -239,9 +239,6 @@ optionally enabled on platforms to implement the optional requirement:
R060_TBBR_FUNCTION as specified in the `Trusted Board Boot Requirements (TBBR)`_
document.
-Note that due to security considerations and complexity of this feature, it is
-marked as experimental.
-
Firmware Encryption Tool
------------------------
diff --git a/docs/design_documents/index.rst b/docs/design_documents/index.rst
index 187510a..c82d2ee 100644
--- a/docs/design_documents/index.rst
+++ b/docs/design_documents/index.rst
@@ -7,6 +7,7 @@ Design Documents
:numbered:
cmake_framework
+ measured_boot_poc
--------------
diff --git a/docs/design_documents/measured_boot_poc.rst b/docs/design_documents/measured_boot_poc.rst
new file mode 100644
index 0000000..3ae539b
--- /dev/null
+++ b/docs/design_documents/measured_boot_poc.rst
@@ -0,0 +1,507 @@
+Interaction between Measured Boot and an fTPM (PoC)
+===================================================
+
+Measured Boot is the process of cryptographically measuring the code and
+critical data used at boot time, for example using a TPM, so that the
+security state can be attested later.
+
+The current implementation of the driver included in Trusted Firmware-A
+(TF-A) stores the measurements into a `TGC event log`_ in secure
+memory. No other means of recording measurements (such as a discrete TPM) is
+supported right now.
+
+The driver also provides mechanisms to pass the Event Log to normal world if
+needed.
+
+This manual provides instructions to build a proof of concept (PoC) with the
+sole intention of showing how Measured Boot can be used in conjunction with
+a firmware TPM (fTPM) service implemented on top of OP-TEE.
+
+.. note::
+ The instructions given in this document are meant to be used to build
+ a PoC to show how Measured Boot on TF-A can interact with a third
+ party (f)TPM service and they try to be as general as possible. Different
+ platforms might have different needs and configurations (e.g. different
+ SHA algorithms) and they might also use different types of TPM services
+ (or even a different type of service to provide the attestation)
+ and therefore the instuctions given here might not apply in such scenarios.
+
+Components
+~~~~~~~~~~
+
+The PoC is built on top of the `OP-TEE Toolkit`_, which has support to build
+TF-A with support for Measured Boot enabled (and run it on a Foundation Model)
+since commit cf56848.
+
+The aforementioned toolkit builds a set of images that contain all the components
+needed to test that the Event Log was properly created. One of these images will
+contain a third party fTPM service which in turn will be used to process the
+Event Log.
+
+The reason to choose OP-TEE Toolkit to build our PoC around it is mostly
+for convenience. As the fTPM service used is an OP-TEE TA, it was easy to add
+build support for it to the toolkit and then build the PoC around it.
+
+The most relevant components installed in the image that are closely related to
+Measured Boot/fTPM functionality are:
+
+ - **OP-TEE**: As stated earlier, the fTPM service used in this PoC is built as an
+ OP-TEE TA and therefore we need to include the OP-TEE OS image.
+ Support to interfacing with Measured Boot was added to version 3.9.0 of
+ OP-TEE by implementing the ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` syscall, which
+ allows the former to pass a copy of the Event Log to any TA requesting it.
+ OP-TEE knows the location of the Event Log by reading the DTB bindings
+ received from TF-A. Visit :ref:`DTB binding for Event Log properties`
+ for more details on this.
+
+ - **fTPM Service**: We use a third party fTPM service in order to validate
+ the Measured Boot functionality. The chosen fTPM service is a sample
+ implementation for Aarch32 architecture included on the `ms-tpm-20-ref`_
+ reference implementation from Microsoft. The service was updated in order
+ to extend the Measured Boot Event Log at boot up and it uses the
+ aforementioned ``PTA_SYSTEM_GET_TPM_EVENT_LOG`` call to retrieve a copy
+ of the former.
+
+ .. note::
+ Arm does not provide an fTPM implementation. The fTPM service used here
+ is a third party one which has been updated to support Measured Boot
+ service as provided by TF-A. As such, it is beyond the scope of this
+ manual to test and verify the correctness of the output generated by the
+ fTPM service.
+
+ - **TPM Kernel module**: In order to interact with the fTPM service, we need
+ a kernel module to forward the request from user space to the secure world.
+
+ - `tpm2-tools`_: This is a set of tools that allow to interact with the
+ fTPM service. We use this in order to read the PCRs with the measurements.
+
+Building the PoC for the Arm FVP platform
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mentioned before, this PoC is based on the OP-TEE Toolkit with some
+extensions to enable Measured Boot and an fTPM service. Therefore, we can rely
+on the instructions to build the original OP-TEE Toolkit. As a general rule,
+the following steps should suffice:
+
+(1) Start by following the `Get and build the solution`_ instructions to build
+ the OP-TEE toolkit. On step 3, you need to get the manifest for FVP
+ platform from the main branch:
+
+ .. code:: shell
+
+ $ repo init -u https://github.com/OP-TEE/manifest.git -m fvp.xml
+
+ Then proceed synching the repos as stated in step 3. Continue following
+ the instructions and stop before step 5.
+
+(2) Next you should obtain the `Armv8-A Foundation Platform (For Linux Hosts Only)`_.
+ The binary should be untar'ed to the root of the repo tree, i.e., like
+ this: ``<fvp-project>/Foundation_Platformpkg``. In the end, after cloning
+ all source code, getting the toolchains and "installing"
+ Foundation_Platformpkg, you should have a folder structure that looks like
+ this:
+
+ .. code:: shell
+
+ $ ls -la
+ total 80
+ drwxrwxr-x 20 tf-a_user tf-a_user 4096 Jul 1 12:16 .
+ drwxr-xr-x 23 tf-a_user tf-a_user 4096 Jul 1 10:40 ..
+ drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 10:45 build
+ drwxrwxr-x 16 tf-a_user tf-a_user 4096 Jul 1 12:16 buildroot
+ drwxrwxr-x 51 tf-a_user tf-a_user 4096 Jul 1 10:45 edk2
+ drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 12:14 edk2-platforms
+ drwxr-xr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:52 Foundation_Platformpkg
+ drwxrwxr-x 17 tf-a_user tf-a_user 4096 Jul 2 10:40 grub
+ drwxrwxr-x 25 tf-a_user tf-a_user 4096 Jul 2 10:39 linux
+ drwxrwxr-x 15 tf-a_user tf-a_user 4096 Jul 1 10:45 mbedtls
+ drwxrwxr-x 6 tf-a_user tf-a_user 4096 Jul 1 10:45 ms-tpm-20-ref
+ drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_client
+ drwxrwxr-x 10 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_examples
+ drwxrwxr-x 12 tf-a_user tf-a_user 4096 Jul 1 12:13 optee_os
+ drwxrwxr-x 8 tf-a_user tf-a_user 4096 Jul 1 10:45 optee_test
+ drwxrwxr-x 7 tf-a_user tf-a_user 4096 Jul 1 10:45 .repo
+ drwxrwxr-x 4 tf-a_user tf-a_user 4096 Jul 1 12:12 toolchains
+ drwxrwxr-x 21 tf-a_user tf-a_user 4096 Jul 1 12:15 trusted-firmware-a
+
+(3) Now enter into ``ms-tpm-20-ref`` and get its dependencies:
+
+ .. code:: shell
+
+ $ cd ms-tpm-20-ref
+ $ git submodule init
+ $ git submodule update
+ Submodule path 'external/wolfssl': checked out '9c87f979a7f1d3a6d786b260653d566c1d31a1c4'
+
+(4) Now, you should be able to continue with step 5 in "`Get and build the solution`_"
+ instructions. In order to enable support for Measured Boot, you need to
+ set the ``MEASURED_BOOT`` build option:
+
+ .. code:: shell
+
+ $ MEASURED_BOOT=y make -j `nproc`
+
+ .. note::
+ The build process will likely take a long time. It is strongly recommended to
+ pass the ``-j`` option to make to run the process faster.
+
+ After this step, you should be ready to run the image.
+
+Running and using the PoC on the Armv8-A Foundation AEM FVP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+With everything built, you can now run the image:
+
+.. code:: shell
+
+ $ make run-only
+
+.. note::
+ Using ``make run`` will build and run the image and it can be used instead
+ of simply ``make``. However, once the image is built, it is recommended to
+ use ``make run-only`` to avoid re-running all the building rules, which
+ would take time.
+
+When FVP is launched, two terminal windows will appear. ``FVP terminal_0``
+is the userspace terminal whereas ``FVP terminal_1`` is the counterpart for
+the secure world (where TAs will print their logs, for instance).
+
+Log into the image shell with user ``root``, no password will be required.
+Then we can issue the ``ftpm`` command, which is an alias that
+
+(1) loads the ftpm kernel module and
+
+(2) calls ``tpm2_pcrread``, which will access the fTPM service to read the
+ PCRs.
+
+When loading the ftpm kernel module, the fTPM TA is loaded into the secure
+world. This TA then requests a copy of the Event Log generated during the
+booting process so it can retrieve all the entries on the log and record them
+first thing.
+
+.. note::
+ For this PoC, nothing loaded after BL33 and NT_FW_CONFIG is recorded
+ in the Event Log.
+
+The secure world terminal should show the debug logs for the fTPM service,
+including all the measurements available in the Event Log as they are being
+processed:
+
+.. code:: shell
+
+ M/TA: Preparing to extend the following TPM Event Log:
+ M/TA: TCG_EfiSpecIDEvent:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 3
+ M/TA: Digest : 00
+ M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ M/TA: : 00 00 00
+ M/TA: EventSize : 33
+ M/TA: Signature : Spec ID Event03
+ M/TA: PlatformClass : 0
+ M/TA: SpecVersion : 2.0.2
+ M/TA: UintnSize : 1
+ M/TA: NumberOfAlgorithms : 1
+ M/TA: DigestSizes :
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: DigestSize : 32
+ M/TA: VendorInfoSize : 0
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 3
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ M/TA: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ M/TA: EventSize : 17
+ M/TA: Signature : StartupLocality
+ M/TA: StartupLocality : 0
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
+ M/TA: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
+ M/TA: EventSize : 5
+ M/TA: Event : BL_2
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
+ M/TA: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
+ M/TA: EventSize : 6
+ M/TA: Event : BL_31
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
+ M/TA: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
+ M/TA: EventSize : 10
+ M/TA: Event : HW_CONFIG
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
+ M/TA: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
+ M/TA: EventSize : 14
+ M/TA: Event : SOC_FW_CONFIG
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
+ M/TA: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
+ M/TA: EventSize : 6
+ M/TA: Event : BL_32
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
+ M/TA: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
+ M/TA: EventSize : 18
+ M/TA: Event : BL32_EXTRA1_IMAGE
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
+ M/TA: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
+ M/TA: EventSize : 6
+ M/TA: Event : BL_33
+ M/TA: PCR_Event2:
+ M/TA: PCRIndex : 0
+ M/TA: EventType : 1
+ M/TA: Digests Count : 1
+ M/TA: #0 AlgorithmId : SHA256
+ M/TA: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
+ M/TA: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
+ M/TA: EventSize : 13
+ M/TA: Event : NT_FW_CONFIG
+
+These logs correspond to the measurements stored by TF-A during the measured
+boot process and therefore, they should match the logs dumped by the former
+during the boot up process. These can be seen on the terminal_0:
+
+.. code:: shell
+
+ NOTICE: Booting Trusted Firmware
+ NOTICE: BL1: v2.5(release):v2.5
+ NOTICE: BL1: Built : 10:41:20, Jul 2 2021
+ NOTICE: BL1: Booting BL2
+ NOTICE: BL2: v2.5(release):v2.5
+ NOTICE: BL2: Built : 10:41:20, Jul 2 2021
+ NOTICE: TCG_EfiSpecIDEvent:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 3
+ NOTICE: Digest : 00
+ NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ NOTICE: : 00 00 00
+ NOTICE: EventSize : 33
+ NOTICE: Signature : Spec ID Event03
+ NOTICE: PlatformClass : 0
+ NOTICE: SpecVersion : 2.0.2
+ NOTICE: UintnSize : 1
+ NOTICE: NumberOfAlgorithms : 1
+ NOTICE: DigestSizes :
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: DigestSize : 32
+ NOTICE: VendorInfoSize : 0
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 3
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ NOTICE: : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ NOTICE: EventSize : 17
+ NOTICE: Signature : StartupLocality
+ NOTICE: StartupLocality : 0
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 58 26 32 6e 64 45 64 da 45 de 35 db 96 fd ed 63
+ NOTICE: : 2a 6a d4 0d aa 94 b0 b1 55 e4 72 e7 1f 0a e0 d5
+ NOTICE: EventSize : 5
+ NOTICE: Event : BL_2
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : cf f9 7d a3 5c 73 ac cb 7b a0 25 80 6a 6e 50 a5
+ NOTICE: : 6b 2e d2 8c c9 36 92 7d 46 c5 b9 c3 a4 6c 51 7c
+ NOTICE: EventSize : 6
+ NOTICE: Event : BL_31
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 23 b0 a3 5d 54 d9 43 1a 5c b9 89 63 1c da 06 c2
+ NOTICE: : e5 de e7 7e 99 17 52 12 7d f7 45 ca 4f 4a 39 c0
+ NOTICE: EventSize : 10
+ NOTICE: Event : HW_CONFIG
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 4e e4 8e 5a e6 50 ed e0 b5 a3 54 8a 1f d6 0e 8a
+ NOTICE: : ea 0e 71 75 0e a4 3f 82 76 ce af cd 7c b0 91 e0
+ NOTICE: EventSize : 14
+ NOTICE: Event : SOC_FW_CONFIG
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 01 b0 80 47 a1 ce 86 cd df 89 d2 1f 2e fc 6c 22
+ NOTICE: : f8 19 ec 6e 1e ec 73 ba 5a be d0 96 e3 5f 6d 75
+ NOTICE: EventSize : 6
+ NOTICE: Event : BL_32
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 5d c6 ef 35 5a 90 81 b4 37 e6 3b 52 da 92 ab 8e
+ NOTICE: : d9 6e 93 98 2d 40 87 96 1b 5a a7 ee f1 f4 40 63
+ NOTICE: EventSize : 18
+ NOTICE: Event : BL32_EXTRA1_IMAGE
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 39 b7 13 b9 93 db 32 2f 1b 48 30 eb 2c f2 5c 25
+ NOTICE: : 00 0f 38 dc 8e c8 02 cd 79 f2 48 d2 2c 25 ab e2
+ NOTICE: EventSize : 6
+ NOTICE: Event : BL_33
+ NOTICE: PCR_Event2:
+ NOTICE: PCRIndex : 0
+ NOTICE: EventType : 1
+ NOTICE: Digests Count : 1
+ NOTICE: #0 AlgorithmId : SHA256
+ NOTICE: Digest : 25 10 60 5d d4 bc 9d 82 7a 16 9f 8a cc 47 95 a6
+ NOTICE: : fd ca a0 c1 2b c9 99 8f 51 20 ff c6 ed 74 68 5a
+ NOTICE: EventSize : 13
+ NOTICE: Event : NT_FW_CONFIG
+ NOTICE: BL1: Booting BL31
+ NOTICE: BL31: v2.5(release):v2.5
+ NOTICE: BL31: Built : 10:41:20, Jul 2 2021
+
+Following up with the fTPM startup process, we can see that all the
+measurements in the Event Log are extended and recorded in the appropriate PCR:
+
+.. code:: shell
+
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: TPM2_PCR_EXTEND_COMMAND returned value:
+ M/TA: ret_tag = 0x8002, size = 0x00000013, rc = 0x00000000
+ M/TA: 9 Event logs processed
+
+After the fTPM TA is loaded, the call to ``insmod`` issued by the ``ftpm``
+alias to load the ftpm kernel module returns, and then the TPM PCRs are read
+by means of ``tpm_pcrread`` command. Note that we are only interested in the
+SHA256 logs here, as this is the algorithm we used on TF-A for the measurements
+(see the field ``AlgorithmId`` on the logs above):
+
+.. code:: shell
+
+ sha256:
+ 0 : 0xA6EB3A7417B8CFA9EBA2E7C22AD5A4C03CDB8F3FBDD7667F9C3EF2EA285A8C9F
+ 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 2 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 5 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 7 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
+ 10: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 11: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 12: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 13: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 14: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 15: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 16: 0x0000000000000000000000000000000000000000000000000000000000000000
+ 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+ 23: 0x0000000000000000000000000000000000000000000000000000000000000000
+
+In this PoC we are only interested in PCR0, which must be non-null. This is
+because the boot process records all the images in this PCR (see field ``PCRIndex``
+on the Event Log above). The rest of the records must be 0 at this point.
+
+.. note::
+ The fTPM service used has support only for 16 PCRs, therefore the content
+ of PCRs above 15 can be ignored.
+
+.. note::
+ As stated earlier, Arm does not provide an fTPM implementation and therefore
+ we do not validate here if the content of PCR0 is correct or not. For this
+ PoC, we are only focused on the fact that the event log could be passed to a third
+ party fTPM and its records were properly extended.
+
+Fine-tuning the fTPM TA
+~~~~~~~~~~~~~~~~~~~~~~~
+
+As stated earlier, the OP-TEE Toolkit includes support to build a third party fTPM
+service. The build options for this service are tailored for the PoC and defined in
+the build environment variable ``FTPM_FLAGS`` (see ``<toolkit_home>/build/common.mk``)
+but they can be modified if needed to better adapt it to a specific scenario.
+
+The most relevant options for Measured Boot support are:
+
+ - **CFG_TA_DEBUG**: Enables debug logs in the Terminal_1 console.
+ - **CFG_TEE_TA_LOG_LEVEL**: Defines the log level used for the debug messages.
+ - **CFG_TA_MEASURED_BOOT**: Enables support for measured boot on the fTPM.
+ - **CFG_TA_EVENT_LOG_SIZE**: Defines the size, in bytes, of the larger event log that
+ the fTPM is able to store, as this buffer is allocated at build time. This must be at
+ least the same as the size of the event log generated by TF-A. If this build option
+ is not defined, the fTPM falls back to a default value of 1024 bytes, which is enough
+ for this PoC, so this variable is not defined in FTPM_FLAGS.
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
+
+.. _OP-TEE Toolkit: https://github.com/OP-TEE/build
+.. _ms-tpm-20-ref: https://github.com/microsoft/ms-tpm-20-ref
+.. _Get and build the solution: https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution
+.. _Armv8-A Foundation Platform (For Linux Hosts Only): https://developer.arm.com/tools-and-software/simulation-models/fixed-virtual-platforms/arm-ecosystem-models
+.. _tpm2-tools: https://github.com/tpm2-software/tpm2-tools
+.. _TGC event log: https://trustedcomputinggroup.org/resource/tcg-efi-platform-specification/
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 2c3cd6b..e7ffd94 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -55,6 +55,9 @@ Common build options
- ``BL2_AT_EL3``: This is an optional build option that enables the use of
BL2 at EL3 execution level.
+- ``BL2_ENABLE_SP_LOAD``: Boolean option to enable loading SP packages from the
+ FIP. Automatically enabled if ``SP_LAYOUT_FILE`` is provided.
+
- ``BL2_IN_XIP_MEM``: In some use-cases BL2 will be stored in eXecute In Place
(XIP) memory, like BL1. In these use-cases, it is necessary to initialize
the RW sections in RAM, while leaving the RO sections in place. This option
@@ -117,7 +120,7 @@ Common build options
| 4 | bti | N | Y |
+-------+--------------+-------+-----+
- This option defaults to 0 and this is an experimental feature.
+ This option defaults to 0.
Note that Pointer Authentication is enabled for Non-secure world
irrespective of the value of this option if the CPU supports it.
@@ -178,7 +181,7 @@ Common build options
- ``CTX_INCLUDE_PAUTH_REGS``: Boolean option that, when set to 1, enables
Pointer Authentication for Secure world. This will cause the ARMv8.3-PAuth
registers to be included when saving and restoring the CPU context as
- part of world switch. Default value is 0 and this is an experimental feature.
+ part of world switch. Default value is 0.
Note that Pointer Authentication is enabled for Non-secure world irrespective
of the value of this flag if the CPU supports it.
@@ -189,7 +192,7 @@ Common build options
authenticated decryption algorithm to be used to decrypt firmware/s during
boot. It accepts 2 values: ``aes_gcm`` and ``none``. The default value of
this flag is ``none`` to disable firmware decryption which is an optional
- feature as per TBBR. Also, it is an experimental feature.
+ feature as per TBBR.
- ``DISABLE_BIN_GENERATION``: Boolean option to disable the generation
of the binary image. If set to 1, then only the ELF image is built.
@@ -217,6 +220,14 @@ Common build options
v8.2 implementations also implement an AMU and this option can be used to
enable this feature on those systems as well. Default is 0.
+- ``ENABLE_AMU_AUXILIARY_COUNTERS``: Enables support for AMU auxiliary counters
+ (also known as group 1 counters). These are implementation-defined counters,
+ and as such require additional platform configuration. Default is 0.
+
+- ``ENABLE_AMU_FCONF``: Enables configuration of the AMU through FCONF, which
+ allows platforms with auxiliary counters to describe them via the
+ ``HW_CONFIG`` device tree blob. Default is 0.
+
- ``ENABLE_ASSERTIONS``: This option controls whether or not calls to ``assert()``
are compiled out. For debug builds, this option defaults to 1, and calls to
``assert()`` are left in place. For release builds, this option defaults to 0
@@ -235,6 +246,10 @@ Common build options
builds, but this behaviour can be overridden in each platform's Makefile or
in the build command line.
+- ``ENABLE_FEAT_HCX``: This option sets the bit SCR_EL3.HXEn in EL3 to allow
+ access to HCRX_EL2 (extended hypervisor control register) from EL2 as well as
+ adding HCRX_EL2 to the EL2 context save/restore operations.
+
- ``ENABLE_LTO``: Boolean option to enable Link Time Optimization (LTO)
support in GCC for TF-A. This option is currently only supported for
AArch64. Default is 0.
@@ -250,6 +265,16 @@ Common build options
partitioning in EL3, however. Platform initialisation code should configure
and use partitions in EL3 as required. This option defaults to ``0``.
+- ``ENABLE_MPMM``: Boolean option to enable support for the Maximum Power
+ Mitigation Mechanism supported by certain Arm cores, which allows the SoC
+ firmware to detect and limit high activity events to assist in SoC processor
+ power domain dynamic power budgeting and limit the triggering of whole-rail
+ (i.e. clock chopping) responses to overcurrent conditions. Defaults to ``0``.
+
+- ``ENABLE_MPMM_FCONF``: Enables configuration of MPMM through FCONF, which
+ allows platforms with cores supporting MPMM to describe them via the
+ ``HW_CONFIG`` device tree blob. Default is 0.
+
- ``ENABLE_PIE``: Boolean option to enable Position Independent Executable(PIE)
support within generic code in TF-A. This option is currently only supported
in BL2_AT_EL3, BL31, and BL32 (TSP) for AARCH64 binaries, and in BL32
@@ -264,12 +289,31 @@ Common build options
be enabled. If ``ENABLE_PMF`` is set, the residency statistics are tracked in
software.
+- ``ENABLE_RME``: Boolean option to enable support for the ARMv9 Realm
+ Management Extension. Default value is 0. This is currently an experimental
+ feature.
+
- ``ENABLE_RUNTIME_INSTRUMENTATION``: Boolean option to enable runtime
instrumentation which injects timestamp collection points into TF-A to
allow runtime performance to be measured. Currently, only PSCI is
instrumented. Enabling this option enables the ``ENABLE_PMF`` build option
as well. Default is 0.
+- ``ENABLE_SME_FOR_NS``: Boolean option to enable Scalable Matrix Extension
+ (SME), SVE, and FPU/SIMD for the non-secure world only. These features share
+ registers so are enabled together. Using this option without
+ ENABLE_SME_FOR_SWD=1 will cause SME, SVE, and FPU/SIMD instructions in secure
+ world to trap to EL3. SME is an optional architectural feature for AArch64
+ and TF-A support is experimental. At this time, this build option cannot be
+ used on systems that have SPD=spmd or ENABLE_RME, and attempting to build
+ with these options will fail. Default is 0.
+
+- ``ENABLE_SME_FOR_SWD``: Boolean option to enable the Scalable Matrix
+ Extension for secure world use along with SVE and FPU/SIMD, ENABLE_SME_FOR_NS
+ must also be set to use this. If enabling this, the secure world MUST
+ handle context switching for SME, SVE, and FPU/SIMD registers to ensure that
+ no data is leaked to non-secure world. This is experimental. Default is 0.
+
- ``ENABLE_SPE_FOR_LOWER_ELS`` : Boolean option to enable Statistical Profiling
extensions. This is an optional architectural feature for AArch64.
The default is 1 but is automatically disabled when the target architecture
@@ -278,13 +322,19 @@ Common build options
- ``ENABLE_SVE_FOR_NS``: Boolean option to enable Scalable Vector Extension
(SVE) for the Non-secure world only. SVE is an optional architectural feature
for AArch64. Note that when SVE is enabled for the Non-secure world, access
- to SIMD and floating-point functionality from the Secure world is disabled.
+ to SIMD and floating-point functionality from the Secure world is disabled by
+ default and controlled with ENABLE_SVE_FOR_SWD.
This is to avoid corruption of the Non-secure world data in the Z-registers
which are aliased by the SIMD and FP registers. The build option is not
compatible with the ``CTX_INCLUDE_FPREGS`` build option, and will raise an
assert on platforms where SVE is implemented and ``ENABLE_SVE_FOR_NS`` set to
- 1. The default is 1 but is automatically disabled when the target
- architecture is AArch32.
+ 1. The default is 1 but is automatically disabled when ENABLE_SME_FOR_NS=1
+ since SME encompasses SVE.
+
+- ``ENABLE_SVE_FOR_SWD``: Boolean option to enable SVE for the Secure world.
+ SVE is an optional architectural feature for AArch64. Note that this option
+ requires ENABLE_SVE_FOR_NS to be enabled. The default is 0 and it is
+ automatically disabled when the target architecture is AArch32.
- ``ENABLE_STACK_PROTECTOR``: String option to enable the stack protection
checks in GCC. Allowed values are "all", "strong", "default" and "none". The
@@ -295,20 +345,18 @@ Common build options
component of the option ``-fstack-protector-$ENABLE_STACK_PROTECTOR``.
- ``ENCRYPT_BL31``: Binary flag to enable encryption of BL31 firmware. This
- flag depends on ``DECRYPTION_SUPPORT`` build flag which is marked as
- experimental.
+ flag depends on ``DECRYPTION_SUPPORT`` build flag.
- ``ENCRYPT_BL32``: Binary flag to enable encryption of Secure BL32 payload.
- This flag depends on ``DECRYPTION_SUPPORT`` build flag which is marked as
- experimental.
+ This flag depends on ``DECRYPTION_SUPPORT`` build flag.
- ``ENC_KEY``: A 32-byte (256-bit) symmetric key in hex string format. It could
either be SSK or BSSK depending on ``FW_ENC_STATUS`` flag. This value depends
- on ``DECRYPTION_SUPPORT`` build flag which is marked as experimental.
+ on ``DECRYPTION_SUPPORT`` build flag.
- ``ENC_NONCE``: A 12-byte (96-bit) encryption nonce or Initialization Vector
(IV) in hex string format. This value depends on ``DECRYPTION_SUPPORT``
- build flag which is marked as experimental.
+ build flag.
- ``ERROR_DEPRECATED``: This option decides whether to treat the usage of
deprecated platform APIs, helper functions or drivers within Trusted
@@ -347,8 +395,7 @@ Common build options
1: Encryption is done with Binding Secret Symmetric Key (BSSK) which is
unique per device.
- This flag depends on ``DECRYPTION_SUPPORT`` build flag which is marked as
- experimental.
+ This flag depends on ``DECRYPTION_SUPPORT`` build flag.
- ``GENERATE_COT``: Boolean flag used to build and execute the ``cert_create``
tool to create certificates as per the Chain of Trust described in
@@ -463,9 +510,11 @@ Common build options
the build. The default value is 40 in debug builds and 20 in release builds.
- ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
- feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set.
- This option defaults to 0 and is an experimental feature in the stage of
- development.
+ feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set as well
+ in order to provide trust that the code taking the measurements and recording
+ them has not been tampered with.
+
+ This option defaults to 0.
- ``NON_TRUSTED_WORLD_KEY``: This option is used when ``GENERATE_COT=1``. It
specifies the file that contains the Non-Trusted World private key in PEM
@@ -579,6 +628,11 @@ Common build options
``BL31_NOBITS_LIMIT``. When the option is ``0`` (the default), NOBITS
sections are placed in RAM immediately following the loaded firmware image.
+- ``SMC_PCI_SUPPORT``: This option allows platforms to handle PCI configuration
+ access requests via a standard SMCCC defined in `DEN0115`_. When combined with
+ UEFI+ACPI this can provide a certain amount of OS forward compatibility
+ with newer platforms that aren't ECAM compliant.
+
- ``SPD``: Choose a Secure Payload Dispatcher component to be built into TF-A.
This build option is only valid if ``ARCH=aarch64``. The value should be
the path to the directory containing the SPD source, relative to
@@ -670,26 +724,25 @@ Common build options
- ``ARM_IO_IN_DTB``: This flag determines whether to use IO based on the
firmware configuration framework. This will move the io_policies into a
configuration device tree, instead of static structure in the code base.
- This is currently an experimental feature.
- ``COT_DESC_IN_DTB``: This flag determines whether to create COT descriptors
at runtime using fconf. If this flag is enabled, COT descriptors are
statically captured in tb_fw_config file in the form of device tree nodes
and properties. Currently, COT descriptors used by BL2 are moved to the
device tree and COT descriptors used by BL1 are retained in the code
- base statically. This is currently an experimental feature.
+ base statically.
- ``SDEI_IN_FCONF``: This flag determines whether to configure SDEI setup in
runtime using firmware configuration framework. The platform specific SDEI
shared and private events configuration is retrieved from device tree rather
- than static C structures at compile time. This is currently an experimental
- feature and is only supported if SDEI_SUPPORT build flag is enabled.
+ than static C structures at compile time. This is only supported if
+ SDEI_SUPPORT build flag is enabled.
- ``SEC_INT_DESC_IN_FCONF``: This flag determines whether to configure Group 0
and Group1 secure interrupts using the firmware configuration framework. The
platform specific secure interrupt property descriptor is retrieved from
device tree in runtime rather than depending on static C structure at compile
- time. This is currently an experimental feature.
+ time.
- ``USE_ROMLIB``: This flag determines whether library at ROM will be used.
This feature creates a library of functions to be placed in ROM and thus
@@ -761,6 +814,21 @@ Common build options
functions that wait for an arbitrary time length (udelay and mdelay). The
default value is 0.
+- ``ENABLE_TRBE_FOR_NS``: This flag is used to enable access of trace buffer
+ control registers from NS ELs, NS-EL2 or NS-EL1(when NS-EL2 is implemented
+ but unused) when FEAT_TRBE is implemented. TRBE is an optional architectural
+ feature for AArch64. The default is 0 and it is automatically disabled when
+ the target architecture is AArch32.
+
+- ``ENABLE_SYS_REG_TRACE_FOR_NS``: Boolean option to enable trace system
+ registers access from NS ELs, NS-EL2 or NS-EL1 (when NS-EL2 is implemented
+ but unused). This feature is available if trace unit such as ETMv4.x, and
+ ETE(extending ETM feature) is implemented. This flag is disabled by default.
+
+- ``ENABLE_TRF_FOR_NS``: Boolean option to enable trace filter control registers
+ access from NS ELs, NS-EL2 or NS-EL1 (when NS-EL2 is implemented but unused),
+ if FEAT_TRF is implemented. This flag is disabled by default.
+
GICv3 driver options
--------------------
@@ -776,6 +844,11 @@ makefile:
GIC-600, so is safe to select even for a GIC500 implementation.
This option defaults to 0.
+- ``GICV3_SUPPORT_GIC600AE_FMU``: Add support for the Fault Management Unit
+ for GIC-600 AE. Enabling this option will introduce support to initialize
+ the FMU. Platforms should call the init function during boot to enable the
+ FMU and its safety mechanisms. This option defaults to 0.
+
- ``GICV3_IMPL_GIC600_MULTICHIP``: Selects GIC-600 variant with multichip
functionality. This option defaults to 0
@@ -846,6 +919,30 @@ commands can be used:
# Resume execution
continue
+Firmware update options
+-----------------------
+
+- ``NR_OF_FW_BANKS``: Define the number of firmware banks. This flag is used
+ in defining the firmware update metadata structure. This flag is by default
+ set to '2'.
+
+- ``NR_OF_IMAGES_IN_FW_BANK``: Define the number of firmware images in each
+ firmware bank. Each firmware bank must have the same number of images as per
+ the `PSA FW update specification`_.
+ This flag is used in defining the firmware update metadata structure. This
+ flag is by default set to '1'.
+
+- ``PSA_FWU_SUPPORT``: Enable the firmware update mechanism as per the
+ `PSA FW update specification`_. The default value is 0, and this is an
+ experimental feature.
+ PSA firmware update implementation has some limitations, such as BL2 is
+ not part of the protocol-updatable images, if BL2 needs to be updated, then
+ it should be done through another platform-defined mechanism, and it assumes
+ that the platform's hardware supports CRC32 instructions.
+
--------------
*Copyright (c) 2019-2021, Arm Limited. All rights reserved.*
+
+.. _DEN0115: https://developer.arm.com/docs/den0115/latest
+.. _PSA FW update specification: https://developer.arm.com/documentation/den0118/a/
diff --git a/docs/getting_started/porting-guide.rst b/docs/getting_started/porting-guide.rst
index 906daf8..92ff39f 100644
--- a/docs/getting_started/porting-guide.rst
+++ b/docs/getting_started/porting-guide.rst
@@ -562,15 +562,6 @@ behaviour of the ``assert()`` function (for example, to save memory).
doesn't print anything to the console. If ``PLAT_LOG_LEVEL_ASSERT`` isn't
defined, it defaults to ``LOG_LEVEL``.
-If the platform port uses the Activity Monitor Unit, the following constant
-may be defined:
-
-- **PLAT_AMU_GROUP1_COUNTERS_MASK**
- This mask reflects the set of group counters that should be enabled. The
- maximum number of group 1 counters supported by AMUv1 is 16 so the mask
- can be at most 0xffff. If the platform does not define this mask, no group 1
- counters are enabled.
-
File : plat_macros.S [mandatory]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -891,8 +882,55 @@ symmetric key/identifier using img_id.
On success the function should return 0 and a negative error code otherwise.
-Note that this API depends on ``DECRYPTION_SUPPORT`` build flag which is
-marked as experimental.
+Note that this API depends on ``DECRYPTION_SUPPORT`` build flag.
+
+Function : plat_fwu_set_images_source() [when PSA_FWU_SUPPORT == 1]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : struct fwu_metadata *metadata
+ Return : void
+
+This function is mandatory when PSA_FWU_SUPPORT is enabled.
+It provides a means to retrieve image specification (offset in
+non-volatile storage and length) of active/updated images using the passed
+FWU metadata, and update I/O policies of active/updated images using retrieved
+image specification information.
+Further I/O layer operations such as I/O open, I/O read, etc. on these
+images rely on this function call.
+
+In Arm platforms, this function is used to set an I/O policy of the FIP image,
+container of all active/updated secure and non-secure images.
+
+Function : plat_fwu_set_metadata_image_source() [when PSA_FWU_SUPPORT == 1]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : unsigned int image_id, uintptr_t *dev_handle,
+ uintptr_t *image_spec
+ Return : int
+
+This function is mandatory when PSA_FWU_SUPPORT is enabled. It is
+responsible for setting up the platform I/O policy of the requested metadata
+image (either FWU_METADATA_IMAGE_ID or BKUP_FWU_METADATA_IMAGE_ID) that will
+be used to load this image from the platform's non-volatile storage.
+
+FWU metadata can not be always stored as a raw image in non-volatile storage
+to define its image specification (offset in non-volatile storage and length)
+statically in I/O policy.
+For example, the FWU metadata image is stored as a partition inside the GUID
+partition table image. Its specification is defined in the partition table
+that needs to be parsed dynamically.
+This function provides a means to retrieve such dynamic information to set
+the I/O policy of the FWU metadata image.
+Further I/O layer operations such as I/O open, I/O read, etc. on FWU metadata
+image relies on this function call.
+
+It returns '0' on success, otherwise a negative error value on error.
+Alongside, returns device handle and image specification from the I/O policy
+of the requested FWU metadata image.
Common optional modifications
-----------------------------
@@ -1151,6 +1189,25 @@ This function returns SMC_ARCH_CALL_SUCCESS if the platform supports
the SMCCC function specified in the argument; otherwise returns
SMC_ARCH_CALL_NOT_SUPPORTED.
+Function : plat_mboot_measure_image()
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : unsigned int, image_info_t *
+ Return : void
+
+When the MEASURED_BOOT flag is enabled:
+
+- This function measures the given image and records its measurement using
+ the measured boot backend driver.
+- On the Arm FVP port, this function measures the given image using its
+ passed id and information and then records that measurement in the
+ Event Log buffer.
+- This function must return 0 on success, a negative error code otherwise.
+
+When the MEASURED_BOOT flag is disabled, this function doesn't do anything.
+
Modifications specific to a Boot Loader stage
---------------------------------------------
@@ -1402,6 +1459,42 @@ This function must return 0 on success, a non-null error code otherwise.
The default implementation of this function asserts therefore platforms must
override it when using the FWU feature.
+Function : bl1_plat_mboot_init() [optional]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : void
+ Return : void
+
+When the MEASURED_BOOT flag is enabled:
+
+- This function is used to initialize the backend driver(s) of measured boot.
+- On the Arm FVP port, this function is used to initialize the Event Log
+ backend driver, and also to write header information in the Event Log buffer.
+
+When the MEASURED_BOOT flag is disabled, this function doesn't do anything.
+
+Function : bl1_plat_mboot_finish() [optional]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : void
+ Return : void
+
+When the MEASURED_BOOT flag is enabled:
+
+- This function is used to finalize the measured boot backend driver(s),
+ and also, set the information for the next bootloader component to
+ extend the measurement if needed.
+- On the Arm FVP port, this function is used to pass the base address of
+ the Event Log buffer and its size to BL2 via tb_fw_config to extend the
+ Event Log buffer with the measurement of various images loaded by BL2.
+ It results in panic on error.
+
+When the MEASURED_BOOT flag is disabled, this function doesn't do anything.
+
Boot Loader Stage 2 (BL2)
-------------------------
@@ -1690,6 +1783,42 @@ Application Processor (AP) for BL2U execution to continue.
This function returns 0 on success, a negative error code otherwise.
This function is included if SCP_BL2U_BASE is defined.
+Function : bl2_plat_mboot_init() [optional]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : void
+ Return : void
+
+When the MEASURED_BOOT flag is enabled:
+
+- This function is used to initialize the backend driver(s) of measured boot.
+- On the Arm FVP port, this function is used to initialize the Event Log
+ backend driver with the Event Log buffer information (base address and
+ size) received from BL1. It results in panic on error.
+
+When the MEASURED_BOOT flag is disabled, this function doesn't do anything.
+
+Function : bl2_plat_mboot_finish() [optional]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+::
+
+ Argument : void
+ Return : void
+
+When the MEASURED_BOOT flag is enabled:
+
+- This function is used to finalize the measured boot backend driver(s),
+ and also, set the information for the next bootloader component to extend
+ the measurement if needed.
+- On the Arm FVP port, this function is used to pass the Event Log buffer
+ information (base address and size) to non-secure(BL33) and trusted OS(BL32)
+ via nt_fw and tos_fw config respectively. It results in panic on error.
+
+When the MEASURED_BOOT flag is disabled, this function doesn't do anything.
+
Boot Loader Stage 3-1 (BL31)
----------------------------
diff --git a/docs/getting_started/prerequisites.rst b/docs/getting_started/prerequisites.rst
index d116ce1..f45193a 100644
--- a/docs/getting_started/prerequisites.rst
+++ b/docs/getting_started/prerequisites.rst
@@ -26,7 +26,7 @@ Toolchain
|TF-A| can be built with any of the following *cross-compiler* toolchains that
target the Armv7-A or Armv8-A architectures:
-- GCC >= 9.2-2019.12 (from the `Arm Developer website`_)
+- GCC >= 10.3-2021.07 (from the `Arm Developer website`_)
- Clang >= 4.0
- Arm Compiler >= 6.0
@@ -112,7 +112,7 @@ Supporting Files
----------------
TF-A has been tested with pre-built binaries and file systems from `Linaro
-Release 19.06`_. Alternatively, you can build the binaries from source using
+Release 20.01`_. Alternatively, you can build the binaries from source using
instructions in :ref:`Performing an Initial Build`.
.. _prerequisites_get_source:
@@ -166,4 +166,4 @@ documentation, available `here <https://git-scm.com/docs/githooks>`_.
.. _Linaro Release Notes: https://community.arm.com/dev-platforms/w/docs/226/old-release-notes
.. _Linaro instructions: https://community.arm.com/dev-platforms/w/docs/304/arm-reference-platforms-deliverables
.. _Development Studio 5 (DS-5): https://developer.arm.com/products/software-development-tools/ds-5-development-studio
-.. _Linaro Release 19.06: http://releases.linaro.org/members/arm/platforms/19.06
+.. _Linaro Release 20.01: http://releases.linaro.org/members/arm/platforms/20.01
diff --git a/docs/global_substitutions.txt b/docs/global_substitutions.txt
index 24ac830..af15146 100644
--- a/docs/global_substitutions.txt
+++ b/docs/global_substitutions.txt
@@ -1,5 +1,7 @@
.. |AArch32| replace:: :term:`AArch32`
.. |AArch64| replace:: :term:`AArch64`
+.. |AMU| replace:: :term:`AMU`
+.. |AMUs| replace:: :term:`AMUs <AMU>`
.. |API| replace:: :term:`API`
.. |BTI| replace:: :term:`BTI`
.. |CoT| replace:: :term:`CoT`
@@ -23,6 +25,7 @@
.. |Linaro| replace:: :term:`Linaro`
.. |MMU| replace:: :term:`MMU`
.. |MPAM| replace:: :term:`MPAM`
+.. |MPMM| replace:: :term:`MPMM`
.. |MPIDR| replace:: :term:`MPIDR`
.. |MTE| replace:: :term:`MTE`
.. |OEN| replace:: :term:`OEN`
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 54820e4..aeeb133 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -15,6 +15,10 @@ You can find additional definitions in the `Arm Glossary`_.
AArch64
64-bit execution state of the ARMv8 ISA
+ AMU
+ Activity Monitor Unit, a hardware monitoring unit introduced by FEAT_AMUv1
+ that exposes CPU core runtime metrics as a set of counter registers.
+
API
Application Programming Interface
@@ -60,8 +64,8 @@ You can find additional definitions in the `Arm Glossary`_.
FDT
Flattened Device Tree
- FFA
- Firmware Framework for A-class processors
+ FF-A
+ Firmware Framework for Arm A-profile
FIP
Firmware Image Package
@@ -88,6 +92,10 @@ You can find additional definitions in the `Arm Glossary`_.
MPAM
Memory Partitioning And Monitoring. An optional Armv8.4 extension.
+ MPMM
+ Maximum Power Mitigation Mechanism, an optional power management mechanism
+ supported by some Arm Armv9-A cores.
+
MPIDR
Multiprocessor Affinity Register
diff --git a/docs/index.rst b/docs/index.rst
index 29e5839..edc2535 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -30,6 +30,7 @@ such as:
- `SMC Calling Convention`_
- `System Control and Management Interface (SCMI)`_
- `Software Delegated Exception Interface (SDEI)`_
+- `PSA FW update specification`_
Where possible, the code is designed for reuse or porting to other Armv7-A and
Armv8-A model and hardware platforms.
@@ -92,3 +93,4 @@ have previously been raised against the software.
.. _System Control and Management Interface (SCMI): http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/DEN0056A_System_Control_and_Management_Interface.pdf
.. _Software Delegated Exception Interface (SDEI): http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _SMC Calling Convention: https://developer.arm.com/docs/den0028/latest
+.. _PSA FW update specification: https://developer.arm.com/documentation/den0118/a/
diff --git a/docs/license.rst b/docs/license.rst
index f0caa39..80f1118 100644
--- a/docs/license.rst
+++ b/docs/license.rst
@@ -81,6 +81,7 @@ license text is included in those source files.
terms of the MIT license. These files are:
- ``include/dt-bindings/interrupt-controller/arm-gic.h``
+ - ``include/dt-bindings/interrupt-controller/irq.h``
See the original `Linux MIT license`_.
diff --git a/docs/plat/arm/arm-build-options.rst b/docs/plat/arm/arm-build-options.rst
index db8d945..339ebbe 100644
--- a/docs/plat/arm/arm-build-options.rst
+++ b/docs/plat/arm/arm-build-options.rst
@@ -100,10 +100,16 @@ Arm Platform Build Options
- ``ARM_SPMC_MANIFEST_DTS`` : path to an alternate manifest file used as the
SPMC Core manifest. Valid when ``SPD=spmd`` is selected.
+- ``ARM_BL2_SP_LIST_DTS``: Path to DTS file snippet to override the hardcoded
+ SP nodes in tb_fw_config.
+
- ``OPTEE_SP_FW_CONFIG``: DTC build flag to include OP-TEE as SP in tb_fw_config
device tree. This flag is defined only when ``ARM_SPMC_MANIFEST_DTS`` manifest
file name contains pattern optee_sp.
+- ``TS_SP_FW_CONFIG``: DTC build flag to include Trusted Services (Crypto and
+ internal-trusted-storage) as SP in tb_fw_config device tree.
+
- ``ARM_GPT_SUPPORT``: Enable GPT parser to get the entry address and length of
the various partitions present in the GPT image. This support is available
only for the BL2 component, and it is disabled by default.
diff --git a/docs/plat/arm/diphda/index.rst b/docs/plat/arm/diphda/index.rst
new file mode 100644
index 0000000..27afda4
--- /dev/null
+++ b/docs/plat/arm/diphda/index.rst
@@ -0,0 +1,61 @@
+Diphda Platform
+==========================
+
+Some of the features of the Diphda platform referenced in TF-A include:
+
+- Cortex-A35 application processor (64-bit mode)
+- Secure Enclave
+- GIC-400
+- Trusted Board Boot
+
+Boot Sequence
+-------------
+
+The board boot relies on CoT (chain of trust). The trusted-firmware-a
+BL2 is extracted from the FIP and verified by the Secure Enclave
+processor. BL2 verification relies on the signature area at the
+beginning of the BL2 image. This area is needed by the SecureEnclave
+bootloader.
+
+Then, the application processor is released from reset and starts by
+executing BL2.
+
+BL2 performs the actions described in the trusted-firmware-a TBB design
+document.
+
+Build Procedure (TF-A only)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Obtain AArch64 ELF bare-metal target `toolchain <https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads>`_.
+ Set the CROSS_COMPILE environment variable to point to the toolchain folder.
+
+- Build TF-A:
+
+ .. code:: shell
+
+ make LD=aarch64-none-elf-ld \
+ CC=aarch64-none-elf-gcc \
+ V=1 \
+ BUILD_BASE=<path to the build folder> \
+ PLAT=diphda \
+ SPD=spmd \
+ SPMD_SPM_AT_SEL2=0 \
+ DEBUG=1 \
+ MBEDTLS_DIR=mbedtls \
+ OPENSSL_DIR=<path to openssl usr folder> \
+ RUNTIME_SYSROOT=<path to the sysroot> \
+ ARCH=aarch64 \
+ TARGET_PLATFORM=<fpga or fvp> \
+ ENABLE_PIE=1 \
+ BL2_AT_EL3=1 \
+ CREATE_KEYS=1 \
+ GENERATE_COT=1 \
+ TRUSTED_BOARD_BOOT=1 \
+ COT=tbbr \
+ ARM_ROTPK_LOCATION=devel_rsa \
+ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
+ BL32=<path to optee binary> \
+ BL33=<path to u-boot binary> \
+ bl2
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
diff --git a/docs/plat/arm/fvp/index.rst b/docs/plat/arm/fvp/index.rst
index fb38d91..2aaf195 100644
--- a/docs/plat/arm/fvp/index.rst
+++ b/docs/plat/arm/fvp/index.rst
@@ -12,51 +12,50 @@ Arm FVPs without shifted affinities, and that do not support threaded CPU cores
(64-bit host machine only).
.. note::
- The FVP models used are Version 11.14 Build 21, unless otherwise stated.
+ The FVP models used are Version 11.16 Build 16, unless otherwise stated.
-- ``FVP_Base_AEMvA``
-- ``FVP_Base_AEMv8A-AEMv8A``
+- ``Foundation_Platform``
- ``FVP_Base_AEMv8A-AEMv8A-AEMv8A-AEMv8A-CCN502``
-- ``FVP_Base_RevC-2xAEMvA``
-- ``FVP_Base_Cortex-A32x4`` (Version 11.12 build 38)
+- ``FVP_Base_AEMv8A-AEMv8A`` (For certain configurations also uses 11.14/21)
+- ``FVP_Base_AEMv8A-GIC600AE``
+- ``FVP_Base_AEMvA`` (For certain configurations also uses 0.0/6684)
+- ``FVP_Base_Cortex-A32x4`` (Version 11.12/38)
- ``FVP_Base_Cortex-A35x4``
- ``FVP_Base_Cortex-A53x4``
-- ``FVP_Base_Cortex-A55x4+Cortex-A75x4``
- ``FVP_Base_Cortex-A55x4``
+- ``FVP_Base_Cortex-A55x4+Cortex-A75x4``
- ``FVP_Base_Cortex-A57x1-A53x1``
- ``FVP_Base_Cortex-A57x2-A53x4``
- ``FVP_Base_Cortex-A57x4-A53x4``
- ``FVP_Base_Cortex-A57x4``
-- ``FVP_Base_Cortex-A65x4``
- ``FVP_Base_Cortex-A65AEx8``
+- ``FVP_Base_Cortex-A65x4``
+- ``FVP_Base_Cortex-A710x4``
- ``FVP_Base_Cortex-A72x4-A53x4``
- ``FVP_Base_Cortex-A72x4``
- ``FVP_Base_Cortex-A73x4-A53x4``
- ``FVP_Base_Cortex-A73x4``
- ``FVP_Base_Cortex-A75x4``
-- ``FVP_Base_Cortex-A76x4``
- ``FVP_Base_Cortex-A76AEx4``
- ``FVP_Base_Cortex-A76AEx8``
+- ``FVP_Base_Cortex-A76x4``
- ``FVP_Base_Cortex-A77x4``
- ``FVP_Base_Cortex-A78x4``
-- ``FVP_Base_Matterhornx4``
-- ``FVP_Morello`` (Version 0.10 build 542)
- ``FVP_Base_Neoverse-E1x1``
- ``FVP_Base_Neoverse-E1x2``
- ``FVP_Base_Neoverse-E1x4``
- ``FVP_Base_Neoverse-N1x4``
- ``FVP_Base_Neoverse-N2x4`` (Version 11.12 build 38)
- ``FVP_Base_Neoverse-V1x4``
-- ``FVP_CSS_SGI-575`` (Version 11.10 build 36)
-- ``FVP_CSS_SGM-775``
-- ``FVP_RD_E1_edge`` (Version 11.9 build 41)
-- ``FVP_RD_N1_edge`` (Version 11.10 build 36)
-- ``FVP_RD_N1_edge_dual`` (Version 11.10 build 36)
-- ``FVP_RD_Daniel`` (Version 11.13 build 10)
-- ``FVP_RD_N2`` (Version 11.13 build 10)
-- ``FVP_TC0`` (Version 0.0 build 6509)
-- ``FVP_Base_AEMv8A-GIC600AE`` (Version 0.0 build 6415)
-- ``Foundation_Platform``
+- ``FVP_Base_RevC-2xAEMvA`` (For certain configurations also uses 0.0/6557)
+- ``FVP_CSS_SGI-575`` (Version 11.15/26)
+- ``FVP_Morello`` (Version 0.11/19)
+- ``FVP_RD_E1_edge`` (Version 11.15/26)
+- ``FVP_RD_N1_edge_dual`` (Version 11.15/26)
+- ``FVP_RD_N1_edge`` (Version 11.15/26)
+- ``FVP_RD_V1`` (Version 11.15/26)
+- ``FVP_TC0``
+- ``FVP_TC1``
The latest version of the AArch32 build of TF-A has been tested on the
following Arm FVPs without shifted affinities, and that do not support threaded
@@ -101,7 +100,7 @@ from `Arm's website`_.
the models. The models can be launched with ``-Q 100`` option if they are
required to match the run time characteristics of the older versions.
-All the above platforms have been tested with `Linaro Release 19.06`_.
+All the above platforms have been tested with `Linaro Release 20.01`_.
.. _build_options_arm_fvp_platform:
@@ -526,8 +525,8 @@ with 8 CPUs using the AArch64 build of TF-A.
Notes:
-- If Position Independent Executable (PIE) support is enabled for BL31
- in this config, it can be loaded at any valid address for execution.
+- Position Independent Executable (PIE) support is enabled in this
+ config allowing BL31 to be loaded at any valid address for execution.
- Since a FIP is not loaded when using BL31 as reset entrypoint, the
``--data="<path-to><bl31|bl32|bl33-binary>"@<base-address-of-binary>``
@@ -588,8 +587,8 @@ with 8 CPUs using the AArch32 build of TF-A.
--data cluster0.cpu0="<path-to>/<ramdisk>"@0x84000000
.. note::
- The load address of ``<bl32-binary>`` depends on the value ``BL32_BASE``.
- It should match the address programmed into the RVBAR register as well.
+ Position Independent Executable (PIE) support is enabled in this
+ config allowing SP_MIN to be loaded at any valid address for execution.
Running on the Cortex-A57-A53 Base FVP with reset to BL31 entrypoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -649,5 +648,5 @@ boot Linux with 4 CPUs using the AArch32 build of TF-A.
.. _TB_FW_CONFIG for FVP: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/fdts/fvp_tb_fw_config.dts
.. _Arm's website: `FVP models`_
.. _FVP models: https://developer.arm.com/products/system-design/fixed-virtual-platforms
-.. _Linaro Release 19.06: http://releases.linaro.org/members/arm/platforms/19.06
+.. _Linaro Release 20.01: http://releases.linaro.org/members/arm/platforms/20.01
.. _Arm FVP website: https://developer.arm.com/products/system-design/fixed-virtual-platforms
diff --git a/docs/plat/arm/fvp_r/index.rst b/docs/plat/arm/fvp_r/index.rst
new file mode 100644
index 0000000..8af16ba
--- /dev/null
+++ b/docs/plat/arm/fvp_r/index.rst
@@ -0,0 +1,46 @@
+ARM V8-R64 Fixed Virtual Platform (FVP)
+=======================================
+
+Some of the features of Armv8-R AArch64 FVP platform referenced in Trusted
+Boot R-class include:
+
+- Secure World Support Only
+- EL2 as Maximum EL support (No EL3)
+- MPU Support only at EL2
+- MPU or MMU Support at EL0/EL1
+- AArch64 Support Only
+- Trusted Board Boot
+
+Further information on v8-R64 FVP is available at `info <https://developer.arm.com/documentation/ddi0600/latest/>`_
+
+Boot Sequence
+-------------
+
+BL1 –> BL33
+
+The execution begins from BL1 which loads the BL33 image, a boot-wrapped (bootloader + Operating System)
+Operating System, from FIP to DRAM.
+
+Build Procedure
+~~~~~~~~~~~~~~~
+
+- Obtain arm `toolchain <https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-a/downloads>`_.
+ Set the CROSS_COMPILE environment variable to point to the toolchain folder.
+
+- Build TF-A:
+
+ .. code:: shell
+
+ make PLAT=fvp_r BL33=<path_to_os.bin> all fip
+
+ Enable TBBR by adding the following options to the make command:
+
+ .. code:: shell
+
+ MBEDTLS_DIR=<path_to_mbedtls_directory> \
+ TRUSTED_BOARD_BOOT=1 \
+ GENERATE_COT=1 \
+ ARM_ROTPK_LOCATION=devel_rsa \
+ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
diff --git a/docs/plat/arm/index.rst b/docs/plat/arm/index.rst
index f72992b..f262dc0 100644
--- a/docs/plat/arm/index.rst
+++ b/docs/plat/arm/index.rst
@@ -7,11 +7,13 @@ Arm Development Platforms
juno/index
fvp/index
+ fvp_r/index
fvp-ve/index
- tc0/index
+ tc/index
arm_fpga/index
arm-build-options
morello/index
+ diphda/index
This chapter holds documentation related to Arm's development platforms,
including both software models (FVPs) and hardware development boards
@@ -19,4 +21,4 @@ such as Juno.
--------------
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2021, Arm Limited. All rights reserved.*
diff --git a/docs/plat/arm/tc0/index.rst b/docs/plat/arm/tc/index.rst
index 34d1f13..20d3e56 100644
--- a/docs/plat/arm/tc0/index.rst
+++ b/docs/plat/arm/tc/index.rst
@@ -1,7 +1,7 @@
-TC0 Total Compute Platform
+TC Total Compute Platform
==========================
-Some of the features of TC0 platform referenced in TF-A include:
+Some of the features of TC platform referenced in TF-A include:
- A `System Control Processor <https://github.com/ARM-software/SCP-firmware>`_
to abstract power and system management tasks away from application
@@ -13,6 +13,12 @@ Some of the features of TC0 platform referenced in TF-A include:
- SCMI
- MHUv2
+Currently, the main difference between TC0 (TARGET_PLATFORM=0) and TC1
+(TARGET_PLATFORM=1) platforms w.r.t to TF-A is the CPUs supported. TC0 has
+support for Cortex A510, Cortex A710 and Cortex X2, while TC1 has support for
+Cortex A510, Cortex Makalu and Cortex Makalu ELP Arm CPUs.
+
+
Boot Sequence
-------------
@@ -34,8 +40,8 @@ Build Procedure (TF-A only)
.. code:: shell
- make PLAT=tc0 BL33=<path_to_uboot.bin> \
- SCP_BL2=<path_to_scp_ramfw.bin> all fip
+ make PLAT=tc BL33=<path_to_uboot.bin> \
+ SCP_BL2=<path_to_scp_ramfw.bin> TARGET_PLATFORM={0,1} all fip
Enable TBBR by adding the following options to the make command:
@@ -47,4 +53,4 @@ Build Procedure (TF-A only)
ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
-*Copyright (c) 2020, Arm Limited. All rights reserved.*
+*Copyright (c) 2020-2021, Arm Limited. All rights reserved.*
diff --git a/docs/plat/deprecated.rst b/docs/plat/deprecated.rst
index 203ae00..7cc4258 100644
--- a/docs/plat/deprecated.rst
+++ b/docs/plat/deprecated.rst
@@ -16,3 +16,5 @@ List of deprecated platforms
+================+================+====================+====================+
| sgm775 | Arm | 2.5 | 2.7 |
+----------------+----------------+--------------------+--------------------+
+| mt6795 | MTK | 2.5 | 2.7 |
++----------------+----------------+--------------------+--------------------+
diff --git a/docs/plat/imx8m.rst b/docs/plat/imx8m.rst
index 0408730..0fe15c9 100644
--- a/docs/plat/imx8m.rst
+++ b/docs/plat/imx8m.rst
@@ -6,6 +6,9 @@ cores provide high-performance computing, power efficiency, enhanced system
reliability and embedded security needed to drive the growth of fast-growing
edge node computing, streaming multimedia, and machine learning applications.
+imx8mq is dropped in TF-A CI build due to the small OCRAM size, but still actively
+maintained in NXP official release.
+
Boot Sequence
-------------
diff --git a/docs/plat/index.rst b/docs/plat/index.rst
index 4dc9ecd..5848005 100644
--- a/docs/plat/index.rst
+++ b/docs/plat/index.rst
@@ -27,6 +27,7 @@ Platform Ports
imx8
imx8m
ls1043a
+ nxp/index
poplar
qemu
qemu-sbsa
diff --git a/docs/plat/marvell/armada/build.rst b/docs/plat/marvell/armada/build.rst
index c9f5e82..6872f56 100644
--- a/docs/plat/marvell/armada/build.rst
+++ b/docs/plat/marvell/armada/build.rst
@@ -58,10 +58,12 @@ There are several build options:
- a3700 - A3720 DB, EspressoBin and Turris MOX
- a70x0
- a70x0_amc - AMC board
+ - a70x0_mochabin - Globalscale MOCHAbin
- a80x0
- a80x0_mcbin - MacchiatoBin
- a80x0_puzzle - IEI Puzzle-M801
- t9130 - CN913x
+ - t9130_cex7_eval - CN913x CEx7 Evaluation Board
- DEBUG
@@ -98,50 +100,26 @@ There are several build options:
There is no reason to enable this feature if OP-TEE OS built with CFG_WITH_PAGER=n.
Only set LLC_SRAM=1 if OP-TEE OS is built with CFG_WITH_PAGER=y.
-- CM3_SYSTEM_RESET
-
- For Armada37x0 only, when ``CM3_SYSTEM_RESET=1``, the Cortex-M3 secure coprocessor will
- be used for system reset.
- TF-A will send command 0x0009 with a magic value via the rWTM mailbox interface to the
- Cortex-M3 secure coprocessor.
- The firmware running in the coprocessor must either implement this functionality or
- ignore the 0x0009 command (which is true for the firmware from A3700-utils-marvell
- repository). If this option is enabled but the firmware does not support this command,
- an error message will be printed prior trying to reboot via the usual way.
-
- This option is needed on Turris MOX as a workaround to a HW bug which causes reset to
- sometime hang the board.
-
-- A3720_DB_PM_WAKEUP_SRC
-
- For Armada 3720 Develpment Board only, when ``A3720_DB_PM_WAKEUP_SRC=1``,
- TF-A will setup PM wake up src configuration. This option is disabled by default.
-
- MARVELL_SECURE_BOOT
Build trusted(=1)/non trusted(=0) image, default is non trusted.
-
-- BLE_PATH
-
- Points to BLE (Binary ROM extension) sources folder.
- Only required for A7K/8K/CN913x builds.
- The parameter is optional, its default value is ``plat/marvell/armada/a8k/common/ble``.
+ This parameter is used only for ``mrvl_flash`` and ``mrvl_uart`` targets.
- MV_DDR_PATH
- For A7K/8K/CN913x, use this parameter to point to mv_ddr driver sources to allow BLE build. For A37x0,
- it is used for ddr_tool build.
+ This parameter is required for ``mrvl_flash`` and ``mrvl_uart`` targets.
+ For A7K/8K/CN913x it is used for BLE build and for Armada37x0 it used
+ for ddr_tool build.
- Usage example: MV_DDR_PATH=path/to/mv_ddr
+ Specify path to the full checkout of Marvell mv-ddr-marvell git
+ repository. Checkout must contain also .git subdirectory because
+ mv-ddr build process calls git commands.
- The parameter is optional for A7K/8K/CN913x, when this parameter is not set, the mv_ddr
- sources are expected to be located at: drivers/marvell/mv_ddr. However, the parameter
- is necessary for A37x0.
+ Do not remove any parts of git checkout becuase build process and other
+ applications need them for correct building and version determination.
- For the mv_ddr source location, check the section "Tools and external components installation"
- If MV_DDR_PATH source code is a git snapshot then provide path to the full git
- repository (including .git subdir) because mv_ddr build process calls git commands.
+CN913x specific build options:
- CP_NUM
@@ -151,9 +129,89 @@ There are several build options:
family (PLAT=t9130), which can have external CPs connected to the MCI ports. Valid
values with CP_NUM are in a range of 1 to 3.
+
+A7K/8K/CN913x specific build options:
+
+- BLE_PATH
+
+ Points to BLE (Binary ROM extension) sources folder.
+ The parameter is optional, its default value is ``plat/marvell/armada/a8k/common/ble``
+ which uses TF-A in-tree BLE implementation.
+
+- MSS_SUPPORT
+
+ When ``MSS_SUPPORT=1``, then TF-A includes support for Management SubSystem (MSS).
+ When enabled it is required to specify path to the MSS firmware image via ``SCP_BL2``
+ option.
+
+ This option is by default enabled.
+
+- SCP_BL2
+
+ Specify path to the MSS fimware image binary which will run on Cortex-M3 coprocessor.
+ It is available in Marvell binaries-marvell git repository. Required when ``MSS_SUPPORT=1``.
+
+Globalscale MOCHAbin specific build options:
+
+- DDR_TOPOLOGY
+
+ The DDR topology map index/name, default is 0.
+
+ Supported Options:
+ - 0 - DDR4 1CS 2GB
+ - 1 - DDR4 1CS 4GB
+ - 2 - DDR4 2CS 8GB
+
+Armada37x0 specific build options:
+
+- HANDLE_EA_EL3_FIRST
+
+ When ``HANDLE_EA_EL3_FIRST=1``, External Aborts and SError Interrupts will be always trapped
+ in TF-A. TF-A in this case enables dirty hack / workaround for a bug found in U-Boot and
+ Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks SError interrupt
+ caused by AXI SLVERR on external access (syndrome 0xbf000002).
+
+ Otherwise when ``HANDLE_EA_EL3_FIRST=0``, these exceptions will be trapped in the current
+ exception level (or in EL1 if the current exception level is EL0). So exceptions caused by
+ U-Boot will be trapped in U-Boot, exceptions caused by Linux kernel (or user applications)
+ will be trapped in Linux kernel.
+
+ Mentioned bug in pci-aardvark.c driver is fixed in U-Boot version v2021.07 and Linux kernel
+ version v5.13 (workarounded since Linux kernel version 5.9) and also backported in Linux
+ kernel stable releases since versions v5.12.13, v5.10.46, v5.4.128, v4.19.198, v4.14.240.
+
+ If target system has already patched version of U-Boot and Linux kernel then it is strongly
+ recommended to not enable this workaround as it disallows propagating of all External Aborts
+ to running Linux kernel and makes correctable errors as fatal aborts.
+
+ This option is now disabled by default. In past this option was enabled by default in
+ TF-A versions v2.2, v2.3, v2.4 and v2.5.
+
+- CM3_SYSTEM_RESET
+
+ When ``CM3_SYSTEM_RESET=1``, the Cortex-M3 secure coprocessor will be used for system reset.
+
+ TF-A will send command 0x0009 with a magic value via the rWTM mailbox interface to the
+ Cortex-M3 secure coprocessor.
+ The firmware running in the coprocessor must either implement this functionality or
+ ignore the 0x0009 command (which is true for the firmware from A3700-utils-marvell
+ repository). If this option is enabled but the firmware does not support this command,
+ an error message will be printed prior trying to reboot via the usual way.
+
+ This option is needed on Turris MOX as a workaround to a HW bug which causes reset to
+ sometime hang the board.
+
+- A3720_DB_PM_WAKEUP_SRC
+
+ For Armada 3720 Development Board only, when ``A3720_DB_PM_WAKEUP_SRC=1``,
+ TF-A will setup PM wake up src configuration. This option is disabled by default.
+
+
+Armada37x0 specific build options for ``mrvl_flash`` and ``mrvl_uart`` targets:
+
- DDR_TOPOLOGY
- For Armada37x0 only, the DDR topology map index/name, default is 0.
+ The DDR topology map index/name, default is 0.
Supported Options:
- 0 - DDR3 1CS 512MB (DB-88F3720-DDR3-Modular, EspressoBin V3-V5)
@@ -168,7 +226,7 @@ There are several build options:
- CLOCKSPRESET
- For Armada37x0 only, the clock tree configuration preset including CPU and DDR frequency,
+ The clock tree configuration preset including CPU and DDR frequency,
default is CPU_800_DDR_800.
- CPU_600_DDR_600 - CPU at 600 MHz, DDR at 600 MHz
@@ -185,7 +243,7 @@ There are several build options:
- BOOTDEV
- For Armada37x0 only, the flash boot device, default is ``SPINOR``.
+ The flash boot device, default is ``SPINOR``.
Currently, Armada37x0 only supports ``SPINOR``, ``SPINAND``, ``EMMCNORM`` and ``SATA``:
@@ -204,7 +262,7 @@ There are several build options:
- PARTNUM
- For Armada37x0 only, the boot partition number, default is 0.
+ The boot partition number, default is 0.
To boot from eMMC, the value should be aligned with the parameter in
U-Boot with name of ``CONFIG_SYS_MMC_ENV_PART``, whose value by default is
@@ -213,7 +271,7 @@ There are several build options:
- WTMI_IMG
- For Armada37x0 only, the path of the binary can point to an image which
+ The path of the binary can point to an image which
does nothing, an image which supports EFUSE or a customized CM3 firmware
binary. The default image is ``fuse.bin`` that built from sources in WTP
folder, which is the next option. If the default image is OK, then this
@@ -236,16 +294,19 @@ There are several build options:
- WTP
- For Armada37x0 only, use this parameter to point to wtptools source code
- directory, which can be found as a3700_utils.zip in the release. Usage
- example: ``WTP=/path/to/a3700_utils``
+ Specify path to the full checkout of Marvell A3700-utils-marvell git
+ repository. Checkout must contain also .git subdirectory because WTP
+ build process calls git commands.
+
+ WTP build process uses also Marvell mv-ddr-marvell git repository
+ specified in MV_DDR_PATH option.
- If WTP source code is a git snapshot then provide path to the full git
- repository (including .git subdir) because WTP build process calls git commands.
+ Do not remove any parts of git checkout becuase build process and other
+ applications need them for correct building and version determination.
- CRYPTOPP_PATH
- For Armada37x0 only, use this parameter to point to Crypto++ source code
+ Use this parameter to point to Crypto++ source code
directory. If this option is specified then Crypto++ source code in
CRYPTOPP_PATH directory will be automatically compiled. Crypto++ library
is required for building WTP image tool. Either CRYPTOPP_PATH or
@@ -253,12 +314,12 @@ There are several build options:
- CRYPTOPP_LIBDIR
- For Armada37x0 only, use this parameter to point to the directory with
+ Use this parameter to point to the directory with
compiled Crypto++ library. By default it points to the CRYPTOPP_PATH.
- CRYPTOPP_INCDIR
- For Armada37x0 only, use this parameter to point to the directory with
+ Use this parameter to point to the directory with
header files of Crypto++ library. By default it points to the CRYPTOPP_PATH.
@@ -354,8 +415,8 @@ produce ``uart-images.tgz.bin`` file.
Tools and external components installation
------------------------------------------
-Armada37x0 Builds require installation of 3 components
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Armada37x0 Builds require installation of additional components
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(1) ARM cross compiler capable of building images for the service CPU (CM3).
This component is usually included in the Linux host packages.
@@ -388,10 +449,19 @@ Armada37x0 Builds require installation of 3 components
https://github.com/weidai11/cryptopp.git
-Armada70x0 and Armada80x0 Builds require installation of an additional component
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(5) Optional CZ.NIC's Armada 3720 Secure Firmware:
+
+ https://gitlab.nic.cz/turris/mox-boot-builder.git
+
+Armada70x0, Armada80x0 and CN913x Builds require installation of additional components
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(1) DDR initialization library sources (mv_ddr) available at the following repository
(use the "master" branch):
https://github.com/MarvellEmbeddedProcessors/mv-ddr-marvell.git
+
+(2) MSS Management SubSystem Firmware available at the following repository
+ (use the "binaries-marvell-armada-SDK10.0.1.0" branch):
+
+ https://github.com/MarvellEmbeddedProcessors/binaries-marvell.git
diff --git a/docs/plat/nvidia-tegra.rst b/docs/plat/nvidia-tegra.rst
index 02ff38b..391c7c8 100644
--- a/docs/plat/nvidia-tegra.rst
+++ b/docs/plat/nvidia-tegra.rst
@@ -19,7 +19,7 @@ The NVIDIA® Parker (T186) series system-on-chip (SoC) delivers a heterogeneous
multi-processing (HMP) solution designed to optimize performance and
efficiency.
-T186 has Dual NVIDIA Denver 2 ARM® CPU cores, plus Quad ARM Cortex®-A57 cores,
+T186 has Dual NVIDIA Denver2 ARM® CPU cores, plus Quad ARM Cortex®-A57 cores,
in a coherent multiprocessor configuration. The Denver 2 and Cortex-A57 cores
support ARMv8, executing both 64-bit Aarch64 code, and 32-bit Aarch32 code
including legacy ARMv7 applications. The Denver 2 processors each have 128 KB
@@ -29,20 +29,6 @@ Data Level 1 caches; and also have a 2 MB shared Level 2 unified cache. A
high speed coherency fabric connects these two processor complexes and allows
heterogeneous multi-processing with all six cores if required.
-- .. rubric:: T210
- :name: t210
-
-T210 has Quad Arm® Cortex®-A57 cores in a switched configuration with a
-companion set of quad Arm Cortex-A53 cores. The Cortex-A57 and A53 cores
-support Armv8-A, executing both 64-bit Aarch64 code, and 32-bit Aarch32 code
-including legacy Armv7-A applications. The Cortex-A57 processors each have
-48 KB Instruction and 32 KB Data Level 1 caches; and have a 2 MB shared
-Level 2 unified cache. The Cortex-A53 processors each have 32 KB Instruction
-and 32 KB Data Level 1 caches; and have a 512 KB shared Level 2 unified cache.
-
-- .. rubric:: T132
- :name: t132
-
Denver is NVIDIA's own custom-designed, 64-bit, dual-core CPU which is
fully Armv8-A architecture compatible. Each of the two Denver cores
implements a 7-way superscalar microarchitecture (up to 7 concurrent
@@ -68,6 +54,17 @@ Denver also features new low latency power-state transitions, in addition
to extensive power-gating and dynamic voltage and clock scaling based on
workloads.
+- .. rubric:: T210
+ :name: t210
+
+T210 has Quad Arm® Cortex®-A57 cores in a switched configuration with a
+companion set of quad Arm Cortex-A53 cores. The Cortex-A57 and A53 cores
+support Armv8-A, executing both 64-bit Aarch64 code, and 32-bit Aarch32 code
+including legacy Armv7-A applications. The Cortex-A57 processors each have
+48 KB Instruction and 32 KB Data Level 1 caches; and have a 2 MB shared
+Level 2 unified cache. The Cortex-A53 processors each have 32 KB Instruction
+and 32 KB Data Level 1 caches; and have a 512 KB shared Level 2 unified cache.
+
Directory structure
-------------------
@@ -89,7 +86,6 @@ their dispatchers in the image without changing any makefiles.
These are the supported Trusted OS' by Tegra platforms.
-- Tegra132: TLK
- Tegra210: TLK and Trusty
- Tegra186: Trusty
- Tegra194: Trusty
@@ -110,7 +106,7 @@ Preparing the BL31 image to run on Tegra SoCs
.. code:: shell
CROSS_COMPILE=<path-to-aarch64-gcc>/bin/aarch64-none-elf- make PLAT=tegra \
- TARGET_SOC=<target-soc e.g. t194|t186|t210|t132> SPD=<dispatcher e.g. trusty|tlkd>
+ TARGET_SOC=<target-soc e.g. t194|t186|t210> SPD=<dispatcher e.g. trusty|tlkd>
bl31
Platforms wanting to use different TZDRAM\_BASE, can add ``TZDRAM_BASE=<value>``
diff --git a/docs/plat/nxp/index.rst b/docs/plat/nxp/index.rst
new file mode 100644
index 0000000..8546887
--- /dev/null
+++ b/docs/plat/nxp/index.rst
@@ -0,0 +1,17 @@
+NXP Reference Development Platforms
+===================================
+
+.. toctree::
+ :maxdepth: 1
+ :caption: Contents
+
+ nxp-layerscape
+ nxp-ls-fuse-prov
+ nxp-ls-tbbr
+
+This chapter holds documentation related to NXP reference development platforms.
+It includes details on image flashing, fuse provisioning and trusted board boot-up.
+
+--------------
+
+*Copyright (c) 2021, NXP Limited. All rights reserved.*
diff --git a/docs/plat/nxp/nxp-layerscape.rst b/docs/plat/nxp/nxp-layerscape.rst
new file mode 100644
index 0000000..9a470e6
--- /dev/null
+++ b/docs/plat/nxp/nxp-layerscape.rst
@@ -0,0 +1,301 @@
+NXP SoCs - Overview
+=====================
+.. section-numbering::
+ :suffix: .
+
+The QorIQ family of ARM based SoCs that are supported on TF-A are:
+
+1. LX2160A
+
+- SoC Overview:
+
+The LX2160A multicore processor, the highest-performance member of the
+Layerscape family, combines FinFET process technology's low power and
+sixteen Arm® Cortex®-A72 cores with datapath acceleration optimized for
+L2/3 packet processing, together with security offload, robust traffic
+management and quality of service.
+
+Details about LX2160A can be found at `lx2160a`_.
+
+- LX2160ARDB Board:
+
+The LX2160A reference design board provides a comprehensive platform
+that enables design and evaluation of the LX2160A or LX2162A processors. It
+comes preloaded with a board support package (BSP) based on a standard Linux
+kernel.
+
+Board details can be fetched from the link: `lx2160ardb`_.
+
+2. LS1028A
+
+- SoC Overview:
+
+The Layerscape LS1028A applications processor for industrial and
+automotive includes a time-sensitive networking (TSN) -enabled Ethernet
+switch and Ethernet controllers to support converged IT and OT networks.
+Two powerful 64-bit Arm®v8 cores support real-time processing for
+industrial control and virtual machines for edge computing in the IoT.
+The integrated GPU and LCD controller enable Human-Machine Interface
+(HMI) systems with next-generation interfaces.
+
+Details about LS1028A can be found at `ls1028a`_.
+
+- LS1028ARDB Boards:
+
+The LS1028A reference design board (RDB) is a computing, evaluation,
+and development platform that supports industrial IoT applications, human
+machine interface solutions, and industrial networking.
+
+Details about LS1028A RDB board can be found at `ls1028ardb`_.
+
+Table of supported boot-modes by each platform & platform that needs FIP-DDR:
+-----------------------------------------------------------------------------
+
++---------------------+---------------------------------------------------------------------+-----------------+
+| | BOOT_MODE | |
+| PLAT +-------+--------+-------+-------+-------+-------------+--------------+ fip_ddr_needed |
+| | sd | qspi | nor | nand | emmc | flexspi_nor | flexspi_nand | |
++=====================+=======+========+=======+=======+=======+=============+==============+=================+
+| lx2160ardb | yes | | | | yes | yes | | yes |
++---------------------+-------+--------+-------+-------+-------+-------------+--------------+-----------------+
+| ls1028ardb | yes | | | | yes | yes | | no |
++---------------------+-------+--------+-------+-------+-------+-------------+--------------+-----------------+
+
+
+Boot Sequence
+-------------
+::
+
++ Secure World | Normal World
++ EL0 |
++ |
++ EL1 BL32(Tee OS) | kernel
++ ^ | | ^
++ | | | |
++ EL2 | | | BL33(u-boot)
++ | | | ^
++ | v | /
++ EL3 BootROM --> BL2 --> BL31 ---------------/
++
+
+Boot Sequence with FIP-DDR
+--------------------------
+::
+
++ Secure World | Normal World
++ EL0 |
++ |
++ EL1 fip-ddr BL32(Tee OS) | kernel
++ ^ | ^ | | ^
++ | | | | | |
++ EL2 | | | | | BL33(u-boot)
++ | | | | | ^
++ | v | v | /
++ EL3 BootROM --> BL2 -----> BL31 ---------------/
++
+
+DDR Memory Layout
+--------------------------
+
+NXP Platforms divide DRAM into banks:
+
+- DRAM0 Bank: Maximum size of this bank is fixed to 2GB, DRAM0 size is defined in platform_def.h if it is less than 2GB.
+
+- DRAM1 ~ DRAMn Bank: Greater than 2GB belongs to DRAM1 and following banks, and size of DRAMn Bank varies for one platform to others.
+
+The following diagram is default DRAM0 memory layout in which secure memory is at top of DRAM0.
+
+::
+
+ high +---------------------------------------------+
+ | |
+ | Secure EL1 Payload Shared Memory (2 MB) |
+ | |
+ +---------------------------------------------+
+ | |
+ | Secure Memory (64 MB) |
+ | |
+ +---------------------------------------------+
+ | |
+ | Non Secure Memory |
+ | |
+ low +---------------------------------------------+
+
+How to build
+=============
+
+Code Locations
+--------------
+
+- OP-TEE:
+ `link <https://source.codeaurora.org/external/qoriq/qoriq-components/optee_os>`__
+
+- U-Boot:
+ `link <https://source.codeaurora.org/external/qoriq/qoriq-components/u-boot>`__
+
+- RCW:
+ `link <https://source.codeaurora.org/external/qoriq/qoriq-components/rcw>`__
+
+- ddr-phy-binary: Required by platforms that need fip-ddr.
+ `link <https:://github.com/NXP/ddr-phy-binary>`__
+
+- cst: Required for TBBR.
+ `link <https:://source.codeaurora.org/external/qoriq/qoriq-components/cst>`__
+
+Build Procedure
+---------------
+
+- Fetch all the above repositories into local host.
+
+- Prepare AARCH64 toolchain and set the environment variable "CROSS_COMPILE".
+
+ .. code:: shell
+
+ export CROSS_COMPILE=.../bin/aarch64-linux-gnu-
+
+- Build RCW. Refer README from the respective cloned folder for more details.
+
+- Build u-boot and OPTee firstly, and get binary images: u-boot.bin and tee.bin.
+ For u-boot you can use the <platform>_tfa_defconfig for build.
+
+- Copy/clone the repo "ddr-phy-binary" to the tfa directory for platform needing ddr-fip.
+
+- Below are the steps to build TF-A images for the supported platforms.
+
+Compilation steps without BL32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BUILD BL2:
+
+-To compile
+ .. code:: shell
+
+ make PLAT=$PLAT \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ pbl
+
+BUILD FIP:
+
+ .. code:: shell
+
+ make PLAT=$PLAT \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL33=$UBOOT_SECURE_BIN \
+ pbl \
+ fip
+
+Compilation steps with BL32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BUILD BL2:
+
+-To compile
+ .. code:: shell
+
+ make PLAT=$PLAT \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ pbl
+
+BUILD FIP:
+
+ .. code:: shell
+
+ make PLAT=$PLAT \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ BL33=$UBOOT_SECURE_BIN \
+ pbl \
+ fip
+
+
+BUILD fip-ddr (Mandatory for certain platforms, refer table above):
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-To compile additional fip-ddr for selected platforms(Refer above table if the platform needs fip-ddr).
+ .. code:: shell
+
+ make PLAT=<platform_name> fip-ddr
+
+
+Deploy ATF Images
+=================
+
+Note: The size in the standard uboot commands for copy to nor, qspi, nand or sd
+should be modified based on the binary size of the image to be copied.
+
+- Deploy ATF images on flexspi-Nor flash Alt Bank from U-Boot prompt.
+ -- Commands to flash images for bl2_xxx.pbl and fip.bin.
+
+ .. code:: shell
+
+ tftp 82000000 $path/bl2_flexspi_nor.pbl;
+ i2c mw 66 50 20;sf probe 0:0; sf erase 0 +$filesize; sf write 0x82000000 0x0 $filesize;
+
+ tftp 82000000 $path/fip.bin;
+ i2c mw 66 50 20;sf probe 0:0; sf erase 0x100000 +$filesize; sf write 0x82000000 0x100000 $filesize;
+
+ -- Next step is valid for platform where FIP-DDR is needed.
+
+ .. code:: shell
+
+ tftp 82000000 $path/ddr_fip.bin;
+ i2c mw 66 50 20;sf probe 0:0; sf erase 0x800000 +$filesize; sf write 0x82000000 0x800000 $filesize;
+
+ -- Then reset to alternate bank to boot up ATF.
+
+ .. code:: shell
+
+ qixisreset altbank;
+
+- Deploy ATF images on SD/eMMC from U-Boot prompt.
+ -- file_size_in_block_sizeof_512 = (Size_of_bytes_tftp / 512)
+
+ .. code:: shell
+
+ mmc dev <idx>; (idx = 1 for eMMC; idx = 0 for SD)
+
+ tftp 82000000 $path/bl2_<sd>_or_<emmc>.pbl;
+ mmc write 82000000 8 <file_size_in_block_sizeof_512>;
+
+ tftp 82000000 $path/fip.bin;
+ mmc write 82000000 0x800 <file_size_in_block_sizeof_512>;
+
+ -- Next step is valid for platform that needs FIP-DDR.
+
+ .. code:: shell
+
+ tftp 82000000 $path/ddr_fip.bin;
+ mmc write 82000000 0x4000 <file_size_in_block_sizeof_512>;
+
+ -- Then reset to sd/emmc to boot up ATF from sd/emmc as boot-source.
+
+ .. code:: shell
+
+ qixisreset <sd or emmc>;
+
+Trusted Board Boot:
+===================
+
+For TBBR, the binary name changes:
+
++-------------+--------------------------+---------+-------------------+
+| Boot Type | BL2 | FIP | FIP-DDR |
++=============+==========================+=========+===================+
+| Normal Boot | bl2_<boot_mode>.pbl | fip.bin | ddr_fip.bin |
++-------------+--------------------------+---------+-------------------+
+| TBBR Boot | bl2_<boot_mode>_sec.pbl | fip.bin | ddr_fip_sec.bin |
++-------------+--------------------------+---------+-------------------+
+
+Refer `nxp-ls-tbbr.rst`_ for detailed user steps.
+
+
+.. _lx2160a: https://www.nxp.com/products/processors-and-microcontrollers/arm-processors/layerscape-processors/layerscape-lx2160a-lx2120a-lx2080a-processors:LX2160A
+.. _lx2160ardb: https://www.nxp.com/products/processors-and-microcontrollers/arm-processors/layerscape-communication-process/layerscape-lx2160a-multicore-communications-processor:LX2160A
+.. _ls1028a: https://www.nxp.com/products/processors-and-microcontrollers/arm-processors/layerscape-processors/layerscape-1028a-applications-processor:LS1028A
+.. _ls1028ardb: https://www.nxp.com/design/qoriq-developer-resources/layerscape-ls1028a-reference-design-board:LS1028ARDB
+.. _nxp-ls-tbbr.rst: ./nxp-ls-tbbr.rst
diff --git a/docs/plat/nxp/nxp-ls-fuse-prov.rst b/docs/plat/nxp/nxp-ls-fuse-prov.rst
new file mode 100644
index 0000000..64e1c6f
--- /dev/null
+++ b/docs/plat/nxp/nxp-ls-fuse-prov.rst
@@ -0,0 +1,271 @@
+
+Steps to blow fuses on NXP LS SoC:
+==================================
+
+
+- Enable POVDD
+ -- Refer board GSG(Getting Started Guide) for the steps to enable POVDD.
+ -- Once the POVDD is enabled, make sure to set variable POVDD_ENABLE := yes, in the platform.mk.
+
++---+-----------------+-----------+------------+-----------------+-----------------------------+
+| | Platform | Jumper | Switch | LED to Verify | Through GPIO Pin (=number) |
++===+=================+===========+============+=================+=============================+
+| 1.| lx2160ardb | J9 | | | no |
++---+-----------------+-----------+------------+-----------------+-----------------------------+
+| 2.| lx2160aqds | J35 | | | no |
++---+-----------------+-----------+------------+-----------------+-----------------------------+
+| 3.| lx2162aqds | J35 | SW9[4] = 1 | D15 | no |
++---+-----------------+-----------+------------+-----------------+-----------------------------+
+
+- SFP registers to be written to:
+
++---+----------------------------------+----------------------+----------------------+
+| | Platform | OTPMKR0..OTPMKR7 | SRKHR0..SRKHR7 |
++===+==================================+======================+======================+
+| 1.| lx2160ardb/lx2160aqds/lx2162aqds | 0x1e80234..0x1e80250 | 0x1e80254..0x1e80270 |
++---+----------------------------------+----------------------+----------------------+
+
+- At U-Boot prompt, verify that SNVS register - HPSR, whether OTPMK was written, already:
+
++---+----------------------------------+-------------------------------------------+---------------+
+| | Platform | OTPMK_ZERO_BIT(=value) | SNVS_HPSR_REG |
++===+==================================+===========================================+===============+
+| 1.| lx2160ardb/lx2160aqds/lx2162aqds | 27 (= 1 means not blown, =0 means blown) | 0x01E90014 |
++---+----------------------------------+-------------------------------------------+---------------+
+
+From u-boot prompt:
+
+ -- Check for the OTPMK.
+ .. code:: shell
+
+ md $SNVS_HPSR_REG
+
+ Command Output:
+ 01e90014: 88000900
+
+ In case it is read as 00000000, then read this register using jtag (in development mode only through CW tap).
+ +0 +4 +8 +C
+ [0x01E90014] 88000900
+
+ Note: OTPMK_ZERO_BIT is 1, indicating that the OTPMK is not blown.
+
+ -- Check for the SRK Hash.
+ .. code:: shell
+
+ md $SRKHR0 0x10
+
+ Command Output:
+ 01e80254: 00000000 00000000 00000000 00000000 ................
+ 01e80264: 00000000 00000000 00000000 00000000 ................
+
+ Note: Zero means that SRK hash is not blown.
+
+- If not blown, then from the U-Boot prompt, using following commands:
+ -- Provision the OTPMK.
+
+ .. code:: shell
+
+ mw.l $OTPMKR0 <OTMPKR_0_32Bit_val>
+ mw.l $OTPMKR1 <OTMPKR_1_32Bit_val>
+ mw.l $OTPMKR2 <OTMPKR_2_32Bit_val>
+ mw.l $OTPMKR3 <OTMPKR_3_32Bit_val>
+ mw.l $OTPMKR4 <OTMPKR_4_32Bit_val>
+ mw.l $OTPMKR5 <OTMPKR_5_32Bit_val>
+ mw.l $OTPMKR6 <OTMPKR_6_32Bit_val>
+ mw.l $OTPMKR7 <OTMPKR_7_32Bit_val>
+
+ -- Provision the SRK Hash.
+
+ .. code:: shell
+
+ mw.l $SRKHR0 <SRKHR_0_32Bit_val>
+ mw.l $SRKHR1 <SRKHR_1_32Bit_val>
+ mw.l $SRKHR2 <SRKHR_2_32Bit_val>
+ mw.l $SRKHR3 <SRKHR_3_32Bit_val>
+ mw.l $SRKHR4 <SRKHR_4_32Bit_val>
+ mw.l $SRKHR5 <SRKHR_5_32Bit_val>
+ mw.l $SRKHR6 <SRKHR_6_32Bit_val>
+ mw.l $SRKHR7 <SRKHR_7_32Bit_val>
+
+ Note: SRK Hash should be carefully written keeping in mind the SFP Block Endianness.
+
+- At U-Boot prompt, verify that SNVS registers for OTPMK are correctly written:
+
+ -- Check for the OTPMK.
+ .. code:: shell
+
+ md $SNVS_HPSR_REG
+
+ Command Output:
+ 01e90014: 80000900
+
+ OTPMK_ZERO_BIT is zero, indicating that the OTPMK is blown.
+
+ Note: In case it is read as 00000000, then read this register using jtag (in development mode only through CW tap).
+
+ .. code:: shell
+
+ md $OTPMKR0 0x10
+
+ Command Output:
+ 01e80234: ffffffff ffffffff ffffffff ffffffff ................
+ 01e80244: ffffffff ffffffff ffffffff ffffffff ................
+
+ Note: OTPMK will never be visible in plain.
+
+ -- Check for the SRK Hash. For example, if following SRK hash is written:
+
+ SFP SRKHR0 = fdc2fed4
+ SFP SRKHR1 = 317f569e
+ SFP SRKHR2 = 1828425c
+ SFP SRKHR3 = e87b5cfd
+ SFP SRKHR4 = 34beab8f
+ SFP SRKHR5 = df792a70
+ SFP SRKHR6 = 2dff85e1
+ SFP SRKHR7 = 32a29687,
+
+ then following would be the value on dumping SRK hash.
+
+ .. code:: shell
+
+ md $SRKHR0 0x10
+
+ Command Output:
+ 01e80254: d4fec2fd 9e567f31 5c422818 fd5c7be8 ....1.V..(B\.{\.
+ 01e80264: 8fabbe34 702a79df e185ff2d 8796a232 4....y*p-...2...
+
+ Note: SRK Hash is visible in plain based on the SFP Block Endianness.
+
+- Caution: Donot proceed to the next step, until you are sure that OTPMK and SRKH are correctly blown from above steps.
+ -- After the next step, there is no turning back.
+ -- Fuses will be burnt, which cannot be undo.
+
+- Write SFP_INGR[INST] with the PROGFB(0x2) instruction to blow the fuses.
+ -- User need to save the SRK key pair and OTPMK Key forever, to continue using this board.
+
++---+----------------------------------+-------------------------------------------+-----------+
+| | Platform | SFP_INGR_REG | SFP_WRITE_DATE_FRM_MIRROR_REG_TO_FUSE |
++===+==================================+=======================================================+
+| 1.| lx2160ardb/lx2160aqds/lx2162aqds | 0x01E80020 | 0x2 |
++---+----------------------------------+--------------+----------------------------------------+
+
+ .. code:: shell
+
+ md $SFP_INGR_REG $SFP_WRITE_DATE_FRM_MIRROR_REG_TO_FUSE
+
+- On reset, if the SFP register were read from u-boot, it will show the following:
+ -- Check for the OTPMK.
+
+ .. code:: shell
+
+ md $SNVS_HPSR_REG
+
+ Command Output:
+ 01e90014: 80000900
+
+ In case it is read as 00000000, then read this register using jtag (in development mode only through CW tap).
+ +0 +4 +8 +C
+ [0x01E90014] 80000900
+
+ Note: OTPMK_ZERO_BIT is zero, indicating that the OTPMK is blown.
+
+ .. code:: shell
+
+ md $OTPMKR0 0x10
+
+ Command Output:
+ 01e80234: ffffffff ffffffff ffffffff ffffffff ................
+ 01e80244: ffffffff ffffffff ffffffff ffffffff ................
+
+ Note: OTPMK will never be visible in plain.
+
+ -- SRK Hash
+
+ .. code:: shell
+
+ md $SRKHR0 0x10
+
+ Command Output:
+ 01e80254: d4fec2fd 9e567f31 5c422818 fd5c7be8 ....1.V..(B\.{\.
+ 01e80264: 8fabbe34 702a79df e185ff2d 8796a232 4....y*p-...2...
+
+ Note: SRK Hash is visible in plain based on the SFP Block Endianness.
+
+Second method to do the fuse provsioning:
+=========================================
+
+This method is used for quick way to provision fuses.
+Typically used by those who needs to provision number of boards.
+
+- Enable POVDD:
+ -- Refer the table above to enable POVDD.
+
+ Note: If GPIO Pin supports enabling POVDD, it can be done through the below input_fuse_file.
+
+ -- Once the POVDD is enabled, make sure to set variable POVDD_ENABLE := yes, in the platform.mk.
+
+- User need to populate the "input_fuse_file", corresponding to the platform for:
+
+ -- OTPMK
+ -- SRKH
+
+ Table of fuse provisioning input file for every supported platform:
+
++---+----------------------------------+-----------------------------------------------------------------+
+| | Platform | FUSE_PROV_FILE |
++===+==================================+=================================================================+
+| 1.| lx2160ardb/lx2160aqds/lx2162aqds | ${CST_DIR}/input_files/gen_fusescr/ls2088_1088/input_fuse_file |
++---+----------------------------------+--------------+--------------------------------------------------+
+
+- Create the TF-A binary with FUSE_PROG=1.
+
+ .. code:: shell
+
+ make PLAT=$PLAT FUSE_PROG=1\
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ BL33=$UBOOT_SECURE_BIN \
+ pbl \
+ fip \
+ fip_fuse \
+ FUSE_PROV_FILE=../../apps/security/cst/input_files/gen_fusescr/ls2088_1088/input_fuse_file
+
+- Deployment:
+ -- Refer the nxp-layerscape.rst for deploying TF-A images.
+ -- Deploying fip_fuse.bin:
+
+ For Flexspi-Nor:
+
+ .. code:: shell
+
+ tftp 82000000 $path/fuse_fip.bin;
+ i2c mw 66 50 20;sf probe 0:0; sf erase 0x880000 +$filesize; sf write 0x82000000 0x880000 $filesize;
+
+ For SD or eMMC [file_size_in_block_sizeof_512 = (Size_of_bytes_tftp / 512)]:
+
+ .. code:: shell
+
+ tftp 82000000 $path/fuse_fip.bin;
+ mmc write 82000000 0x4408 <file_size_in_block_sizeof_512>;
+
+- Valiation:
+
++---+----------------------------------+---------------------------------------------------+
+| | Platform | Error_Register | Error_Register_Address |
++===+==================================+===================================================+
+| 1.| lx2160ardb/lx2160aqds/lx2162aqds | DCFG scratch 4 register | 0x01EE020C |
++---+----------------------------------+---------------------------------------------------+
+
+ At the U-Boot prompt, check DCFG scratch 4 register for any error.
+
+ .. code:: shell
+
+ md $Error_Register_Address 1
+
+ Command Ouput:
+ 01ee020c: 00000000
+
+ Note:
+ - 0x00000000 shows no error, then fuse provisioning is successful.
+ - For non-zero value, refer the code header file ".../drivers/nxp/sfp/sfp_error_codes.h"
diff --git a/docs/plat/nxp/nxp-ls-tbbr.rst b/docs/plat/nxp/nxp-ls-tbbr.rst
new file mode 100644
index 0000000..43e15f7
--- /dev/null
+++ b/docs/plat/nxp/nxp-ls-tbbr.rst
@@ -0,0 +1,210 @@
+
+--------------
+NXP Platforms:
+--------------
+TRUSTED_BOARD_BOOT option can be enabled by specifying TRUSTED_BOARD_BOOT=1 on command line during make.
+
+
+
+Bare-Minimum Preparation to run TBBR on NXP Platforms:
+=======================================================
+- OTPMK(One Time Programable Key) needs to be burnt in fuses.
+ -- It is the 256 bit key that stores a secret value used by the NXP SEC 4.0 IP in Trusted or Secure mode.
+
+ Note: It is primarily for the purpose of decrypting additional secrets stored in system non-volatile memory.
+
+ -- NXP CST tool gives an option to generate it.
+
+ Use the below command from directory 'cst', with correct options.
+
+ .. code:: shell
+
+ ./gen_otpmk_drbg
+
+- SRKH (Super Root Key Hash) needs to be burnt in fuses.
+ -- It is the 256 bit hash of the list of the public keys of the SRK key pair.
+ -- NXP CST tool gives an option to generate the RSA key pair and its hash.
+
+ Use the below command from directory 'cst', with correct options.
+
+ .. code:: shell
+
+ ./gen_keys
+
+Refer fuse frovisioning readme 'nxp-ls-fuse-prov.rst' for steps to blow these keys.
+
+
+
+Two options are provided for TRUSTED_BOARD_BOOT:
+================================================
+
+-------------------------------------------------------------------------
+Option 1: CoT using X 509 certificates
+-------------------------------------------------------------------------
+
+- This CoT is as provided by ARM.
+
+- To use this option user needs to specify mbedtld dir path in MBEDTLS_DIR.
+
+- To generate CSF header, path of CST repository needs to be specified as CST_DIR
+
+- CSF header is embedded to each of the BL2 image.
+
+- GENERATE_COT=1 adds the tool 'cert_create' to the build environment to generate:
+ -- X509 Certificates as (.crt) files.
+ -- X509 Pem key file as (.pem) files.
+
+- SAVE_KEYS=1 saves the keys and certificates, if GENERATE_COT=1.
+ -- For this to work, file name for cert and keys are provided as part of compilation or build command.
+
+ --- default file names will be used, incase not provided as part compilation or build command.
+ --- default folder 'BUILD_PLAT' will be used to store them.
+
+- ROTPK for x.509 certificates is generated and embedded in bl2.bin and
+ verified as part of CoT by Boot ROM during secure boot.
+
+- Compilation steps:
+
+All Images
+ .. code:: shell
+
+ make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR=$MBEDTLS_PATH CST_DIR=$CST_DIR_PATH \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ BL33=$UBOOT_SECURE_BIN \
+ pbl \
+ fip
+
+Additional FIP_DDR Image (For NXP platforms like lx2160a)
+ .. code:: shell
+
+ make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR=$MBEDTLS_PATH fip_ddr
+
+ Note: make target 'fip_ddr' should never be combine with other make target 'fip', 'pbl' & 'bl2'.
+
+-------------------------------------------------------------------------
+Option 2: CoT using NXP CSF headers.
+-------------------------------------------------------------------------
+
+- This option is automatically selected when TRUSTED_BOARD_BOOT is set but MBEDTLS_DIR path is not specified.
+
+- CSF header is embedded to each of the BL31, BL32 and BL33 image.
+
+- To generate CSF header, path of CST repository needs to be specified as CST_DIR
+
+- Default input files for CSF header generation is added in this repo.
+
+- Default input file requires user to generate RSA key pair named
+ -- srk.pri, and
+ -- srk.pub, and add them in ATF repo.
+ -- These keys can be generated using gen_keys tool of CST.
+
+- To change the input file , user can use the options BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE
+
+- There are 2 paths in secure boot flow :
+ -- Development Mode (sb_en in RCW = 1, SFP->OSPR, ITS = 0)
+
+ --- In this flow , even on ROTPK comparison failure, flow would continue.
+ --- However SNVS is transitioned to non-secure state
+
+ -- Production mode (SFP->OSPR, ITS = 1)
+
+ --- Any failure is fatal failure
+
+- Compilation steps:
+
+All Images
+ .. code:: shell
+
+ make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ BL33=$UBOOT_SECURE_BIN \
+ pbl \
+ fip
+
+Additional FIP_DDR Image (For NXP platforms like lx2160a)
+ .. code:: shell
+
+ make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH fip_ddr
+
+- Compilation Steps with build option for generic image processing filters to prepend CSF header:
+ -- Generic image processing filters to prepend CSF header
+
+ BL32_INPUT_FILE = < file name>
+ BL33_INPUT_FILE = <file name>
+
+ .. code:: shell
+
+ make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH \
+ BOOT_MODE=<platform_supported_boot_mode> \
+ RCW=$RCW_BIN \
+ BL32=$TEE_BIN SPD=opteed\
+ BL33=$UBOOT_SECURE_BIN \
+ BL33_INPUT_FILE = <ip file> \
+ BL32_INPUT_FILE = <ip_file> \
+ BL31_INPUT_FILE = <ip file> \
+ pbl \
+ fip
+
+
+Deploy ATF Images
+=================
+Same steps as mentioned in the readme "nxp-layerscape.rst".
+
+
+
+Verification to check if Secure state is achieved:
+==================================================
+
++---+----------------+-----------------+------------------------+----------------------------------+-------------------------------+
+| | Platform | SNVS_HPSR_REG | SYS_SECURE_BIT(=value) | SYSTEM_SECURE_CONFIG_BIT(=value) | SSM_STATE |
++===+================+=================+========================+==================================+===============================+
+| 1.| lx2160ardb or | 0x01E90014 | 15 | 14-12 | 11-8 |
+| | lx2160aqds or | | ( = 1, BootROM Booted) | ( = 010 means Intent to Secure, | (=1111 means secure boot) |
+| | lx2162aqds | | | ( = 000 Unsecure) | (=1011 means Non-secure Boot) |
++---+----------------+-----------------+------------------------+----------------------------------+-------------------------------+
+
+- Production mode (SFP->OSPR, ITS = 1)
+ -- Linux prompt will successfully come. if the TBBR is successful.
+
+ --- Else, Linux boot will be successful.
+
+ -- For secure-boot status, read SNVS Register $SNVS_HPSR_REG from u-boot prompt:
+
+ .. code:: shell
+
+ md $SNVS_HPSR_REG
+
+ Command Output:
+ 1e90014: 8000AF00
+
+ In case it is read as 00000000, then read this register using jtag (in development mode only through CW tap).
+ +0 +4 +8 +C
+ [0x01E90014] 8000AF00
+
+
+- Development Mode (sb_en in RCW = 1, SFP->OSPR, ITS = 0)
+ -- Refer the SoC specific table to read the register to interpret whether the secure boot is achieved or not.
+ -- Using JTAG (in development environment only, using CW tap):
+
+ --- For secure-boot status, read SNVS Register $SNVS_HPSR_REG
+
+ .. code:: shell
+
+ ccs::display_regs 86 0x01E90014 4 0 1
+
+ Command Output:
+ Using the SAP chain position number 86, following is the output.
+
+ +0 +4 +8 +C
+ [0x01E90014] 8000AF00
+
+ Note: Chain position number will vary from one SoC to other SoC.
+
+- Interpretation of the value:
+
+ -- 0xA indicates BootROM booted, with intent to secure.
+ -- 0xF = secure boot, as SSM_STATE.
diff --git a/docs/plat/qti.rst b/docs/plat/qti.rst
index 814e672..1d483e7 100644
--- a/docs/plat/qti.rst
+++ b/docs/plat/qti.rst
@@ -1,8 +1,8 @@
Qualcomm Technologies, Inc.
===========================
-Trusted Firmware-A (TF-A) implements the EL3 firmware layer for QTI SC7180.
-
+Trusted Firmware-A (TF-A) implements the EL3 firmware layer for QTI SC7180,
+SC7280.
Boot Trace
-------------
@@ -38,4 +38,6 @@ is picked. qtiseclib with stub implementation doesn't boot device. This was
added to satisfy compilation.
QTISELIB for SC7180 is available at
-`link <https://review.coreboot.org/cgit/qc_blobs.git/plain/sc7180/qtiseclib/libqtisec.a>`__
+`link <https://github.com/coreboot/qc_blobs/blob/master/sc7180/qtiseclib/libqtisec.a?raw=true>`__
+QTISELIB for SC7280 is available at
+`link <https://github.com/coreboot/qc_blobs/blob/master/sc7280/qtiseclib/libqtisec.a?raw=true>`__
diff --git a/docs/plat/stm32mp1.rst b/docs/plat/stm32mp1.rst
index 0ef2923..af302c6 100644
--- a/docs/plat/stm32mp1.rst
+++ b/docs/plat/stm32mp1.rst
@@ -37,6 +37,17 @@ The TF-A image must be properly formatted with a STM32 header structure
for ROM code is able to load this image.
Tool stm32image can be used to prepend this header to the generated TF-A binary.
+Boot with FIP
+~~~~~~~~~~~~~
+The use of FIP is now the recommended way to boot STM32MP1 platform.
+Only BL2 (with STM32 header) is loaded by ROM code. The other binaries are
+inside the FIP binary: BL32 (SP_min or OP-TEE), U-Boot and their respective
+device tree blobs.
+
+STM32IMAGE bootchain
+~~~~~~~~~~~~~~~~~~~~
+Although still supported, this way of booting is not recommended.
+Pease use FIP instead.
At compilation step, BL2, BL32 and DTB file are linked together in a single
binary. The stm32image tool is also generated and the header is added to TF-A
binary. This binary file with header is named tf-a-stm32mp157c-ev1.stm32.
@@ -55,15 +66,17 @@ Memory mapping
| ... |
| |
0x2FFC0000 +-----------------+ \
- | | |
+ | BL32 DTB | |
+ 0x2FFC5000 +-----------------+ |
+ | BL32 | |
+ 0x2FFDF000 +-----------------+ |
| ... | |
- | | |
- 0x2FFD8000 +-----------------+ |
- | TF-A DTB | | Embedded SRAM
- 0x2FFDC000 +-----------------+ |
+ 0x2FFE3000 +-----------------+ |
+ | BL2 DTB | | Embedded SRAM
+ 0x2FFEA000 +-----------------+ |
| BL2 | |
- 0x2FFEF000 +-----------------+ |
- | BL32 | |
+ 0x2FFFF000 +-----------------+ |
+ | SCMI mailbox | |
0x30000000 +-----------------+ /
| |
| ... |
@@ -102,23 +115,111 @@ Available storage medias are:
- ``STM32MP_SPI_NAND``
- ``STM32MP_SPI_NOR``
-To build with SP_min and support for all bootable devices:
+Boot with FIP
+~~~~~~~~~~~~~
+You need to build BL2, BL32 (SP_min or OP-TEE) and BL33 (U-Boot) before building FIP binary.
+
+U-Boot
+______
+
+.. code:: bash
+
+ cd <u-boot_directory>
+ make stm32mp15_trusted_defconfig
+ make DEVICE_TREE=stm32mp157c-ev1 all
+
+OP-TEE (optional)
+_________________
+
+.. code:: bash
+
+ cd <optee_directory>
+ make CROSS_COMPILE=arm-linux-gnueabihf- ARCH=arm PLATFORM=stm32mp1 \
+ CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts
+
+
+TF-A BL32 (SP_min)
+__________________
+If you choose not to use OP-TEE, you can use TF-A SP_min.
+To build TF-A BL32, and its device tree file:
+
+.. code:: bash
+
+ make CROSS_COMPILE=arm-none-eabi- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ AARCH32_SP=sp_min DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs
+
+TF-A BL2
+________
+To build TF-A BL2 with its STM32 header for SD-card boot:
+
+.. code:: bash
+
+ make CROSS_COMPILE=arm-none-eabi- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ DTB_FILE_NAME=stm32mp157c-ev1.dtb STM32MP_SDMMC=1
+
+For other boot devices, you have to replace STM32MP_SDMMC in the previous command
+with the desired device flag.
+
+This BL2 is independent of the BL32 used (SP_min or OP-TEE)
+
+
+FIP
+___
+With BL32 SP_min:
.. code:: bash
- make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min STM32MP_SDMMC=1 STM32MP_EMMC=1 STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1
- STM32MP_SPI_NOR=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb
+ make CROSS_COMPILE=arm-none-eabi- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ AARCH32_SP=sp_min \
+ DTB_FILE_NAME=stm32mp157c-ev1.dtb \
+ BL33=<u-boot_directory>/u-boot-nodtb.bin \
+ BL33_CFG=<u-boot_directory>/u-boot.dtb \
+ fip
+
+With OP-TEE:
+
+.. code:: bash
+
+ make CROSS_COMPILE=arm-none-eabi- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ AARCH32_SP=optee \
+ DTB_FILE_NAME=stm32mp157c-ev1.dtb \
+ BL33=<u-boot_directory>/u-boot-nodtb.bin \
+ BL33_CFG=<u-boot_directory>/u-boot.dtb \
+ BL32=<optee_directory>/tee-header_v2.bin \
+ BL32_EXTRA1=<optee_directory>/tee-pager_v2.bin
+ BL32_EXTRA2=<optee_directory>/tee-pageable_v2.bin
+ fip
+
+
+STM32IMAGE bootchain
+~~~~~~~~~~~~~~~~~~~~
+You need to add the following flag to the make command:
+``STM32MP_USE_STM32IMAGE=1``
+
+To build with SP_min and support for SD-card boot:
+
+.. code:: bash
+
+ make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ AARCH32_SP=sp_min STM32MP_SDMMC=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb \
+ STM32MP_USE_STM32IMAGE=1
+
cd <u-boot_directory>
make stm32mp15_trusted_defconfig
make DEVICE_TREE=stm32mp157c-ev1 all
-To build TF-A with OP-TEE support for all bootable devices:
+To build TF-A with OP-TEE support for SD-card boot:
.. code:: bash
- make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 AARCH32_SP=optee STM32MP_SDMMC=1 STM32MP_EMMC=1 STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb
+ make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ AARCH32_SP=optee STM32MP_SDMMC=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb \
+ STM32MP_USE_STM32IMAGE=1
+
cd <optee_directory>
- make CROSS_COMPILE=arm-linux-gnueabihf- ARCH=arm PLATFORM=stm32mp1 CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts
+ make CROSS_COMPILE=arm-linux-gnueabihf- ARCH=arm PLATFORM=stm32mp1 \
+ CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-ev1.dts
+
cd <u-boot_directory>
make stm32mp15_trusted_defconfig
make DEVICE_TREE=stm32mp157c-ev1 all
@@ -132,7 +233,19 @@ The following build options are supported:
Populate SD-card
----------------
-The SD-card has to be formated with GPT.
+Boot with FIP
+~~~~~~~~~~~~~
+The SD-card has to be formatted with GPT.
+It should contain at least those partitions:
+
+- fsbl: to copy the tf-a-stm32mp157c-ev1.stm32 binary (BL2)
+- fip: which contains the FIP binary
+
+Usually, two copies of fsbl are used (fsbl1 and fsbl2) instead of one partition fsbl.
+
+STM32IMAGE bootchain
+~~~~~~~~~~~~~~~~~~~~
+The SD-card has to be formatted with GPT.
It should contain at least those partitions:
- fsbl: to copy the tf-a-stm32mp157c-ev1.stm32 binary
diff --git a/docs/plat/xilinx-versal.rst b/docs/plat/xilinx-versal.rst
index 3d4c4a4..d65b048 100644
--- a/docs/plat/xilinx-versal.rst
+++ b/docs/plat/xilinx-versal.rst
@@ -24,6 +24,11 @@ To build TF-A for JTAG DCC console
make RESET_TO_BL31=1 CROSS_COMPILE=aarch64-none-elf- PLAT=versal bl31 VERSAL_CONSOLE=dcc
```
+To build TF-A with Straight-Line Speculation(SLS)
+```bash
+make RESET_TO_BL31=1 CROSS_COMPILE=aarch64-none-elf- PLAT=versal bl31 HARDEN_SLS_ALL=1
+```
+
Xilinx Versal platform specific build options
---------------------------------------------
diff --git a/docs/process/contributing.rst b/docs/process/contributing.rst
index c91903a..aa050da 100644
--- a/docs/process/contributing.rst
+++ b/docs/process/contributing.rst
@@ -209,6 +209,65 @@ Submitting Changes
revert your patches and ask you to resubmit a reworked version of them or
they may ask you to provide a fix-up patch.
+Add Build Configurations
+------------------------
+
+- TF-A uses Jenkins tool for Continuous Integration and testing activities.
+ Various CI Jobs are deployed which run tests on every patch before being
+ merged. So each of your patches go through a series of checks before they
+ get merged on to the master branch.
+
+- ``Coverity Scan analysis`` is one of the tests we perform on our source code
+ at regular intervals. We maintain a build script ``tf-cov-make`` which contains the
+ build configurations of various platforms in order to cover the entire source
+ code being analysed by Coverity.
+
+- When you submit your patches for review containing new source files, please
+ ensure to include them for the ``Coverity Scan analysis`` by adding the
+ respective build configurations in the ``tf-cov-make`` build script.
+
+- In this section you find the details on how to append your new build
+ configurations for Coverity Scan analysis:
+
+#. We maintain a separate repository named `tf-a-ci-scripts repository`_
+ for placing all the test scripts which will be executed by the CI Jobs.
+
+#. In this repository, ``tf-cov-make`` script is located at
+ ``tf-a-ci-scripts/script/tf-coverity/tf-cov-make``
+
+#. Edit `tf-cov-make`_ script by appending all the possible build configurations with
+ the specific ``build-flags`` relevant to your platform, so that newly added
+ source files get built and analysed by Coverity.
+
+#. For better understanding follow the below specified examples listed in the
+ ``tf-cov-make`` script.
+
+.. code:: shell
+
+ Example 1:
+ #Intel
+ make PLAT=stratix10 $(common_flags) all
+ make PLAT=agilex $(common_flags) all
+
+- In the above example there are two different SoCs ``stratix`` and ``agilex``
+ under the Intel platform and the build configurations has been added suitably
+ to include most of their source files.
+
+.. code:: shell
+
+ Example 2:
+ #Hikey
+ make PLAT=hikey $(common_flags) ${TBB_OPTIONS} ENABLE_PMF=1 all
+ make PLAT=hikey960 $(common_flags) ${TBB_OPTIONS} all
+ make PLAT=poplar $(common_flags) all
+
+- In this case for ``Hikey`` boards additional ``build-flags`` has been included
+ along with the ``commom_flags`` to cover most of the files relevant to it.
+
+- Similar to this you can still find many other different build configurations
+ of various other platforms listed in the ``tf-cov-make`` script. Kindly refer
+ them and append your build configurations respectively.
+
Binary Components
-----------------
@@ -228,7 +287,7 @@ Binary Components
--------------
-*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.*
.. _Conventional Commits: https://www.conventionalcommits.org/en/v1.0.0
.. _developer.trustedfirmware.org: https://developer.trustedfirmware.org
@@ -243,3 +302,5 @@ Binary Components
.. _Trusted Firmware binary repository: https://review.trustedfirmware.org/admin/repos/tf-binaries
.. _tf-binaries-readme: https://git.trustedfirmware.org/tf-binaries.git/tree/readme.rst
.. _TF-A mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-a
+.. _tf-a-ci-scripts repository: https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/
+.. _tf-cov-make: https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tree/script/tf-coverity/tf-cov-make
diff --git a/docs/resources/diagrams/ffa-secure-interrupt-handling-nwd.png b/docs/resources/diagrams/ffa-secure-interrupt-handling-nwd.png
new file mode 100755
index 0000000..c318610
--- /dev/null
+++ b/docs/resources/diagrams/ffa-secure-interrupt-handling-nwd.png
Binary files differ
diff --git a/docs/resources/diagrams/ffa-secure-interrupt-handling-swd.png b/docs/resources/diagrams/ffa-secure-interrupt-handling-swd.png
new file mode 100755
index 0000000..b62000d
--- /dev/null
+++ b/docs/resources/diagrams/ffa-secure-interrupt-handling-swd.png
Binary files differ
diff --git a/docs/resources/diagrams/plantuml/spm_dfd.puml b/docs/resources/diagrams/plantuml/spm_dfd.puml
new file mode 100644
index 0000000..ad4996e
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/spm_dfd.puml
@@ -0,0 +1,82 @@
+/'
+ ' Copyright (c) 2021, Arm Limited. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+/'
+TF-A SPMC Data Flow Diagram
+'/
+
+@startuml
+digraph tfa_dfd {
+
+ # Allow arrows to end on cluster boundaries
+ compound=true
+
+ # Default settings for edges and nodes
+ edge [minlen=2 color="#8c1b07"]
+ node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]
+
+ # Nodes outside of the trust boundary
+ nsec [label="NS Client"]
+ ddr [label="External memory (DDR)"]
+
+ # Trust boundary cluster
+ subgraph cluster_trusted {
+ graph [style=dashed color="#f22430"]
+
+ # HW IPs cluster
+ subgraph cluster_ip {
+ label ="Hardware IPs";
+ graph [style=filled color="#000000" fillcolor="#ffd29e"]
+
+ rank="same"
+ gic [label="GIC" width=1.2 height=0.5]
+ smmu [label="SMMU" width=1.2 height=0.5]
+ uart [label="UART" width=1.2 height=0.5]
+ pe [label="PE" width=1.2 height=0.5]
+ }
+
+ # TF-A cluster
+ subgraph cluster_tfa {
+ label ="EL3 monitor";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ bl31 [label="BL31" fillcolor="#ddffb3"];
+ spmd [label="SPMD" fillcolor="#ddffb3" height=1]
+ }
+
+ # SPMC cluster
+ subgraph cluster_spmc {
+ label ="SPMC";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ spmc [label="SPMC" fillcolor="#ddffb3" height=1]
+ }
+ bl2 [label="BL2" width=1.2 height=0.5]
+ }
+
+ # Secure Partitions cluster
+ subgraph cluster_sp {
+ label ="Secure Partitions";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ sp1 [label="SP1" fillcolor="#ddffb3" height=1]
+ sp2 [label="SP2" fillcolor="#ddffb3" height=1]
+ spn [label="SP..." fillcolor="#ddffb3" height=1]
+ }
+
+ # Interactions between nodes
+ sp1 -> spmc [dir="both" label="DF1"]
+ spmc -> spmd [dir="both" label="DF2"]
+ spmd -> nsec [dir="both" label="DF3"]
+ sp1 -> sp2 [dir="both" label="DF4"]
+ spmc -> smmu [lhead=cluster_spmc label="DF5"]
+ bl2 -> spmc [lhead=cluster_spmc label="DF6"]
+ bl2 -> spn [lhead=cluster_spmc label="DF6"]
+ sp1 -> ddr [dir="both" label="DF7"]
+ spmc -> ddr [dir="both" label="DF7"]
+}
+
+@enduml
diff --git a/docs/resources/diagrams/spm-threat-model-trust-boundaries.png b/docs/resources/diagrams/spm-threat-model-trust-boundaries.png
new file mode 100644
index 0000000..58898c5
--- /dev/null
+++ b/docs/resources/diagrams/spm-threat-model-trust-boundaries.png
Binary files differ
diff --git a/docs/threat_model/index.rst b/docs/threat_model/index.rst
index e8f09b9..b5ede69 100644
--- a/docs/threat_model/index.rst
+++ b/docs/threat_model/index.rst
@@ -1,5 +1,12 @@
Threat Model
-=============
+============
+
+Threat modeling is an important part of Secure Development Lifecycle (SDL)
+that helps us identify potential threats and mitigations affecting a system.
+
+In the next sections, we first give a description of the target of evaluation
+using a data flow diagram. Then we provide a list of threats we have identified
+based on the data flow diagram and potential threat mitigations.
.. toctree::
:maxdepth: 1
@@ -7,6 +14,7 @@ Threat Model
:numbered:
threat_model
+ threat_model_spm
--------------
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 9cee104..9f26487 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -1,13 +1,10 @@
-*****************
-Introduction
-*****************
-Threat modeling is an important part of Secure Development Lifecycle (SDL)
-that helps us identify potential threats and mitigations affecting a system.
+Generic threat model
+********************
-This document provides a generic threat model for TF-A firmware. In the
-next sections, we first give a description of the target of evaluation
-using a data flow diagram. Then we provide a list of threats we have
-identified based on the data flow diagram and potential threat mitigations.
+************************
+Introduction
+************************
+This document provides a generic threat model for TF-A firmware.
************************
Target of Evaluation
@@ -781,4 +778,4 @@ each diagram element of the data flow diagram.
.. _Trusted Board Boot (TBB): https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
.. _TF-A error handling policy: https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#error-handling-and-robustness
.. _Secure Development Guidelines: https://trustedfirmware-a.readthedocs.io/en/latest/process/security-hardening.html#secure-development-guidelines
-.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/ \ No newline at end of file
+.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/
diff --git a/docs/threat_model/threat_model_spm.rst b/docs/threat_model/threat_model_spm.rst
new file mode 100644
index 0000000..82f9916
--- /dev/null
+++ b/docs/threat_model/threat_model_spm.rst
@@ -0,0 +1,617 @@
+SPMC threat model
+*****************
+
+************************
+Introduction
+************************
+This document provides a threat model for the TF-A `Secure Partition Manager`_
+(SPM) implementation or more generally the S-EL2 reference firmware running on
+systems implementing the FEAT_SEL2 (formerly Armv8.4 Secure EL2) architecture
+extension. The SPM implementation is based on the `Arm Firmware Framework for
+Arm A-profile`_ specification.
+
+In brief, the broad FF-A specification and S-EL2 firmware implementation
+provide:
+
+- Isolation of mutually mistrusting SW components, or endpoints in the FF-A
+ terminology.
+- Distinct sandboxes in the secure world called secure partitions. This permits
+ isolation of services from multiple vendors.
+- A standard protocol for communication and memory sharing between FF-A
+ endpoints.
+- Mutual isolation of the normal world and the secure world (e.g. a Trusted OS
+ is prevented to map an arbitrary NS physical memory region such as the kernel
+ or the Hypervisor).
+
+************************
+Target of Evaluation
+************************
+In this threat model, the target of evaluation is the S-EL2 firmware or the
+``Secure Partition Manager Core`` component (SPMC).
+The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.
+
+The scope for this threat model is:
+
+- The TF-A implementation for the S-EL2 SPMC based on the Hafnium hypervisor
+ running in the secure world of TrustZone (at S-EL2 exception level).
+ The threat model is not related to the normal world Hypervisor or VMs.
+ The S-EL1 SPMC solution is not covered.
+- The implementation complies with the FF-A v1.0 specification.
+- Secure partitions are statically provisioned at boot time.
+- Focus on the run-time part of the life-cycle (no specific emphasis on boot
+ time, factory firmware provisioning, firmware udpate etc.)
+- Not covering advanced or invasive physical attacks such as decapsulation,
+ FIB etc.
+- Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
+ enabled. An attacker cannot boot arbitrary images that are not approved by the
+ SiP or platform providers.
+
+Data Flow Diagram
+======================
+Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
+component at EL3 and an SPMC component at S-EL2. The SPMD mostly acts as a
+relayer/pass-through between the normal world and the secure world. It is
+assumed to expose small attack surface.
+
+A description of each diagram element is given in Table 1. In the diagram, the
+red broken lines indicate trust boundaries.
+
+Components outside of the broken lines are considered untrusted.
+
+.. uml:: ../resources/diagrams/plantuml/spm_dfd.puml
+ :caption: Figure 1: SPMC Data Flow Diagram
+
+.. table:: Table 1: SPMC Data Flow Diagram Description
+
+ +---------------------+--------------------------------------------------------+
+ | Diagram Element | Description |
+ +=====================+========================================================+
+ | ``DF1`` | SP to SPMC communication. FF-A function invocation or |
+ | | implementation-defined Hypervisor call. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF2`` | SPMC to SPMD FF-A call. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF3`` | SPMD to NS forwarding. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF4`` | SP to SP FF-A direct message request/response. |
+ | | Note as a matter of simplifying the diagram |
+ | | the SP to SP communication happens through the SPMC |
+ | | (SP1 performs a direct message request to the |
+ | | SPMC targeting SP2 as destination. And similarly for |
+ | | the direct message response from SP2 to SP1). |
+ +---------------------+--------------------------------------------------------+
+ | ``DF5`` | HW control. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF6`` | Bootloader image loading. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF7`` | External memory access. |
+ +---------------------+--------------------------------------------------------+
+
+*********************
+Threat Analysis
+*********************
+
+This threat model follows a similar methodology to the `Generic TF-A threat model`_.
+The following sections define:
+
+- Trust boundaries
+- Assets
+- Theat agents
+- Threat types
+
+Trust boundaries
+============================
+
+- Normal world is untrusted.
+- Secure world and normal world are separate trust boundaries.
+- EL3 monitor, SPMD and SPMC are trusted.
+- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
+ implicitely trusted by the usage of secure boot.
+- EL3 monitor, SPMD, SPMC do not trust SPs.
+
+.. figure:: ../resources/diagrams/spm-threat-model-trust-boundaries.png
+
+ Figure 2: Trust boundaries
+
+Assets
+============================
+
+The following assets are identified:
+
+- SPMC state.
+- SP state.
+- Information exchange between endpoints (partition messages).
+- SPMC secrets (e.g. pointer authentication key when enabled)
+- SP secrets (e.g. application keys).
+- Scheduling cycles.
+- Shared memory.
+
+Threat Agents
+============================
+
+The following threat agents are identified:
+
+- NS-Endpoint identifies a non-secure endpoint: normal world client at NS-EL2
+ (Hypervisor) or NS-EL1 (VM or OS kernel).
+- S-Endpoint identifies a secure endpoint typically a secure partition.
+- Hardware attacks (non-invasive) requiring a physical access to the device,
+ such as bus probing or DRAM stress.
+
+Threat types
+============================
+
+The following threat categories as exposed in the `Generic TF-A threat model`_
+are re-used:
+
+- Spoofing
+- Tampering
+- Repudiation
+- Information disclosure
+- Denial of service
+- Elevation of privileges
+
+Similarly this threat model re-uses the same threat risk ratings. The risk
+analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
+
+Threat Assessment
+============================
+
+The following threats are identified by applying STRIDE analysis on each diagram
+element of the data flow diagram.
+
++------------------------+----------------------------------------------------+
+| ID | 01 |
++========================+====================================================+
+| ``Threat`` | **An endpoint impersonates the sender or receiver |
+| | FF-A ID in a direct request/response invocation.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------++----------------+---------------+
+| ``Impact`` | Critical(5) | Critical(5) | |
++------------------------+------------------++----------------+---------------+
+| ``Likelihood`` | Critical(5) | Critical(5) | |
++------------------------+------------------++----------------+---------------+
+| ``Total Risk Rating`` | Critical(25) | Critical(25) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
+| | The guidance below is left for a system integrator |
+| | to implemented as necessary. |
+| | The SPMC must enforce checks in the direct message |
+| | request/response interfaces such an endpoint cannot|
+| | spoof the origin and destination worlds (e.g. a NWd|
+| | originated message directed to the SWd cannot use a|
+| | SWd ID as the sender ID). |
+| | Additionally a software component residing in the |
+| | SPMC can be added for the purpose of direct |
+| | request/response filtering. |
+| | It can be configured with the list of known IDs |
+| | and about which interaction can occur between one |
+| | and another endpoint (e.g. which NWd endpoint ID |
+| | sends a direct request to which SWd endpoint ID). |
+| | This component checks the sender/receiver fields |
+| | for a legitimate communication between endpoints. |
+| | A similar component can exist in the OS kernel |
+| | driver, or Hypervisor although it remains untrusted|
+| | by the SPMD/SPMC. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 02 |
++========================+====================================================+
+| ``Threat`` | **Tampering with memory shared between an endpoint |
+| | and the SPMC.** |
+| | A malicious endpoint may attempt tampering with its|
+| | RX/TX buffer contents while the SPMC is processing |
+| | it (TOCTOU). |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF3, DF4, DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | Shared memory, Information exchange |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | High (16) | High (16) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | In context of FF-A v1.0 this is the case of sharing|
+| | the RX/TX buffer pair and usage in the |
+| | PARTITION_INFO_GET or mem sharing primitives. |
+| | The SPMC must copy the contents of the TX buffer |
+| | to an internal temporary buffer before processing |
+| | its contents. The SPMC must implement hardened |
+| | input validation on data transmitted through the TX|
+| | buffer by an untrusted endpoint. |
+| | The TF-A SPMC mitigates this threat by enforcing |
+| | checks on data transmitted through RX/TX buffers. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 03 |
++========================+====================================================+
+| ``Threat`` | **An endpoint may tamper with its own state or the |
+| | state of another endpoint.** |
+| | A malicious endpoint may attempt violating: |
+| | - its own or another SP state by using an unusual |
+| | combination (or out-of-order) FF-A function |
+| | invocations. |
+| | This can also be an endpoint emitting |
+| | FF-A function invocations to another endpoint while|
+| | the latter in not in a state to receive it (e.g. a |
+| | SP sends a direct request to the normal world early|
+| | while the normal world is not booted yet). |
+| | - the SPMC state itself by employing unexpected |
+| | transitions in FF-A memory sharing, direct requests|
+| | and responses, or handling of interrupts. |
+| | This can be led by random stimuli injection or |
+| | fuzzing. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The SPMC may be vulnerable to invalid state |
+| | transitions for itself or while handling an SP |
+| | state. The FF-A v1.1 specification provides a |
+| | guidance on those state transitions (run-time |
+| | model). The TF-A SPMC will be hardened in future |
+| | releases to follow this guidance. |
+| | Additionally The TF-A SPMC mitigates the threat by |
+| | runs of the Arm `FF-A ACS`_ compliance test suite. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 04 |
++========================+====================================================+
+| ``Threat`` | *An attacker may attempt injecting errors by the |
+| | use of external DRAM stress techniques.** |
+| | A malicious agent may attempt toggling an SP |
+| | Stage-2 MMU descriptor bit within the page tables |
+| | that the SPMC manages. This can happen in Rowhammer|
+| | types of attack. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP or SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | Hardware attack |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Low (2) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | Medium (8) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | The TF-A SPMC does not provide mitigations to this |
+| | type of attack. It can be addressed by the use of |
+| | dedicated HW circuity or hardening at the chipset |
+| | or platform level left to the integrator. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 05 |
++========================+====================================================+
+| ``Threat`` | **Protection of the SPMC from a DMA capable device |
+| | upstream to an SMMU.** |
+| | A device may attempt to tamper with the internal |
+| | SPMC code/data sections. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF5 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC or SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering, Elevation of privileges |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | A platform may prefer assigning boot time, |
+| | statically alocated memory regions through the SMMU|
+| | configuration and page tables. The FF-A v1.1 |
+| | specification provisions this capability through |
+| | static DMA isolation. |
+| | The TF-A SPMC does not mitigate this threat. |
+| | It will adopt the static DMA isolation approach in |
+| | a future release. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 06 |
++========================+====================================================+
+| ``Threat`` | **Replay fragments of past communication between |
+| | endpoints.** |
+| | A malicious endpoint may replay a message exchange |
+| | that occured between two legitimate endpoint as |
+| | a matter of triggering a malfunction or extracting |
+| | secrets from the receiving endpoint. In particular |
+| | the memory sharing operation with fragmented |
+| | messages between an endpoint and the SPMC may be |
+| | replayed by a malicious agent as a matter of |
+| | getting access or gaining permissions to a memory |
+| | region which does not belong to this agent. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | Information exchange |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Repdudiation |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 07 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt to extract data |
+| | or state information by the use of invalid or |
+| | incorrect input arguments.** |
+| | Lack of input parameter validation or side effects |
+| | of maliciously forged input parameters might affect|
+| | the SPMC. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP secrets, SPMC secrets, SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information discolure |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | Secure Partitions must follow security standards |
+| | and best practises as a way to mitigate the risk |
+| | of common vulnerabilities to be exploited. |
+| | The use of software (canaries) or hardware |
+| | hardening techniques (XN, WXN, BTI, pointer |
+| | authentication, MTE) helps detecting and stopping |
+| | an exploitation early. |
+| | The TF-A SPMC mitigates this threat by implementing|
+| | stack protector, pointer authentication, BTI, XN, |
+| | WXN, security hardening techniques. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 08 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may forge a direct message |
+| | request such that it reveals the internal state of |
+| | another endpoint through the direct message |
+| | response.** |
+| | The secure partition or SPMC replies to a partition|
+| | message by a direct message response with |
+| | information which may reveal its internal state |
+| | (.e.g. partition message response outside of |
+| | allowed bounds). |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC or SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information discolure |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Low (2) | Low (2) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | For the specific case of direct requests targetting|
+| | the SPMC, the latter is hardened to prevent |
+| | its internal state or the state of an SP to be |
+| | revealed through a direct message response. |
+| | Further FF-A v1.1 guidance about run time models |
+| | and partition states will be implemented in future |
+| | TF-A SPMC releases. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 09 |
++========================+====================================================+
+| ``Threat`` | **Probing the FF-A communication between |
+| | endpoints.** |
+| | SPMC and SPs are typically loaded to external |
+| | memory (protected by a TrustZone memory |
+| | controller). A malicious agent may use non invasive|
+| | methods to probe the external memory bus and |
+| | extract the traffic between an SP and the SPMC or |
+| | among SPs when shared buffers are held in external |
+| | memory. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP/SPMC state, SP/SPMC secrets |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | Hardware attack |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information disclosure |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low (2) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (9) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | It is expected the platform or chipset provides |
+| | guarantees in protecting the DRAM contents. |
+| | The TF-A SPMC does not mitigate this class of |
+| | attack and this is left to the integrator. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 10 |
++========================+====================================================+
+| ``Threat`` | **A malicious agent may attempt revealing the SPMC |
+| | state or secrets by the use of software-based cache|
+| | side-channel attack techniques.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP or SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information disclosure |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low (2) | Low (2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | From an integration perspective it is assumed |
+| | platforms consuming the SPMC component at S-EL2 |
+| | (hence implementing the Armv8.4 FEAT_SEL2 |
+| | architecture extension) implement mitigations to |
+| | Spectre, Meltdown or other cache timing |
+| | side-channel type of attacks. |
+| | The TF-A SPMC implements one mitigation (barrier |
+| | preventing speculation past exeception returns). |
+| | The SPMC may be hardened further with SW |
+| | mitigations (e.g. speculation barriers) for the |
+| | cases not covered in HW. Usage of hardened |
+| | compilers and appropriate options, code inspection |
+| | are recommended ways to mitigate Spectre types of |
+| | attacks. For non-hardened cores, the usage of |
+| | techniques such a kernel page table isolation can |
+| | help mitigating Meltdown type of attacks. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 11 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt flooding the |
+| | SPMC with requests targetting a service within an |
+| | endpoint such that it denies another endpoint to |
+| | access this service.** |
+| | Similarly, the malicious endpoint may target a |
+| | a service within an endpoint such that the latter |
+| | is unable to request services from another |
+| | endpoint. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Denial of service |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
+| | Bounding the time for operations to complete can |
+| | be achieved by the usage of a trusted watchdog. |
+| | Other quality of service monitoring can be achieved|
+| | in the SPMC such as counting a number of operations|
+| | in a limited timeframe. |
++------------------------+----------------------------------------------------+
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
+
+.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
+.. _Secure Partition Manager: ../components/secure-partition-manager.html
+.. _Generic TF-A threat model: ./threat_model.html#threat-analysis
+.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases
diff --git a/drivers/arm/css/scmi/scmi_common.c b/drivers/arm/css/scmi/scmi_common.c
index 5b3724a..ec749fb 100644
--- a/drivers/arm/css/scmi/scmi_common.c
+++ b/drivers/arm/css/scmi/scmi_common.c
@@ -173,12 +173,12 @@ void *scmi_init(scmi_channel_t *ch)
ret = scmi_proto_version(ch, SCMI_PWR_DMN_PROTO_ID, &version);
if (ret != SCMI_E_SUCCESS) {
- WARN("SCMI power domain protocol version message failed");
+ WARN("SCMI power domain protocol version message failed\n");
goto error;
}
if (!is_scmi_version_compatible(SCMI_PWR_DMN_PROTO_VER, version)) {
- WARN("SCMI power domain protocol version 0x%x incompatible with driver version 0x%x",
+ WARN("SCMI power domain protocol version 0x%x incompatible with driver version 0x%x\n",
version, SCMI_PWR_DMN_PROTO_VER);
goto error;
}
@@ -187,12 +187,12 @@ void *scmi_init(scmi_channel_t *ch)
ret = scmi_proto_version(ch, SCMI_SYS_PWR_PROTO_ID, &version);
if ((ret != SCMI_E_SUCCESS)) {
- WARN("SCMI system power protocol version message failed");
+ WARN("SCMI system power protocol version message failed\n");
goto error;
}
if (!is_scmi_version_compatible(SCMI_SYS_PWR_PROTO_VER, version)) {
- WARN("SCMI system power management protocol version 0x%x incompatible with driver version 0x%x",
+ WARN("SCMI system power management protocol version 0x%x incompatible with driver version 0x%x\n",
version, SCMI_SYS_PWR_PROTO_VER);
goto error;
}
diff --git a/drivers/arm/css/scp/css_pm_scmi.c b/drivers/arm/css/scp/css_pm_scmi.c
index aeb7eda..5de2604 100644
--- a/drivers/arm/css/scp/css_pm_scmi.c
+++ b/drivers/arm/css/scp/css_pm_scmi.c
@@ -357,7 +357,7 @@ void __init plat_arm_pwrc_setup(void)
unsigned int composite_id, idx;
for (idx = 0; idx < PLAT_ARM_SCMI_CHANNEL_COUNT; idx++) {
- INFO("Initializing driver on Channel %d\n", idx);
+ INFO("Initializing SCMI driver on channel %d\n", idx);
scmi_channels[idx].info = plat_css_get_scmi_info(idx);
scmi_channels[idx].lock = ARM_SCMI_LOCK_GET_INSTANCE;
diff --git a/drivers/arm/ethosn/ethosn_smc.c b/drivers/arm/ethosn/ethosn_smc.c
index 299d07c..60364cd 100644
--- a/drivers/arm/ethosn/ethosn_smc.c
+++ b/drivers/arm/ethosn/ethosn_smc.c
@@ -14,11 +14,10 @@
#include <lib/mmio.h>
#include <plat/arm/common/fconf_ethosn_getter.h>
-/* Arm Ethos-N NPU (NPU) status */
-#define ETHOSN_STATUS \
- FCONF_GET_PROPERTY(hw_config, ethosn_config, status)
-
-/* Number of NPU cores available */
+/*
+ * Number of Arm Ethos-N NPU (NPU) cores available for a
+ * particular parent device
+ */
#define ETHOSN_NUM_CORES \
FCONF_GET_PROPERTY(hw_config, ethosn_config, num_cores)
@@ -51,6 +50,17 @@
#define SEC_SYSCTRL0_SOFT_RESET U(3U << 29)
#define SEC_SYSCTRL0_HARD_RESET U(1U << 31)
+static bool ethosn_is_core_addr_valid(uintptr_t core_addr)
+{
+ for (uint32_t core_idx = 0U; core_idx < ETHOSN_NUM_CORES; core_idx++) {
+ if (ETHOSN_CORE_ADDR(core_idx) == core_addr) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
static void ethosn_delegate_to_ns(uintptr_t core_addr)
{
mmio_setbits_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_SECCTLR_REG),
@@ -66,9 +76,9 @@ static void ethosn_delegate_to_ns(uintptr_t core_addr)
SEC_DEL_ADDR_EXT_VAL);
}
-static int ethosn_is_sec(void)
+static int ethosn_is_sec(uintptr_t core_addr)
{
- if ((mmio_read_32(ETHOSN_CORE_SEC_REG(ETHOSN_CORE_ADDR(0), SEC_DEL_REG))
+ if ((mmio_read_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_DEL_REG))
& SEC_DEL_EXCC_MASK) != 0U) {
return 0;
}
@@ -101,7 +111,7 @@ static bool ethosn_reset(uintptr_t core_addr, int hard_reset)
}
uintptr_t ethosn_smc_handler(uint32_t smc_fid,
- u_register_t core_idx,
+ u_register_t core_addr,
u_register_t x2,
u_register_t x3,
u_register_t x4,
@@ -109,8 +119,8 @@ uintptr_t ethosn_smc_handler(uint32_t smc_fid,
void *handle,
u_register_t flags)
{
- uintptr_t core_addr;
int hard_reset = 0;
+ const uint32_t fid = smc_fid & FUNCID_NUM_MASK;
/* Only SiP fast calls are expected */
if ((GET_SMC_TYPE(smc_fid) != SMC_TYPE_FAST) ||
@@ -120,7 +130,7 @@ uintptr_t ethosn_smc_handler(uint32_t smc_fid,
/* Truncate parameters to 32-bits for SMC32 */
if (GET_SMC_CC(smc_fid) == SMC_32) {
- core_idx &= 0xFFFFFFFF;
+ core_addr &= 0xFFFFFFFF;
x2 &= 0xFFFFFFFF;
x3 &= 0xFFFFFFFF;
x4 &= 0xFFFFFFFF;
@@ -130,33 +140,29 @@ uintptr_t ethosn_smc_handler(uint32_t smc_fid,
SMC_RET1(handle, SMC_UNK);
}
- if (ETHOSN_STATUS == ETHOSN_STATUS_DISABLED) {
- WARN("ETHOSN: Arm Ethos-N NPU not available\n");
- SMC_RET1(handle, ETHOSN_NOT_SUPPORTED);
- }
-
- switch (smc_fid & FUNCID_NUM_MASK) {
+ /* Commands that do not require a valid core address */
+ switch (fid) {
case ETHOSN_FNUM_VERSION:
SMC_RET2(handle, ETHOSN_VERSION_MAJOR, ETHOSN_VERSION_MINOR);
+ }
+
+ if (!ethosn_is_core_addr_valid(core_addr)) {
+ WARN("ETHOSN: Unknown core address given to SMC call.\n");
+ SMC_RET1(handle, ETHOSN_UNKNOWN_CORE_ADDRESS);
+ }
+
+ /* Commands that require a valid addr */
+ switch (fid) {
case ETHOSN_FNUM_IS_SEC:
- SMC_RET1(handle, ethosn_is_sec());
+ SMC_RET1(handle, ethosn_is_sec(core_addr));
case ETHOSN_FNUM_HARD_RESET:
hard_reset = 1;
/* Fallthrough */
case ETHOSN_FNUM_SOFT_RESET:
- if (core_idx >= ETHOSN_NUM_CORES) {
- WARN("ETHOSN: core index out of range\n");
- SMC_RET1(handle, ETHOSN_CORE_IDX_OUT_OF_RANGE);
- }
-
- core_addr = ETHOSN_CORE_ADDR(core_idx);
-
if (!ethosn_reset(core_addr, hard_reset)) {
SMC_RET1(handle, ETHOSN_FAILURE);
}
-
ethosn_delegate_to_ns(core_addr);
-
SMC_RET1(handle, ETHOSN_SUCCESS);
default:
SMC_RET1(handle, SMC_UNK);
diff --git a/drivers/arm/gic/v3/gic-x00.c b/drivers/arm/gic/v3/gic-x00.c
index 6e106ba..aaef485 100644
--- a/drivers/arm/gic/v3/gic-x00.c
+++ b/drivers/arm/gic/v3/gic-x00.c
@@ -16,15 +16,13 @@
#include <assert.h>
#include <arch_helpers.h>
+#include <drivers/arm/arm_gicv3_common.h>
#include <drivers/arm/gicv3.h>
#include "gicv3_private.h"
/* GIC-600 specific register offsets */
#define GICR_PWRR 0x24U
-#define IIDR_MODEL_ARM_GIC_600 U(0x0200043b)
-#define IIDR_MODEL_ARM_GIC_600AE U(0x0300043b)
-#define IIDR_MODEL_ARM_GIC_CLAYTON U(0x0400043b)
/* GICR_PWRR fields */
#define PWRR_RDPD_SHIFT 0
@@ -46,7 +44,7 @@
#if GICV3_SUPPORT_GIC600
-/* GIC-600/Clayton specific accessor functions */
+/* GIC-600/700 specific accessor functions */
static void gicr_write_pwrr(uintptr_t base, unsigned int val)
{
mmio_write_32(base + GICR_PWRR, val);
@@ -123,12 +121,12 @@ static bool gicv3_redists_need_power_mgmt(uintptr_t gicr_base)
uint32_t reg = mmio_read_32(gicr_base + GICR_IIDR);
/*
- * The Arm GIC-600 and GIC-Clayton models have their redistributors
+ * The Arm GIC-600 and GIC-700 models have their redistributors
* powered down at reset.
*/
return (((reg & IIDR_MODEL_MASK) == IIDR_MODEL_ARM_GIC_600) ||
((reg & IIDR_MODEL_MASK) == IIDR_MODEL_ARM_GIC_600AE) ||
- ((reg & IIDR_MODEL_MASK) == IIDR_MODEL_ARM_GIC_CLAYTON));
+ ((reg & IIDR_MODEL_MASK) == IIDR_MODEL_ARM_GIC_700));
}
#endif /* GICV3_SUPPORT_GIC600 */
diff --git a/drivers/arm/gic/v3/gic600_multichip.c b/drivers/arm/gic/v3/gic600_multichip.c
index ca7c43b..5f42ad9 100644
--- a/drivers/arm/gic/v3/gic600_multichip.c
+++ b/drivers/arm/gic/v3/gic600_multichip.c
@@ -11,14 +11,13 @@
#include <assert.h>
#include <common/debug.h>
+#include <drivers/arm/arm_gicv3_common.h>
#include <drivers/arm/gic600_multichip.h>
#include <drivers/arm/gicv3.h>
#include "../common/gic_common_private.h"
#include "gic600_multichip_private.h"
-#warning "GIC-600 Multichip driver is currently experimental and the API may change in future."
-
/*******************************************************************************
* GIC-600 multichip operation related helper functions
******************************************************************************/
@@ -73,6 +72,7 @@ static void set_gicd_chipr_n(uintptr_t base,
unsigned int spi_id_max)
{
unsigned int spi_block_min, spi_blocks;
+ unsigned int gicd_iidr_val = gicd_read_iidr(base);
uint64_t chipr_n_val;
/*
@@ -100,8 +100,24 @@ static void set_gicd_chipr_n(uintptr_t base,
spi_block_min = SPI_BLOCK_MIN_VALUE(spi_id_min);
spi_blocks = SPI_BLOCKS_VALUE(spi_id_min, spi_id_max);
- chipr_n_val = (GICD_CHIPR_VALUE(chip_addr, spi_block_min, spi_blocks)) |
- GICD_CHIPRx_SOCKET_STATE;
+ switch ((gicd_iidr_val & IIDR_MODEL_MASK)) {
+ case IIDR_MODEL_ARM_GIC_600:
+ chipr_n_val = GICD_CHIPR_VALUE_GIC_600(chip_addr,
+ spi_block_min,
+ spi_blocks);
+ break;
+ case IIDR_MODEL_ARM_GIC_700:
+ chipr_n_val = GICD_CHIPR_VALUE_GIC_700(chip_addr,
+ spi_block_min,
+ spi_blocks);
+ break;
+ default:
+ ERROR("Unsupported GIC model 0x%x for multichip setup.\n",
+ gicd_iidr_val);
+ panic();
+ break;
+ }
+ chipr_n_val |= GICD_CHIPRx_SOCKET_STATE;
/*
* Wait for DCHIPR.PUP to be zero before commencing writes to
@@ -194,8 +210,6 @@ void gic600_multichip_init(struct gic600_multichip_data *multichip_data)
gic600_multichip_validate_data(multichip_data);
- INFO("GIC-600 Multichip driver is experimental\n");
-
/*
* Ensure that G0/G1S/G1NS interrupts are disabled. This also ensures
* that GIC-600 Multichip configuration is done first.
diff --git a/drivers/arm/gic/v3/gic600_multichip_private.h b/drivers/arm/gic/v3/gic600_multichip_private.h
index fe4134c..5d1ff6a 100644
--- a/drivers/arm/gic/v3/gic600_multichip_private.h
+++ b/drivers/arm/gic/v3/gic600_multichip_private.h
@@ -27,17 +27,11 @@
#define GICD_CHIPSR_RTS_SHIFT 4
#define GICD_DCHIPR_RT_OWNER_SHIFT 4
-/*
- * If GIC v4 extension is enabled, then use SPI macros specific to GIC-Clayton.
- * Other shifts and mask remains same between GIC-600 and GIC-Clayton.
- */
-#if GIC_ENABLE_V4_EXTN
-#define GICD_CHIPRx_SPI_BLOCK_MIN_SHIFT 9
-#define GICD_CHIPRx_SPI_BLOCKS_SHIFT 3
-#else
-#define GICD_CHIPRx_SPI_BLOCK_MIN_SHIFT 10
-#define GICD_CHIPRx_SPI_BLOCKS_SHIFT 5
-#endif
+/* Other shifts and masks remain the same between GIC-600 and GIC-700. */
+#define GIC_700_SPI_BLOCK_MIN_SHIFT 9
+#define GIC_700_SPI_BLOCKS_SHIFT 3
+#define GIC_600_SPI_BLOCK_MIN_SHIFT 10
+#define GIC_600_SPI_BLOCKS_SHIFT 5
#define GICD_CHIPSR_RTS_STATE_DISCONNECTED U(0)
#define GICD_CHIPSR_RTS_STATE_UPDATING U(1)
@@ -59,10 +53,14 @@
#define SPI_BLOCKS_VALUE(spi_id_min, spi_id_max) \
(((spi_id_max) - (spi_id_min) + 1) / \
GIC600_SPI_ID_MIN)
-#define GICD_CHIPR_VALUE(chip_addr, spi_block_min, spi_blocks) \
+#define GICD_CHIPR_VALUE_GIC_700(chip_addr, spi_block_min, spi_blocks) \
+ (((chip_addr) << GICD_CHIPRx_ADDR_SHIFT) | \
+ ((spi_block_min) << GIC_700_SPI_BLOCK_MIN_SHIFT) | \
+ ((spi_blocks) << GIC_700_SPI_BLOCKS_SHIFT))
+#define GICD_CHIPR_VALUE_GIC_600(chip_addr, spi_block_min, spi_blocks) \
(((chip_addr) << GICD_CHIPRx_ADDR_SHIFT) | \
- ((spi_block_min) << GICD_CHIPRx_SPI_BLOCK_MIN_SHIFT) | \
- ((spi_blocks) << GICD_CHIPRx_SPI_BLOCKS_SHIFT))
+ ((spi_block_min) << GIC_600_SPI_BLOCK_MIN_SHIFT) | \
+ ((spi_blocks) << GIC_600_SPI_BLOCKS_SHIFT))
/*
* Multichip data assertion macros
diff --git a/drivers/arm/gic/v3/gic600ae_fmu.c b/drivers/arm/gic/v3/gic600ae_fmu.c
new file mode 100644
index 0000000..13979fa
--- /dev/null
+++ b/drivers/arm/gic/v3/gic600ae_fmu.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2021, NVIDIA Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/*
+ * Driver for GIC-600AE Fault Management Unit
+ */
+
+#include <assert.h>
+
+#include <arch_helpers.h>
+#include <common/debug.h>
+#include <drivers/arm/gic600ae_fmu.h>
+#include <drivers/arm/gicv3.h>
+
+/* GIC-600 AE FMU specific register offsets */
+
+/* GIC-600 AE FMU specific macros */
+#define FMU_ERRIDR_NUM U(44)
+#define FMU_ERRIDR_NUM_MASK U(0xFFFF)
+
+/* Safety mechanisms for GICD block */
+static char *gicd_sm_info[] = {
+ "Reserved",
+ "GICD dual lockstep error",
+ "GICD AXI4 slave interface error",
+ "GICD-PPI AXI4-Stream interface error",
+ "GICD-ITS AXI4-Stream interface error",
+ "GICD-SPI-Collator AXI4-Stream interface error",
+ "GICD AXI4 master interface error",
+ "SPI RAM DED error",
+ "SGI RAM DED error",
+ "Reserved",
+ "LPI RAM DED error",
+ "GICD-remote-GICD AXI4-Stream interface error",
+ "GICD Q-Channel interface error",
+ "GICD P-Channel interface error",
+ "SPI RAM address decode error",
+ "SGI RAM address decode error",
+ "Reserved",
+ "LPI RAM address decode error",
+ "FMU dual lockstep error",
+ "FMU ping ACK error",
+ "FMU APB parity error",
+ "GICD-Wake AXI4-Stream interface error",
+ "GICD PageOffset or Chip ID error",
+ "MBIST REQ error",
+ "SPI RAM SEC error",
+ "SGI RAM SEC error",
+ "Reserved",
+ "LPI RAM SEC error",
+ "User custom SM0 error",
+ "User custom SM1 error",
+ "GICD-ITS Monolithic switch error",
+ "GICD-ITS Q-Channel interface error",
+ "GICD-ITS Monolithic interface error",
+ "GICD FMU ClkGate override"
+};
+
+/* Safety mechanisms for PPI block */
+static char *ppi_sm_info[] = {
+ "Reserved",
+ "PPI dual lockstep error",
+ "PPI-GICD AXI4-Stream interface error",
+ "PPI-CPU-IF AXI4-Stream interface error",
+ "PPI Q-Channel interface error",
+ "PPI RAM DED error",
+ "PPI RAM address decode error",
+ "PPI RAM SEC error",
+ "PPI User0 SM",
+ "PPI User1 SM",
+ "MBIST REQ error",
+ "PPI interrupt parity protection error",
+ "PPI FMU ClkGate override"
+};
+
+/* Safety mechanisms for ITS block */
+static char *its_sm_info[] = {
+ "Reserved",
+ "ITS dual lockstep error",
+ "ITS-GICD AXI4-Stream interface error",
+ "ITS AXI4 slave interface error",
+ "ITS AXI4 master interface error",
+ "ITS Q-Channel interface error",
+ "ITS RAM DED error",
+ "ITS RAM address decode error",
+ "Bypass ACE switch error",
+ "ITS RAM SEC error",
+ "ITS User0 SM",
+ "ITS User1 SM",
+ "ITS-GICD Monolithic interface error",
+ "MBIST REQ error",
+ "ITS FMU ClkGate override"
+};
+
+/* Safety mechanisms for SPI Collator block */
+static char *spicol_sm_info[] = {
+ "Reserved",
+ "SPI Collator dual lockstep error",
+ "SPI-Collator-GICD AXI4-Stream interface error",
+ "SPI Collator Q-Channel interface error",
+ "SPI Collator Q-Channel clock error",
+ "SPI interrupt parity error"
+};
+
+/* Safety mechanisms for Wake Request block */
+static char *wkrqst_sm_info[] = {
+ "Reserved",
+ "Wake dual lockstep error",
+ "Wake-GICD AXI4-Stream interface error"
+};
+
+/*
+ * Initialization sequence for the FMU
+ *
+ * 1. enable error detection for error records that are passed in the blk_present_mask
+ * 2. enable MBIST REQ and FMU Clk Gate override safety mechanisms for error records
+ * that are present on the platform
+ *
+ * The platforms are expected to pass `errctlr_ce_en` and `errctlr_ue_en`.
+ */
+void gic600_fmu_init(uint64_t base, uint64_t blk_present_mask,
+ bool errctlr_ce_en, bool errctlr_ue_en)
+{
+ unsigned int num_blk = gic_fmu_read_erridr(base) & FMU_ERRIDR_NUM_MASK;
+ uint64_t errctlr;
+ uint32_t smen;
+
+ INFO("GIC600-AE FMU supports %d error records\n", num_blk);
+
+ assert(num_blk == FMU_ERRIDR_NUM);
+
+ /* sanitize block present mask */
+ blk_present_mask &= FMU_BLK_PRESENT_MASK;
+
+ /* Enable error detection for all error records */
+ for (unsigned int i = 0U; i < num_blk; i++) {
+
+ /* Skip next steps if the block is not present */
+ if ((blk_present_mask & BIT(i)) == 0U) {
+ continue;
+ }
+
+ /* Read the error record control register */
+ errctlr = gic_fmu_read_errctlr(base, i);
+
+ /* Enable error reporting and logging, if it is disabled */
+ if ((errctlr & FMU_ERRCTLR_ED_BIT) == 0U) {
+ errctlr |= FMU_ERRCTLR_ED_BIT;
+ }
+
+ /* Enable client provided ERRCTLR settings */
+ errctlr |= (errctlr_ce_en ? (FMU_ERRCTLR_CI_BIT | FMU_ERRCTLR_CE_EN_BIT) : 0);
+ errctlr |= (errctlr_ue_en ? FMU_ERRCTLR_UI_BIT : 0U);
+
+ gic_fmu_write_errctlr(base, i, errctlr);
+ }
+
+ /*
+ * Enable MBIST REQ error and FMU CLK gate override safety mechanisms for
+ * all blocks
+ *
+ * GICD, SMID 23 and SMID 33
+ * PPI, SMID 10 and SMID 12
+ * ITS, SMID 13 and SMID 14
+ */
+ if ((blk_present_mask & BIT(FMU_BLK_GICD)) != 0U) {
+ smen = (GICD_MBIST_REQ_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (FMU_BLK_GICD << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+
+ smen = (GICD_FMU_CLKGATE_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (FMU_BLK_GICD << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+ }
+
+ for (unsigned int i = FMU_BLK_PPI0; i < FMU_BLK_PPI31; i++) {
+ if ((blk_present_mask & BIT(i)) != 0U) {
+ smen = (PPI_MBIST_REQ_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (i << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+
+ smen = (PPI_FMU_CLKGATE_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (i << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+ }
+ }
+
+ for (unsigned int i = FMU_BLK_ITS0; i < FMU_BLK_ITS7; i++) {
+ if ((blk_present_mask & BIT(i)) != 0U) {
+ smen = (ITS_MBIST_REQ_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (i << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+
+ smen = (ITS_FMU_CLKGATE_ERROR << FMU_SMEN_SMID_SHIFT) |
+ (i << FMU_SMEN_BLK_SHIFT);
+ gic_fmu_write_smen(base, smen);
+ }
+ }
+}
+
+/*
+ * This function enable the GICD background ping engine. The GICD sends ping
+ * messages to each remote GIC block, and expects a PING_ACK back within the
+ * specified timeout. Pings need to be enabled after programming the timeout
+ * value.
+ */
+void gic600_fmu_enable_ping(uint64_t base, uint64_t blk_present_mask,
+ unsigned int timeout_val, unsigned int interval_diff)
+{
+ /*
+ * Populate the PING Mask to skip a specific block while generating
+ * background ping messages and enable the ping mechanism.
+ */
+ gic_fmu_write_pingmask(base, ~blk_present_mask);
+ gic_fmu_write_pingctlr(base, (interval_diff << FMU_PINGCTLR_INTDIFF_SHIFT) |
+ (timeout_val << FMU_PINGCTLR_TIMEOUTVAL_SHIFT) | FMU_PINGCTLR_EN_BIT);
+}
+
+/* Print the safety mechanism description for a given block */
+void gic600_fmu_print_sm_info(uint64_t base, unsigned int blk, unsigned int smid)
+{
+ if (blk == FMU_BLK_GICD && smid <= FMU_SMID_GICD_MAX) {
+ INFO("GICD, SMID %d: %s\n", smid, gicd_sm_info[smid]);
+ }
+
+ if (blk == FMU_BLK_SPICOL && smid <= FMU_SMID_SPICOL_MAX) {
+ INFO("SPI Collator, SMID %d: %s\n", smid, spicol_sm_info[smid]);
+ }
+
+ if (blk == FMU_BLK_WAKERQ && (smid <= FMU_SMID_WAKERQ_MAX)) {
+ INFO("Wake Request, SMID %d: %s\n", smid, wkrqst_sm_info[smid]);
+ }
+
+ if (((blk >= FMU_BLK_ITS0) && (blk <= FMU_BLK_ITS7)) && (smid <= FMU_SMID_ITS_MAX)) {
+ INFO("ITS, SMID %d: %s\n", smid, its_sm_info[smid]);
+ }
+
+ if (((blk >= FMU_BLK_PPI0) && (blk <= FMU_BLK_PPI31)) && (smid <= FMU_SMID_PPI_MAX)) {
+ INFO("PPI, SMID %d: %s\n", smid, ppi_sm_info[smid]);
+ }
+}
diff --git a/drivers/arm/gic/v3/gic600ae_fmu_helpers.c b/drivers/arm/gic/v3/gic600ae_fmu_helpers.c
new file mode 100644
index 0000000..84f7292
--- /dev/null
+++ b/drivers/arm/gic/v3/gic600ae_fmu_helpers.c
@@ -0,0 +1,257 @@
+/*
+ * Copyright (c) 2021, NVIDIA Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <errno.h>
+
+#include <arch.h>
+#include <arch_helpers.h>
+#include <drivers/arm/gic600ae_fmu.h>
+#include <drivers/delay_timer.h>
+#include <lib/mmio.h>
+
+#define GICFMU_IDLE_TIMEOUT_US U(2000000)
+
+/* Macro to write 32-bit FMU registers */
+#define GIC_FMU_WRITE_32(base, reg, val) \
+ do { \
+ /* \
+ * This register receives the unlock key that is required for \
+ * writes to FMU registers to be successful. \
+ */ \
+ mmio_write_32(base + GICFMU_KEY, 0xBE); \
+ /* Perform the actual write */ \
+ mmio_write_32((base) + (reg), (val)); \
+ } while (false)
+
+/* Macro to write 64-bit FMU registers */
+#define GIC_FMU_WRITE_64(base, reg, n, val) \
+ do { \
+ /* \
+ * This register receives the unlock key that is required for \
+ * writes to FMU registers to be successful. \
+ */ \
+ mmio_write_32(base + GICFMU_KEY, 0xBE); \
+ /* \
+ * APB bus is 32-bit wide; so split the 64-bit write into \
+ * two 32-bit writes \
+ */ \
+ mmio_write_32((base) + reg##_LO + (n * 64), (val)); \
+ mmio_write_32((base) + reg##_HI + (n * 64), (val)); \
+ } while (false)
+
+/* Helper function to wait until FMU is ready to accept the next command */
+static void wait_until_fmu_is_idle(uintptr_t base)
+{
+ uint64_t timeout_ref = timeout_init_us(GICFMU_IDLE_TIMEOUT_US);
+ uint64_t status;
+
+ /* wait until status is 'busy' */
+ do {
+ status = (gic_fmu_read_status(base) & BIT(0));
+
+ if (timeout_elapsed(timeout_ref)) {
+ ERROR("GIC600 AE FMU is not responding\n");
+ panic();
+ }
+ } while (status == U(0));
+}
+
+#define GIC_FMU_WRITE_ON_IDLE_32(base, reg, val) \
+ do { \
+ /* Wait until FMU is ready */ \
+ wait_until_fmu_is_idle(base); \
+ /* Actual register write */ \
+ GIC_FMU_WRITE_32(base, reg, val); \
+ /* Wait until FMU is ready */ \
+ wait_until_fmu_is_idle(base); \
+ } while (false)
+
+#define GIC_FMU_WRITE_ON_IDLE_64(base, reg, n, val) \
+ do { \
+ /* Wait until FMU is ready */ \
+ wait_until_fmu_is_idle(base); \
+ /* Actual register write */ \
+ GIC_FMU_WRITE_64(base, reg, n, val); \
+ /* Wait until FMU is ready */ \
+ wait_until_fmu_is_idle(base); \
+ } while (false)
+
+/*******************************************************************************
+ * GIC FMU functions for accessing the Fault Management Unit registers
+ ******************************************************************************/
+
+/*
+ * Accessors to read the Error Record Feature Register bits corresponding
+ * to an error record 'n'
+ */
+uint64_t gic_fmu_read_errfr(uintptr_t base, unsigned int n)
+{
+ /*
+ * APB bus is 32-bit wide; so split the 64-bit read into
+ * two 32-bit reads
+ */
+ uint64_t reg_val = (uint64_t)mmio_read_32(base + GICFMU_ERRFR_LO + n * 64U);
+
+ reg_val |= ((uint64_t)mmio_read_32(base + GICFMU_ERRFR_HI + n * 64U) << 32);
+ return reg_val;
+}
+
+/*
+ * Accessors to read the Error Record Control Register bits corresponding
+ * to an error record 'n'
+ */
+uint64_t gic_fmu_read_errctlr(uintptr_t base, unsigned int n)
+{
+ /*
+ * APB bus is 32-bit wide; so split the 64-bit read into
+ * two 32-bit reads
+ */
+ uint64_t reg_val = (uint64_t)mmio_read_32(base + GICFMU_ERRCTLR_LO + n * 64U);
+
+ reg_val |= ((uint64_t)mmio_read_32(base + GICFMU_ERRCTLR_HI + n * 64U) << 32);
+ return reg_val;
+}
+
+/*
+ * Accessors to read the Error Record Primary Status Register bits
+ * corresponding to an error record 'n'
+ */
+uint64_t gic_fmu_read_errstatus(uintptr_t base, unsigned int n)
+{
+ /*
+ * APB bus is 32-bit wide; so split the 64-bit read into
+ * two 32-bit reads
+ */
+ uint64_t reg_val = (uint64_t)mmio_read_32(base + GICFMU_ERRSTATUS_LO + n * 64U);
+
+ reg_val |= ((uint64_t)mmio_read_32(base + GICFMU_ERRSTATUS_HI + n * 64U) << 32);
+ return reg_val;
+}
+
+/*
+ * Accessors to read the Error Group Status Register
+ */
+uint64_t gic_fmu_read_errgsr(uintptr_t base)
+{
+ /*
+ * APB bus is 32-bit wide; so split the 64-bit read into
+ * two 32-bit reads
+ */
+ uint64_t reg_val = (uint64_t)mmio_read_32(base + GICFMU_ERRGSR_LO);
+
+ reg_val |= ((uint64_t)mmio_read_32(base + GICFMU_ERRGSR_HI) << 32);
+ return reg_val;
+}
+
+/*
+ * Accessors to read the Ping Control Register
+ */
+uint32_t gic_fmu_read_pingctlr(uintptr_t base)
+{
+ return mmio_read_32(base + GICFMU_PINGCTLR);
+}
+
+/*
+ * Accessors to read the Ping Now Register
+ */
+uint32_t gic_fmu_read_pingnow(uintptr_t base)
+{
+ return mmio_read_32(base + GICFMU_PINGNOW);
+}
+
+/*
+ * Accessors to read the Ping Mask Register
+ */
+uint64_t gic_fmu_read_pingmask(uintptr_t base)
+{
+ /*
+ * APB bus is 32-bit wide; so split the 64-bit read into
+ * two 32-bit reads
+ */
+ uint64_t reg_val = (uint64_t)mmio_read_32(base + GICFMU_PINGMASK_LO);
+
+ reg_val |= ((uint64_t)mmio_read_32(base + GICFMU_PINGMASK_HI) << 32);
+ return reg_val;
+}
+
+/*
+ * Accessors to read the FMU Status Register
+ */
+uint32_t gic_fmu_read_status(uintptr_t base)
+{
+ return mmio_read_32(base + GICFMU_STATUS);
+}
+
+/*
+ * Accessors to read the Error Record ID Register
+ */
+uint32_t gic_fmu_read_erridr(uintptr_t base)
+{
+ return mmio_read_32(base + GICFMU_ERRIDR);
+}
+
+/*
+ * Accessors to write a 64 bit value to the Error Record Control Register
+ */
+void gic_fmu_write_errctlr(uintptr_t base, unsigned int n, uint64_t val)
+{
+ GIC_FMU_WRITE_64(base, GICFMU_ERRCTLR, n, val);
+}
+
+/*
+ * Accessors to write a 64 bit value to the Error Record Primary Status
+ * Register
+ */
+void gic_fmu_write_errstatus(uintptr_t base, unsigned int n, uint64_t val)
+{
+ /* Wait until FMU is ready before writing */
+ GIC_FMU_WRITE_ON_IDLE_64(base, GICFMU_ERRSTATUS, n, val);
+}
+
+/*
+ * Accessors to write a 32 bit value to the Ping Control Register
+ */
+void gic_fmu_write_pingctlr(uintptr_t base, uint32_t val)
+{
+ GIC_FMU_WRITE_32(base, GICFMU_PINGCTLR, val);
+}
+
+/*
+ * Accessors to write a 32 bit value to the Ping Now Register
+ */
+void gic_fmu_write_pingnow(uintptr_t base, uint32_t val)
+{
+ /* Wait until FMU is ready before writing */
+ GIC_FMU_WRITE_ON_IDLE_32(base, GICFMU_PINGNOW, val);
+}
+
+/*
+ * Accessors to write a 32 bit value to the Safety Mechanism Enable Register
+ */
+void gic_fmu_write_smen(uintptr_t base, uint32_t val)
+{
+ /* Wait until FMU is ready before writing */
+ GIC_FMU_WRITE_ON_IDLE_32(base, GICFMU_SMEN, val);
+}
+
+/*
+ * Accessors to write a 32 bit value to the Safety Mechanism Inject Error
+ * Register
+ */
+void gic_fmu_write_sminjerr(uintptr_t base, uint32_t val)
+{
+ /* Wait until FMU is ready before writing */
+ GIC_FMU_WRITE_ON_IDLE_32(base, GICFMU_SMINJERR, val);
+}
+
+/*
+ * Accessors to write a 64 bit value to the Ping Mask Register
+ */
+void gic_fmu_write_pingmask(uintptr_t base, uint64_t val)
+{
+ GIC_FMU_WRITE_64(base, GICFMU_PINGMASK, 0, val);
+}
diff --git a/drivers/arm/gic/v3/gicv3.mk b/drivers/arm/gic/v3/gicv3.mk
index a2fc16f..d7e3536 100644
--- a/drivers/arm/gic/v3/gicv3.mk
+++ b/drivers/arm/gic/v3/gicv3.mk
@@ -1,11 +1,13 @@
#
# Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021, NVIDIA Corporation. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Default configuration values
GICV3_SUPPORT_GIC600 ?= 0
+GICV3_SUPPORT_GIC600AE_FMU ?= 0
GICV3_IMPL_GIC600_MULTICHIP ?= 0
GICV3_OVERRIDE_DISTIF_PWR_OPS ?= 0
GIC_ENABLE_V4_EXTN ?= 0
@@ -16,6 +18,11 @@ GICV3_SOURCES += drivers/arm/gic/v3/gicv3_main.c \
drivers/arm/gic/v3/gicdv3_helpers.c \
drivers/arm/gic/v3/gicrv3_helpers.c
+ifeq (${GICV3_SUPPORT_GIC600AE_FMU}, 1)
+GICV3_SOURCES += drivers/arm/gic/v3/gic600ae_fmu.c \
+ drivers/arm/gic/v3/gic600ae_fmu_helpers.c
+endif
+
ifeq (${GICV3_OVERRIDE_DISTIF_PWR_OPS}, 0)
GICV3_SOURCES += drivers/arm/gic/v3/arm_gicv3_common.c
endif
@@ -29,6 +36,10 @@ endif
$(eval $(call assert_boolean,GICV3_SUPPORT_GIC600))
$(eval $(call add_define,GICV3_SUPPORT_GIC600))
+# Set GIC-600AE FMU support
+$(eval $(call assert_boolean,GICV3_SUPPORT_GIC600AE_FMU))
+$(eval $(call add_define,GICV3_SUPPORT_GIC600AE_FMU))
+
# Set GICv4 extension
$(eval $(call assert_boolean,GIC_ENABLE_V4_EXTN))
$(eval $(call add_define,GIC_ENABLE_V4_EXTN))
diff --git a/drivers/arm/gic/v3/gicv3_helpers.c b/drivers/arm/gic/v3/gicv3_helpers.c
index 6bb66a0..753d995 100644
--- a/drivers/arm/gic/v3/gicv3_helpers.c
+++ b/drivers/arm/gic/v3/gicv3_helpers.c
@@ -86,12 +86,52 @@ void gicv3_rdistif_base_addrs_probe(uintptr_t *rdistif_base_addrs,
if (proc_num < rdistif_num) {
rdistif_base_addrs[proc_num] = rdistif_base;
}
-
- rdistif_base += (1U << GICR_PCPUBASE_SHIFT);
+ rdistif_base += gicv3_redist_size(typer_val);
} while ((typer_val & TYPER_LAST_BIT) == 0U);
}
/*******************************************************************************
+ * Helper function to get the maximum SPI INTID + 1.
+ ******************************************************************************/
+unsigned int gicv3_get_spi_limit(uintptr_t gicd_base)
+{
+ unsigned int spi_limit;
+ unsigned int typer_reg = gicd_read_typer(gicd_base);
+
+ /* (maximum SPI INTID + 1) is equal to 32 * (GICD_TYPER.ITLinesNumber+1) */
+ spi_limit = ((typer_reg & TYPER_IT_LINES_NO_MASK) + 1U) << 5;
+
+ /* Filter out special INTIDs 1020-1023 */
+ if (spi_limit > (MAX_SPI_ID + 1U)) {
+ return MAX_SPI_ID + 1U;
+ }
+
+ return spi_limit;
+}
+
+#if GIC_EXT_INTID
+/*******************************************************************************
+ * Helper function to get the maximum ESPI INTID + 1.
+ ******************************************************************************/
+unsigned int gicv3_get_espi_limit(uintptr_t gicd_base)
+{
+ unsigned int typer_reg = gicd_read_typer(gicd_base);
+
+ /* Check if extended SPI range is implemented */
+ if ((typer_reg & TYPER_ESPI) != 0U) {
+ /*
+ * (maximum ESPI INTID + 1) is equal to
+ * 32 * (GICD_TYPER.ESPI_range + 1) + 4096
+ */
+ return ((((typer_reg >> TYPER_ESPI_RANGE_SHIFT) &
+ TYPER_ESPI_RANGE_MASK) + 1U) << 5) + MIN_ESPI_ID;
+ }
+
+ return 0U;
+}
+#endif /* GIC_EXT_INTID */
+
+/*******************************************************************************
* Helper function to configure the default attributes of (E)SPIs.
******************************************************************************/
void gicv3_spis_config_defaults(uintptr_t gicd_base)
@@ -100,19 +140,8 @@ void gicv3_spis_config_defaults(uintptr_t gicd_base)
#if GIC_EXT_INTID
unsigned int num_eints;
#endif
- unsigned int typer_reg = gicd_read_typer(gicd_base);
-
- /* Maximum SPI INTID is 32 * (GICD_TYPER.ITLinesNumber + 1) - 1 */
- num_ints = ((typer_reg & TYPER_IT_LINES_NO_MASK) + 1U) << 5;
- /*
- * The GICv3 architecture allows GICD_TYPER.ITLinesNumber to be 31, so
- * the maximum possible value for num_ints is 1024. Limit the value to
- * MAX_SPI_ID + 1 to avoid getting wrong address in GICD_OFFSET() macro.
- */
- if (num_ints > MAX_SPI_ID + 1U) {
- num_ints = MAX_SPI_ID + 1U;
- }
+ num_ints = gicv3_get_spi_limit(gicd_base);
INFO("Maximum SPI INTID supported: %u\n", num_ints - 1);
/* Treat all (E)SPIs as G1NS by default. We do 32 at a time. */
@@ -121,13 +150,8 @@ void gicv3_spis_config_defaults(uintptr_t gicd_base)
}
#if GIC_EXT_INTID
- /* Check if extended SPI range is implemented */
- if ((typer_reg & TYPER_ESPI) != 0U) {
- /*
- * Maximum ESPI INTID is 32 * (GICD_TYPER.ESPI_range + 1) + 4095
- */
- num_eints = ((((typer_reg >> TYPER_ESPI_RANGE_SHIFT) &
- TYPER_ESPI_RANGE_MASK) + 1U) << 5) + MIN_ESPI_ID;
+ num_eints = gicv3_get_espi_limit(gicd_base);
+ if (num_eints != 0U) {
INFO("Maximum ESPI INTID supported: %u\n", num_eints - 1);
for (i = MIN_ESPI_ID; i < num_eints;
@@ -135,7 +159,6 @@ void gicv3_spis_config_defaults(uintptr_t gicd_base)
gicd_write_igroupr(gicd_base, i, ~0U);
}
} else {
- num_eints = 0U;
INFO("ESPI range is not implemented.\n");
}
#endif
@@ -359,12 +382,29 @@ unsigned int gicv3_rdistif_get_number_frames(const uintptr_t gicr_frame)
uintptr_t rdistif_base = gicr_frame;
unsigned int count;
- for (count = 1; count < PLATFORM_CORE_COUNT; count++) {
- if ((gicr_read_typer(rdistif_base) & TYPER_LAST_BIT) != 0U) {
+ for (count = 1U; count < PLATFORM_CORE_COUNT; count++) {
+ uint64_t typer_val = gicr_read_typer(rdistif_base);
+
+ if ((typer_val & TYPER_LAST_BIT) != 0U) {
break;
}
- rdistif_base += (1U << GICR_PCPUBASE_SHIFT);
+ rdistif_base += gicv3_redist_size(typer_val);
}
return count;
}
+
+unsigned int gicv3_get_component_partnum(const uintptr_t gic_frame)
+{
+ unsigned int part_id;
+
+ /*
+ * The lower 8 bits of PIDR0, complemented by the lower 4 bits of
+ * PIDR1 contain a part number identifying the GIC component at a
+ * particular base address.
+ */
+ part_id = mmio_read_32(gic_frame + GICD_PIDR0_GICV3) & 0xff;
+ part_id |= (mmio_read_32(gic_frame + GICD_PIDR1_GICV3) << 8) & 0xf00;
+
+ return part_id;
+}
diff --git a/drivers/arm/gic/v3/gicv3_main.c b/drivers/arm/gic/v3/gicv3_main.c
index 5a49b4f..53a8fae 100644
--- a/drivers/arm/gic/v3/gicv3_main.c
+++ b/drivers/arm/gic/v3/gicv3_main.c
@@ -123,13 +123,7 @@ void __init gicv3_driver_init(const gicv3_driver_data_t *plat_driver_data)
gic_version &= PIDR2_ARCH_REV_MASK;
/* Check GIC version */
-#if GIC_ENABLE_V4_EXTN
- assert(gic_version == ARCH_REV_GICV4);
-
- /* GICv4 supports Direct Virtual LPI injection */
- assert((gicd_read_typer(plat_driver_data->gicd_base)
- & TYPER_DVIS) != 0);
-#else
+#if !GIC_ENABLE_V4_EXTN
assert(gic_version == ARCH_REV_GICV3);
#endif
/*
@@ -332,6 +326,8 @@ void gicv3_cpuif_enable(unsigned int proc_num)
write_icc_igrpen1_el3(read_icc_igrpen1_el3() |
IGRPEN1_EL3_ENABLE_G1S_BIT);
isb();
+ /* Add DSB to ensure visibility of System register writes */
+ dsb();
}
/*******************************************************************************
@@ -363,6 +359,8 @@ void gicv3_cpuif_disable(unsigned int proc_num)
/* Synchronise accesses to group enable registers */
isb();
+ /* Add DSB to ensure visibility of System register writes */
+ dsb();
/* Mark the connected core as asleep */
gicr_base = gicv3_driver_data->rdistif_base_addrs[proc_num];
@@ -728,40 +726,17 @@ void gicv3_rdistif_init_restore(unsigned int proc_num,
*****************************************************************************/
void gicv3_distif_save(gicv3_dist_ctx_t * const dist_ctx)
{
- unsigned int typer_reg, num_ints;
-#if GIC_EXT_INTID
- unsigned int num_eints;
-#endif
-
assert(gicv3_driver_data != NULL);
assert(gicv3_driver_data->gicd_base != 0U);
assert(IS_IN_EL3());
assert(dist_ctx != NULL);
uintptr_t gicd_base = gicv3_driver_data->gicd_base;
-
- typer_reg = gicd_read_typer(gicd_base);
-
- /* Maximum SPI INTID is 32 * (GICD_TYPER.ITLinesNumber + 1) - 1 */
- num_ints = ((typer_reg & TYPER_IT_LINES_NO_MASK) + 1U) << 5;
-
- /* Filter out special INTIDs 1020-1023 */
- if (num_ints > (MAX_SPI_ID + 1U)) {
- num_ints = MAX_SPI_ID + 1U;
- }
-
+ unsigned int num_ints = gicv3_get_spi_limit(gicd_base);
#if GIC_EXT_INTID
- /* Check if extended SPI range is implemented */
- if ((typer_reg & TYPER_ESPI) != 0U) {
- /*
- * Maximum ESPI INTID is 32 * (GICD_TYPER.ESPI_range + 1) + 4095
- */
- num_eints = ((((typer_reg >> TYPER_ESPI_RANGE_SHIFT) &
- TYPER_ESPI_RANGE_MASK) + 1U) << 5) + MIN_ESPI_ID;
- } else {
- num_eints = 0U;
- }
+ unsigned int num_eints = gicv3_get_espi_limit(gicd_base);
#endif
+
/* Wait for pending write to complete */
gicd_wait_for_pending_write(gicd_base);
@@ -838,11 +813,6 @@ void gicv3_distif_save(gicv3_dist_ctx_t * const dist_ctx)
*****************************************************************************/
void gicv3_distif_init_restore(const gicv3_dist_ctx_t * const dist_ctx)
{
- unsigned int typer_reg, num_ints;
-#if GIC_EXT_INTID
- unsigned int num_eints;
-#endif
-
assert(gicv3_driver_data != NULL);
assert(gicv3_driver_data->gicd_base != 0U);
assert(IS_IN_EL3());
@@ -864,27 +834,9 @@ void gicv3_distif_init_restore(const gicv3_dist_ctx_t * const dist_ctx)
/* Set the ARE_S and ARE_NS bit now that interrupts have been disabled */
gicd_set_ctlr(gicd_base, CTLR_ARE_S_BIT | CTLR_ARE_NS_BIT, RWP_TRUE);
- typer_reg = gicd_read_typer(gicd_base);
-
- /* Maximum SPI INTID is 32 * (GICD_TYPER.ITLinesNumber + 1) - 1 */
- num_ints = ((typer_reg & TYPER_IT_LINES_NO_MASK) + 1U) << 5;
-
- /* Filter out special INTIDs 1020-1023 */
- if (num_ints > (MAX_SPI_ID + 1U)) {
- num_ints = MAX_SPI_ID + 1U;
- }
-
+ unsigned int num_ints = gicv3_get_spi_limit(gicd_base);
#if GIC_EXT_INTID
- /* Check if extended SPI range is implemented */
- if ((typer_reg & TYPER_ESPI) != 0U) {
- /*
- * Maximum ESPI INTID is 32 * (GICD_TYPER.ESPI_range + 1) + 4095
- */
- num_eints = ((((typer_reg >> TYPER_ESPI_RANGE_SHIFT) &
- TYPER_ESPI_RANGE_MASK) + 1U) << 5) + MIN_ESPI_ID;
- } else {
- num_eints = 0U;
- }
+ unsigned int num_eints = gicv3_get_espi_limit(gicd_base);
#endif
/* Restore GICD_IGROUPR for INTIDs 32 - 1019 */
RESTORE_GICD_REGS(gicd_base, dist_ctx, num_ints, igroupr, IGROUP);
@@ -1340,7 +1292,7 @@ int gicv3_rdistif_probe(const uintptr_t gicr_frame)
gicr_frame_found = true;
break;
}
- rdistif_base += (uintptr_t)(ULL(1) << GICR_PCPUBASE_SHIFT);
+ rdistif_base += gicv3_redist_size(typer_val);
} while ((typer_val & TYPER_LAST_BIT) == 0U);
if (!gicr_frame_found) {
diff --git a/drivers/arm/gic/v3/gicv3_private.h b/drivers/arm/gic/v3/gicv3_private.h
index 416cdd0..93ee1a1 100644
--- a/drivers/arm/gic/v3/gicv3_private.h
+++ b/drivers/arm/gic/v3/gicv3_private.h
@@ -233,6 +233,8 @@ void gicr_set_icfgr(uintptr_t base, unsigned int id, unsigned int cfg);
/*******************************************************************************
* Private GICv3 helper function prototypes
******************************************************************************/
+unsigned int gicv3_get_spi_limit(uintptr_t gicd_base);
+unsigned int gicv3_get_espi_limit(uintptr_t gicd_base);
void gicv3_spis_config_defaults(uintptr_t gicd_base);
void gicv3_ppi_sgi_config_defaults(uintptr_t gicr_base);
unsigned int gicv3_secure_ppi_sgi_config_props(uintptr_t gicr_base,
diff --git a/drivers/arm/tzc/tzc400.c b/drivers/arm/tzc/tzc400.c
index 9fc1578..e4fc8c9 100644
--- a/drivers/arm/tzc/tzc400.c
+++ b/drivers/arm/tzc/tzc400.c
@@ -68,6 +68,7 @@ DEFINE_TZC_COMMON_WRITE_REGION_BASE(400, 400)
DEFINE_TZC_COMMON_WRITE_REGION_TOP(400, 400)
DEFINE_TZC_COMMON_WRITE_REGION_ATTRIBUTES(400, 400)
DEFINE_TZC_COMMON_WRITE_REGION_ID_ACCESS(400, 400)
+DEFINE_TZC_COMMON_UPDATE_FILTERS(400, 400)
DEFINE_TZC_COMMON_CONFIGURE_REGION0(400)
DEFINE_TZC_COMMON_CONFIGURE_REGION(400)
@@ -271,6 +272,15 @@ void tzc400_configure_region(unsigned int filters,
sec_attr, nsaid_permissions);
}
+void tzc400_update_filters(unsigned int region, unsigned int filters)
+{
+ /* Do range checks on filters and regions. */
+ assert(((filters >> tzc400.num_filters) == 0U) &&
+ (region < tzc400.num_regions));
+
+ _tzc400_update_filters(tzc400.base, region, tzc400.num_filters, filters);
+}
+
void tzc400_enable_filters(void)
{
unsigned int state;
@@ -281,6 +291,11 @@ void tzc400_enable_filters(void)
for (filter = 0U; filter < tzc400.num_filters; filter++) {
state = _tzc400_get_gate_keeper(tzc400.base, filter);
if (state != 0U) {
+ /* Filter 0 is special and cannot be disabled.
+ * So here we allow it being already enabled. */
+ if (filter == 0U) {
+ continue;
+ }
/*
* The TZC filter is already configured. Changing the
* programmer's view in an active system can cause
@@ -302,14 +317,17 @@ void tzc400_enable_filters(void)
void tzc400_disable_filters(void)
{
unsigned int filter;
+ unsigned int state;
+ unsigned int start = 0U;
assert(tzc400.base != 0U);
- /*
- * We don't do the same state check as above as the Gatekeepers are
- * disabled after reset.
- */
- for (filter = 0; filter < tzc400.num_filters; filter++)
+ /* Filter 0 is special and cannot be disabled. */
+ state = _tzc400_get_gate_keeper(tzc400.base, 0);
+ if (state != 0U) {
+ start++;
+ }
+ for (filter = start; filter < tzc400.num_filters; filter++)
_tzc400_set_gate_keeper(tzc400.base, filter, 0);
}
diff --git a/drivers/arm/tzc/tzc_common_private.h b/drivers/arm/tzc/tzc_common_private.h
index 1d99077..2090944 100644
--- a/drivers/arm/tzc/tzc_common_private.h
+++ b/drivers/arm/tzc/tzc_common_private.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -90,6 +90,27 @@
}
/*
+ * It is used to modify the filters status for a defined region.
+ */
+#define DEFINE_TZC_COMMON_UPDATE_FILTERS(fn_name, macro_name) \
+ static inline void _tzc##fn_name##_update_filters( \
+ uintptr_t base, \
+ unsigned int region_no, \
+ unsigned int nbfilters, \
+ unsigned int filters) \
+ { \
+ uint32_t filters_mask = GENMASK(nbfilters - 1U, 0); \
+ \
+ mmio_clrsetbits_32(base + \
+ TZC_REGION_OFFSET( \
+ TZC_##macro_name##_REGION_SIZE, \
+ region_no) + \
+ TZC_##macro_name##_REGION_ATTR_0_OFFSET, \
+ filters_mask << TZC_REGION_ATTR_F_EN_SHIFT, \
+ filters << TZC_REGION_ATTR_F_EN_SHIFT); \
+ }
+
+/*
* It is used to program region 0 ATTRIBUTES and ACCESS register.
*/
#define DEFINE_TZC_COMMON_CONFIGURE_REGION0(fn_name) \
diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c
index c7f84af..917ee4a 100644
--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -16,6 +16,7 @@
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/auth/img_parser_mod.h>
+#include <drivers/fwu/fwu.h>
#include <lib/fconf/fconf_tbbr_getter.h>
#include <plat/common/platform.h>
@@ -242,6 +243,7 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
unsigned int data_len, len, i;
unsigned int plat_nv_ctr;
int rc = 0;
+ bool is_trial_run = false;
/* Get the counter value from current image. The AM expects the IPM
* to return the counter value as a DER encoded integer */
@@ -284,7 +286,10 @@ static int auth_nvctr(const auth_method_param_nv_ctr_t *param,
/* Invalid NV-counter */
return 1;
} else if (*cert_nv_ctr > plat_nv_ctr) {
- *need_nv_ctr_upgrade = true;
+#if PSA_FWU_SUPPORT && IMAGE_BL2
+ is_trial_run = fwu_is_trial_run_state();
+#endif /* PSA_FWU_SUPPORT && IMAGE_BL2 */
+ *need_nv_ctr_upgrade = !is_trial_run;
}
return 0;
diff --git a/drivers/auth/cryptocell/713/cryptocell_crypto.c b/drivers/auth/cryptocell/713/cryptocell_crypto.c
index 5f390a2..077317e 100644
--- a/drivers/auth/cryptocell/713/cryptocell_crypto.c
+++ b/drivers/auth/cryptocell/713/cryptocell_crypto.c
@@ -13,6 +13,7 @@
#include <drivers/auth/crypto_mod.h>
#include <mbedtls/oid.h>
+#include <mbedtls/x509.h>
#define LIB_NAME "CryptoCell 713 SBROM"
#define RSA_SALT_LEN 32
diff --git a/drivers/auth/tbbr/tbbr_cot_bl1_r64.c b/drivers/auth/tbbr/tbbr_cot_bl1_r64.c
new file mode 100644
index 0000000..e8e017c
--- /dev/null
+++ b/drivers/auth/tbbr/tbbr_cot_bl1_r64.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2021, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stddef.h>
+
+#include <drivers/auth/auth_mod.h>
+#include <drivers/auth/mbedtls/mbedtls_config.h>
+#include <drivers/auth/tbbr_cot_common.h>
+
+#if USE_TBBR_DEFS
+#include <tools_share/tbbr_oid.h>
+#else
+#include <platform_oid.h>
+#endif
+#include <platform_def.h>
+
+
+static unsigned char trusted_world_pk_buf[PK_DER_LEN];
+static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
+static unsigned char content_pk_buf[PK_DER_LEN];
+static unsigned char nt_fw_config_hash_buf[HASH_DER_LEN];
+
+static auth_param_type_desc_t non_trusted_nv_ctr = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_NV_CTR, NON_TRUSTED_FW_NVCOUNTER_OID);
+static auth_param_type_desc_t trusted_world_pk = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_PUB_KEY, TRUSTED_WORLD_PK_OID);
+static auth_param_type_desc_t non_trusted_world_pk = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_PUB_KEY, NON_TRUSTED_WORLD_PK_OID);
+static auth_param_type_desc_t nt_fw_content_pk = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_PUB_KEY, NON_TRUSTED_FW_CONTENT_CERT_PK_OID);
+static auth_param_type_desc_t nt_world_bl_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, NON_TRUSTED_WORLD_BOOTLOADER_HASH_OID);
+static auth_param_type_desc_t nt_fw_config_hash = AUTH_PARAM_TYPE_DESC(
+ AUTH_PARAM_HASH, NON_TRUSTED_FW_CONFIG_HASH_OID);
+/*
+ * Trusted key certificate
+ */
+static const auth_img_desc_t trusted_key_cert = {
+ .img_id = TRUSTED_KEY_CERT_ID,
+ .img_type = IMG_CERT,
+ .parent = NULL,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_SIG,
+ .param.sig = {
+ .pk = &subject_pk,
+ .sig = &sig,
+ .alg = &sig_alg,
+ .data = &raw_data
+ }
+ },
+ [1] = {
+ .type = AUTH_METHOD_NV_CTR,
+ .param.nv_ctr = {
+ .cert_nv_ctr = &trusted_nv_ctr,
+ .plat_nv_ctr = &trusted_nv_ctr
+ }
+ }
+ },
+ .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+ [0] = {
+ .type_desc = &trusted_world_pk,
+ .data = {
+ .ptr = (void *)trusted_world_pk_buf,
+ .len = (unsigned int)PK_DER_LEN
+ }
+ },
+ [1] = {
+ .type_desc = &non_trusted_world_pk,
+ .data = {
+ .ptr = (void *)non_trusted_world_pk_buf,
+ .len = (unsigned int)PK_DER_LEN
+ }
+ }
+ }
+};
+/*
+ * Non-Trusted Firmware
+ */
+static const auth_img_desc_t non_trusted_fw_key_cert = {
+ .img_id = NON_TRUSTED_FW_KEY_CERT_ID,
+ .img_type = IMG_CERT,
+ .parent = &trusted_key_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_SIG,
+ .param.sig = {
+ .pk = &non_trusted_world_pk,
+ .sig = &sig,
+ .alg = &sig_alg,
+ .data = &raw_data
+ }
+ },
+ [1] = {
+ .type = AUTH_METHOD_NV_CTR,
+ .param.nv_ctr = {
+ .cert_nv_ctr = &non_trusted_nv_ctr,
+ .plat_nv_ctr = &non_trusted_nv_ctr
+ }
+ }
+ },
+ .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+ [0] = {
+ .type_desc = &nt_fw_content_pk,
+ .data = {
+ .ptr = (void *)content_pk_buf,
+ .len = (unsigned int)PK_DER_LEN
+ }
+ }
+ }
+};
+static const auth_img_desc_t non_trusted_fw_content_cert = {
+ .img_id = NON_TRUSTED_FW_CONTENT_CERT_ID,
+ .img_type = IMG_CERT,
+ .parent = &non_trusted_fw_key_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_SIG,
+ .param.sig = {
+ .pk = &nt_fw_content_pk,
+ .sig = &sig,
+ .alg = &sig_alg,
+ .data = &raw_data
+ }
+ },
+ [1] = {
+ .type = AUTH_METHOD_NV_CTR,
+ .param.nv_ctr = {
+ .cert_nv_ctr = &non_trusted_nv_ctr,
+ .plat_nv_ctr = &non_trusted_nv_ctr
+ }
+ }
+ },
+ .authenticated_data = (const auth_param_desc_t[COT_MAX_VERIFIED_PARAMS]) {
+ [0] = {
+ .type_desc = &nt_world_bl_hash,
+ .data = {
+ .ptr = (void *)nt_world_bl_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ },
+ [1] = {
+ .type_desc = &nt_fw_config_hash,
+ .data = {
+ .ptr = (void *)nt_fw_config_hash_buf,
+ .len = (unsigned int)HASH_DER_LEN
+ }
+ }
+ }
+};
+static const auth_img_desc_t bl33_image = {
+ .img_id = BL33_IMAGE_ID,
+ .img_type = IMG_RAW,
+ .parent = &non_trusted_fw_content_cert,
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) {
+ [0] = {
+ .type = AUTH_METHOD_HASH,
+ .param.hash = {
+ .data = &raw_data,
+ .hash = &nt_world_bl_hash
+ }
+ }
+ }
+};
+
+static const auth_img_desc_t * const cot_desc[] = {
+ [TRUSTED_KEY_CERT_ID] = &trusted_key_cert,
+ [NON_TRUSTED_FW_KEY_CERT_ID] = &non_trusted_fw_key_cert,
+ [NON_TRUSTED_FW_CONTENT_CERT_ID] = &non_trusted_fw_content_cert,
+ [BL33_IMAGE_ID] = &bl33_image,
+};
+
+/* Register the CoT in the authentication module */
+REGISTER_COT(cot_desc);
diff --git a/drivers/brcm/emmc/emmc_csl_sdcard.c b/drivers/brcm/emmc/emmc_csl_sdcard.c
index d6ad4bc..9e2c618 100644
--- a/drivers/brcm/emmc/emmc_csl_sdcard.c
+++ b/drivers/brcm/emmc/emmc_csl_sdcard.c
@@ -4,9 +4,11 @@
* SPDX-License-Identifier: BSD-3-Clause
*/
+#include <inttypes.h>
+#include <stddef.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
-#include <stddef.h>
#include <arch_helpers.h>
#include <lib/mmio.h>
@@ -521,7 +523,7 @@ static int xfer_data(struct sd_handle *handle,
{
int rc = SD_OK;
- VERBOSE("XFER: dest: 0x%llx, addr: 0x%x, size: 0x%x bytes\n",
+ VERBOSE("XFER: dest: 0x%" PRIx64 ", addr: 0x%x, size: 0x%x bytes\n",
(uint64_t)base, addr, length);
if ((length / handle->device->cfg.blockSize) > 1) {
diff --git a/drivers/fwu/fwu.c b/drivers/fwu/fwu.c
new file mode 100644
index 0000000..7cb4c29
--- /dev/null
+++ b/drivers/fwu/fwu.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+
+#include <common/debug.h>
+#include <common/tf_crc32.h>
+#include <common/tbbr/tbbr_img_def.h>
+#include <drivers/fwu/fwu.h>
+#include <drivers/fwu/fwu_metadata.h>
+#include <drivers/io/io_storage.h>
+
+#include <plat/common/platform.h>
+
+/*
+ * Assert that crc_32 is the first member of fwu_metadata structure.
+ * It avoids accessing data outside of the metadata structure during
+ * CRC32 computation if the crc_32 field gets moved due the structure
+ * member(s) addition in the future.
+ */
+CASSERT((offsetof(struct fwu_metadata, crc_32) == 0),
+ crc_32_must_be_first_member_of_structure);
+
+static struct fwu_metadata metadata;
+static bool is_fwu_initialized;
+
+/*******************************************************************************
+ * Compute CRC32 of the FWU metadata, and check it against the CRC32 value
+ * present in the FWU metadata.
+ *
+ * return -1 on error, otherwise 0
+ ******************************************************************************/
+static int fwu_metadata_crc_check(void)
+{
+ unsigned char *data = (unsigned char *)&metadata;
+
+ uint32_t calc_crc = tf_crc32(0U, data + sizeof(metadata.crc_32),
+ (sizeof(metadata) -
+ sizeof(metadata.crc_32)));
+
+ if (metadata.crc_32 != calc_crc) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*******************************************************************************
+ * Check the sanity of FWU metadata.
+ *
+ * return -1 on error, otherwise 0
+ ******************************************************************************/
+static int fwu_metadata_sanity_check(void)
+{
+ /* ToDo: add more conditions for sanity check */
+ if ((metadata.active_index >= NR_OF_FW_BANKS) ||
+ (metadata.previous_active_index >= NR_OF_FW_BANKS)) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/*******************************************************************************
+ * Verify and load specified FWU metadata image to local FWU metadata structure.
+ *
+ * @image_id: FWU metadata image id (either FWU_METADATA_IMAGE_ID or
+ * BKUP_FWU_METADATA_IMAGE_ID)
+ *
+ * return a negative value on error, otherwise 0
+ ******************************************************************************/
+static int fwu_metadata_load(unsigned int image_id)
+{
+ int result;
+ uintptr_t dev_handle, image_handle, image_spec;
+ size_t bytes_read;
+
+ assert((image_id == FWU_METADATA_IMAGE_ID) ||
+ (image_id == BKUP_FWU_METADATA_IMAGE_ID));
+
+ result = plat_fwu_set_metadata_image_source(image_id,
+ &dev_handle,
+ &image_spec);
+ if (result != 0) {
+ WARN("Failed to set reference to image id=%u (%i)\n",
+ image_id, result);
+ return result;
+ }
+
+ result = io_open(dev_handle, image_spec, &image_handle);
+ if (result != 0) {
+ WARN("Failed to load image id id=%u (%i)\n",
+ image_id, result);
+ return result;
+ }
+
+ result = io_read(image_handle, (uintptr_t)&metadata,
+ sizeof(struct fwu_metadata), &bytes_read);
+
+ if (result != 0) {
+ WARN("Failed to read image id=%u (%i)\n", image_id, result);
+ goto exit;
+ }
+
+ if (sizeof(struct fwu_metadata) != bytes_read) {
+ /* return -1 in case of partial/no read */
+ result = -1;
+ WARN("Read bytes (%zu) instead of expected (%zu) bytes\n",
+ bytes_read, sizeof(struct fwu_metadata));
+ goto exit;
+ }
+
+ /* sanity check on loaded parameters */
+ result = fwu_metadata_sanity_check();
+ if (result != 0) {
+ WARN("Sanity %s\n", "check failed on FWU metadata");
+ goto exit;
+ }
+
+ /* CRC check on loaded parameters */
+ result = fwu_metadata_crc_check();
+ if (result != 0) {
+ WARN("CRC %s\n", "check failed on FWU metadata");
+ }
+
+exit:
+ (void)io_close(image_handle);
+
+ return result;
+}
+
+/*******************************************************************************
+ * The system runs in the trial run state if any of the images in the active
+ * firmware bank has not been accepted yet.
+ *
+ * Returns true if the system is running in the trial state.
+ ******************************************************************************/
+bool fwu_is_trial_run_state(void)
+{
+ bool trial_run = false;
+
+ assert(is_fwu_initialized == true);
+
+ for (unsigned int i = 0U; i < NR_OF_IMAGES_IN_FW_BANK; i++) {
+ struct fwu_image_entry *entry = &metadata.img_entry[i];
+ struct fwu_image_properties *img_props =
+ &entry->img_props[metadata.active_index];
+ if (img_props->accepted == 0) {
+ trial_run = true;
+ break;
+ }
+ }
+
+ return trial_run;
+}
+
+/*******************************************************************************
+ * Load verified copy of FWU metadata image kept in the platform NV storage
+ * into local FWU metadata structure.
+ * Also, update platform I/O policies with the offset address and length of
+ * firmware-updated images kept in the platform NV storage.
+ ******************************************************************************/
+void fwu_init(void)
+{
+ /* Load FWU metadata which will be used to load the images in the
+ * active bank as per PSA FWU specification
+ */
+ int result = fwu_metadata_load(FWU_METADATA_IMAGE_ID);
+
+ if (result != 0) {
+ WARN("loading of FWU-Metadata failed, "
+ "using Bkup-FWU-Metadata\n");
+
+ result = fwu_metadata_load(BKUP_FWU_METADATA_IMAGE_ID);
+ if (result != 0) {
+ ERROR("loading of Bkup-FWU-Metadata failed\n");
+ panic();
+ }
+ }
+
+ plat_fwu_set_images_source(&metadata);
+
+ is_fwu_initialized = true;
+}
diff --git a/drivers/fwu/fwu.mk b/drivers/fwu/fwu.mk
new file mode 100644
index 0000000..f4452e0
--- /dev/null
+++ b/drivers/fwu/fwu.mk
@@ -0,0 +1,11 @@
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+FWU_SRC_DIR := drivers/fwu/
+
+FWU_SRCS := ${FWU_SRC_DIR}fwu.c
+
+BL2_SOURCES += ${FWU_SRCS}
diff --git a/drivers/io/io_mtd.c b/drivers/io/io_mtd.c
index 7575fa2..ba8cecd 100644
--- a/drivers/io/io_mtd.c
+++ b/drivers/io/io_mtd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2019-2021, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -18,8 +18,9 @@
typedef struct {
io_mtd_dev_spec_t *dev_spec;
uintptr_t base;
- unsigned long long offset; /* Offset in bytes */
- unsigned long long size; /* Size of device in bytes */
+ unsigned long long pos; /* Offset in bytes */
+ unsigned long long size; /* Size of device in bytes */
+ unsigned long long extra_offset; /* Extra offset in bytes */
} mtd_dev_state_t;
io_type_t device_type_mtd(void);
@@ -110,16 +111,47 @@ static int free_dev_info(io_dev_info_t *dev_info)
return 0;
}
+static int mtd_add_extra_offset(mtd_dev_state_t *cur, size_t *extra_offset)
+{
+ io_mtd_ops_t *ops = &cur->dev_spec->ops;
+ int ret;
+
+ if (ops->seek == NULL) {
+ return 0;
+ }
+
+ ret = ops->seek(cur->base, cur->pos, extra_offset);
+ if (ret != 0) {
+ ERROR("%s: Seek error %d\n", __func__, ret);
+ return ret;
+ }
+
+ return 0;
+}
+
static int mtd_open(io_dev_info_t *dev_info, const uintptr_t spec,
io_entity_t *entity)
{
mtd_dev_state_t *cur;
+ io_block_spec_t *region;
+ size_t extra_offset = 0U;
+ int ret;
assert((dev_info->info != 0UL) && (entity->info == 0UL));
+ region = (io_block_spec_t *)spec;
cur = (mtd_dev_state_t *)dev_info->info;
entity->info = (uintptr_t)cur;
- cur->offset = 0U;
+ cur->base = region->offset;
+ cur->pos = 0U;
+ cur->extra_offset = 0U;
+
+ ret = mtd_add_extra_offset(cur, &extra_offset);
+ if (ret != 0) {
+ return ret;
+ }
+
+ cur->base += extra_offset;
return 0;
}
@@ -128,6 +160,8 @@ static int mtd_open(io_dev_info_t *dev_info, const uintptr_t spec,
static int mtd_seek(io_entity_t *entity, int mode, signed long long offset)
{
mtd_dev_state_t *cur;
+ size_t extra_offset = 0U;
+ int ret;
assert((entity->info != (uintptr_t)NULL) && (offset >= 0));
@@ -140,22 +174,29 @@ static int mtd_seek(io_entity_t *entity, int mode, signed long long offset)
return -EINVAL;
}
- cur->offset = offset;
+ cur->pos = offset;
break;
case IO_SEEK_CUR:
- if (((cur->offset + (unsigned long long)offset) >=
+ if (((cur->base + cur->pos + (unsigned long long)offset) >=
cur->size) ||
- ((cur->offset + (unsigned long long)offset) <
- cur->offset)) {
+ ((cur->base + cur->pos + (unsigned long long)offset) <
+ cur->base + cur->pos)) {
return -EINVAL;
}
- cur->offset += (unsigned long long)offset;
+ cur->pos += (unsigned long long)offset;
break;
default:
return -EINVAL;
}
+ ret = mtd_add_extra_offset(cur, &extra_offset);
+ if (ret != 0) {
+ return ret;
+ }
+
+ cur->extra_offset = extra_offset;
+
return 0;
}
@@ -174,18 +215,19 @@ static int mtd_read(io_entity_t *entity, uintptr_t buffer, size_t length,
assert(ops->read != NULL);
VERBOSE("Read at %llx into %lx, length %zi\n",
- cur->offset, buffer, length);
- if ((cur->offset + length) > cur->dev_spec->device_size) {
+ cur->base + cur->pos, buffer, length);
+ if ((cur->base + cur->pos + length) > cur->dev_spec->device_size) {
return -EINVAL;
}
- ret = ops->read(cur->offset, buffer, length, out_length);
+ ret = ops->read(cur->base + cur->pos + cur->extra_offset, buffer,
+ length, out_length);
if (ret < 0) {
return ret;
}
assert(*out_length == length);
- cur->offset += *out_length;
+ cur->pos += *out_length;
return 0;
}
diff --git a/drivers/marvell/amb_adec.c b/drivers/marvell/amb_adec.c
index 1f67105..d78fa25 100644
--- a/drivers/marvell/amb_adec.c
+++ b/drivers/marvell/amb_adec.c
@@ -7,6 +7,9 @@
/* AXI to M-Bridge decoding unit driver for Marvell Armada 8K and 8K+ SoCs */
+#include <inttypes.h>
+#include <stdint.h>
+
#include <common/debug.h>
#include <lib/mmio.h>
@@ -44,10 +47,10 @@ static void amb_check_win(struct addr_map_win *win, uint32_t win_num)
/* make sure the base address is in 16-bit range */
if (win->base_addr > AMB_BASE_ADDR_MASK) {
- WARN("Window %d: base address is too big 0x%llx\n",
+ WARN("Window %d: base address is too big 0x%" PRIx64 "\n",
win_num, win->base_addr);
win->base_addr = AMB_BASE_ADDR_MASK;
- WARN("Set the base address to 0x%llx\n", win->base_addr);
+ WARN("Set the base address to 0x%" PRIx64 "\n", win->base_addr);
}
base_addr = win->base_addr << AMB_BASE_OFFSET;
@@ -57,15 +60,15 @@ static void amb_check_win(struct addr_map_win *win, uint32_t win_num)
win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M);
WARN("Window %d: base address unaligned to 0x%x\n",
win_num, AMB_WIN_ALIGNMENT_1M);
- WARN("Align up the base address to 0x%llx\n", win->base_addr);
+ WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr);
}
/* size parameter validity check */
if (!IS_POWER_OF_2(win->win_size)) {
- WARN("Window %d: window size is not power of 2 (0x%llx)\n",
+ WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n",
win_num, win->win_size);
win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size);
- WARN("Rounding size to 0x%llx\n", win->win_size);
+ WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size);
}
}
diff --git a/drivers/marvell/ccu.c b/drivers/marvell/ccu.c
index b4251f4..c206f11 100644
--- a/drivers/marvell/ccu.c
+++ b/drivers/marvell/ccu.c
@@ -7,6 +7,9 @@
/* CCU unit device driver for Marvell AP807, AP807 and AP810 SoCs */
+#include <inttypes.h>
+#include <stdint.h>
+
#include <common/debug.h>
#include <drivers/marvell/ccu.h>
#include <lib/mmio.h>
@@ -84,7 +87,7 @@ static void dump_ccu(int ap_index)
win_id));
start = ((uint64_t)alr << ADDRESS_SHIFT);
end = (((uint64_t)ahr + 0x10) << ADDRESS_SHIFT);
- printf("\tccu%d %02x 0x%016llx 0x%016llx\n",
+ printf("\tccu%d %02x 0x%016" PRIx64 " 0x%016" PRIx64 "\n",
win_id, target_id, start, end);
}
}
@@ -99,14 +102,14 @@ void ccu_win_check(struct addr_map_win *win)
/* check if address is aligned to 1M */
if (IS_NOT_ALIGN(win->base_addr, CCU_WIN_ALIGNMENT)) {
win->base_addr = ALIGN_UP(win->base_addr, CCU_WIN_ALIGNMENT);
- NOTICE("%s: Align up the base address to 0x%llx\n",
+ NOTICE("%s: Align up the base address to 0x%" PRIx64 "\n",
__func__, win->base_addr);
}
/* size parameter validity check */
if (IS_NOT_ALIGN(win->win_size, CCU_WIN_ALIGNMENT)) {
win->win_size = ALIGN_UP(win->win_size, CCU_WIN_ALIGNMENT);
- NOTICE("%s: Aligning size to 0x%llx\n",
+ NOTICE("%s: Aligning size to 0x%" PRIx64 "\n",
__func__, win->win_size);
}
}
diff --git a/drivers/marvell/comphy/comphy-cp110.h b/drivers/marvell/comphy/comphy-cp110.h
index 9b10619..af5c715 100644
--- a/drivers/marvell/comphy/comphy-cp110.h
+++ b/drivers/marvell/comphy/comphy-cp110.h
@@ -54,7 +54,7 @@
#define COMMON_SELECTOR_PIPE_COMPHY_USBH 0x1
#define COMMON_SELECTOR_PIPE_COMPHY_USBD 0x2
-/* SGMII/HS-SGMII/SFI/RXAUI */
+/* SGMII/Base-X/SFI/RXAUI */
#define COMMON_SELECTOR_COMPHY0_1_2_NETWORK 0x1
#define COMMON_SELECTOR_COMPHY3_RXAUI 0x1
#define COMMON_SELECTOR_COMPHY3_SGMII 0x2
diff --git a/drivers/marvell/comphy/phy-comphy-3700.c b/drivers/marvell/comphy/phy-comphy-3700.c
index 02fe97c..a3e414c 100644
--- a/drivers/marvell/comphy/phy-comphy-3700.c
+++ b/drivers/marvell/comphy/phy-comphy-3700.c
@@ -14,6 +14,7 @@
#include <mvebu.h>
#include <mvebu_def.h>
+#include <plat_marvell.h>
#include "phy-comphy-3700.h"
#include "phy-comphy-common.h"
@@ -29,15 +30,6 @@
#define USB3_GBE1_PHY (MVEBU_REGS_BASE + 0x5C000)
#define COMPHY_SD_ADDR (MVEBU_REGS_BASE + 0x1F000)
-/*
- * Below address in used only for reading, therefore no problem with concurrent
- * Linux access.
- */
-#define MVEBU_TEST_PIN_LATCH_N (MVEBU_NB_GPIO_REG_BASE + 0x8)
- #define MVEBU_XTAL_MODE_MASK BIT(9)
- #define MVEBU_XTAL_MODE_OFFS 9
- #define MVEBU_XTAL_CLOCK_25MHZ 0x0
-
struct sgmii_phy_init_data_fix {
uint16_t addr;
uint16_t value;
@@ -125,22 +117,8 @@ static uint16_t sgmii_phy_init[512] = {
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000 /*1F8 */
};
-/* returns reference clock in MHz (25 or 40) */
-static uint32_t get_ref_clk(void)
-{
- uint32_t val;
-
- val = (mmio_read_32(MVEBU_TEST_PIN_LATCH_N) & MVEBU_XTAL_MODE_MASK) >>
- MVEBU_XTAL_MODE_OFFS;
-
- if (val == MVEBU_XTAL_CLOCK_25MHZ)
- return 25;
- else
- return 40;
-}
-
/* PHY selector configures with corresponding modes */
-static void mvebu_a3700_comphy_set_phy_selector(uint8_t comphy_index,
+static int mvebu_a3700_comphy_set_phy_selector(uint8_t comphy_index,
uint32_t comphy_mode)
{
uint32_t reg;
@@ -157,7 +135,7 @@ static void mvebu_a3700_comphy_set_phy_selector(uint8_t comphy_index,
break;
case (COMPHY_SGMII_MODE):
- case (COMPHY_HS_SGMII_MODE):
+ case (COMPHY_2500BASEX_MODE):
if (comphy_index == COMPHY_LANE0)
reg &= ~COMPHY_SELECTOR_USB3_GBE1_SEL_BIT;
else if (comphy_index == COMPHY_LANE1)
@@ -190,9 +168,10 @@ static void mvebu_a3700_comphy_set_phy_selector(uint8_t comphy_index,
}
mmio_write_32(MVEBU_COMPHY_REG_BASE + COMPHY_SELECTOR_PHY_REG, reg);
- return;
+ return 0;
error:
ERROR("COMPHY[%d] mode[%d] is invalid\n", comphy_index, mode);
+ return -EINVAL;
}
/*
@@ -205,7 +184,7 @@ error:
* with COMPHY_USB3D_MODE or COMPHY_USB3H_MODE. (The usb3 phy initialization
* code does not differentiate between these modes.)
* Also it returns COMPHY_SGMII_MODE even if the phy was configures with
- * COMPHY_HS_SGMII_MODE. (The sgmii phy initialization code does differentiate
+ * COMPHY_2500BASEX_MODE. (The sgmii phy initialization code does differentiate
* between these modes, but it is irrelevant when powering the phy off.)
*/
static int mvebu_a3700_comphy_get_mode(uint8_t comphy_index)
@@ -236,7 +215,7 @@ static int mvebu_a3700_comphy_get_mode(uint8_t comphy_index)
/* It is only used for SATA and USB3 on comphy lane2. */
static void comphy_set_indirect(uintptr_t addr, uint32_t offset, uint16_t data,
- uint16_t mask, int mode)
+ uint16_t mask, bool is_sata)
{
/*
* When Lane 2 PHY is for USB3, access the PHY registers
@@ -246,27 +225,38 @@ static void comphy_set_indirect(uintptr_t addr, uint32_t offset, uint16_t data,
* within the SATA Host Controller registers, Lane 2 base register
* offset is 0x200
*/
- if (mode == COMPHY_UNUSED)
- return;
-
- if (mode == COMPHY_SATA_MODE)
+ if (is_sata) {
mmio_write_32(addr + COMPHY_LANE2_INDIR_ADDR_OFFSET, offset);
- else
+ } else {
mmio_write_32(addr + COMPHY_LANE2_INDIR_ADDR_OFFSET,
offset + USB3PHY_LANE2_REG_BASE_OFFSET);
+ }
reg_set(addr + COMPHY_LANE2_INDIR_DATA_OFFSET, data, mask);
}
-/* It is only used USB3 direct access not on comphy lane2. */
+/* It is only used for SATA on comphy lane2. */
+static void comphy_sata_set_indirect(uintptr_t addr, uint32_t reg_offset,
+ uint16_t data, uint16_t mask)
+{
+ comphy_set_indirect(addr, reg_offset, data, mask, true);
+}
+
+/* It is only used for USB3 indirect access on comphy lane2. */
+static void comphy_usb3_set_indirect(uintptr_t addr, uint32_t reg_offset,
+ uint16_t data, uint16_t mask)
+{
+ comphy_set_indirect(addr, reg_offset, data, mask, false);
+}
+
+/* It is only used for USB3 direct access not on comphy lane2. */
static void comphy_usb3_set_direct(uintptr_t addr, uint32_t reg_offset,
- uint16_t data, uint16_t mask, int mode)
+ uint16_t data, uint16_t mask)
{
reg_set16((reg_offset * PHY_SHFT(USB3) + addr), data, mask);
}
-static void comphy_sgmii_phy_init(uint32_t comphy_index, uint32_t mode,
- uintptr_t sd_ip_addr)
+static void comphy_sgmii_phy_init(uintptr_t sd_ip_addr, bool is_1gbps)
{
const int fix_arr_sz = ARRAY_SIZE(sgmii_phy_init_fix);
int addr, fix_idx;
@@ -281,8 +271,7 @@ static void comphy_sgmii_phy_init(uint32_t comphy_index, uint32_t mode,
* comparison to 3.125 Gbps values. These register values are
* stored in "sgmii_phy_init_fix" array.
*/
- if ((mode != COMPHY_SGMII_MODE) &&
- (sgmii_phy_init_fix[fix_idx].addr == addr)) {
+ if (!is_1gbps && sgmii_phy_init_fix[fix_idx].addr == addr) {
/* Use new value */
val = sgmii_phy_init_fix[fix_idx].value;
if (fix_idx < fix_arr_sz)
@@ -298,21 +287,22 @@ static void comphy_sgmii_phy_init(uint32_t comphy_index, uint32_t mode,
static int mvebu_a3700_comphy_sata_power_on(uint8_t comphy_index,
uint32_t comphy_mode)
{
- int ret = 0;
+ int ret;
uint32_t offset, data = 0, ref_clk;
uintptr_t comphy_indir_regs = COMPHY_INDIRECT_REG;
- int mode = COMPHY_GET_MODE(comphy_mode);
int invert = COMPHY_GET_POLARITY_INVERT(comphy_mode);
debug_enter();
/* Configure phy selector for SATA */
- mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ ret = mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ if (ret) {
+ return ret;
+ }
/* Clear phy isolation mode to make it work in normal mode */
offset = COMPHY_ISOLATION_CTRL_REG + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, 0, PHY_ISOLATE_MODE,
- mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, 0, PHY_ISOLATE_MODE);
/* 0. Check the Polarity invert bits */
if (invert & COMPHY_POLARITY_TXD_INVERT)
@@ -321,13 +311,13 @@ static int mvebu_a3700_comphy_sata_power_on(uint8_t comphy_index,
data |= RXD_INVERT_BIT;
offset = COMPHY_SYNC_PATTERN_REG + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, data, TXD_INVERT_BIT |
- RXD_INVERT_BIT, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, data, TXD_INVERT_BIT |
+ RXD_INVERT_BIT);
/* 1. Select 40-bit data width width */
offset = COMPHY_LOOPBACK_REG0 + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, DATA_WIDTH_40BIT,
- SEL_DATA_WIDTH_MASK, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, DATA_WIDTH_40BIT,
+ SEL_DATA_WIDTH_MASK);
/* 2. Select reference clock(25M) and PHY mode (SATA) */
offset = COMPHY_POWER_PLL_CTRL + SATAPHY_LANE2_REG_BASE_OFFSET;
@@ -336,17 +326,17 @@ static int mvebu_a3700_comphy_sata_power_on(uint8_t comphy_index,
else
ref_clk = REF_CLOCK_SPEED_25M;
- comphy_set_indirect(comphy_indir_regs, offset, ref_clk | PHY_MODE_SATA,
- REF_FREF_SEL_MASK | PHY_MODE_MASK, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, ref_clk | PHY_MODE_SATA,
+ REF_FREF_SEL_MASK | PHY_MODE_MASK);
/* 3. Use maximum PLL rate (no power save) */
offset = COMPHY_KVCO_CAL_CTRL + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, USE_MAX_PLL_RATE_BIT,
- USE_MAX_PLL_RATE_BIT, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, USE_MAX_PLL_RATE_BIT,
+ USE_MAX_PLL_RATE_BIT);
/* 4. Reset reserved bit */
- comphy_set_indirect(comphy_indir_regs, COMPHY_RESERVED_REG, 0,
- PHYCTRL_FRM_PIN_BIT, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, COMPHY_RESERVED_REG, 0,
+ PHYCTRL_FRM_PIN_BIT);
/* 5. Set vendor-specific configuration (It is done in sata driver) */
/* XXX: in U-Boot below sequence was executed in this place, in Linux
@@ -368,17 +358,21 @@ static int mvebu_a3700_comphy_sata_power_on(uint8_t comphy_index,
COMPHY_LANE2_INDIR_DATA_OFFSET,
PLL_READY_TX_BIT, PLL_READY_TX_BIT,
COMPHY_PLL_TIMEOUT, REG_32BIT);
+ if (ret) {
+ return -ETIMEDOUT;
+ }
debug_exit();
- return ret;
+ return 0;
}
static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
uint32_t comphy_mode)
{
- int ret = 0;
- uint32_t mask, data, offset;
+ int ret;
+ uint32_t mask, data;
+ uintptr_t offset;
uintptr_t sd_ip_addr;
int mode = COMPHY_GET_MODE(comphy_mode);
int invert = COMPHY_GET_POLARITY_INVERT(comphy_mode);
@@ -386,7 +380,10 @@ static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
debug_enter();
/* Set selector */
- mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ ret = mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ if (ret) {
+ return ret;
+ }
/* Serdes IP Base address
* COMPHY Lane0 -- USB3/GBE1
@@ -423,8 +420,8 @@ static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
/* SGMII 1G, SerDes speed 1.25G */
data |= SD_SPEED_1_25_G << GEN_RX_SEL_OFFSET;
data |= SD_SPEED_1_25_G << GEN_TX_SEL_OFFSET;
- } else if (mode == COMPHY_HS_SGMII_MODE) {
- /* HS SGMII (2.5G), SerDes speed 3.125G */
+ } else if (mode == COMPHY_2500BASEX_MODE) {
+ /* 2500Base-X, SerDes speed 3.125G */
data |= SD_SPEED_2_5_G << GEN_RX_SEL_OFFSET;
data |= SD_SPEED_2_5_G << GEN_TX_SEL_OFFSET;
} else {
@@ -501,9 +498,9 @@ static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
* 25 MHz the default values stored in PHY registers are OK.
*/
debug("Running C-DPI phy init %s mode\n",
- mode == COMPHY_HS_SGMII_MODE ? "2G5" : "1G");
+ mode == COMPHY_2500BASEX_MODE ? "2G5" : "1G");
if (get_ref_clk() == 40)
- comphy_sgmii_phy_init(comphy_index, mode, sd_ip_addr);
+ comphy_sgmii_phy_init(sd_ip_addr, mode != COMPHY_2500BASEX_MODE);
/*
* 14. [Simulation Only] should not be used for real chip.
@@ -547,8 +544,10 @@ static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
PHY_PLL_READY_TX_BIT | PHY_PLL_READY_RX_BIT,
PHY_PLL_READY_TX_BIT | PHY_PLL_READY_RX_BIT,
COMPHY_PLL_TIMEOUT, REG_32BIT);
- if (ret)
+ if (ret) {
ERROR("Failed to lock PLL for SGMII PHY %d\n", comphy_index);
+ return -ETIMEDOUT;
+ }
/*
* 19. Set COMPHY input port PIN_TX_IDLE=0
@@ -571,26 +570,29 @@ static int mvebu_a3700_comphy_sgmii_power_on(uint8_t comphy_index,
PHY_PLL_READY_TX_BIT | PHY_PLL_READY_RX_BIT,
PHY_PLL_READY_TX_BIT | PHY_PLL_READY_RX_BIT,
COMPHY_PLL_TIMEOUT, REG_32BIT);
- if (ret)
+ if (ret) {
ERROR("Failed to lock PLL for SGMII PHY %d\n", comphy_index);
-
+ return -ETIMEDOUT;
+ }
ret = polling_with_timeout(MVEBU_COMPHY_REG_BASE +
COMPHY_PHY_STATUS_OFFSET(comphy_index),
PHY_RX_INIT_DONE_BIT, PHY_RX_INIT_DONE_BIT,
COMPHY_PLL_TIMEOUT, REG_32BIT);
- if (ret)
+ if (ret) {
ERROR("Failed to init RX of SGMII PHY %d\n", comphy_index);
+ return -ETIMEDOUT;
+ }
debug_exit();
- return ret;
+ return 0;
}
static int mvebu_a3700_comphy_sgmii_power_off(uint8_t comphy_index)
{
- int ret = 0;
- uint32_t mask, data, offset;
+ uintptr_t offset;
+ uint32_t mask, data;
debug_enter();
@@ -601,28 +603,31 @@ static int mvebu_a3700_comphy_sgmii_power_off(uint8_t comphy_index)
debug_exit();
- return ret;
+ return 0;
}
static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
uint32_t comphy_mode)
{
- int ret = 0;
+ int ret;
uintptr_t reg_base = 0;
- uint32_t mask, data, addr, cfg, ref_clk;
+ uintptr_t addr;
+ uint32_t mask, data, cfg, ref_clk;
void (*usb3_reg_set)(uintptr_t addr, uint32_t reg_offset, uint16_t data,
- uint16_t mask, int mode);
- int mode = COMPHY_GET_MODE(comphy_mode);
+ uint16_t mask);
int invert = COMPHY_GET_POLARITY_INVERT(comphy_mode);
debug_enter();
/* Set phy seclector */
- mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ ret = mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ if (ret) {
+ return ret;
+ }
/* Set usb3 reg access func, Lane2 is indirect access */
if (comphy_index == COMPHY_LANE2) {
- usb3_reg_set = &comphy_set_indirect;
+ usb3_reg_set = &comphy_usb3_set_indirect;
reg_base = COMPHY_INDIRECT_REG;
} else {
/* Get the direct access register resource and map */
@@ -641,7 +646,7 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
mask = PRD_TXDEEMPH0_MASK | PRD_TXMARGIN_MASK | PRD_TXSWING_MASK |
CFG_TX_ALIGN_POS_MASK;
usb3_reg_set(reg_base, COMPHY_REG_LANE_CFG0_ADDR, PRD_TXDEEMPH0_MASK,
- mask, mode);
+ mask);
/*
* 2. Set BIT0: enable transmitter in high impedance mode
@@ -653,20 +658,20 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
mask = PRD_TXDEEMPH1_MASK | TX_DET_RX_MODE | GEN2_TX_DATA_DLY_MASK |
TX_ELEC_IDLE_MODE_EN;
data = TX_DET_RX_MODE | GEN2_TX_DATA_DLY_DEFT | TX_ELEC_IDLE_MODE_EN;
- usb3_reg_set(reg_base, COMPHY_REG_LANE_CFG1_ADDR, data, mask, mode);
+ usb3_reg_set(reg_base, COMPHY_REG_LANE_CFG1_ADDR, data, mask);
/*
* 3. Set Spread Spectrum Clock Enabled
*/
usb3_reg_set(reg_base, COMPHY_REG_LANE_CFG4_ADDR,
- SPREAD_SPECTRUM_CLK_EN, SPREAD_SPECTRUM_CLK_EN, mode);
+ SPREAD_SPECTRUM_CLK_EN, SPREAD_SPECTRUM_CLK_EN);
/*
* 4. Set Override Margining Controls From the MAC:
* Use margining signals from lane configuration
*/
usb3_reg_set(reg_base, COMPHY_REG_TEST_MODE_CTRL_ADDR,
- MODE_MARGIN_OVERRIDE, REG_16_BIT_MASK, mode);
+ MODE_MARGIN_OVERRIDE, REG_16_BIT_MASK);
/*
* 5. Set Lane-to-Lane Bundle Clock Sampling Period = per PCLK cycles
@@ -674,13 +679,13 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
*/
usb3_reg_set(reg_base, COMPHY_REG_GLOB_CLK_SRC_LO_ADDR, 0x0,
(MODE_CLK_SRC | BUNDLE_PERIOD_SEL | BUNDLE_PERIOD_SCALE |
- BUNDLE_SAMPLE_CTRL | PLL_READY_DLY), mode);
+ BUNDLE_SAMPLE_CTRL | PLL_READY_DLY));
/*
* 6. Set G2 Spread Spectrum Clock Amplitude at 4K
*/
usb3_reg_set(reg_base, COMPHY_REG_GEN2_SET_2,
- G2_TX_SSC_AMP_VALUE_20, G2_TX_SSC_AMP_MASK, mode);
+ G2_TX_SSC_AMP_VALUE_20, G2_TX_SSC_AMP_MASK);
/*
* 7. Unset G3 Spread Spectrum Clock Amplitude
@@ -689,7 +694,7 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
mask = G3_TX_SSC_AMP_MASK | G3_VREG_RXTX_MAS_ISET_MASK |
RSVD_PH03FH_6_0_MASK;
usb3_reg_set(reg_base, COMPHY_REG_GEN2_SET_3,
- G3_VREG_RXTX_MAS_ISET_60U, mask, mode);
+ G3_VREG_RXTX_MAS_ISET_60U, mask);
/*
* 8. Check crystal jumper setting and program the Power and PLL Control
@@ -710,39 +715,37 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
REF_FREF_SEL_MASK;
data = PU_IVREF_BIT | PU_PLL_BIT | PU_RX_BIT | PU_TX_BIT |
PU_TX_INTP_BIT | PU_DFE_BIT | PHY_MODE_USB3 | ref_clk;
- usb3_reg_set(reg_base, COMPHY_POWER_PLL_CTRL, data, mask, mode);
+ usb3_reg_set(reg_base, COMPHY_POWER_PLL_CTRL, data, mask);
mask = CFG_PM_OSCCLK_WAIT_MASK | CFG_PM_RXDEN_WAIT_MASK |
CFG_PM_RXDLOZ_WAIT_MASK;
data = CFG_PM_RXDEN_WAIT_1_UNIT | cfg;
- usb3_reg_set(reg_base, COMPHY_REG_PWR_MGM_TIM1_ADDR, data, mask, mode);
+ usb3_reg_set(reg_base, COMPHY_REG_PWR_MGM_TIM1_ADDR, data, mask);
/*
* 9. Enable idle sync
*/
data = UNIT_CTRL_DEFAULT_VALUE | IDLE_SYNC_EN;
- usb3_reg_set(reg_base, COMPHY_REG_UNIT_CTRL_ADDR, data, REG_16_BIT_MASK,
- mode);
+ usb3_reg_set(reg_base, COMPHY_REG_UNIT_CTRL_ADDR, data, REG_16_BIT_MASK);
/*
* 10. Enable the output of 500M clock
*/
data = MISC_REG0_DEFAULT_VALUE | CLK500M_EN;
- usb3_reg_set(reg_base, COMPHY_MISC_REG0_ADDR, data, REG_16_BIT_MASK,
- mode);
+ usb3_reg_set(reg_base, COMPHY_MISC_REG0_ADDR, data, REG_16_BIT_MASK);
/*
* 11. Set 20-bit data width
*/
usb3_reg_set(reg_base, COMPHY_LOOPBACK_REG0, DATA_WIDTH_20BIT,
- REG_16_BIT_MASK, mode);
+ REG_16_BIT_MASK);
/*
* 12. Override Speed_PLL value and use MAC PLL
*/
usb3_reg_set(reg_base, COMPHY_KVCO_CAL_CTRL,
(SPEED_PLL_VALUE_16 | USE_MAX_PLL_RATE_BIT),
- REG_16_BIT_MASK, mode);
+ REG_16_BIT_MASK);
/*
* 13. Check the Polarity invert bit
@@ -755,27 +758,26 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
data |= RXD_INVERT_BIT;
}
mask = TXD_INVERT_BIT | RXD_INVERT_BIT;
- usb3_reg_set(reg_base, COMPHY_SYNC_PATTERN_REG, data, mask, mode);
+ usb3_reg_set(reg_base, COMPHY_SYNC_PATTERN_REG, data, mask);
/*
* 14. Set max speed generation to USB3.0 5Gbps
*/
usb3_reg_set(reg_base, COMPHY_SYNC_MASK_GEN_REG, PHY_GEN_USB3_5G,
- PHY_GEN_MAX_MASK, mode);
+ PHY_GEN_MAX_MASK);
/*
* 15. Set capacitor value for FFE gain peaking to 0xF
*/
usb3_reg_set(reg_base, COMPHY_REG_GEN3_SETTINGS_3,
- COMPHY_GEN_FFE_CAP_SEL_VALUE, COMPHY_GEN_FFE_CAP_SEL_MASK,
- mode);
+ COMPHY_GEN_FFE_CAP_SEL_VALUE, COMPHY_GEN_FFE_CAP_SEL_MASK);
/*
* 16. Release SW reset
*/
data = MODE_CORE_CLK_FREQ_SEL | MODE_PIPE_WIDTH_32 | MODE_REFDIV_BY_4;
usb3_reg_set(reg_base, COMPHY_REG_GLOB_PHY_CTRL0_ADDR, data,
- REG_16_BIT_MASK, mode);
+ REG_16_BIT_MASK);
/* Wait for > 55 us to allow PCLK be enabled */
udelay(PLL_SET_DELAY_US);
@@ -793,12 +795,14 @@ static int mvebu_a3700_comphy_usb3_power_on(uint8_t comphy_index,
TXDCLK_PCLK_EN, TXDCLK_PCLK_EN,
COMPHY_PLL_TIMEOUT, REG_16BIT);
}
- if (ret)
+ if (ret) {
ERROR("Failed to lock USB3 PLL\n");
+ return -ETIMEDOUT;
+ }
debug_exit();
- return ret;
+ return 0;
}
static int mvebu_a3700_comphy_pcie_power_on(uint8_t comphy_index,
@@ -811,6 +815,12 @@ static int mvebu_a3700_comphy_pcie_power_on(uint8_t comphy_index,
debug_enter();
+ /* Configure phy selector for PCIe */
+ ret = mvebu_a3700_comphy_set_phy_selector(comphy_index, comphy_mode);
+ if (ret) {
+ return ret;
+ }
+
/* 1. Enable max PLL. */
reg_set16(LANE_CFG1_ADDR(PCIE) + COMPHY_SD_ADDR,
USE_MAX_PLL_RATE_EN, USE_MAX_PLL_RATE_EN);
@@ -884,12 +894,14 @@ static int mvebu_a3700_comphy_pcie_power_on(uint8_t comphy_index,
ret = polling_with_timeout(LANE_STATUS1_ADDR(PCIE) + COMPHY_SD_ADDR,
TXDCLK_PCLK_EN, TXDCLK_PCLK_EN,
COMPHY_PLL_TIMEOUT, REG_16BIT);
- if (ret)
+ if (ret) {
ERROR("Failed to lock PCIE PLL\n");
+ return -ETIMEDOUT;
+ }
debug_exit();
- return ret;
+ return 0;
}
int mvebu_3700_comphy_power_on(uint8_t comphy_index, uint32_t comphy_mode)
@@ -905,7 +917,7 @@ int mvebu_3700_comphy_power_on(uint8_t comphy_index, uint32_t comphy_mode)
comphy_mode);
break;
case(COMPHY_SGMII_MODE):
- case(COMPHY_HS_SGMII_MODE):
+ case(COMPHY_2500BASEX_MODE):
ret = mvebu_a3700_comphy_sgmii_power_on(comphy_index,
comphy_mode);
break;
@@ -941,23 +953,22 @@ static int mvebu_a3700_comphy_usb3_power_off(void)
return 0;
}
-static int mvebu_a3700_comphy_sata_power_off(uint32_t comphy_mode)
+static int mvebu_a3700_comphy_sata_power_off(void)
{
uintptr_t comphy_indir_regs = COMPHY_INDIRECT_REG;
- int mode = COMPHY_GET_MODE(comphy_mode);
uint32_t offset;
debug_enter();
/* Set phy isolation mode */
offset = COMPHY_ISOLATION_CTRL_REG + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, PHY_ISOLATE_MODE,
- PHY_ISOLATE_MODE, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, PHY_ISOLATE_MODE,
+ PHY_ISOLATE_MODE);
/* Power off PLL, Tx, Rx */
offset = COMPHY_POWER_PLL_CTRL + SATAPHY_LANE2_REG_BASE_OFFSET;
- comphy_set_indirect(comphy_indir_regs, offset, 0,
- PU_PLL_BIT | PU_RX_BIT | PU_TX_BIT, mode);
+ comphy_sata_set_indirect(comphy_indir_regs, offset, 0,
+ PU_PLL_BIT | PU_RX_BIT | PU_TX_BIT);
debug_exit();
@@ -982,7 +993,7 @@ int mvebu_3700_comphy_power_off(uint8_t comphy_index, uint32_t comphy_mode)
switch (mode) {
case(COMPHY_SGMII_MODE):
- case(COMPHY_HS_SGMII_MODE):
+ case(COMPHY_2500BASEX_MODE):
err = mvebu_a3700_comphy_sgmii_power_off(comphy_index);
break;
case (COMPHY_USB3_MODE):
@@ -990,7 +1001,7 @@ int mvebu_3700_comphy_power_off(uint8_t comphy_index, uint32_t comphy_mode)
err = mvebu_a3700_comphy_usb3_power_off();
break;
case (COMPHY_SATA_MODE):
- err = mvebu_a3700_comphy_sata_power_off(comphy_mode);
+ err = mvebu_a3700_comphy_sata_power_off();
break;
default:
diff --git a/drivers/marvell/comphy/phy-comphy-common.h b/drivers/marvell/comphy/phy-comphy-common.h
index e3b430a..c599437 100644
--- a/drivers/marvell/comphy/phy-comphy-common.h
+++ b/drivers/marvell/comphy/phy-comphy-common.h
@@ -87,7 +87,7 @@
#define COMPHY_SATA_MODE 0x1
#define COMPHY_SGMII_MODE 0x2 /* SGMII 1G */
-#define COMPHY_HS_SGMII_MODE 0x3 /* SGMII 2.5G */
+#define COMPHY_2500BASEX_MODE 0x3 /* 2500Base-X */
#define COMPHY_USB3H_MODE 0x4
#define COMPHY_USB3D_MODE 0x5
#define COMPHY_PCIE_MODE 0x6
diff --git a/drivers/marvell/comphy/phy-comphy-cp110.c b/drivers/marvell/comphy/phy-comphy-cp110.c
index c8ba9b8..fa9fe41 100644
--- a/drivers/marvell/comphy/phy-comphy-cp110.c
+++ b/drivers/marvell/comphy/phy-comphy-cp110.c
@@ -8,6 +8,8 @@
/* Marvell CP110 SoC COMPHY unit driver */
#include <errno.h>
+#include <inttypes.h>
+#include <stdint.h>
#include <common/debug.h>
#include <drivers/delay_timer.h>
@@ -30,7 +32,7 @@
/* COMPHY speed macro */
#define COMPHY_SPEED_1_25G 0 /* SGMII 1G */
#define COMPHY_SPEED_2_5G 1
-#define COMPHY_SPEED_3_125G 2 /* SGMII 2.5G */
+#define COMPHY_SPEED_3_125G 2 /* 2500Base-X */
#define COMPHY_SPEED_5G 3
#define COMPHY_SPEED_5_15625G 4 /* XFI 5G */
#define COMPHY_SPEED_6G 5
@@ -53,13 +55,13 @@
#define SYS_CTRL_FROM_COMPHY_ADDR(x) ((x & ~0xffffff) + 0x440000)
/* DFX register spaces */
-#define SAR_RST_PCIE0_CLOCK_CONFIG_CP1_OFFSET (0)
-#define SAR_RST_PCIE0_CLOCK_CONFIG_CP1_MASK (0x1 << \
- SAR_RST_PCIE0_CLOCK_CONFIG_CP1_OFFSET)
-#define SAR_RST_PCIE1_CLOCK_CONFIG_CP1_OFFSET (1)
-#define SAR_RST_PCIE1_CLOCK_CONFIG_CP1_MASK (0x1 << \
- SAR_RST_PCIE1_CLOCK_CONFIG_CP1_OFFSET)
-#define SAR_STATUS_0_REG 200
+#define SAR_RST_PCIE0_CLOCK_CONFIG_CP0_OFFSET (30)
+#define SAR_RST_PCIE0_CLOCK_CONFIG_CP0_MASK (0x1UL << \
+ SAR_RST_PCIE0_CLOCK_CONFIG_CP0_OFFSET)
+#define SAR_RST_PCIE1_CLOCK_CONFIG_CP0_OFFSET (31)
+#define SAR_RST_PCIE1_CLOCK_CONFIG_CP0_MASK (0x1UL << \
+ SAR_RST_PCIE1_CLOCK_CONFIG_CP0_OFFSET)
+#define SAR_STATUS_0_REG 0x40600
#define DFX_FROM_COMPHY_ADDR(x) ((x & ~0xffffff) + DFX_BASE)
/* Common Phy training */
#define COMPHY_TRX_TRAIN_COMPHY_OFFS 0x1000
@@ -102,7 +104,7 @@ static void mvebu_cp110_get_ap_and_cp_nr(uint8_t *ap_nr, uint8_t *cp_nr,
*cp_nr = (((comphy_base & ~0xffffff) - MVEBU_AP_IO_BASE(*ap_nr)) /
MVEBU_CP_OFFSET);
- debug("cp_base 0x%llx, ap_io_base 0x%lx, cp_offset 0x%lx\n",
+ debug("cp_base 0x%" PRIx64 ", ap_io_base 0x%lx, cp_offset 0x%lx\n",
comphy_base, (unsigned long)MVEBU_AP_IO_BASE(*ap_nr),
(unsigned long)MVEBU_CP_OFFSET);
}
@@ -191,7 +193,7 @@ static void mvebu_cp110_comphy_set_phy_selector(uint64_t comphy_base,
case(3):
/* For comphy 3:
* 0x1 = RXAUI_Lane1
- * 0x2 = SGMII/HS-SGMII Port1
+ * 0x2 = SGMII/Base-X Port1
*/
if (mode == COMPHY_RXAUI_MODE)
reg |= COMMON_SELECTOR_COMPHY3_RXAUI <<
@@ -202,20 +204,20 @@ static void mvebu_cp110_comphy_set_phy_selector(uint64_t comphy_base,
break;
case(4):
/* For comphy 4:
- * 0x1 = SGMII/HS-SGMII Port1, XFI1/SFI1
- * 0x2 = SGMII/HS-SGMII Port0: XFI0/SFI0, RXAUI_Lane0
+ * 0x1 = SGMII/Base-X Port1, XFI1/SFI1
+ * 0x2 = SGMII/Base-X Port0: XFI0/SFI0, RXAUI_Lane0
*
- * We want to check if SGMII1/HS_SGMII1 is the
+ * We want to check if SGMII1 is the
* requested mode in order to determine which value
* should be set (all other modes use the same value)
* so we need to strip the mode, and check the ID
- * because we might handle SGMII0/HS_SGMII0 too.
+ * because we might handle SGMII0 too.
*/
/* TODO: need to distinguish between CP110 and CP115
* as SFI1/XFI1 available only for CP115.
*/
if ((mode == COMPHY_SGMII_MODE ||
- mode == COMPHY_HS_SGMII_MODE ||
+ mode == COMPHY_2500BASEX_MODE ||
mode == COMPHY_SFI_MODE ||
mode == COMPHY_XFI_MODE ||
mode == COMPHY_AP_MODE)
@@ -228,7 +230,7 @@ static void mvebu_cp110_comphy_set_phy_selector(uint64_t comphy_base,
break;
case(5):
/* For comphy 5:
- * 0x1 = SGMII/HS-SGMII Port2
+ * 0x1 = SGMII/Base-X Port2
* 0x2 = RXAUI Lane1
*/
if (mode == COMPHY_RXAUI_MODE)
@@ -713,7 +715,7 @@ static int mvebu_cp110_comphy_sgmii_power_on(uint64_t comphy_base,
data |= 0x6 << SD_EXTERNAL_CONFIG0_SD_PHY_GEN_RX_OFFSET;
data |= 0x6 << SD_EXTERNAL_CONFIG0_SD_PHY_GEN_TX_OFFSET;
} else if (sgmii_speed == COMPHY_SPEED_3_125G) {
- /* HS SGMII (2.5G), SerDes speed 3.125G */
+ /* 2500Base-X, SerDes speed 3.125G */
data |= 0x8 << SD_EXTERNAL_CONFIG0_SD_PHY_GEN_RX_OFFSET;
data |= 0x8 << SD_EXTERNAL_CONFIG0_SD_PHY_GEN_TX_OFFSET;
} else {
@@ -1318,11 +1320,11 @@ static int mvebu_cp110_comphy_pcie_power_on(uint64_t comphy_base,
reg = mmio_read_32(DFX_FROM_COMPHY_ADDR(comphy_base) +
SAR_STATUS_0_REG);
if (comphy_index == COMPHY_LANE4 || comphy_index == COMPHY_LANE5)
- clk_dir = (reg & SAR_RST_PCIE1_CLOCK_CONFIG_CP1_MASK) >>
- SAR_RST_PCIE1_CLOCK_CONFIG_CP1_OFFSET;
+ clk_dir = (reg & SAR_RST_PCIE1_CLOCK_CONFIG_CP0_MASK) >>
+ SAR_RST_PCIE1_CLOCK_CONFIG_CP0_OFFSET;
else
- clk_dir = (reg & SAR_RST_PCIE0_CLOCK_CONFIG_CP1_MASK) >>
- SAR_RST_PCIE0_CLOCK_CONFIG_CP1_OFFSET;
+ clk_dir = (reg & SAR_RST_PCIE0_CLOCK_CONFIG_CP0_MASK) >>
+ SAR_RST_PCIE0_CLOCK_CONFIG_CP0_OFFSET;
debug("On lane %d\n", comphy_index);
debug("PCIe clock direction = %x\n", clk_dir);
@@ -1730,11 +1732,13 @@ static int mvebu_cp110_comphy_pcie_power_on(uint64_t comphy_base,
HPIPE_LANE_STATUS1_REG;
data = HPIPE_LANE_STATUS1_PCLK_EN_MASK;
mask = data;
- ret = polling_with_timeout(addr, data, mask,
+ data = polling_with_timeout(addr, data, mask,
PLL_LOCK_TIMEOUT,
REG_32BIT);
- if (ret)
+ if (data) {
ERROR("Failed to lock PCIE PLL\n");
+ ret = -ETIMEDOUT;
+ }
}
}
@@ -2343,7 +2347,7 @@ int mvebu_cp110_comphy_digital_reset(uint64_t comphy_base,
switch (mode) {
case (COMPHY_SGMII_MODE):
- case (COMPHY_HS_SGMII_MODE):
+ case (COMPHY_2500BASEX_MODE):
case (COMPHY_XFI_MODE):
case (COMPHY_SFI_MODE):
case (COMPHY_RXAUI_MODE):
@@ -2378,7 +2382,7 @@ int mvebu_cp110_comphy_power_on(uint64_t comphy_base,
comphy_mode);
break;
case(COMPHY_SGMII_MODE):
- case(COMPHY_HS_SGMII_MODE):
+ case(COMPHY_2500BASEX_MODE):
err = mvebu_cp110_comphy_sgmii_power_on(comphy_base,
comphy_index,
comphy_mode);
diff --git a/drivers/marvell/gwin.c b/drivers/marvell/gwin.c
index 9d94308..fa59cb0 100644
--- a/drivers/marvell/gwin.c
+++ b/drivers/marvell/gwin.c
@@ -7,6 +7,9 @@
/* GWIN unit device driver for Marvell AP810 SoC */
+#include <inttypes.h>
+#include <stdint.h>
+
#include <common/debug.h>
#include <drivers/marvell/gwin.h>
#include <lib/mmio.h>
@@ -49,14 +52,14 @@ static void gwin_check(struct addr_map_win *win)
/* The base is always 64M aligned */
if (IS_NOT_ALIGN(win->base_addr, GWIN_ALIGNMENT_64M)) {
win->base_addr &= ~(GWIN_ALIGNMENT_64M - 1);
- NOTICE("%s: Align the base address to 0x%llx\n",
+ NOTICE("%s: Align the base address to 0x%" PRIx64 "\n",
__func__, win->base_addr);
}
/* size parameter validity check */
if (IS_NOT_ALIGN(win->win_size, GWIN_ALIGNMENT_64M)) {
win->win_size = ALIGN_UP(win->win_size, GWIN_ALIGNMENT_64M);
- NOTICE("%s: Aligning window size to 0x%llx\n",
+ NOTICE("%s: Aligning window size to 0x%" PRIx64 "\n",
__func__, win->win_size);
}
}
@@ -167,7 +170,7 @@ static void dump_gwin(int ap_index)
alr = (alr >> ADDRESS_LSHIFT) << ADDRESS_RSHIFT;
ahr = mmio_read_32(GWIN_AHR_OFFSET(ap_index, win_num));
ahr = (ahr >> ADDRESS_LSHIFT) << ADDRESS_RSHIFT;
- printf("\tgwin %d 0x%016llx 0x%016llx\n",
+ printf("\tgwin %d 0x%016" PRIx64 " 0x%016" PRIx64 "\n",
(cr >> 8) & 0xF, alr, ahr);
}
}
diff --git a/drivers/marvell/io_win.c b/drivers/marvell/io_win.c
index c4257fa..124382a 100644
--- a/drivers/marvell/io_win.c
+++ b/drivers/marvell/io_win.c
@@ -7,6 +7,9 @@
/* IO Window unit device driver for Marvell AP807, AP807 and AP810 SoCs */
+#include <inttypes.h>
+#include <stdint.h>
+
#include <common/debug.h>
#include <drivers/marvell/io_win.h>
#include <lib/mmio.h>
@@ -44,14 +47,14 @@ static void io_win_check(struct addr_map_win *win)
/* check if address is aligned to 1M */
if (IS_NOT_ALIGN(win->base_addr, IO_WIN_ALIGNMENT_1M)) {
win->base_addr = ALIGN_UP(win->base_addr, IO_WIN_ALIGNMENT_1M);
- NOTICE("%s: Align up the base address to 0x%llx\n",
+ NOTICE("%s: Align up the base address to 0x%" PRIx64 "\n",
__func__, win->base_addr);
}
/* size parameter validity check */
if (IS_NOT_ALIGN(win->win_size, IO_WIN_ALIGNMENT_1M)) {
win->win_size = ALIGN_UP(win->win_size, IO_WIN_ALIGNMENT_1M);
- NOTICE("%s: Aligning size to 0x%llx\n",
+ NOTICE("%s: Aligning size to 0x%" PRIx64 "\n",
__func__, win->win_size);
}
}
@@ -170,7 +173,7 @@ static void dump_io_win(int ap_index)
win_id));
start = ((uint64_t)alr << ADDRESS_SHIFT);
end = (((uint64_t)ahr + 0x10) << ADDRESS_SHIFT);
- printf("\tio-win %d 0x%016llx 0x%016llx\n",
+ printf("\tio-win %d 0x%016" PRIx64 " 0x%016" PRIx64 "\n",
trgt_id, start, end);
}
}
diff --git a/drivers/marvell/iob.c b/drivers/marvell/iob.c
index 29088aa..1f39395 100644
--- a/drivers/marvell/iob.c
+++ b/drivers/marvell/iob.c
@@ -7,6 +7,9 @@
/* IOW unit device driver for Marvell CP110 and CP115 SoCs */
+#include <inttypes.h>
+#include <stdint.h>
+
#include <arch_helpers.h>
#include <common/debug.h>
#include <drivers/marvell/iob.h>
@@ -57,7 +60,7 @@ static void iob_win_check(struct addr_map_win *win, uint32_t win_num)
win->base_addr = ALIGN_UP(win->base_addr, IOB_WIN_ALIGNMENT);
ERROR("Window %d: base address unaligned to 0x%x\n",
win_num, IOB_WIN_ALIGNMENT);
- printf("Align up the base address to 0x%llx\n",
+ printf("Align up the base address to 0x%" PRIx64 "\n",
win->base_addr);
}
@@ -66,7 +69,7 @@ static void iob_win_check(struct addr_map_win *win, uint32_t win_num)
win->win_size = ALIGN_UP(win->win_size, IOB_WIN_ALIGNMENT);
ERROR("Window %d: window size unaligned to 0x%x\n", win_num,
IOB_WIN_ALIGNMENT);
- printf("Aligning size to 0x%llx\n", win->win_size);
+ printf("Aligning size to 0x%" PRIx64 "\n", win->win_size);
}
}
@@ -130,7 +133,7 @@ static void dump_iob(void)
*/
end = start + (16 << 20);
}
- printf("iob %02d %s 0x%016llx 0x%016llx\n",
+ printf("iob %02d %s 0x%016" PRIx64 " 0x%016" PRIx64 "\n",
win_id, iob_target_name[target_id],
start, end);
}
diff --git a/drivers/marvell/mc_trustzone/mc_trustzone.c b/drivers/marvell/mc_trustzone/mc_trustzone.c
index 52b3006..648bd0e 100644
--- a/drivers/marvell/mc_trustzone/mc_trustzone.c
+++ b/drivers/marvell/mc_trustzone/mc_trustzone.c
@@ -5,6 +5,9 @@
* https://spdx.org/licenses
*/
+#include <inttypes.h>
+#include <stdint.h>
+
#include <common/debug.h>
#include <drivers/marvell/addr_map.h>
#include <lib/mmio.h>
@@ -39,7 +42,7 @@ void tz_enable_win(int ap_index, const struct addr_map_win *win, int win_id)
/* map the window size to trustzone register convention */
tz_size = fls(TZ_SIZE(win->win_size));
- VERBOSE("%s: window size = 0x%llx maps to tz_size %d\n",
+ VERBOSE("%s: window size = 0x%" PRIx64 " maps to tz_size %d\n",
__func__, win->win_size, tz_size);
if (tz_size < 0 || tz_size > 31) {
ERROR("Using not allowed size for MC TrustZone window %d!\n",
@@ -49,7 +52,7 @@ void tz_enable_win(int ap_index, const struct addr_map_win *win, int win_id)
if (base & 0xfff) {
base = base & ~0xfff;
- WARN("Attempt to open MC TZ win. at 0x%llx, truncate to 0x%x\n",
+ WARN("Attempt to open MC TZ win. at 0x%" PRIx64 ", truncate to 0x%x\n",
win->base_addr, base);
}
diff --git a/drivers/marvell/uart/a3700_console.S b/drivers/marvell/uart/a3700_console.S
index b377321..218fd86 100644
--- a/drivers/marvell/uart/a3700_console.S
+++ b/drivers/marvell/uart/a3700_console.S
@@ -45,15 +45,13 @@ func console_a3700_core_init
cbz w2, init_fail
/* Program the baudrate */
- /* Divisor = Uart clock / (16 * baudrate) */
+ /* Divisor = Round(Uartclock / (16 * baudrate)) */
lsl w2, w2, #4
+ add w1, w1, w2, lsr #1
udiv w2, w1, w2
- and w2, w2, #0x3ff
+ and w2, w2, #0x3ff /* clear all other bits to use default clock */
- ldr w3, [x0, #UART_BAUD_REG]
- bic w3, w3, 0x3ff
- orr w3, w3, w2
- str w3, [x0, #UART_BAUD_REG]/* set baud rate divisor */
+ str w2, [x0, #UART_BAUD_REG]/* set baud rate divisor */
/* Set UART to default 16X scheme */
mov w3, #0
diff --git a/drivers/measured_boot/event_log.c b/drivers/measured_boot/event_log.c
deleted file mode 100644
index 727bdf5..0000000
--- a/drivers/measured_boot/event_log.c
+++ /dev/null
@@ -1,410 +0,0 @@
-/*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#include <assert.h>
-#include <errno.h>
-#include <string.h>
-#include <arch_helpers.h>
-
-#include <common/bl_common.h>
-#include <common/debug.h>
-#include <drivers/auth/crypto_mod.h>
-#include <drivers/measured_boot/event_log.h>
-#include <mbedtls/md.h>
-
-#include <plat/common/platform.h>
-
-/* Event Log data */
-static uint8_t event_log[EVENT_LOG_SIZE];
-
-/* End of Event Log */
-#define EVENT_LOG_END ((uintptr_t)event_log + sizeof(event_log) - 1U)
-
-CASSERT(sizeof(event_log) >= LOG_MIN_SIZE, assert_event_log_size);
-
-/* Pointer in event_log[] */
-static uint8_t *log_ptr = event_log;
-
-/* Pointer to measured_boot_data_t */
-const static measured_boot_data_t *plat_data_ptr;
-
-static uintptr_t tos_fw_config_base;
-static uintptr_t nt_fw_config_base;
-
-/* TCG_EfiSpecIdEvent */
-static const id_event_headers_t id_event_header = {
- .header = {
- .pcr_index = PCR_0,
- .event_type = EV_NO_ACTION,
- .digest = {0},
- .event_size = (uint32_t)(sizeof(id_event_struct_t) +
- (sizeof(id_event_algorithm_size_t) *
- HASH_ALG_COUNT))
- },
-
- .struct_header = {
- .signature = TCG_ID_EVENT_SIGNATURE_03,
- .platform_class = PLATFORM_CLASS_CLIENT,
- .spec_version_minor = TCG_SPEC_VERSION_MINOR_TPM2,
- .spec_version_major = TCG_SPEC_VERSION_MAJOR_TPM2,
- .spec_errata = TCG_SPEC_ERRATA_TPM2,
- .uintn_size = (uint8_t)(sizeof(unsigned int) /
- sizeof(uint32_t)),
- .number_of_algorithms = HASH_ALG_COUNT
- }
-};
-
-static const event2_header_t locality_event_header = {
- /*
- * All EV_NO_ACTION events SHALL set
- * TCG_PCR_EVENT2.pcrIndex = 0, unless otherwise specified
- */
- .pcr_index = PCR_0,
-
- /*
- * All EV_NO_ACTION events SHALL set
- * TCG_PCR_EVENT2.eventType = 03h
- */
- .event_type = EV_NO_ACTION,
-
- /*
- * All EV_NO_ACTION events SHALL set
- * TCG_PCR_EVENT2.digests to all
- * 0x00's for each allocated Hash algorithm
- */
- .digests = {
- .count = HASH_ALG_COUNT
- }
-};
-
-/* Platform's table with platform specific image IDs, names and PCRs */
-static const image_data_t plat_images_data[] = {
- { BL2_IMAGE_ID, BL2_STRING, PCR_0 }, /* Reserved for BL2 */
- { INVALID_ID, NULL, (unsigned int)(-1) } /* Terminator */
-};
-
-static const measured_boot_data_t plat_measured_boot_data = {
- plat_images_data,
- NULL, /* platform_set_nt_fw_info */
- NULL /* platform_set_tos_fw_info */
-};
-
-/*
- * Function retuns pointer to platform's measured_boot_data_t structure
- *
- * Must be overridden in the platform code
- */
-#pragma weak plat_get_measured_boot_data
-
-const measured_boot_d