-rw-r--r--bl1/aarch64/bl1_exceptions.S9
-rw-r--r--bl1/bl1_main.c10
-rw-r--r--bl2u/aarch64/bl2u_entrypoint.S9
-rw-r--r--lib/extensions/pauth/pauth_helpers.S28
4 files changed, 54 insertions, 2 deletions
diff --git a/bl1/aarch64/bl1_exceptions.S b/bl1/aarch64/bl1_exceptions.S
index 3e72e39f..9bba6eef 100644
--- a/bl1/aarch64/bl1_exceptions.S
+++ b/bl1/aarch64/bl1_exceptions.S
@@ -226,6 +226,15 @@ smc_handler:
*/
bl save_gp_pmcr_pauth_regs
+#if ENABLE_PAUTH
+ /* -----------------------------------------------------
+ * Load and program stored APIAKey firmware key.
+ * Re-enable pointer authentication in EL3, as it was
+ * disabled before jumping to the next boot image.
+ * -----------------------------------------------------
+ */
+ bl pauth_load_bl1_apiakey_enable
+#endif
/* -----------------------------------------------------
* Populate the parameters for the SMC handler. We
* already have x0-x4 in place. x5 will point to a
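Review bot: The new comment above `bl pauth_load_bl1_apiakey_enable` does not say that the call has to stay after `bl save_gp_pmcr_pauth_regs`. The helper writes APIAKeyLo_EL1/APIAKeyHi_EL1 (see its body in pauth_helpers.S), and those registers still hold the calling image's instruction key on SMC entry, so moving the call earlier would presumably lose that key before it is saved. I would add a line such as `* Must follow save_gp_pmcr_pauth_regs: this overwrites APIAKey_EL1.` to the comment block. The helper only uses x9-x11, which keeps the x0-x4 arguments mentioned just below intact; smc_handler itself starts and ends outside this hunk.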
diff --git a/bl1/bl1_main.c b/bl1/bl1_main.c
index 2bb85114..cd6fe7d5 100644
--- a/bl1/bl1_main.c
+++ b/bl1/bl1_main.c
@@ -31,6 +31,10 @@ DEFINE_SVC_UUID2(bl1_svc_uid,
static void bl1_load_bl2(void);
+#if ENABLE_PAUTH
+uint64_t bl1_apiakey[2];
+#endif
+
/*******************************************************************************
* Helper utility to calculate the BL2 memory layout taking into consideration
* the BL1 RW data assuming that it is at the top of the memory layout.
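Review bot: `bl1_apiakey` keeps the firmware's instruction key in ordinary BL1 read-write data, and neither this declaration nor the store in `bl1_main()` (the next hunk) documents that. Pointer authentication only helps while the key stays secret and unmodified, so the protection now depends on which later images can read or write BL1's RW memory; that is not visible here and is worth stating next to the variable. The symbol has to be non-static because `pauth_load_bl1_apiakey_enable` in pauth_helpers.S loads it by name, so a comment like `/* APIAKey_EL1 saved for re-programming on SMC entry; referenced from pauth_helpers.S */` would help. The one-line `/* Store APIAKey_EL1 key */` could also say that it assumes the key registers were already programmed earlier in boot, which happens outside these hunks.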
@@ -131,6 +135,12 @@ void bl1_main(void)
/* Perform platform setup in BL1. */
bl1_platform_setup();
+#if ENABLE_PAUTH
+ /* Store APIAKey_EL1 key */
+ bl1_apiakey[0] = read_apiakeylo_el1();
+ bl1_apiakey[1] = read_apiakeyhi_el1();
+#endif /* ENABLE_PAUTH */
+
/* Get the image id of next image to load and run. */
image_id = bl1_plat_get_next_image_id();
diff --git a/bl2u/aarch64/bl2u_entrypoint.S b/bl2u/aarch64/bl2u_entrypoint.S
index 452869ea..3e37b44f 100644
--- a/bl2u/aarch64/bl2u_entrypoint.S
+++ b/bl2u/aarch64/bl2u_entrypoint.S
@@ -102,6 +102,15 @@ func bl2u_entrypoint
bl bl2u_early_platform_setup
bl bl2u_plat_arch_setup
+#if ENABLE_PAUTH
+ /* ---------------------------------------------
+ * Program APIAKey_EL1
+ * and enable pointer authentication.
+ * ---------------------------------------------
+ */
+ bl pauth_init_enable_el1
+#endif
+
/* ---------------------------------------------
* Jump to bl2u_main function.
* ---------------------------------------------
diff --git a/lib/extensions/pauth/pauth_helpers.S b/lib/extensions/pauth/pauth_helpers.S
index c6808de5..d483c7df 100644
--- a/lib/extensions/pauth/pauth_helpers.S
+++ b/lib/extensions/pauth/pauth_helpers.S
@@ -13,6 +13,7 @@
.global pauth_init_enable_el3
.global pauth_disable_el3
.globl pauth_load_bl31_apiakey
+ .globl pauth_load_bl1_apiakey_enable
/* -------------------------------------------------------------
* Program APIAKey_EL1 and enable pointer authentication in EL1
@@ -97,9 +98,9 @@ func pauth_disable_el3
endfunc pauth_disable_el3
/* -------------------------------------------------------------
- * The following function strictly follows the AArch64 PCS
+ * The following functions strictly follow the AArch64 PCS
* to use x9-x17 (temporary caller-saved registers) to load
- * the APIAKey_EL1 used by the firmware.
+ * the APIAKey_EL1 and enable pointer authentication.
* -------------------------------------------------------------
*/
func pauth_load_bl31_apiakey
@@ -115,3 +116,26 @@ func pauth_load_bl31_apiakey
isb
ret
endfunc pauth_load_bl31_apiakey
+
+func pauth_load_bl1_apiakey_enable
+ /* Load instruction key A used by the Trusted Firmware */
+ adrp x9, bl1_apiakey
+ add x9, x9, :lo12:bl1_apiakey
+ ldp x10, x11, [x9]
+
+ /* Program instruction key A */
+ msr APIAKeyLo_EL1, x10
+ msr APIAKeyHi_EL1, x11
+
+ /* Enable pointer authentication */
+ mrs x9, sctlr_el3
+ orr x9, x9, #SCTLR_EnIA_BIT
+
+#if ENABLE_BTI
+ /* Enable PAC branch type compatibility */
+ bic x9, x9, #SCTLR_BT_BIT
+#endif
+ msr sctlr_el3, x9
+ isb
+ ret
+endfunc pauth_load_bl1_apiakey_enable
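Review bot: `pauth_load_bl1_apiakey_enable` has no contract comment of its own, and the shared header comment edited in the previous hunk only mentions x9-x17 in general. I would state on the function that it clobbers x9-x11, must run at EL3 because it writes `sctlr_el3`, and replaces whatever key is currently in APIAKey_EL1, so the caller must have saved the previous key first. The comment under `#if ENABLE_BTI` says "Enable PAC branch type compatibility" while the instruction is a `bic` of `SCTLR_BT_BIT`; saying that the bit is cleared, e.g. `/* Clear SCTLR_EL3.BT so PACIASP stays BTI-compatible */`, would stop a reader from mistaking it for a typo of `orr`. The helper also sits in the shared pauth library yet refers to `bl1_apiakey`, which this commit defines only in bl1_main.c, so it is worth noting in the comment that it is BL1-only.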