| Age | Commit message (Collapse) | Author |
|---|
|
SPE is only supported in non-secure state. Accesses to SPE specific
registers from SEL1 will trap to EL3. During a world switch, before
`TTBR` is modified the SPE profiling buffers are drained. This is to
avoid a potential invalid memory access in SEL1.
SPE is architecturally specified only for AArch64.
Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
|
|
This patch updates the el3_arch_init_common macro so that it fully
initialises essential control registers rather then relying on hardware
to set the reset values.
The context management functions are also updated to fully initialise
the appropriate control registers when initialising the non-secure and
secure context structures and when preparing to leave EL3 for a lower
EL.
This gives better alignement with the ARM ARM which states that software
must initialise RES0 and RES1 fields with 0 / 1.
This patch also corrects the following typos:
"NASCR definitions" -> "NSACR definitions"
Change-Id: Ia8940b8351dc27bc09e2138b011e249655041cfc
Signed-off-by: David Cunado <david.cunado@arm.com>
|
|
This patch uses the U() and ULL() macros for constants, to fix some
of the signed-ness defects flagged by the MISRA scanner.
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
|
|
Reduce code size when building with Trusted Board Boot enabled
|
|
This is a reduced version of `snprintf` that only supports formats '%d',
'%i' and '%u'. It can be used when the full `snprintf` is not needed in
order to save memory. If it finds an unknown format specifier, it
prints an error message and panics.
Change-Id: I2cb06fcdf74cda2c43caf73ae0762a91499fc04e
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
|
|
Some header files need to be shared between TF and host programs.
For fiptool, two headers are copied to the tools/fiptool directory,
but it looks clumsy.
This commit introduces a new directory, include/tools_share, which
collects headers that should be shared between TF and host programs.
This will clarify the interface exposed to host tools. We should
add new headers to this directory only when we really need to do so.
For clarification, I inserted a blank line between headers from the
include/ directory (#include <...>) and ones from a local directory
(#include "..." ).
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
|
|
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
|
|
|
|
utils.h is included in various header files for the defines in it.
Some of the other header files only contain defines. This allows the
header files to be shared between host and target builds for shared defines.
Recently types.h has been included in utils.h as well as some function
prototypes.
Because of the inclusion of types.h conflicts exist building host tools
abd these header files now. To solve this problem,
move the defines to utils_def.h and have this included by utils.h and
change header files to only include utils_def.h and not pick up the new
types.h being introduced.
Fixes ARM-software/tf-issues#461
Signed-off-by: Scott Branden <scott.branden@broadcom.com>
Remove utils_def.h from utils.h
This patch removes utils_def.h from utils.h as it is not required.
And also makes a minor change to ensure Juno platform compiles.
Change-Id: I10cf1fb51e44a8fa6dcec02980354eb9ecc9fa29
|
|
Add AArch32 support for Juno
|
|
This patch adds AArch32 state support for ARM Cortex-A53,
Cortex-A57 and Cortex-A72 MPCore Processor in the CPU specific
operations framework.
NOTE: CPU errata handling code is not present in this patch.
Change-Id: I01eb3e028e40dde37565707ebc99e06e7a0c113d
Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
|
|
The build option `ENABLE_ASSERTIONS` should be used instead. That way
both C and ASM assertions can be enabled or disabled together.
All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
been replaced by `ENABLE_ASSERTIONS`.
ASM_ASSERTION has been removed from the user guide.
Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
|
|
Add support for GCC stack protection
|
|
Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.
A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.
A message is printed at the ERROR level when a stack corruption is
detected.
To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.
FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.
Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
|
|
This patch re-factors the following headers to make it easier to
integrate the PSCI library with an AArch32 Secure Payload :
* bl_common.h : The entry point information and the param
header data structures are factored out into separate
headers ep_info.h and param_headers.h
* psci.h : The PSCI library interfaces are factored out
into the new header psci_lib.h
* context_mgmt.h : The header file is modified to not include
arch.h when compiled for AArch32 mode.
No functional changes are introduced by this patch.
Change-Id: I5e21a843c0af2ba8e47dee4e577cf95929be8cd4
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
|
|
Disable secure self-hosted debug
|
|
Trusted Firmware currently has no support for secure self-hosted
debug. To avoid unexpected exceptions, disable software debug
exceptions, other than software breakpoint instruction exceptions,
from all exception levels in secure state. This applies to both
AArch32 and AArch64 EL3 initialization.
Change-Id: Id097e54a6bbcd0ca6a2be930df5d860d8d09e777
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
|
|
Introduce zeromem_dczva function on AArch64 that can handle unaligned
addresses and make use of DC ZVA instruction to zero a whole block at a
time. This zeroing takes place directly in the cache to speed it up
without doing external memory access.
Remove the zeromem16 function on AArch64 and replace it with an alias to
zeromem. This zeromem16 function is now deprecated.
Remove the 16-bytes alignment constraint on __BSS_START__ in
firmware-design.md as it is now not mandatory anymore (it used to comply
with zeromem16 requirements).
Change the 16-bytes alignment constraints in SP min's linker script to a
8-bytes alignment constraint as the AArch32 zeromem implementation is now
more efficient on 8-bytes aligned addresses.
Introduce zero_normalmem and zeromem helpers in platform agnostic header
that are implemented this way:
* AArch32:
* zero_normalmem: zero using usual data access
* zeromem: alias for zero_normalmem
* AArch64:
* zero_normalmem: zero normal memory using DC ZVA instruction
(needs MMU enabled)
* zeromem: zero using usual data access
Usage guidelines: in most cases, zero_normalmem should be preferred.
There are 2 scenarios where zeromem (or memset) must be used instead:
* Code that must run with MMU disabled (which means all memory is
considered device memory for data accesses).
* Code that fills device memory with null bytes.
Optionally, the following rule can be applied if performance is
important:
* Code zeroing small areas (few bytes) that are not secrets should use
memset to take advantage of compiler optimizations.
Note: Code zeroing security-related critical information should use
zero_normalmem/zeromem instead of memset to avoid removal by
compilers' optimizations in some cases or misbehaving versions of GCC.
Fixes ARM-software/tf-issues#408
Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
|
|
At present, spin locks can only defined from C files. Add some macros
such that they can be defined from assembly files too.
Change-Id: I64f0c214062f5c15b3c8b412c7f25c908e87d970
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
|
|
One nasty part of ATF is some of boolean macros are always defined
as 1 or 0, and the rest of them are only defined under certain
conditions.
For the former group, "#if FOO" or "#if !FOO" must be used because
"#ifdef FOO" is always true. (Options passed by $(call add_define,)
are the cases.)
For the latter, "#ifdef FOO" or "#ifndef FOO" should be used because
checking the value of an undefined macro is strange.
Here, IMAGE_BL* is handled by make_helpers/build_macro.mk like
follows:
$(eval IMAGE := IMAGE_BL$(call uppercase,$(3)))
$(OBJ): $(2)
@echo " CC $$<"
$$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) -D$(IMAGE) -c $$< -o $$@
This means, IMAGE_BL* is defined when building the corresponding
image, but *undefined* for the other images.
So, IMAGE_BL* belongs to the latter group where we should use #ifdef
or #ifndef.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
|
|
AArch32: Print ASM_ASSERT and panic messages
|
|
The is_mem_free() function used to be local to bl_common.c.
This patch exports it so that it can be used outside of bl_common.c.
Change-Id: I01dcb4229f3a36f56a4724b567c5e6c416dc5e98
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
|
|
ASM_ASSERT failure and panic messages are suppressed at present. This
patch enables printing the PC location for panic messages, and file name
and line number upon assembly assert failure.
Change-Id: I80cb715988e7ce766f64da1e1d7065a74a096a0c
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
|
|
Define and use no_ret macro where no return is expected
|
|
There are many instances in ARM Trusted Firmware where control is
transferred to functions from which return isn't expected. Such jumps
are made using 'bl' instruction to provide the callee with the location
from which it was jumped to. Additionally, debuggers infer the caller by
examining where 'lr' register points to. If a 'bl' of the nature
described above falls at the end of an assembly function, 'lr' will be
left pointing to a location outside of the function range. This misleads
the debugger back trace.
This patch defines a 'no_ret' macro to be used when jumping to functions
from which return isn't expected. The macro ensures to use 'bl'
instruction for the jump, and also, for debug builds, places a 'nop'
instruction immediately thereafter (unless instructed otherwise) so as
to leave 'lr' pointing within the function range.
Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
|
|
This patch resets EL2 and EL3 registers that have architecturally
UNKNOWN values on reset and that also provide EL2/EL3 configuration
and trap controls.
Specifically, the EL2 physical timer is disabled to prevent timer
interrups into EL2 - CNTHP_CTL_EL2 and CNTHP_CTL for AArch64 and AArch32,
respectively.
Additionally, for AArch64, HSTR_EL2 is reset to avoid unexpected traps of
non-secure access to certain system registers at EL1 or lower.
For AArch32, the patch also reverts the reset to SDCR which was
incorrectly added in a previous change.
Change-Id: If00eaa23afa7dd36a922265194ccd6223187414f
Signed-off-by: David Cunado <david.cunado@arm.com>
|
|
This allows the debugger to print the callstack when there is an
assembly function in the callstack.
It will work as long as the CFA pointer (frame pointer) location is not
modified (i.e. x29 is not touched in AArch64 state). It is the case in
almost all assembly functions, so this patch improves the average
debugging experience. Call stacks from the debugger should still be
interpreted with care. In more complex functions, one could use .cfi*
directives to inform the debugger about the new location of the CFA
pointer.
Change-Id: I9dabfbc033b45e8528e67f4823c17de7bf02fa24
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
|
|
In order to avoid unexpected traps into EL3/MON mode, this patch
resets the debug registers, MDCR_EL3 and MDCR_EL2 for AArch64,
and SDCR and HDCR for AArch32.
MDCR_EL3/SDCR is zero'ed when EL3/MON mode is entered, at the
start of BL1 and BL31/SMP_MIN.
For MDCR_EL2/HDCR, this patch zero's the bits that are
architecturally UNKNOWN values on reset. This is done when
exiting from EL3/MON mode but only on platforms that support
EL2/HYP mode but choose to exit to EL1/SVC mode.
Fixes ARM-software/tf-issues#430
Change-Id: Idb992232163c072faa08892251b5626ae4c3a5b6
Signed-off-by: David Cunado <david.cunado@arm.com>
|
|
At present the `el3_entrypoint_common` macro uses `memcpy`
function defined in lib/stdlib/mem.c file, to copy data
from ROM to RAM for BL1. Depending on the compiler being
used the stack could potentially be used, in `memcpy`,
for storing the local variables. Since the stack is
initialized much later in `el3_entrypoint_common` it
may result in unknown behaviour.
This patch adds `memcpy4` function definition in assembly so
that it can be used before the stack is initialized and it
also replaces `memcpy` by `memcpy4` in `el3_entrypoint_common`
macro, to copy data from ROM to RAM for BL1.
Change-Id: I3357a0e8095f05f71bbbf0b185585d9499bfd5e0
|
|
This patch introduces a `psci_lib_args_t` structure which must be
passed into `psci_setup()` which is then used to initialize the PSCI
library. The `psci_lib_args_t` is a versioned structure so as to enable
compatibility checks during library initialization. Both BL31 and SP_MIN
are modified to use the new structure.
SP_MIN is also modified to add version string and build message as part
of its cold boot log just like the other BLs in Trusted Firmware.
NOTE: Please be aware that this patch modifies the prototype of
`psci_setup()`, which breaks compatibility with EL3 Runtime Firmware
(excluding BL31 and SP_MIN) integrated with the PSCI Library.
Change-Id: Ic3761db0b790760a7ad664d8a437c72ea5edbcd6
|
|
This patch adds common changes to support AArch32 state in
BL1 and BL2. Following are the changes:
* Added functions for disabling MMU from Secure state.
* Added AArch32 specific SMC function.
* Added semihosting support.
* Added reporting of unhandled exceptions.
* Added uniprocessor stack support.
* Added `el3_entrypoint_common` macro that can be
shared by BL1 and BL32 (SP_MIN) BL stages. The
`el3_entrypoint_common` is similar to the AArch64
counterpart with the main difference in the assembly
instructions and the registers that are relevant to
AArch32 execution state.
* Enabled `LOAD_IMAGE_V2` flag in Makefile for
`ARCH=aarch32` and added check to make sure that
platform has not overridden to disable it.
Change-Id: I33c6d8dfefb2e5d142fdfd06a0f4a7332962e1a3
|
|
This patch adds capability to load BL images based on image
descriptors instead of hard coded way of loading BL images.
This framework is designed such that it can be readily adapted
by any BL stage that needs to load images.
In order to provide the above capability the following new
platform functions are introduced:
bl_load_info_t *plat_get_bl_image_load_info(void);
This function returns pointer to the list of images that the
platform has populated to load.
bl_params_t *plat_get_next_bl_params(void);
This function returns a pointer to the shared memory that the
platform has kept aside to pass trusted firmware related
information that next BL image needs.
void plat_flush_next_bl_params(void);
This function flushes to main memory all the params that
are passed to next image.
int bl2_plat_handle_post_image_load(unsigned int image_id)
This function can be used by the platforms to update/use
image information for given `image_id`.
`desc_image_load.c` contains utility functions which can be used
by the platforms to generate, load and executable, image list
based on the registered image descriptors.
This patch also adds new version of `load_image/load_auth_image`
functions in-order to achieve the above capability.
Following are the changes for the new version as compared to old:
- Refactor the signature and only keep image_id and image_info_t
arguments. Removed image_base argument as it is already passed
through image_info_t. Given that the BL image base addresses and
limit/size are already provided by the platforms, the meminfo_t
and entry_point_info arguments are not needed to provide/reserve
the extent of free memory for the given BL image.
- Added check for the image size against the defined max size.
This is needed because the image size could come from an
unauthenticated source (e.g. the FIP header).
To make this check, new member is added to the image_info_t
struct for identifying the image maximum size.
New flag `LOAD_IMAGE_V2` is added in the Makefile.
Default value is 0.
NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when
`LOAD_IMAGE_V2` is enabled.
Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
|
|
This patch adds AArch32 support to cpu ops, context management,
per-cpu data and spinlock libraries. The `entrypoint_info`
structure is modified to add support for AArch32 register
arguments. The CPU operations for AEM generic cpu in AArch32
mode is also added.
Change-Id: I1e52e79f498661d8f31f1e7b3a29e222bc7a4483
|
|
This patch adds an API in runtime service framework to
invoke the registered handler corresponding to the SMC function
identifier. This is helpful for AArch32 because the number of
arguments required by the handler is more than registers
available as per AArch32 program calling conventions and
requires the use of stack. Hence this new API will do the
necessary argument setup and invoke the appropriate
handler. Although this API is primarily intended for AArch32,
it can be used for AArch64 as well.
Change-Id: Iefa15947fe5a1df55b0859886e677446a0fd7241
|
|
This patch adds various assembly helpers for AArch32 like :
* cache management : Functions to flush, invalidate and clean
cache by MVA. Also helpers to do cache operations by set-way
are also added.
* stack management: Macros to declare stack and get the current
stack corresponding to current CPU.
* Misc: Macros to access co processor registers in AArch32,
macros to define functions in assembly, assert macros, generic
`do_panic()` implementation and function to zero block of memory.
Change-Id: I7b78ca3f922c0eda39beb9786b7150e9193425be
|
|
This patch moves assembler macros which are not architecture specific
to a new file `asm_macros_common.S` and moves the `el3_common_macros.S`
into `aarch64` specific folder.
Change-Id: I444a1ee3346597bf26a8b827480cd9640b38c826
|
|
This patch introduces the PSCI Library interface. The major changes
introduced are as follows:
* Earlier BL31 was responsible for Architectural initialization during cold
boot via bl31_arch_setup() whereas PSCI was responsible for the same during
warm boot. This functionality is now consolidated by the PSCI library
and it does Architectural initialization via psci_arch_setup() during both
cold and warm boots.
* Earlier the warm boot entry point was always `psci_entrypoint()`. This was
not flexible enough as a library interface. Now PSCI expects the runtime
firmware to provide the entry point via `psci_setup()`. A new function
`bl31_warm_entrypoint` is introduced in BL31 and the previous
`psci_entrypoint()` is deprecated.
* The `smc_helpers.h` is reorganized to separate the SMC Calling Convention
defines from the Trusted Firmware SMC helpers. The former is now in a new
header file `smcc.h` and the SMC helpers are moved to Architecture specific
header.
* The CPU context is used by PSCI for context initialization and
restoration after power down (PSCI Context). It is also used by BL31 for SMC
handling and context management during Normal-Secure world switch (SMC
Context). The `psci_smc_handler()` interface is redefined to not use SMC
helper macros thus enabling to decouple the PSCI context from EL3 runtime
firmware SMC context. This enables PSCI to be integrated with other runtime
firmware using a different SMC context.
NOTE: With this patch the architectural setup done in `bl31_arch_setup()`
is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be
invoked prior to architectural setup. It is highly unlikely that the platform
setup will depend on architectural setup and cause any failure. Please be
be aware of this change in sequence.
Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
|
|
This patch moves the PSCI services and BL31 frameworks like context
management and per-cpu data into new library components `PSCI` and
`el3_runtime` respectively. This enables PSCI to be built independently from
BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant
PSCI library sources and gets included by `bl31.mk`. Other changes which
are done as part of this patch are:
* The runtime services framework is now moved to the `common/` folder to
enable reuse.
* The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture
specific folder.
* The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder
to `plat/common` folder. The original file location now has a stub which
just includes the file from new location to maintain platform compatibility.
Most of the changes wouldn't affect platform builds as they just involve
changes to the generic bl1.mk and bl31.mk makefiles.
NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT
THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR
MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
|
|
This patch fixes some coding guideline warnings reported by the checkpatch
script. Only files related to upcoming feature development have been fixed.
Change-Id: I26fbce75c02ed62f00493ed6c106fe7c863ddbc5
|
|
This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:
* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
whether AArch64 or AArch32.
* Use generic C types where-ever possible.
In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.
Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
|
|
Map read-only data as execute-never
|
|
At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.
This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.
This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.
- When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
the read-only section still looks like this (padding omitted):
| ... |
+-------------------+
| Exception vectors |
+-------------------+
| Read-only data |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script provides the limits of the whole
read-only section.
- When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
read-only data are swapped, such that the code and exception
vectors are contiguous, followed by the read-only data. This
gives the following new layout (padding omitted):
| ... |
+-------------------+
| Read-only data |
+-------------------+
| Exception vectors |
+-------------------+
| Code |
+-------------------+ BLx_BASE
In this case, the linker script now exports 2 sets of addresses
instead: the limits of the code and the limits of the read-only
data. Refer to the Firmware Design guide for more details. This
provides platform code with a finer-grained view of the image
layout and allows it to map these 2 regions with the appropriate
access permissions.
Note that SEPARATE_CODE_AND_RODATA applies to all BL images.
Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
|
|
This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.
For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.
bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.
Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9
|
|
The per-cpu stacks should be aligned to the cache-line size and
the `declare_stack` helper in asm_macros.S macro assumed a
cache-line size of 64 bytes. The platform defines the cache-line
size via CACHE_WRITEBACK_GRANULE macro. This patch modifies
`declare_stack` helper macro to derive stack alignment from the
platform defined macro.
Change-Id: I1e1b00fc8806ecc88190ed169f4c8d3dd25fe95b
|
|
Build option to include AArch32 registers in cpu context
|
|
The system registers that are saved and restored in CPU context include
AArch32 systems registers like SPSR_ABT, SPSR_UND, SPSR_IRQ, SPSR_FIQ,
DACR32_EL2, IFSR32_EL2 and FPEXC32_EL2. Accessing these registers on an
AArch64-only (i.e. on hardware that does not implement AArch32, or at
least not at EL1 and higher ELs) platform leads to an exception. This patch
introduces the build option `CTX_INCLUDE_AARCH32_REGS` to specify whether to
include these AArch32 systems registers in the cpu context or not. By default
this build option is set to 1 to ensure compatibility. AArch64-only platforms
must set it to 0. A runtime check is added in BL1 and BL31 cold boot path to
verify this.
Fixes ARM-software/tf-issues#386
Change-Id: I720cdbd7ed7f7d8516635a2ec80d025f478b95ee
|
|
The documentation of the GNU assembler specifies the following about
the .align assembler directive:
"the padding bytes are normally zero. However, on some systems, if
the section is marked as containing code and the fill value is
omitted, the space is filled with no-op instructions."
(see https://sourceware.org/binutils/docs/as/Align.html)
When building Trusted Firmware, the AArch64 GNU assembler uses a
mix of zero bytes and no-op instructions as the padding bytes to
align exception vectors.
This patch mandates to use zero bytes to be stored in the padding
bytes in the exception vectors. In the AArch64 instruction set, no
valid instruction encodes as zero so this effectively inserts
illegal instructions. Should this code end up being executed for
any reason, it would crash immediately. This gives us an extra
protection against misbehaving code at no extra cost.
Change-Id: I4f2abb39d0320ca0f9d467fc5af0cb92ae297351
|
|
This patch introduces some assembler macros to simplify the
declaration of the exception vectors. It abstracts the section
the exception code is put into as well as the alignments
constraints mandated by the ARMv8 architecture. For all TF images,
the exception code has been updated to make use of these macros.
This patch also updates some invalid comments in the exception
vector code.
Change-Id: I35737b8f1c8c24b6da89b0a954c8152a4096fa95
|
|
If Trusted Firmware is built with optimizations disabled (-O0), the
linker throws the following error:
undefined reference to 'xxx'
Where 'xxx' is a raw inline function defined in a header file. The
reason is that, with optimizations disabled, GCC may decide to skip
the inlining. If that is the case, an external definition to the
compilation unit must be provided. Because no external definition
is present, the linker throws the error.
This patch fixes the problem by declaring the following inline
functions static, so the internal definition is used:
- cm_set_next_context()
- bakery_lock_init()
Note that building the TF with optimizations disabled when Trusted
Board Boot is enabled is currently unsupported, as this makes the BL2
image too big to fit in memory without any adjustment of its base
address. Similarly, disabling optimizations for debug builds on FVP
is unsupported at the moment.
Change-Id: I284a9f84cc8df96a0c1a52dfe05c9e8544c0cefe
|
|
This patch enables the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and
BL31 common architectural setup code. When in secure state, this disables
instruction fetches from Non-secure memory.
NOTE: THIS COULD BREAK PLATFORMS THAT HAVE SECURE WORLD CODE EXECUTING FROM
NON-SECURE MEMORY, BUT THIS IS CONSIDERED UNLIKELY AND IS A SERIOUS SECURITY
RISK.
Fixes ARM-Software/tf-issues#372
Change-Id: I684e84b8d523c3b246e9a5fabfa085b6405df319
|
