core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander

core: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-vexpress: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens

plat-vexpress: remove unnecessary includes

Remove unnecessary includes.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

riscv: mm: Set A/D bits of PTE(page table entry) by default

According to RISC-V privileged ISA manual:
Each leaf PTE contains an accessed (A) and dirty (D) bit. The A bit
indicates the virtual page

riscv: mm: Set A/D bits of PTE(page table entry) by default

According to RISC-V privileged ISA manual:
Each leaf PTE contains an accessed (A) and dirty (D) bit. The A bit
indicates the virtual page has been read, written, or fetched from since
the last time the A bit was cleared. The D bit indicates the virtual
page has been written since the last time the D bit was cleared.
When a virtual page is accessed and the A bit is clear, or is written
and the D bit is clear, a page-fault exception is raised.

And the manual also suggests:
If the supervisor software does not rely on accessed and/or dirty bits,
it should always set them to 1 in the PTE to improve performance.

Since OP-TEE does not rely on A/D bits, we by default set them to 1 to
avoid unnecessary page-fault exceptions when OP-TEE touches those pages.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: riscv: Rename thread_return_to_ree() to thread_return_to_udomain()

The terminology "udomain", which means untrusted domain, is more precise
terminology for RISC-V architecture, where "domain"

core: riscv: Rename thread_return_to_ree() to thread_return_to_udomain()

The terminology "udomain", which means untrusted domain, is more precise
terminology for RISC-V architecture, where "domain" has already been
defined in RISC-V CoVE and Smmtt specifications.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Marouene Boubakri <marouene.boubakri@nxp.com>

show more ...

core: ffa: Read FF-A version from the SP manifest

Read the SP's FF-A version from the ffa-version property of the SP
manifest. This property is mandatory according to the FF-A
specification.
SPs are

core: ffa: Read FF-A version from the SP manifest

Read the SP's FF-A version from the ffa-version property of the SP
manifest. This property is mandatory according to the FF-A
specification.
SPs are still able to do runtime version negotiation via the FFA_VERSION
interface.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: get DDR range from embedded DTB

Find main memory (DDR) physical range(s) from the secure embedded DTB
if not found from the external DDR.

Reviewed-by: Jens Wiklander <jens.wiklander@lina

core: arm: get DDR range from embedded DTB

Find main memory (DDR) physical range(s) from the secure embedded DTB
if not found from the external DDR.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: imx: disable ELE support on imx8ulp, imx93 by default

On imx8ulp and imx93, there is only one MU to communicate with
ELE, which cannot be dedicated on OP-TEE side all the time.
There may be EL

core: imx: disable ELE support on imx8ulp, imx93 by default

On imx8ulp and imx93, there is only one MU to communicate with
ELE, which cannot be dedicated on OP-TEE side all the time.
There may be ELE services running on Linux side, which can
cause conflict with OP-TEE.
So disablig ELE by default for now.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

plat: rcar-gen3: disable HWRNG by default

Sometimes ROM code fails to provide random numbers, which leads to
OP-TEE panic with "ROM_GetRndVector() returned error!" message.

So far this behavior was

plat: rcar-gen3: disable HWRNG by default

Sometimes ROM code fails to provide random numbers, which leads to
OP-TEE panic with "ROM_GetRndVector() returned error!" message.

So far this behavior was observed only on M3 Ver.3.0, but it is
unclear if other SoCs are affected. There is a workaround which
retries and operation and this workaround seems to work, but again, it
is unclear if this is the correct way to deal with the issue. So it is
better to disable use of HWRNG by default, until we get clarification
on those errors from Renesas.

This patch moves HWRNG code under CFG_RCAR_GEN3_HWRNG option, so
expert user still can try to use it.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-rcar: romapi: retry call to ROM_GetRndVector

Sometimes ROM_GetRndVector() function returns an error, which causes
OP-TEE panic down the call path, as OP-TEE can't handle errors from
the hardwar

plat-rcar: romapi: retry call to ROM_GetRndVector

Sometimes ROM_GetRndVector() function returns an error, which causes
OP-TEE panic down the call path, as OP-TEE can't handle errors from
the hardware random number generator. As a workaround, we can try to
repeat call to the ROM_GetRndVector() because it succeeds on the next
try.

Anyways, this hardly can be considered as a normal behavior so it is
better to disable HW RNG by default, which will be done in a separate
patch.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: fix misnamed 157C_EV1_SCMI flavor

Correct platform flavor name 157C_EV1_SCMI, not 157F_EV1_SCMI.

Fixes: 36f1fd6d4930 ("dts: add stm32mp15*-scmi.dts files for when RCC is secure")
Ack

plat-stm32mp1: fix misnamed 157C_EV1_SCMI flavor

Correct platform flavor name 157C_EV1_SCMI, not 157F_EV1_SCMI.

Fixes: 36f1fd6d4930 ("dts: add stm32mp15*-scmi.dts files for when RCC is secure")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-k3: sa2ul_rng: Use mutex instead of spinlock for critical section

While spinlock are slightly more lightweight, they currently require that
interrupts are disabled during the critical section.

plat-k3: sa2ul_rng: Use mutex instead of spinlock for critical section

While spinlock are slightly more lightweight, they currently require that
interrupts are disabled during the critical section. If this section is
long enough it can have a negative affect on realtime sensitive tasks
that require deterministic preemption.

As our RNG gathering can loop while waiting for new random numbers to
become available we cannot know how long this section will take, so we
should use a mutex. Do that here.

Signed-off-by: Andrew Davis <afd@ti.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-vexpress: configure CFG_CORE_ASYNC_NOTIF_GIC_INTID

When compiled for SPMC at S-EL1 (CFG_CORE_SEL1_SPMC=y), configure
CFG_CORE_ASYNC_NOTIF_GIC_INTID to an unused secure SGI that can be
donated t

plat-vexpress: configure CFG_CORE_ASYNC_NOTIF_GIC_INTID

When compiled for SPMC at S-EL1 (CFG_CORE_SEL1_SPMC=y), configure
CFG_CORE_ASYNC_NOTIF_GIC_INTID to an unused secure SGI that can be
donated to the normal world.

In boot_primary_init_intc(), only donate the interrupt id if it's in the
predefined secure SGI range.

Fixes: 462028ede02d ("qemu_armv8a: add GIC v3 redistributor base address")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-vexpress: fvp: configure GIC redistributor base address

Configure GIC redistributor base address needed with GICv3.

Fixes: 462028ede02d ("qemu_armv8a: add GIC v3 redistributor base address")
S

plat-vexpress: fvp: configure GIC redistributor base address

Configure GIC redistributor base address needed with GICv3.

Fixes: 462028ede02d ("qemu_armv8a: add GIC v3 redistributor base address")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: ffa: optionally use CFG_CORE_ASYNC_NOTIF_GIC_INTID

Allow an FF-A configuration to optionally use
CFG_CORE_ASYNC_NOTIF_GIC_INTID to configure the interrupt used to notify
the normal world

core: arm: ffa: optionally use CFG_CORE_ASYNC_NOTIF_GIC_INTID

Allow an FF-A configuration to optionally use
CFG_CORE_ASYNC_NOTIF_GIC_INTID to configure the interrupt used to notify
the normal world that there are pending notifications. For FF-A
CFG_CORE_ASYNC_NOTIF_GIC_INTID is only dealt with in platform code so
relax the static assert about interrupt IDs in (the unused)
add_optee_dt_node().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-sam: enable nvmem support

Enable nvmem support to allow reading hardware unique key from the fuses.

Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-off-by: Thomas Perrot <thoma

plat-sam: enable nvmem support

Enable nvmem support to allow reading hardware unique key from the fuses.

Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: sama5d2: add sfc node for the secure fuse controller

Add the definition of the atmel_sfc controller in the sama5d2 device-tree.

Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-

dts: sama5d2: add sfc node for the secure fuse controller

Add the definition of the atmel_sfc controller in the sama5d2 device-tree.

Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: Clear FFA_MEM_RETRIEVE_RESP memory descriptor fields

Clear the memory descriptors in FFA_MEM_RETRIEVE_RESP calls in order to
set the reserved fields to zero. The caller might check if the

core: ffa: Clear FFA_MEM_RETRIEVE_RESP memory descriptor fields

Clear the memory descriptors in FFA_MEM_RETRIEVE_RESP calls in order to
set the reserved fields to zero. The caller might check if the reserved
fields are zero as it is stated in the FF-A spec. With FF-A v1.1 the
memory transaction descriptor's 4 byte field at offset 24 has changed
from reserved (MBZ) to Endpoint memory access descriptor size
(non-zero). With the reserved field not cleared in the v1.0 descriptor,
the caller cannot verify if it got the right version of the memory
transaction descriptor.

This issue only affects the FFA_MEM_RETRIEVE_RESP call at the
S-EL1 <-> S-EL0 interface, in all other cases the descriptors are
cleared properly.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: allow cache_op_outer() to operate on non-secure buffers

According the ARM PL310 documentation, if the operation is specific
to the PA, the behavior is presented in the following manner:

core: arm: allow cache_op_outer() to operate on non-secure buffers

According the ARM PL310 documentation, if the operation is specific
to the PA, the behavior is presented in the following manner:
- Secure access: The data in the cache is only affected by the
the operation if it is secure.
- Non-secure access: The data in the cache is only affected by the
operation if it is non-secure.

Depending on the buffer location, use the secure or non-secure PL310
base address to do physical address based cache operation on the
buffer.

Link: https://developer.arm.com/documentation/ddi0246/a/programmer-s-model/register-descriptions/register-7--cache-maintenance-operations
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: plat: imx: implement pl310_nsbase()

Map PL310 registers as non-secure.
Implement pl310_nsbase() that returns non-secure PL310 base address.

Signed-off-by: Clement Faure <clement.faure@nxp.com

core: plat: imx: implement pl310_nsbase()

Map PL310 registers as non-secure.
Implement pl310_nsbase() that returns non-secure PL310 base address.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add pl310_nsbase() function

Add pl310_nsbase() function to return non-secure PL310 base address.

The default implementation is a weak function that returns the secure
PL310 base address to ma

core: add pl310_nsbase() function

Add pl310_nsbase() function to return non-secure PL310 base address.

The default implementation is a weak function that returns the secure
PL310 base address to match the previous behavior where only the secure
base address was returned.

It is up to the platform to implement that function.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-k3: sa2ul_rng: check if rng is enabled before to do a read

Check if rng is enabled in sa2ul_rng_read128(), if not the
initialization sequence is run.
After a suspend to ram, the rng may be in r

plat-k3: sa2ul_rng: check if rng is enabled before to do a read

Check if rng is enabled in sa2ul_rng_read128(), if not the
initialization sequence is run.
After a suspend to ram, the rng may be in reset state, and it has to be
re-initialized if in reset state.

Signed-off-by: Thomas Richard <thomas.richard@bootlin.com>
Reviewed-by: Andrew Davis <afd@ti.com>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: riscv: Include kernel/interrupt.h for thread_arch.c

Otherwise, the compiler can not find the declaration of
interrupt_main_handler().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-

core: riscv: Include kernel/interrupt.h for thread_arch.c

Otherwise, the compiler can not find the declaration of
interrupt_main_handler().

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: riscv: Add missing initial value for read_tp()

The stack variable "tp" should have its initial value.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wikland

core: riscv: Add missing initial value for read_tp()

The stack variable "tp" should have its initial value.

Signed-off-by: Alvin Chang <alvinga@andestech.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: read_64bit_pair()

Implement read_64bit_pair that read two 64 bits data together.

Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

plat-sam: force CFG_EXTERNAL_DT to n

Because this feature isn't used on SAM platforms and to disable DT
insecure warning.

Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Acked-by: Jens Wik

plat-sam: force CFG_EXTERNAL_DT to n

Because this feature isn't used on SAM platforms and to disable DT
insecure warning.

Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...