Merge "feat(sptool): transfer list to replace SP Pkg" into integration

fix(cpus): avoid SME related loss of context on powerdown

Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is th

fix(cpus): avoid SME related loss of context on powerdown

Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.

On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4

show more ...

feat(psci): allow cores to wake up from powerdown

The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do

feat(psci): allow cores to wake up from powerdown

The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.

One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.

Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.

So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.

To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.

Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.

Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.

Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.

Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.

All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.

Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.

Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(build): do not force PLAT in plat_helpers.mk" into integration

feat(sptool): transfer list to replace SP Pkg

Generate the rules for calling 'tlc' tool, and generating
a partition package as a TL:
- The data is aligned to 4k.
- Using TE types 0x103 for FF-A mani

feat(sptool): transfer list to replace SP Pkg

Generate the rules for calling 'tlc' tool, and generating
a partition package as a TL:
- The data is aligned to 4k.
- Using TE types 0x103 for FF-A manifest, and 0x106 for
FF-A SP binary.

Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I1941e3e8f43d8dad33cdd0dea0571cf4a0d5e8f3

show more ...

fix(build): do not force PLAT in plat_helpers.mk

After the change to allow overriding platform specific defaults [1],
the PLAT macro is forced to DEFAULT_PLAT in plat_helpers.mk. But this
makefile i

fix(build): do not force PLAT in plat_helpers.mk

After the change to allow overriding platform specific defaults [1],
the PLAT macro is forced to DEFAULT_PLAT in plat_helpers.mk. But this
makefile is also called for tools. For example in fiptool makefile, as
PLAT is reset to default plat (fvp), we cannot use specific platforms
plat_fiptool.mk files. Put back the setting of PLAT macro in Makefile.

[1]: 1b2fb6adb5 feat(build): add ability to define platform specific
defaults

Signed-off-by: Yann Gautier <yann.gautier@st.com>
Change-Id: Iadf8bc7fc831a728a9688d0afdd163c8dda737e5

show more ...

Merge "build: remove Windows compatibility layer" into integration

Merge "feat(mops): enable FEAT_MOPS in EL3 when INIT_UNUSED_NS_EL2=1" into integration

feat(mops): enable FEAT_MOPS in EL3 when INIT_UNUSED_NS_EL2=1

FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set th

feat(mops): enable FEAT_MOPS in EL3 when INIT_UNUSED_NS_EL2=1

FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set the HCRX_EL2.MSCEn bit to 1 to enable the feature.

This patch ensures FEAT_MOPS is enabled by setting HCRX_EL2.MSCEn to 1.

Change-Id: Ic4960e0cc14a44279156b79ded50de475b3b21c5
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>

show more ...

build: remove Windows compatibility layer

For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulat

build: remove Windows compatibility layer

For a couple of releases now we have officially withdrawn support for
building TF-A on Windows using the native environment, relying instead
on POSIX emulation layers like MSYS2, Mingw64, Cygwin or WSL.

This change removes the remainder of the OS compatibility layer
entirely, and migrates the build system over to explicitly relying on a
POSIX environment.

Change-Id: I8fb60d998162422e958009afd17eab826e3bc39b
Signed-off-by: Chris Kay <chris.kay@arm.com>

show more ...

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change own

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change owning security state when a feature is disabled

show more ...

Merge changes I1f662f82,I59a3b297 into integration

* changes:
fix(build): include platform mk earlier
fix(arm): use EL3_PAS in MAP_BL2_TOTAL definition

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106

show more ...

Merge "fix(rme): remove ENABLE_PIE restriction" into integration

feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY

SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about
the features it is aware of and enables. This is useful when a feature
is

feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY

SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about
the features it is aware of and enables. This is useful when a feature
is not enabled at EL3, eg due to an older FW image, but it is present in
hardware. In those cases, the EL1 ID registers do not reflect the usable
feature set and this call should provide the necessary information to
remedy that.

The call itself is very lightweight - effectively a sanitised read of
the relevant system register. Bits that are not relevant to feature
enablement are masked out and active low bits are converted to active
high.

The implementation is also very simple. All relevant, irrelevant, and
inverted bits combined into bitmasks at build time. Then at runtime the
masks are unconditionally applied to produce the right result. This
assumes that context managers will make sure that disabled features
do not have their bits set and the registers are context switched if
any fields in them make enablement ambiguous.

Features that are not yet supported in TF-A have not been added. On
debug builds, calling this function will fail an assert if any bits that
are not expected are set. In combination with CI this should allow for
this feature to to stay up to date as new architectural features are
added.

If a call for MPAM3_EL3 is made when MPAM is not enabled, the call
will return INVALID_PARAM, while if it is FEAT_STATE_CHECK, it will
return zero. This should be fairly consistent with feature detection.

The bitmask is meant to be interpreted as the logical AND of the
relevant ID registers. It would be permissible for this to return 1
while the ID returns 0. Despite this, this implementation takes steps
not to. In the general case, the two should match exactly.

Finally, it is not entirely clear whether this call replies to SMC32
requests. However, it will not, as the return values are all 64 bits.

[1]: https://developer.arm.com/documentation/den0028/galp1/?lang=en

Co-developed-by: Charlie Bareham <charlie.bareham@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1a74e7d0b3459b1396961b8fa27f84e3f0ad6a6f

show more ...

fix(rme): remove ENABLE_PIE restriction

The combination of ENABLE_RME=1 + ENABLE_PIE=1 build options is
prevented currently for no good reason. ENABLE_PIE in a 4 worlds
configuration is mostly for b

fix(rme): remove ENABLE_PIE restriction

The combination of ENABLE_RME=1 + ENABLE_PIE=1 build options is
prevented currently for no good reason. ENABLE_PIE in a 4 worlds
configuration is mostly for building BL31 with PIE support.
BL1 / BL2 (BL2_RUNS_AT_EL3=1) remain non-PIE. BL32 (TSP) is PIE capable
but typically unused in this configuration. TRP doesn't support PIE
but is loaded in place so isn't affected by this option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ia60e295534a92cb1b4e3eb88b3e240aea4f4fe1d

show more ...

Merge "chore: drop -fno-builtin" into integration

chore: drop -fno-builtin

It is implied by -ffreestanding

Change-Id: Ia7b0f78fd4020aceea246d10ac3d869e743e7a9f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

Merge "fix(romlib): romlib build without MbedTLS" into integration

Merge "feat(fpmr): disable FPMR trap" into integration

feat(fpmr): disable FPMR trap

This patch enables support of FEAT_FPMR by enabling access
to FPMR register. It achieves it by setting the EnFPM bit of
SCR_EL3. This feature is currently enabled for N

feat(fpmr): disable FPMR trap

This patch enables support of FEAT_FPMR by enabling access
to FPMR register. It achieves it by setting the EnFPM bit of
SCR_EL3. This feature is currently enabled for NS world only.

Reference:
https://developer.arm.com/documentation/109697/2024_09/
Feature-descriptions/The-Armv9-5-architecture-extension?lang=en

Change-Id: I580c409b9b22f8ead0737502280fb9093a3d5dd2
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>

show more ...

Merge changes from topic "hob_creation_in_tf_a" into integration

* changes:
feat(fvp): build hob library
feat(lib): introduce Hob creation library
feat(lib): modify Hob creation code imported

Merge changes from topic "hob_creation_in_tf_a" into integration

* changes:
feat(fvp): build hob library
feat(lib): introduce Hob creation library
feat(lib): modify Hob creation code imported from edk2
feat(lib): copy StandaloneMm Hob creation library in edk2

show more ...

feat(lib): introduce Hob creation library

According to Platform Initialization (PI) Specification [1] and
discussion on edk2 mailing list [2],
StandaloneMm shouldn't create Hob but it should be pass

feat(lib): introduce Hob creation library

According to Platform Initialization (PI) Specification [1] and
discussion on edk2 mailing list [2],
StandaloneMm shouldn't create Hob but it should be passed from TF-A.
IOW, TF-A should pass boot information via HOB list to initialise
StandaloneMm properly.

And this HOB lists could be delivered via
- SPM_MM: Transfer List according to the firmware handoff spec[3]

- FF-A v1.1 >= : FF-A boot protocol.

This patch introduces a TF-A HOB creation library and
some of definitions which StandaloneMm requires to boot.

Link: https://uefi.org/sites/default/files/resources/PI_Spec_1_6.pdf [1]
Link: https://edk2.groups.io/g/devel/topic/103675962#114283 [2]
Link: https://github.com/FirmwareHandoff/firmware_handoff [3]
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
Change-Id: I5e0838adce487110206998a8b79bc3adca922cec

show more ...

fix(romlib): romlib build without MbedTLS

The ROMLIB build currently has a strong dependency on MbedTLS. This
patch has been introduced to remove this dependency, making it more
flexible.

Change-Id

fix(romlib): romlib build without MbedTLS

The ROMLIB build currently has a strong dependency on MbedTLS. This
patch has been introduced to remove this dependency, making it more
flexible.

Change-Id: If8c4cc7cf557687f40b235a4b8f931cfb70943fd
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes Ibe44f19e,I9e023edb,I96d655fc into integration

* changes:
build: use parameters in calls to `MAKE_DEP`
build: disable suffix rules globally
build: use full paths for generated li

Merge changes Ibe44f19e,I9e023edb,I96d655fc into integration

* changes:
build: use parameters in calls to `MAKE_DEP`
build: disable suffix rules globally
build: use full paths for generated libraries

show more ...