Merge changes from topic "bk/no_blx_setup" into integration

* changes:
fix: replace stray BL2_AT_EL3 with RESET_TO_BL2
refactor(aarch64): move BL31 specific setup out of the PSCI entrypoint
re

Merge changes from topic "bk/no_blx_setup" into integration

* changes:
fix: replace stray BL2_AT_EL3 with RESET_TO_BL2
refactor(aarch64): move BL31 specific setup out of the PSCI entrypoint
refactor: unify blx_setup() and blx_main()
fix(bl2): unify the BL2 EL3 and RME entrypoints

show more ...

refactor: unify blx_setup() and blx_main()

All BLs have a bl_setup() for things that need to happen early, a fall
back into assembly and then bl_main() for the main functionality. This
was necessary

refactor: unify blx_setup() and blx_main()

All BLs have a bl_setup() for things that need to happen early, a fall
back into assembly and then bl_main() for the main functionality. This
was necessary in order to fiddle with PAuth related things that tend to
break C calls. Since then PAuth's enablement has seen a lot of
refactoring and this is now worked around cleanly so the distinction can
be removed. The only tradeoff is that this requires pauth to not be used
for the top-level main function.

There are two main benefits to doing this: First, code is easier to
understand as it's all together and the entrypoint is smaller. Second,
the compiler gets to see more of the code and apply optimisations
(importantly LTO).

Change-Id: Iddb93551115a2048988017547eb7b8db441dbd37
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "hm/handoff-aarch32" into integration

* changes:
refactor(arm): simplify early platform setup functions
feat(bl32): enable r3 usage for boot args
feat(handoff): add li

Merge changes from topic "hm/handoff-aarch32" into integration

* changes:
refactor(arm): simplify early platform setup functions
feat(bl32): enable r3 usage for boot args
feat(handoff): add lib to sp-min sources
feat(handoff): add 32-bit variant of SRAM layout
feat(handoff): add 32-bit variant of ep info
fix(aarch32): avoid using r12 to store boot params
fix(arm): reinit secure and non-secure tls
refactor(handoff): downgrade error messages

show more ...

fix(aarch32): avoid using r12 to store boot params

The current implementation uses the `r12` register as temporary storage
for r4. However, `r12` is a call-clobbered register, meaning its
contents a

fix(aarch32): avoid using r12 to store boot params

The current implementation uses the `r12` register as temporary storage
for r4. However, `r12` is a call-clobbered register, meaning its
contents are not preserved across function calls. This becomes
problematic when we later call the `zeromem` function, as any
information stored in `r12` will be lost. To address this issue, we
should avoid using `r12` to store boot parameters.

Change-Id: If94b7fc3a01bc617ceadaaa704d5aa5e5accfd3f
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

Merge changes from topic "aarch32_debug_aborts" into integration

* changes:
feat(stm32mp1): add plat_report_*_abort functions
feat(debug): add helpers for aborts on AARCH32
feat(debug): add AA

Merge changes from topic "aarch32_debug_aborts" into integration

* changes:
feat(stm32mp1): add plat_report_*_abort functions
feat(debug): add helpers for aborts on AARCH32
feat(debug): add AARCH32 CP15 fault registers

show more ...

feat(debug): add helpers for aborts on AARCH32

New helper functions are created to handle data & prefetch aborts
in AARCH32. They call platform functions, just like what
report_exception is doing.
A

feat(debug): add helpers for aborts on AARCH32

New helper functions are created to handle data & prefetch aborts
in AARCH32. They call platform functions, just like what
report_exception is doing.
As extended MSR/MRS instructions (to access lr_abt in monitor mode)
are only available if CPU (Armv7) has virtualization extension,
the functions branch to original report_exception handlers if this is
not the case.
Those new helpers are created mainly to distinguish data and prefetch
aborts, as they both share the same mode.
This adds 40 bytes of code.

Change-Id: I5dd31930344ad4e3a658f8a9d366a87a300aeb67
Signed-off-by: Yann Gautier <yann.gautier@st.com>

show more ...

Merge changes I15e7cc43,Id7411bd5,I92bafe70,I8f1c0658 into integration

* changes:
stm32mp1: enable PIE for BL32
stm32mp1: set BL sizes regardless of flags
Add PIE support for AARCH32
Avoid t

Merge changes I15e7cc43,Id7411bd5,I92bafe70,I8f1c0658 into integration

* changes:
stm32mp1: enable PIE for BL32
stm32mp1: set BL sizes regardless of flags
Add PIE support for AARCH32
Avoid the use of linker *_SIZE__ macros

show more ...

Avoid the use of linker *_SIZE__ macros

The use of end addresses is preferred over the size of sections.
This was done for some AARCH64 files for PIE with commit [1],
and some extra explanations can

Avoid the use of linker *_SIZE__ macros

The use of end addresses is preferred over the size of sections.
This was done for some AARCH64 files for PIE with commit [1],
and some extra explanations can be found in its commit message.
Align the missing AARCH64 files.

For AARCH32 files, this is required to prepare PIE support introduction.

[1] f1722b693d36 ("PIE: Use PC relative adrp/adr for symbol reference")

Change-Id: I8f1c06580182b10c680310850f72904e58a54d7d
Signed-off-by: Yann Gautier <yann.gautier@st.com>

show more ...

Merge pull request #1878 from jts-arm/sctlr

Apply stricter speculative load restriction

Apply stricter speculative load restriction

The SCTLR.DSSBS bit is zero by default thus disabling speculative loads.
However, we also explicitly set it to zero for BL2 and TSP images when
each image

Apply stricter speculative load restriction

The SCTLR.DSSBS bit is zero by default thus disabling speculative loads.
However, we also explicitly set it to zero for BL2 and TSP images when
each image initialises its context. This is done to ensure that the
image environment is initialised in a safe state, regardless of the
reset value of the bit.

Change-Id: If25a8396641edb640f7f298b8d3309d5cba3cd79
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

show more ...

Merge pull request #1829 from antonio-nino-diaz-arm/an/pauth

Add Pointer Authentication (ARMv8.3-PAuth) support to the TF

BL2: Enable pointer authentication support

The size increase after enabling options related to ARMv8.3-PAuth is:

+----------------------------+-------+-------+-------+--------+
|

BL2: Enable pointer authentication support

The size increase after enabling options related to ARMv8.3-PAuth is:

+----------------------------+-------+-------+-------+--------+
| | text | bss | data | rodata |
+----------------------------+-------+-------+-------+--------+
| CTX_INCLUDE_PAUTH_REGS = 1 | +40 | +0 | +0 | +0 |
| | 0.2% | | | |
+----------------------------+-------+-------+-------+--------+
| ENABLE_PAUTH = 1 | +664 | +0 | +16 | +0 |
| | 3.1% | | 0.9% | |
+----------------------------+-------+-------+-------+--------+

Results calculated with the following build configuration:

make PLAT=fvp SPD=tspd DEBUG=1 \
SDEI_SUPPORT=1 \
EL3_EXCEPTION_HANDLING=1 \
TSP_NS_INTR_ASYNC_PREEMPT=1 \
CTX_INCLUDE_PAUTH_REGS=1 \
ENABLE_PAUTH=1

The changes for BL2_AT_EL3 aren't done in this commit.

Change-Id: I8c803b40c7160525a06173bc6cdca21c4505837d
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1726 from antonio-nino-diaz-arm/an/includes

Sanitise includes across codebase

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- inclu

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a282 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca33988b9 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1263 from soby-mathew/sm/dyn_config

Dynamic Configuration Prototype

Introduce the new BL handover interface

This patch introduces a new BL handover interface. It essentially allows
passing 4 arguments between the different BL stages. Effort has been made
so as to be

Introduce the new BL handover interface

This patch introduces a new BL handover interface. It essentially allows
passing 4 arguments between the different BL stages. Effort has been made
so as to be compatible with the previous handover interface. The previous
blx_early_platform_setup() platform API is now deprecated and the new
blx_early_platform_setup2() variant is introduced. The weak compatiblity
implementation for the new API is done in the `plat_bl_common.c` file.
Some of the new arguments in the new API will be reserved for generic
code use when dynamic configuration support is implemented. Otherwise
the other registers are available for platform use.

Change-Id: Ifddfe2ea8e32497fe1beb565cac155ad9d50d404
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge pull request #925 from dp-arm/dp/spdx

Use SPDX license identifiers

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by

Use SPDX license identifiers

To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.

NOTE: Files that have been imported by FreeBSD have not been modified.

[0]: https://spdx.org/

Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

show more ...

Merge pull request #886 from dp-arm/dp/stack-protector

Add support for GCC stack protection

Add support for GCC stack protection

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform funct

Add support for GCC stack protection

Introduce new build option ENABLE_STACK_PROTECTOR. It enables
compilation of all BL images with one of the GCC -fstack-protector-*
options.

A new platform function plat_get_stack_protector_canary() is introduced.
It returns a value that is used to initialize the canary for stack
corruption detection. Returning a random value will prevent an attacker
from predicting the value and greatly increase the effectiveness of the
protection.

A message is printed at the ERROR level when a stack corruption is
detected.

To be effective, the global data must be stored at an address
lower than the base of the stacks. Failure to do so would allow an
attacker to overwrite the canary as part of an attack which would void
the protection.

FVP implementation of plat_get_stack_protector_canary is weak as
there is no real source of entropy on the FVP. It therefore relies on a
timer's value, which could be predictable.

Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

show more ...

Merge pull request #774 from jeenu-arm/no-return-macro

Define and use no_ret macro where no return is expected

Define and use no_ret macro where no return is expected

There are many instances in ARM Trusted Firmware where control is
transferred to functions from which return isn't expected. Such jumps
are ma

Define and use no_ret macro where no return is expected

There are many instances in ARM Trusted Firmware where control is
transferred to functions from which return isn't expected. Such jumps
are made using 'bl' instruction to provide the callee with the location
from which it was jumped to. Additionally, debuggers infer the caller by
examining where 'lr' register points to. If a 'bl' of the nature
described above falls at the end of an assembly function, 'lr' will be
left pointing to a location outside of the function range. This misleads
the debugger back trace.

This patch defines a 'no_ret' macro to be used when jumping to functions
from which return isn't expected. The macro ensures to use 'bl'
instruction for the jump, and also, for debug builds, places a 'nop'
instruction immediately thereafter (unless instructed otherwise) so as
to leave 'lr' pointing within the function range.

Change-Id: Ib34c69fc09197cfd57bc06e147cc8252910e01b0
Co-authored-by: Douglas Raillard <douglas.raillard@arm.com>
Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>

show more ...

Merge pull request #713 from yatharth-arm/yk/AArch32_porting

Add basic AArch32 support for BL1 & BL2

AArch32: Add generic changes in BL2

This patch adds generic changes in BL2 to support AArch32 state.
New AArch32 specific assembly/C files are introduced and
some files are moved to AArch32/64 speci

AArch32: Add generic changes in BL2

This patch adds generic changes in BL2 to support AArch32 state.
New AArch32 specific assembly/C files are introduced and
some files are moved to AArch32/64 specific folders.
BL2 for AArch64 is refactored but functionally identical.

BL2 executes in Secure SVC mode in AArch32 state.

Change-Id: Ifaacbc2a91f8640876385b953adb24744d9dbde3

show more ...