Merge changes I44f90daa,I0fed6ef4,I018869d3,I9089b3ad,Ibf5b3a80 into integration

* changes:
refactor(fvp): always build RAS files
fix(fvp): give fvp_ras.c better dependencies
fix(cpufeat): add

Merge changes I44f90daa,I0fed6ef4,I018869d3,I9089b3ad,Ibf5b3a80 into integration

* changes:
refactor(fvp): always build RAS files
fix(fvp): give fvp_ras.c better dependencies
fix(cpufeat): add ras files to the build from a common location
fix(cm): do not restore spsr and elr twice on external aborts
fix(cm): do not save SCR_EL3 on external aborts

show more ...

fix(cm): do not restore spsr and elr twice on external aborts

el3_exit will restore SPSR_EL3 and ELR_EL3. There is no need to do it in
ea_proceed too as that is always followed by el3_exit.

Change-

fix(cm): do not restore spsr and elr twice on external aborts

el3_exit will restore SPSR_EL3 and ELR_EL3. There is no need to do it in
ea_proceed too as that is always followed by el3_exit.

Change-Id: I9089b3ada7785bc0d5fd1e05192f456ffe666789
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(cm): do not save SCR_EL3 on external aborts

SCR_EL3 is static. For non-root worlds, once initialised by
cm_setup_context(), its value is immutable and only restored by
el3_exit(). For the root w

fix(cm): do not save SCR_EL3 on external aborts

SCR_EL3 is static. For non-root worlds, once initialised by
cm_setup_context(), its value is immutable and only restored by
el3_exit(). For the root world (or EL3 when that's not a thing)
setup_el3_execution_context() (via prepare_el3_entry()) will write a
different static value in, with the expectation that el3_exit() will
wipe it. As such saving scr_el3 in the case of a double fault is not
necessary, and even harmful as the wrong (root's) value will get written
in.

Change-Id: Ibf5b3a809fc0208a98ded20fe8d50c7405f808b9
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving
refactor(cpufeat): convert FEAT_PAuth setup to C
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
chore(cpufeat): remove PAuth presence checks
feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

show more ...

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happ

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happening right after. Absorb it into prepare_el3_entry(),
handling the BL1/BL31 difference.

This is a good time to also move the key saving into the enable
function, also to centralise. With this it becomes apparent that saving
keys just before CPU_SUSPEND is redundant as they will be reinitialised
when the core wakes up.

Note that the key loading, now in save_gp_pmcr_pauth_regs, does not end
in an isb. The effects of the key change are not needed until the isb
in the caller, so this isb is not needed.

Change-Id: Idd286bea91140c106ab4c933c5c44b0bc2050ca2
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(el3-runtime): replace CTX_ESR_EL3 with CTX_DOUBLE_FAULT_ESR" into integration

fix(el3-runtime): replace CTX_ESR_EL3 with CTX_DOUBLE_FAULT_ESR

ESR_EL3 value is updated when an exception is taken to EL3 and its value
does not change until a new exception is taken to EL3. We nee

fix(el3-runtime): replace CTX_ESR_EL3 with CTX_DOUBLE_FAULT_ESR

ESR_EL3 value is updated when an exception is taken to EL3 and its value
does not change until a new exception is taken to EL3. We need to save
ESR in context memory only when we expect nested exception in EL3.

The scenarios where we would expect nested EL3 execution are related
with FFH_SUPPORT, namely
1.Handling pending async EAs at EL3 boundry
- It uses CTX_SAVED_ESR_EL3 to preserve origins esr_el3
2.Double fault handling
- Introduce an explicit storage (CTX_DOUBLE_FAULT_ESR) for esr_el3
to take care of DobuleFault.

As the ESR context has been removed, read the register directly instead
of its context value in RD platform.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I7720c5f03903f894a77413a235e3cc05c86f9c17

show more ...

Merge "fix(el3-runtime): for nested serrors, restore x30 to lower EL address" into integration

fix(el3-runtime): for nested serrors, restore x30 to lower EL address

In FFH mode, When handling nested serrors, serror is handled once and
all subsequent serrors are considered handled.And EL3 dire

fix(el3-runtime): for nested serrors, restore x30 to lower EL address

In FFH mode, When handling nested serrors, serror is handled once and
all subsequent serrors are considered handled.And EL3 directly return
to lower EL.

While returning to lower EL, x30 is restore to CTX_SAVED_GPREG_LR
address.CTX_SAVED_GPREG_LR address belongs to EL3 address range and
this address will not be accessible in lower EL.

After return to lower EL, when lower EL access x30, segmentation fault
happens and Kernel kills application.

This patch restore x30 to lower EL address (CTX_GPREG_LR) to avoid
segmentation fault at lower EL.

Change-Id: Ie8becb206e0c0204e01d12ab63ae6e915dcf33e4
Signed-off-by: Jaiprakash Singh <jaiprakashs@marvell.com>

show more ...

Merge changes from topic "mp/exceptions" into integration

* changes:
docs(ras): update RAS documentation
docs(el3-runtime): update BL31 exception vector handling
fix(el3-runtime): restrict low

Merge changes from topic "mp/exceptions" into integration

* changes:
docs(ras): update RAS documentation
docs(el3-runtime): update BL31 exception vector handling
fix(el3-runtime): restrict lower el EA handlers in FFH mode
fix(ras): remove RAS_FFH_SUPPORT and introduce FFH_SUPPORT
fix(ras): restrict ENABLE_FEAT_RAS to have only two states
feat(ras): use FEAT_IESB for error synchronization
feat(el3-runtime): modify vector entry paths

show more ...

fix(el3-runtime): restrict lower el EA handlers in FFH mode

This patch does following changes to restrict handling of lower EL
EA's only if FFH mode is enabled.

- Compile ea_delegate.S only if FFH

fix(el3-runtime): restrict lower el EA handlers in FFH mode

This patch does following changes to restrict handling of lower EL
EA's only if FFH mode is enabled.

- Compile ea_delegate.S only if FFH mode is enabled.
- For Sync exception from lower ELs if the EC is not SMC or SYS reg
trap it was assumed that it is an EA, which is not correct. Move
the known Sync exceptions (EL3 Impdef) out of sync EA handler.
- Report unhandled exceptions if there are SError from lower EL in
KFH mode, as this is unexpected.
- Move code out of ea_delegate.S which are used for KFH mode.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I577089677d0ec8cde7c20952172bee955573d2ed

show more ...

fix(ras): remove RAS_FFH_SUPPORT and introduce FFH_SUPPORT

This patch removes RAS_FFH_SUPPORT macro which is the combination of
ENABLE_FEAT_RAS and HANDLE_EA_EL3_FIRST_NS. Instead introduce an
inter

fix(ras): remove RAS_FFH_SUPPORT and introduce FFH_SUPPORT

This patch removes RAS_FFH_SUPPORT macro which is the combination of
ENABLE_FEAT_RAS and HANDLE_EA_EL3_FIRST_NS. Instead introduce an
internal macro FFH_SUPPORT which gets enabled when platforms wants
to enable lower EL EA handling at EL3. The internal macro FFH_SUPPORT
will be automatically enabled if HANDLE_EA_EL3_FIRST_NS is enabled.
FFH_SUPPORT along with ENABLE_FEAT_RAS will be used in source files
to provide equivalent check which was provided by RAS_FFH_SUPPORT
earlier. In generic code we needed a macro which could abstract both
HANDLE_EA_EL3_FIRST_NS and RAS_FFH_SUPPORT macros that had limitations.
Former was tied up with NS world only while the latter was tied to RAS
feature.

This is to allow Secure/Realm world to have their own FFH macros
in future.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ie5692ccbf462f5dcc3f005a5beea5aa35124ac73

show more ...

feat(el3-runtime): modify vector entry paths

Vector entries in EL3 from lower ELs, first check for any pending
async EAs from lower EL before handling the original exception.
This happens when there

feat(el3-runtime): modify vector entry paths

Vector entries in EL3 from lower ELs, first check for any pending
async EAs from lower EL before handling the original exception.
This happens when there is an error (EA) in the system which is not
yet signaled to PE while executing at lower EL. During entry into EL3
the errors (EA) are synchronized causing async EA to pend at EL3.

On detecting the pending EA (via ISR_EL1.A) EL3 either reflects it back
to lower EL (KFH) or handles it in EL3 (FFH) based on EA routing model.

In case of Firmware First handling mode (FFH), EL3 handles the pended
EA first before returing back to handle the original exception.

While in case of Kernel First handling mode (KFH), EL3 will return back
to lower EL without handling the original exception. On returing to
lower EL, EA will be pended. In KFH mode there is a risk of back and
forth between EL3 and lower EL if the EA is masked at lower EL or
priority of EA is lower than that of original exception. This is a
limitation in current architecture but can be solved in future if EL3
gets a capability to inject virtual SError.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I3a2a31de7cf454d9d690b1ef769432a5b24f6c11

show more ...

Merge "fix(pmu): unconditionally save PMCR_EL0" into integration

Merge changes from topic "mp/feat_ras" into integration

* changes:
refactor(cpufeat): enable FEAT_RAS for FEAT_STATE_CHECKED
refactor(ras): replace RAS_EXTENSION with FEAT_RAS

refactor(ras): replace RAS_EXTENSION with FEAT_RAS

The current usage of RAS_EXTENSION in TF-A codebase is to cater for two
things in TF-A :
1. Pull in necessary framework and platform hooks for Firm

refactor(ras): replace RAS_EXTENSION with FEAT_RAS

The current usage of RAS_EXTENSION in TF-A codebase is to cater for two
things in TF-A :
1. Pull in necessary framework and platform hooks for Firmware first
handling(FFH) of RAS errors.
2. Manage the FEAT_RAS extension when switching the worlds.

FFH means that all the EAs from NS are trapped in EL3 first and signaled
to NS world later after the first handling is done in firmware. There is
an alternate way of handling RAS errors viz Kernel First handling(KFH).
Tying FEAT_RAS to RAS_EXTENSION build flag was not correct as the
feature is needed for proper handling KFH in as well.

This patch breaks down the RAS_EXTENSION flag into a flag to denote the
CPU architecture `ENABLE_FEAT_RAS` which is used in context management
during world switch and another flag `RAS_FFH_SUPPORT` to pull in
required framework and platform hooks for FFH.

Proper support for KFH will be added in future patches.

BREAKING CHANGE: The previous RAS_EXTENSION is now deprecated. The
equivalent functionality can be achieved by the following
2 options:
- ENABLE_FEAT_RAS
- RAS_FFH_SUPPORT

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I1abb9ab6622b8f1b15712b12f17612804d48a6ec

show more ...

fix(pmu): unconditionally save PMCR_EL0

Reading back a RES0 bit does not necessarily mean it will be read as 0.
The Arm ARM explicitly warns against doing this. The PMU initialisation
code tries to

fix(pmu): unconditionally save PMCR_EL0

Reading back a RES0 bit does not necessarily mean it will be read as 0.
The Arm ARM explicitly warns against doing this. The PMU initialisation
code tries to set such bits to 1 (in MDCR_EL3) regardless of whether
they are in use or are RES0, checking their value could be wrong and
PMCR_EL0 might not end up being saved.

Save PMCR_EL0 unconditionally to prevent this. Remove the security state
change as the outgoing state is not relevant to what the root world
context should look like.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Id43667d37b0e2da3ded0beaf23fa0d4f9013f470

show more ...

Merge changes from topic "panic_cleanup" into integration

* changes:
refactor(bl31): use elx_panic for sysreg_handler64
refactor(aarch64): rename do_panic and el3_panic
refactor(aarch64): remo

Merge changes from topic "panic_cleanup" into integration

* changes:
refactor(bl31): use elx_panic for sysreg_handler64
refactor(aarch64): rename do_panic and el3_panic
refactor(aarch64): remove weak links to el3_panic
refactor(aarch64): refactor usage of elx_panic
refactor(aarch64): cleanup HANDLE_EA_EL3_FIRST_NS usage

show more ...

refactor(aarch64): rename do_panic and el3_panic

Current panic call invokes do_panic which calls el3_panic, but now panic
handles only panic from EL3 anid clear separation to use lower_el_panic()
wh

refactor(aarch64): rename do_panic and el3_panic

Current panic call invokes do_panic which calls el3_panic, but now panic
handles only panic from EL3 anid clear separation to use lower_el_panic()
which handles panic from lower ELs.

So now we can remove do_panic and just call el3_panic for all panics.

Change-Id: I739c69271b9fb15c1176050877a9b0c0394dc739
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

Merge changes I63b584cf,I617f3d41 into integration

* changes:
refactor(el3_runtime): unify handle/enter_lower_el_async_ea
refactor(el3_runtime): introduce save_x30 macro

refactor(el3_runtime): unify handle/enter_lower_el_async_ea

handle_lower_el_async_ea and enter_lower_el_async_ea are same except for
saving x30 register, with previous patch x30 is now freed before

refactor(el3_runtime): unify handle/enter_lower_el_async_ea

handle_lower_el_async_ea and enter_lower_el_async_ea are same except for
saving x30 register, with previous patch x30 is now freed before calling
these function we don't need both of them.

This patch also unifies the naming convention, now we have 3 handlers
- handle_lower_el_ea_esb
- handle_lower_el_sync_ea
- handle_lower_el_async_ea

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I63b584cf059bac80195aa334981d50fa6272cf49

show more ...

Merge changes from topic "mp/ras_refactoring" into integration

* changes:
fix(debug): decouple "get_el_str()" from backtrace
fix(bl31): harden check in delegate_async_ea

fix(bl31): harden check in delegate_async_ea

Following hardening done around ESR_EL3 register usage
- Panic if exception is anyting other than SError
- AET bit is only valid if DFSC is 0x11, move

fix(bl31): harden check in delegate_async_ea

Following hardening done around ESR_EL3 register usage
- Panic if exception is anyting other than SError
- AET bit is only valid if DFSC is 0x11, move DFSC check before AET.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ib15159920f6cad964332fd40f88943aee2bc73b4

show more ...

Merge "fix(bl31): pass the EA bit to 'delegate_sync_ea'" into integration

fix(bl31): pass the EA bit to 'delegate_sync_ea'

During a synchronous exception, the 'enter_lower_el_sync_ea' handler
tests the ESR_EL3 EA bit and calls 'report_unhandled_exception', if
it is not se

fix(bl31): pass the EA bit to 'delegate_sync_ea'

During a synchronous exception, the 'enter_lower_el_sync_ea' handler
tests the ESR_EL3 EA bit and calls 'report_unhandled_exception', if
it is not set.

EA = 0 and IFSC = SEA, seems to be a contradiction. EA provides further
classification of a synchronous abort. A synchronous abort is determined
by the IFSC value on an instruction fetch synchronous abort. As a result,
EA will never be set to 1 on an instruction fetch synchronous abort and
'report_unhandled_exception' should not be called.

This patch removes this behavior to allow the platform to handle the
exception.

Signed-off-by: Nicolas Benech <nbenech@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Change-Id: I3f004447ad4316d81649063e1ffb3ac644c83ede

show more ...