Merge changes from topic "hm/handoff-mb" into integration

* changes:
feat(arm): support boot info handoff and event log
fix(arm): update tsp_early_platform_setup prototype
fix(xilinx): update

Merge changes from topic "hm/handoff-mb" into integration

* changes:
feat(arm): support boot info handoff and event log
fix(arm): update tsp_early_platform_setup prototype
fix(xilinx): update tsp_early_platform_setup prototype
fix(socionext): update tsp_early_platform_setup prototype
fix(msm8916): update tsp_early_platform_setup prototype
feat(tsp): cascade boot arguments to platforms
feat(fvp): port event log to firmware handoff
feat(arm): port event log to firmware handoff
feat(fvp): increase bl2 mmap len for handoff
feat(measured-boot): add fw handoff event log utils

show more ...

feat(tsp): cascade boot arguments to platforms

Enable platforms to receive boot arguments passed to the TSP, allowing
them to make use of these parameters.

This is in preparation for supporting Fir

feat(tsp): cascade boot arguments to platforms

Enable platforms to receive boot arguments passed to the TSP, allowing
them to make use of these parameters.

This is in preparation for supporting Firmware Handoff within the TSP.

BREAKING CHANGE: The prototype for `tsp_early_platform_setup` has been
redefined. Platforms must update their implementations to match the new
function signature.

Change-Id: I4b5c6493bb62846aaa0d9e330d8aa06e6a0525a8
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving
refactor(cpufeat): convert FEAT_PAuth setup to C
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
chore(cpufeat): remove PAuth presence checks
feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

show more ...

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT o

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT out of the PAuth enablement and place it in the respective
entrypoints where we initialise SCTLR_EL3. This makes PAuth
self-contained and SCTLR_EL3 initialisation centralised.

Change-Id: I0c0657ff1e78a9652cd2cf1603478283dc01f17b
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "ffa_el3_spmc" into integration

* changes:
feat(tsp): add FF-A support to the TSP
feat(fvp/tsp_manifest): add example manifest for TSP
fix(spmc): fix relinquish valida

Merge changes from topic "ffa_el3_spmc" into integration

* changes:
feat(tsp): add FF-A support to the TSP
feat(fvp/tsp_manifest): add example manifest for TSP
fix(spmc): fix relinquish validation check

show more ...

feat(tsp): add FF-A support to the TSP

This patch adds the FF-A programming model in the test
secure payload to ensure that it can be used to test
the following spec features.

1. SP initialisation

feat(tsp): add FF-A support to the TSP

This patch adds the FF-A programming model in the test
secure payload to ensure that it can be used to test
the following spec features.

1. SP initialisation on the primary and secondary cpus.
2. An event loop to receive direct requests and respond
with direct responses.
3. Ability to receive messages that indicate power on
and off of a cpu.
4. Ability to handle a secure interrupt.

Signed-off-by: Achin Gupta <achin.gupta@arm.com>
Signed-off-by: Marc Bonnici <marc.bonnici@arm.com>
Signed-off-by: Shruti <shruti.gupta@arm.com>
Change-Id: I81cf744904d5cdc0b27862b5e4bc6f2cfe58a13a

show more ...

Merge "fix(pie): invalidate data cache in the entire image range if PIE is enabled" into integration

fix(pie): invalidate data cache in the entire image range if PIE is enabled

Currently on image entry, the data cache in the RW address range is
invalidated before MMU is enabled to safeguard against

fix(pie): invalidate data cache in the entire image range if PIE is enabled

Currently on image entry, the data cache in the RW address range is
invalidated before MMU is enabled to safeguard against potential
stale data from previous firmware stage. If PIE is enabled however,
RO sections including the GOT may be also modified during pie fixup.
Therefore, to be on the safe side, invalidate the entire image
region if PIE is enabled.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I7ee2a324fe4377b026e32f9ab842617ad4e09d89

show more ...

Merge changes I15e7cc43,Id7411bd5,I92bafe70,I8f1c0658 into integration

* changes:
stm32mp1: enable PIE for BL32
stm32mp1: set BL sizes regardless of flags
Add PIE support for AARCH32
Avoid t

Merge changes I15e7cc43,Id7411bd5,I92bafe70,I8f1c0658 into integration

* changes:
stm32mp1: enable PIE for BL32
stm32mp1: set BL sizes regardless of flags
Add PIE support for AARCH32
Avoid the use of linker *_SIZE__ macros

show more ...

Avoid the use of linker *_SIZE__ macros

The use of end addresses is preferred over the size of sections.
This was done for some AARCH64 files for PIE with commit [1],
and some extra explanations can

Avoid the use of linker *_SIZE__ macros

The use of end addresses is preferred over the size of sections.
This was done for some AARCH64 files for PIE with commit [1],
and some extra explanations can be found in its commit message.
Align the missing AARCH64 files.

For AARCH32 files, this is required to prepare PIE support introduction.

[1] f1722b693d36 ("PIE: Use PC relative adrp/adr for symbol reference")

Change-Id: I8f1c06580182b10c680310850f72904e58a54d7d
Signed-off-by: Yann Gautier <yann.gautier@st.com>

show more ...

Merge "Increase type widths to satisfy width requirements" into integration

Increase type widths to satisfy width requirements

Usually, C has no problem up-converting types to larger bit sizes. MISRA
rule 10.7 requires that you not do this, or be very explicit about this.
T

Increase type widths to satisfy width requirements

Usually, C has no problem up-converting types to larger bit sizes. MISRA
rule 10.7 requires that you not do this, or be very explicit about this.
This resolves the following required rule:

bl1/aarch64/bl1_context_mgmt.c:81:[MISRA C-2012 Rule 10.7 (required)]<None>
The width of the composite expression "0U | ((mode & 3U) << 2U) | 1U |
0x3c0U" (32 bits) is less that the right hand operand
"18446744073709547519ULL" (64 bits).

This also resolves MISRA defects such as:

bl2/aarch64/bl2arch_setup.c:18:[MISRA C-2012 Rule 12.2 (required)]
In the expression "3U << 20", shifting more than 7 bits, the number
of bits in the essential type of the left expression, "3U", is
not allowed.

Further, MISRA requires that all shifts don't overflow. The definition of
PAGE_SIZE was (1U << 12), and 1U is 8 bits. This caused about 50 issues.
This fixes the violation by changing the definition to 1UL << 12. Since
this uses 32bits, it should not create any issues for aarch32.

This patch also contains a fix for a build failure in the sun50i_a64
platform. Specifically, these misra fixes removed a single and
instruction,

92407e73 and x19, x19, #0xffffffff

from the cm_setup_context function caused a relocation in
psci_cpus_on_start to require a linker-generated stub. This increased the
size of the .text section and caused an alignment later on to go over a
page boundary and round up to the end of RAM before placing the .data
section. This sectionn is of non-zero size and therefore causes a link
error.

The fix included in this reorders the functions during link time
without changing their ording with respect to alignment.

Change-Id: I76b4b662c3d262296728a8b9aab7a33b02087f16
Signed-off-by: Jimmy Brisson <jimmy.brisson@arm.com>

show more ...

Merge changes from topic "pie" into integration

* changes:
uniphier: make all BL images completely position-independent
uniphier: make uniphier_mmap_setup() work with PIE
uniphier: pass SCP ba

Merge changes from topic "pie" into integration

* changes:
uniphier: make all BL images completely position-independent
uniphier: make uniphier_mmap_setup() work with PIE
uniphier: pass SCP base address as a function parameter
uniphier: set buffer offset and length for io_block dynamically
uniphier: use more mmap_add_dynamic_region() for loading images
bl_common: add BL_END macro
uniphier: turn on ENABLE_PIE
TSP: add PIE support
BL2_AT_EL3: add PIE support
BL31: discard .dynsym .dynstr .hash sections to make ENABLE_PIE work
PIE: pass PIE options only to BL31
Build: support per-BL LDFLAGS

show more ...

TSP: add PIE support

This implementation simply mimics that of BL31.

Change-Id: Ibbaa4ca012d38ac211c52b0b3e97449947160e07
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Merge "Refactor ARMv8.3 Pointer Authentication support code" into integration

Refactor ARMv8.3 Pointer Authentication support code

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key gene

Refactor ARMv8.3 Pointer Authentication support code

This patch provides the following features and makes modifications
listed below:
- Individual APIAKey key generation for each CPU.
- New key generation on every BL31 warm boot and TSP CPU On event.
- Per-CPU storage of APIAKey added in percpu_data[]
of cpu_data structure.
- `plat_init_apiakey()` function replaced with `plat_init_apkey()`
which returns 128-bit value and uses Generic timer physical counter
value to increase the randomness of the generated key.
The new function can be used for generation of all ARMv8.3-PAuth keys
- ARMv8.3-PAuth specific code placed in `lib\extensions\pauth`.
- New `pauth_init_enable_el1()` and `pauth_init_enable_el3()` functions
generate, program and enable APIAKey_EL1 for EL1 and EL3 respectively;
pauth_disable_el1()` and `pauth_disable_el3()` functions disable
PAuth for EL1 and EL3 respectively;
`pauth_load_bl31_apiakey()` loads saved per-CPU APIAKey_EL1 from
cpu-data structure.
- Combined `save_gp_pauth_registers()` function replaces calls to
`save_gp_registers()` and `pauth_context_save()`;
`restore_gp_pauth_registers()` replaces `pauth_context_restore()`
and `restore_gp_registers()` calls.
- `restore_gp_registers_eret()` function removed with corresponding
code placed in `el3_exit()`.
- Fixed the issue when `pauth_t pauth_ctx` structure allocated space
for 12 uint64_t PAuth registers instead of 10 by removal of macro
CTX_PACGAKEY_END from `include/lib/el3_runtime/aarch64/context.h`
and assigning its value to CTX_PAUTH_REGS_END.
- Use of MODE_SP_ELX and MODE_SP_EL0 macro definitions
in `msr spsel` instruction instead of hard-coded values.
- Changes in documentation related to ARMv8.3-PAuth and ARMv8.5-BTI.

Change-Id: Id18b81cc46f52a783a7e6a09b9f149b6ce803211
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

show more ...

Merge "Add support for Branch Target Identification" into integration

Add support for Branch Target Identification

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by add

Add support for Branch Target Identification

This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit [50] to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
than BTI.
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
instruction.
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.

Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

show more ...

Merge pull request #1878 from jts-arm/sctlr

Apply stricter speculative load restriction

Apply stricter speculative load restriction

The SCTLR.DSSBS bit is zero by default thus disabling speculative loads.
However, we also explicitly set it to zero for BL2 and TSP images when
each image

Apply stricter speculative load restriction

The SCTLR.DSSBS bit is zero by default thus disabling speculative loads.
However, we also explicitly set it to zero for BL2 and TSP images when
each image initialises its context. This is done to ensure that the
image environment is initialised in a safe state, regardless of the
reset value of the bit.

Change-Id: If25a8396641edb640f7f298b8d3309d5cba3cd79
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>

show more ...

Merge pull request #1829 from antonio-nino-diaz-arm/an/pauth

Add Pointer Authentication (ARMv8.3-PAuth) support to the TF

TSP: Enable pointer authentication support

The size increase after enabling options related to ARMv8.3-PAuth is:

+----------------------------+-------+-------+-------+--------+
|

TSP: Enable pointer authentication support

The size increase after enabling options related to ARMv8.3-PAuth is:

+----------------------------+-------+-------+-------+--------+
| | text | bss | data | rodata |
+----------------------------+-------+-------+-------+--------+
| CTX_INCLUDE_PAUTH_REGS = 1 | +40 | +0 | +0 | +0 |
| | 0.4% | | | |
+----------------------------+-------+-------+-------+--------+
| ENABLE_PAUTH = 1 | +352 | +0 | +16 | +0 |
| | 3.1% | | 15.8% | |
+----------------------------+-------+-------+-------+--------+

Results calculated with the following build configuration:

make PLAT=fvp SPD=tspd DEBUG=1 \
SDEI_SUPPORT=1 \
EL3_EXCEPTION_HANDLING=1 \
TSP_NS_INTR_ASYNC_PREEMPT=1 \
CTX_INCLUDE_PAUTH_REGS=1 \
ENABLE_PAUTH=1

Change-Id: I6cc1fe0b2345c547dcef66f98758c4eb55fe5ee4
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1726 from antonio-nino-diaz-arm/an/includes

Sanitise includes across codebase

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- inclu

Sanitise includes across codebase

Enforce full include path for includes. Deprecate old paths.

The following folders inside include/lib have been left unchanged:

- include/lib/cpus/${ARCH}
- include/lib/el3_runtime/${ARCH}

The reason for this change is that having a global namespace for
includes isn't a good idea. It defeats one of the advantages of having
folders and it introduces problems that are sometimes subtle (because
you may not know the header you are actually including if there are two
of them).

For example, this patch had to be created because two headers were
called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform
to avoid collision."). More recently, this patch has had similar
problems: 46f9b2c3a282 ("drivers: add tzc380 support").

This problem was introduced in commit 4ecca33988b9 ("Move include and
source files to logical locations"). At that time, there weren't too
many headers so it wasn't a real issue. However, time has shown that
this creates problems.

Platforms that want to preserve the way they include headers may add the
removed paths to PLAT_INCLUDES, but this is discouraged.

Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>

show more ...

Merge pull request #1429 from jeenu-arm/mmu-direct

Enable MMU without stack for xlat v2/DynamIQ