Merge changes from topic "lfa-prime-error-handling" into integration

* changes:
feat(lfa): introduce support for call_again for LFA_PRIME
feat(lfa): allow LFA_PRIME from one CPU at a time

feat(lfa): introduce support for call_again for LFA_PRIME

LFA_PRIME is a single-threaded operation that is not pinned to
a specific CPU. The implementation must support calls being
issued from diffe

feat(lfa): introduce support for call_again for LFA_PRIME

LFA_PRIME is a single-threaded operation that is not pinned to
a specific CPU. The implementation must support calls being
issued from different CPUs, even for several calls to prime the
same component.

This patch checks if the plat_lfa_load_auth_image return -EAGAIN
indicating that the platform expects the LFA_PRIME call to be
issued again. This is done by returning LFA_SUCCESS and setting
flags[0] to 1, indicating that LFA_PRIME is incomplete and must
be called again.

Change-Id: Ia3046b5467c50c4c51392bac3fb9e9533f2438db
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>

show more ...

Merge "refactor(docs): deduplicate PSCI documentation" into integration

refactor(docs): deduplicate PSCI documentation

It is already described in the porting guide and context management
sections so it's largely redundant. It also hasn't been updated for a
while despite

refactor(docs): deduplicate PSCI documentation

It is already described in the porting guide and context management
sections so it's largely redundant. It also hasn't been updated for a
while despite lots going on around PSCI so it's clearly not read often.
The only part that isn't is that for describing a new secure dispatcher,
which belongs in the porting guide.

Change-Id: Icdc53e19565f0785bc8a112e5eb49df1b365c66c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "xl/fwu-trial-run" into integration

* changes:
fix(fwu): fwu NV ctr upgraded on trial run
feat(docs): platform hook for whether NV ctr is shared
feat(fwu): add platfor

Merge changes from topic "xl/fwu-trial-run" into integration

* changes:
fix(fwu): fwu NV ctr upgraded on trial run
feat(docs): platform hook for whether NV ctr is shared
feat(fwu): add platform hook for shared NV ctr

show more ...

Merge "fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean" into integration

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7a072b6e8fc25f77218785a4fc0da8
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the M

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the MMU and we can
rely on all accesses being coherent. However, this is not the case when
HW_ASSISTED_COHERENCY=0. Most of EL3's initialisation (especially on
warm boot) happens with the MMU on but with caching being off. Caches
are only enabled deep into CPU_ON processing when we can be certain the
core has entered coherency. This latter case is the subject of this
patch.

Prior to this patch, the way to work around that was to clean the
apiakey cpu_data storage right after writing it. The write would have
gone straight to memory as caches were off and the clean asserted that
nothing would be in the caches which were assumed to be invalid since
we've just came out of reset.

The problem with this is that we cannot assume that ALL caches are
invalid when coming out of reset. We can reasonably assume those private
to the core to be (so the L1 and/or the L2; those are guaranteed to be
invalidated out of reset for every Arm core) but that is not the case
for shared caches (eg an L2/L3 DSU cache) which can be on when a core
powers down. So the old keys could still be live in the shared cache, we
write new ones to memory and clean the old to memory too, undoing the
work.

So the correct thing to do is to clean and invalidate the cache prior to
writing the keys to memory and invalidate it after. This ensures that if
there is any other data after the apiakey, which shares the cache line,
it will be safely forwarded to memory and the caches will be invalid
when caching is turned on.

It is important to note at this point that this was never observed in
practice - every known configuration that uses PAuth has the apiakey as
the very last member of the cpu_data struct which is padded up to a
cache line and the usage of the apiakey is such that it was never
allocated into the shared caches. So the clean would effectively perform
an invalidate of only the apiakey and all worked well. This was only
spotted with a proposed patch that added data after the apiakey
(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/39698/7).

Change-Id: I8493221dff53114c5c56dd73fbfd2a3301e2542c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(docs): fix some broken links" into integration

fix(docs): fix some broken links

Fix few broken links from docs.

Link check was done with following steps -

[..]
tf-a/docs$ make clean -j8; poetry run make html -j8
tf-a/docs$ poetry run sphinx-bu

fix(docs): fix some broken links

Fix few broken links from docs.

Link check was done with following steps -

[..]
tf-a/docs$ make clean -j8; poetry run make html -j8
tf-a/docs$ poetry run sphinx-build -j8 -q -b linkcheck . build/
[..]

Add link check conf values to config.py
- avoid reporting false broken links when `#`(anchors) are present
in the link.
- avoid checking for broken links in "change-log.md", this is summary
of commit msg's we are not going to fix broken links in cmt-msg's

Change-Id: I384094c8dcf3e93875c9052afa79ad826b9901d9
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

Merge changes from topic "lfa-plat-activate" into integration

* changes:
feat(fvp): add stub implementation for plat_lfa_notify_activate()
feat(lfa): add platform hook for activation notification

feat(lfa): add platform hook for activation notification

Introduce a new platform API, plat_lfa_notify_activate(), which allows
the platform to notify its security engine to begin component
activati

feat(lfa): add platform hook for activation notification

Introduce a new platform API, plat_lfa_notify_activate(), which allows
the platform to notify its security engine to begin component
activation. The function accepts a component identifier and should
return 0 on success or an error code on failure.

Documentation and header files are updated accordingly, and the call is
integrated into the LFA activation path.

Change-Id: Ic66aa675bba62633cc92992b965d144a6f9ef129
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

show more ...

Merge changes from topic "xl/corrupted-gpt" into integration

* changes:
feat(arm): implement arm platform GPT logging
feat(docs): platform hook to log GPT corruption
feat(guid-partition): plat

Merge changes from topic "xl/corrupted-gpt" into integration

* changes:
feat(arm): implement arm platform GPT logging
feat(docs): platform hook to log GPT corruption
feat(guid-partition): platform hook to log corrupted GPT

show more ...

feat(docs): platform hook to log GPT corruption

The log GPT corruption add several platform hook for log GPT
corruption. Update the documentation for the functions.

Change-Id: Ia2ec3654c869801aece9

feat(docs): platform hook to log GPT corruption

The log GPT corruption add several platform hook for log GPT
corruption. Update the documentation for the functions.

Change-Id: Ia2ec3654c869801aece95b19ae5a5020cb01f905
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

Merge "fix(rme): fix incorrect shift operation in rmmd" into integration

fix(rme): fix incorrect shift operation in rmmd

This patch fixes the shift operation in rmmd_mecid_key_update().
Also, a function name fix is made to the platform porting guide.

Change-Id: I80f0e26

fix(rme): fix incorrect shift operation in rmmd

This patch fixes the shift operation in rmmd_mecid_key_update().
Also, a function name fix is made to the platform porting guide.

Change-Id: I80f0e2653dcb5cdd7b5937506ca040b2105ca3ce
Signed-off-by: Soby Mathew <soby.mathew@arm.com>

show more ...

Merge changes I32c5be5d,I15a652a0 into integration

* changes:
fix(qemu): add reason parameter to MEC update
refactor(rmmd): modify MEC update call to meet FIRME

refactor(rmmd): modify MEC update call to meet FIRME

Previous version of MEC refresh call was not compliant with FIRME [1].
This patch modifies the call so it is compliant with the specification.

[

refactor(rmmd): modify MEC update call to meet FIRME

Previous version of MEC refresh call was not compliant with FIRME [1].
This patch modifies the call so it is compliant with the specification.

[1] https://developer.arm.com/documentation/den0149/1-0alp0/

Change-Id: I15a652a021561edca16e79d127e6f08975cf1361
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>

show more ...

Merge changes from topic "rmm-lfa" into integration

* changes:
feat(rmmd): add RMM_RESERVE_MEMORY SMC handler
feat(rmmd): add per-CPU activation token

feat(rmmd): add RMM_RESERVE_MEMORY SMC handler

At the moment any memory required by an R-EL2 manager (RMM) needs to
be known at compile time: that sets the size of the .data and .bss
segments. Some

feat(rmmd): add RMM_RESERVE_MEMORY SMC handler

At the moment any memory required by an R-EL2 manager (RMM) needs to
be known at compile time: that sets the size of the .data and .bss
segments. Some resources depend on the particular machine this will be
running on, the prime example is TF-RMM's granule array, which needs to
know the maximum memory supported beforehand. Other data structures
might depend on the number of CPU cores.

To provide more flexibility, but keep the memory footprint as small as
possible, let's introduce some memory reservation SMC. Any RMM
implementation can ask EL3 for some memory, and would get the physical
address of a usable chunk of memory back. This must happen at RMM boot
time, so before the RMM concluded the boot phase with the
RMM_BOOT_COMPLETE SMC call. Also there is no provision to free memory
again, this would not be needed for the use case of sizing platform
resources, and avoids the complexity of a full-fledged memory allocator.

Add the new RMM_RESERVE_MEMORY command to the implementation defined
RMM-EL3 SMC interface, both in code and documentation. The actual memory
reservation is made a platform implementation, but a simple
implementation is provided, which is used for the FVP platform already:
it will just pick the next matching chunk of memory from the top end of
the RMM carveout. This way the memory reservation will grow down from
the end of the carveout, in a stack-like fashion, until it reaches the
end of the RMM payload, located at the beginning of the carveout. Since
secondary cores might also reserve memory at boot time, there is a
spinlock to protect the simple allocation algorithm.
Other platforms can choose to provide a more sophisticated reservation
algorithm, for instance one taking NUMA locality into account.

This patch just provides the call, at this point there is no obligation
to use the feature, although future TF-RMM versions would rely on it.

Change-Id: I096ac8870ee38f44e18850779fcae829a43a8fd1
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge "fix(drtm): remove plat_system_reset()" into integration

fix(drtm): remove plat_system_reset()

The name plat_system_reset() has been in use for some time by a mediatek
platform (in plat/mediatek/mt8173/plat_pm.c). However, DRTM added a
global hook, that i

fix(drtm): remove plat_system_reset()

The name plat_system_reset() has been in use for some time by a mediatek
platform (in plat/mediatek/mt8173/plat_pm.c). However, DRTM added a
global hook, that is only implemented on FVP, that conflicts with it.
This sometimes results in failed builds.

DRTM remediation ends with a platform reset. However, there is currently
an error message printed that this is not supported. In this case, the
correct thing to do is to panic and as such this hook is not needed.

Further, the correct sequence to reset the system is different and is
only fully implemented by psci_system_reset(). This is a portable
implementation supported by a wide variety of platform.

So remove plat_system_reset(). Once DRTM remediation properly supports
resetting, the psci_system_reset() function should be used to achieve
reset correctly and portably.

Change-Id: Ia4e150c51aeec613838464fbb0e1d0542f19ccab
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "ar/soc_name" into integration

* changes:
feat(fvp): add SoC name support to FVP
feat(smccc): add SoC name support to SMCCC_ARCH_SOC_ID

feat(smccc): add SoC name support to SMCCC_ARCH_SOC_ID

This patch adds support for getting the SoC name string
using the SMCCC_ARCH_SOC_ID interface. The SoC name query
was introduced in SMCCC versi

feat(smccc): add SoC name support to SMCCC_ARCH_SOC_ID

This patch adds support for getting the SoC name string
using the SMCCC_ARCH_SOC_ID interface. The SoC name query
was introduced in SMCCC version 1.6. It is available only
through SMC64 calls.

A new function ID, SMCCC_GET_SOC_NAME, is added. It returns
the SoC name as a null-terminated ASCII string, spread across
registers X1 to X17 in little endian order.
The total length is 136 bytes, including the null byte.
Any space after the null terminator is filled
with zeros.

A platform hook plat_get_soc_name() is added to return the
SoC name. A weak default version is also provided that returns
SMC_ARCH_CALL_NOT_SUPPORTED for platforms that do not support
this feature.

The name should follow the SMCCC rule that it must not expose
any information that is not already reported
by the SoC version and revision calls.

Reference: https://developer.arm.com/documentation/den0028/latest/

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Idc69997c509bcbfb1cecb38ed1003b29627ade4b

show more ...

Merge changes from topic "bk/pabandon_cleanup" into integration

* changes:
feat(cpus): add pabandon support to the Alto cpu
feat(psci): optimise clock init on a pabandon
feat(psci): check that

Merge changes from topic "bk/pabandon_cleanup" into integration

* changes:
feat(cpus): add pabandon support to the Alto cpu
feat(psci): optimise clock init on a pabandon
feat(psci): check that CPUs handled a pabandon
feat(psci): make pabandon support generic
refactor(psci): unify coherency exit between AArch64 and AArch32
refactor(psci): absorb psci_power_down_wfi() into common code
refactor(platforms): remove usage of psci_power_down_wfi
fix(cm): disable SPE/TRBE correctly

show more ...