| #
04c39e46 |
| 24-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
feat(psci): make pabandon support generic
Support for aborted powerdowns does not require much dedicated code. Rather, it is largely a matter of orchestrating things to happen in the right order.
The only exception to this are older secure world dispatchers, which assume that a CPU_SUSPEND call will be terminal and therefore can clobber context. This was patched over in common code and hidden behind a flag. This patch moves this to the dispatchers themselves.
Dispatchers that don't register svc_suspend{_finish} are unaffected. Those that do must save the NS context before clobbering it and restoring it only in case of a pabandon. Due to this operation being non-trivial, this patch makes the assumption that these dispatchers will only be present on hardware that does not support pabandon and therefore does not add any contexting for them. In case this assumption ever changes, asserts are added that should alert us of this change.
Change-Id: I94a907515b782b4d2136c0d274246cfe1d567c0e
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| #
232c1892 |
| 11-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(psci): absorb psci_power_down_wfi() into common code
The AArch64 and AArch32 variants are not that different so there is no need for them to be in assembly. They should also not be called from non-PSCI code as PSCI is smart enough to handle this after platform hooks. So absorb the functions into common code.
This allows for a tiny bit of optimisation: there will be no branch (that can be missed or non-cached) to a non-inlineable function. Then in the terminal case we can call wfi() directly with the application of the erratum before the loop. And finally in the wakeup case, we don't have to explicitly clear the errata as that will happen automatically on the second call of prepare_cpu_pwr_dwn().
The A510 erratum requires a tsb csync before the dsb+wfi combo to turn the core off. We can do this a little bit earlier in the cpu hook and relieve common code from the responsibility. EL3 is always a prohibited region so the buffer will stay empty.
Change-Id: I5f950df3fb7b0736df4ce25a21f78b29896de215
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| #
711f42b2 |
| 20-Jun-2025 |
Olivier Deprez <olivier.deprez@arm.com> |
Merge changes from topic "mb/lfa-core-work" into integration
* changes:
  docs(maintainers): add myself as code owner for LFA service
  docs(lfa): update porting guide with LFA platform APIs
  feat(lfa): add LFA holding pen logic
  feat(lfa): add initial implementation for LFA_ACTIVATE
  feat(lfa): add initial implementation for LFA_PRIME
  feat(fvp): implement platform API for load and auth image
  feat(lfa): implement LFA_CANCEL SMC
  feat(fvp): implement platform API for LFA cancel operation
  feat(lfa): implement LFA_GET_INVENTORY SMC
  feat(fvp): implement platform API for LFA activation pending check
  feat(lfa): implement LFA_GET_INFO SMC and integrate LFA build
  feat(fvp): initialize LFA component activators in platform layer
  feat(rmm): add placeholder activator callbacks for LFA
  feat(bl31): add placeholder activator implementation for LFA
  feat(lfa): add activation handler interface for component activation
  feat(fvp): implement LFA get components API
  feat(lfa): create LFA SMC handler template
|
| #
b30eb04b |
| 15-Apr-2025 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
docs(lfa): update porting guide with LFA platform APIs
Add details about the LFA platform APIs to the porting guide, providing guidance on their usage and integration.
Change-Id: I3888c88ac649342172332b02b3e685df1e833b97
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
|
| #
ec56d595 |
| 15-Apr-2025 |
Soby Mathew <soby.mathew@arm.com> |
Merge changes from topic "sm/rpkm" into integration
* changes:
  docs(rmmd): document the EL3-RMM IDE KM Interface
  feat(trp): test el3-rmm ide km interface
  feat(rmmd): el3-rmm ide key management interface
|
| #
0616bf03 |
| 02-Apr-2025 |
Sona Mathew <sonarebecca.mathew@arm.com> |
docs(rmmd): document the EL3-RMM IDE KM Interface
This patch documents the EL3-RMM IDE KM interface.
Four IDE Key management smc calls have been added:
- RMM_IDE_KEY_PROG()
- RMM_IDE_KEY_SET_GO()
- RMM_IDE_KEY_SET_STOP()
- RMM_IDE_KM_PULL_RESPONSE()
Change-Id: Iea357ec16a2bee88573266c7a5c9fb36025f15f1
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
|
| #
48488245 |
| 20-Mar-2025 |
Soby Mathew <soby.mathew@arm.com> |
Merge changes from topic "mec" into integration
* changes:
  feat(qemu): add plat_rmmd_mecid_key_update()
  feat(rmmd): add RMM_MECID_KEY_UPDATE call
|
| #
f801fdc2 |
| 22-Apr-2024 |
Tushar Khandelwal <tushar.khandelwal@arm.com> |
feat(rmmd): add RMM_MECID_KEY_UPDATE call
With this addition, TF-A now has an SMC call to handle the update of MEC keys associated to MECIDs.
The behavior of this newly added call is empty for now until an implementation for the MPE (Memory Protection Engine) driver is available. Only parameter sanitization has been implemented.
Signed-off-by: Tushar Khandelwal <tushar.khandelwal@arm.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Signed-off-by: Juan Pablo Conde <juanpablo.conde@arm.com>
Change-Id: I2a969310b47e8c6da1817a79be0cd56158c6efc3
|
| #
4d6315e9 |
| 04-Mar-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge "docs(ras): document RAS considerations with powerdown" into integration
|
| #
4f1e0296 |
| 04-Mar-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "docs(psci): add a mention to the pwr_domain_pwr_down_wfi()" into integration
|
| #
507fca84 |
| 04-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
docs(psci): add a mention to the pwr_domain_pwr_down_wfi()
The function got renamed to pwr_domain_pwr_down() but have a reference to it for anyone wondering where it went.
Change-Id: Ica5fa11b9f18a7446c188e37b9f1d5508f4cf749
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| #
70b5967e |
| 27-Feb-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
Merge changes from topic "mb/drtm" into integration
* changes:
  feat(drtm): retrieve DLME image authentication features
  feat(drtm): log No-Action Event in Event Log for DRTM measurements
  feat(fvp): add stub function to retrieve DLME image auth features
  feat(drtm): introduce plat API for DLME authentication features
  feat(drtm): ensure event types aligns with DRTM specification v1.1
  fix(drtm): add missing DLME data regions for min size requirement
  feat(fvp): add stub platform function to get ACPI table region size
  feat(drtm): add platform API to retrieve ACPI tables region size
show more ...
|
| #
0f7ebef7 |
| 26-Feb-2025 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
feat(drtm): introduce plat API for DLME authentication features
This patch introduces a platform-specific function to provide DLME authentication features. While no platforms currently support DLME authentication, this change offers a structured way for platforms to define and expose their DLME authentication features, with the flexibility to extend support in the future if needed.
Change-Id: Ia708914477c4d8cfee4809a9daade9a3e91ed073
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
show more ...
|
| #
7792bdbd |
| 24-Feb-2025 |
Manish V Badarkhe <Manish.Badarkhe@arm.com> |
feat(drtm): add platform API to retrieve ACPI tables region size
Introduces a platform-specific API to retrieve the ACPI table region size. This will be used in a subsequent patch to specify the minimum DLME size requirement for the DCE preamble.
Change-Id: I44ce9241733b22fea3cbce9d42f1c2cc5ef20852
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
show more ...
|
| #
839739e2 |
| 21-Oct-2024 |
Boyan Karatotev <boyan.karatotev@arm.com> |
docs(ras): document RAS considerations with powerdown
RAS errors can cause problems for powerdown. On cpus like the A510, receiving a RAS error after executing the powerdown `wfi` will deadlock the core. The TRM suggests disabling the generation of interrupts. However, which interrupts to disable is not apparent for generic code as the meaning of each error record is *heavily* IMPDEF, despite the standard format. Iterating over the list and disabling all is not desirable as this might disable errors for components that do not have an effect on the core that is powering down.
As such, leave this for the platform port to handle. Leave a note in the porting guide so this is not missed.
Change-Id: I43c3f6f909fafc449d3b4e748b015b05338d9618
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
show more ...
|
| #
243fba1f |
| 12-Feb-2025 |
Manish V Badarkhe <manish.badarkhe@arm.com> |
Merge "docs(console): updated console docs" into integration
|
| #
31edc20d |
| 01-Feb-2024 |
Salman Nabi <salman.nabi@arm.com> |
docs(console): updated console docs
Add documentation for the console framework on how to go about instantiating a new console and how to use these consoles in TF-A. This includes BOOT, RUNTIME and CRASH consoles.
Change-Id: I746d38f69f1b035d2e85d2589646e7fd67cb9cc3
Signed-off-by: Salman Nabi <salman.nabi@arm.com>
show more ...
|
| #
fcb80d7d |
| 11-Feb-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes I765a7fa0,Ic33f0b6d,I8d1a88c7,I381f96be,I698fa849, ... into integration
* changes:
  fix(cpus): clear CPUPWRCTLR_EL1.CORE_PWRDN_EN_BIT on reset
  chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`
  chore(psci): drop skip_wfi variable
  feat(arm): convert arm platforms to expect a wakeup
  fix(cpus): avoid SME related loss of context on powerdown
  feat(psci): allow cores to wake up from powerdown
  refactor: panic after calling psci_power_down_wfi()
  refactor(cpus): undo errata mitigations
  feat(cpus): add sysreg_bit_toggle
show more ...
|
| #
db5fe4f4 |
| 08-Oct-2024 |
Boyan Karatotev <boyan.karatotev@arm.com> |
chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`
To allow for generic handling of a wakeup, this hook is no longer expected to call wfi itself. Update the name everywhere to reflect this expectation so that future platform implementers don't get misled.
Change-Id: Ic33f0b6da74592ad6778fd802c2f0b85223af614
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
show more ...
|
| #
2b5e00d4 |
| 19-Dec-2024 |
Boyan Karatotev <boyan.karatotev@arm.com> |
feat(psci): allow cores to wake up from powerdown
The simplistic view of a core's powerdown sequence is that power is atomically cut upon calling `wfi`. However, it turns out that it has lots to do - it has to talk to the interconnect to exit coherency, clean caches, check for RAS errors, etc. These take significant amounts of time and are certainly not atomic. As such there is a significant window of opportunity for external events to happen. Many of these steps are not destructive to context, so theoretically, the core can just "give up" half way (or roll certain actions back) and carry on running. The point in this sequence after which roll back is not possible is called the point of no return.
One of these actions is the checking for RAS errors. It is possible for one to happen during this lengthy sequence, or at least remain undiscovered until that point. If the core were to continue powerdown when that happens, there would be no (easy) way to inform anyone about it. Rejecting the powerdown and letting software handle the error is the best way to implement this.
Arm cores since at least the a510 have included this exact feature. So far it hasn't been deemed necessary to account for it in firmware due to the low likelihood of this happening. However, events like GIC wakeup requests are much more probable. Older cores will powerdown and immediately power back up when this happens. Travis and Gelas include a feature similar to the RAS case above, called powerdown abandon. The idea is that this will improve the latency to service the interrupt by saving on work which the core and software need to do.
So far firmware has relied on the `wfi` being the point of no return and if it doesn't explicitly detect a pending interrupt quite early on, it will embark onto a sequence that it expects to end with shutdown. To accommodate for it not being a point of no return, we must undo all of the system management we did, just like in the warm boot entrypoint.
To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal. Most recent platforms do some platform management and finish on the standard `wfi`, followed by a panic or an endless loop as this is expected to not return. To make this generic, any platform that wishes to support wakeups must instead let common code call `psci_power_down_wfi()` right after. Besides wakeups, this lets common code handle powerdown errata better as well.
Then, the CPU_OFF case is simple - PSCI does not allow it to return. So the best that can be done is to attempt the `wfi` a few times (the choice of 32 is arbitrary) in the hope that the wakeup is transient. If it isn't, the only choice is to panic, as the system is likely to be in a bad state, eg. interrupts weren't routed away. The same applies for SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't matter as the system is going offline one way or another. The RAS case will be considered in a separate patch.
Now, the CPU_SUSPEND case is more involved. First, to powerdown it must wipe its context as it is not written on warm boot. But it cannot be overwritten in case of a wakeup. To avoid the catch 22, save a copy that will only be used if powerdown fails. That is about 500 bytes on the stack so it hopefully doesn't tip anyone over any limits. In future that can be avoided by having a core manage its own context.
Second, when the core wakes up, it must undo anything it did to prepare for poweroff, which for the cores we care about, is writing CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library way of doing this is to simply call the power off hook again and have the hook toggle the bit. If in the future there need to be more complex sequences, their direction can be advised on the value of this bit.
Third, do the actual "resume". Most of the logic is already there for the retention suspend, so that only needs a small touch up to apply to the powerdown case as well. The missing bit is the powerdown specific state management. Luckily, the warmboot entrypoint does exactly that already too, so steal that and we're done.
All of this is hidden behind a FEAT_PABANDON flag since it has a large memory and runtime cost that we don't want to burden non pabandon cores with.
Finally, do some function renaming to better reflect their purpose and make names a little bit more consistent.
Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| #
6157ef37 |
| 09-Jan-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes from topic "bk/smccc_feature" into integration
* changes:
  feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
  refactor(cm): clean up per-world context
  refactor(cm): change owning security state when a feature is disabled
|
| #
79e11f56 |
| 08-Jan-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
Merge changes I1f662f82,I59a3b297 into integration
* changes:
  fix(build): include platform mk earlier
  fix(arm): use EL3_PAS in MAP_BL2_TOTAL definition
|
| #
696ed168 |
| 03-Jan-2025 |
Olivier Deprez <olivier.deprez@arm.com> |
fix(build): include platform mk earlier
Move platform.mk inclusion in top level Makefile to permit a platform specifying BRANCH_PROTECTION option.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106
|
| #
8db17052 |
| 25-Oct-2024 |
Boyan Karatotev <boyan.karatotev@arm.com> |
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about the features it is aware of and enables. This is useful when a feature is not enabled at EL3, eg due to an older FW image, but it is present in hardware. In those cases, the EL1 ID registers do not reflect the usable feature set and this call should provide the necessary information to remedy that.
The call itself is very lightweight - effectively a sanitised read of the relevant system register. Bits that are not relevant to feature enablement are masked out and active low bits are converted to active high.
The implementation is also very simple. All relevant, irrelevant, and inverted bits are combined into bitmasks at build time. Then at runtime the masks are unconditionally applied to produce the right result. This assumes that context managers will make sure that disabled features do not have their bits set and the registers are context switched if any fields in them make enablement ambiguous.
Features that are not yet supported in TF-A have not been added. On debug builds, calling this function will fail an assert if any bits that are not expected are set. In combination with CI this should allow for this feature to stay up to date as new architectural features are added.
If a call for MPAM3_EL3 is made when MPAM is not enabled, the call will return INVALID_PARAM, while if it is FEAT_STATE_CHECK, it will return zero. This should be fairly consistent with feature detection.
The bitmask is meant to be interpreted as the logical AND of the relevant ID registers. It would be permissible for this to return 1 while the ID returns 0. Despite this, this implementation takes steps not to. In the general case, the two should match exactly.
Finally, it is not entirely clear whether this call replies to SMC32 requests. However, it will not, as the return values are all 64 bits.
[1]: https://developer.arm.com/documentation/den0028/galp1/?lang=en
Co-developed-by: Charlie Bareham <charlie.bareham@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1a74e7d0b3459b1396961b8fa27f84e3f0ad6a6f
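Added example, not part of the commit above and not TF-A code: a sketch of the mask scheme that message describes (flip active-low bits, mask out unrelated ones, flag unclassified ones) plus the caller-side AND with the ID register. The register layout and every `DEMO_`/`demo_` name are assumptions made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed register layout for illustration; not a real Arm register. */
#define BIT64(n)          (UINT64_C(1) << (n))
#define DEMO_FEAT_A_EN    BIT64(0)  /* active high: 1 = feature A enabled */
#define DEMO_ROUTING_CFG  BIT64(1)  /* unrelated to feature enablement */
#define DEMO_FEAT_B_EN    BIT64(3)  /* active high: 1 = feature B enabled */
#define DEMO_FEAT_C_TRAP  BIT64(5)  /* active low: 1 = feature C use is trapped */
#define DEMO_FEAT_D_TRAP  BIT64(9)  /* active low: 1 = feature D use is trapped */
#define DEMO_STATE_CFG    BIT64(12) /* unrelated to feature enablement */

/* Masks are plain constants, so they are combined at build time. */
#define DEMO_ACTIVE_HIGH  (DEMO_FEAT_A_EN | DEMO_FEAT_B_EN)
#define DEMO_ACTIVE_LOW   (DEMO_FEAT_C_TRAP | DEMO_FEAT_D_TRAP)
#define DEMO_IGNORED      (DEMO_ROUTING_CFG | DEMO_STATE_CFG)
#define DEMO_RELEVANT     (DEMO_ACTIVE_HIGH | DEMO_ACTIVE_LOW)

_Static_assert((DEMO_ACTIVE_HIGH & DEMO_ACTIVE_LOW) == 0, "polarity overlap");
_Static_assert((DEMO_RELEVANT & DEMO_IGNORED) == 0, "relevant bit also ignored");

/* Bits nobody classified: a debug build would assert that this is zero. */
uint64_t demo_unexpected_bits(uint64_t raw)
{
	return raw & ~(DEMO_RELEVANT | DEMO_IGNORED);
}

/* Sanitised read: flip active-low bits, then drop everything irrelevant. */
uint64_t demo_feature_availability(uint64_t raw)
{
	return (raw ^ DEMO_ACTIVE_LOW) & DEMO_RELEVANT;
}

/* Caller side: usable only if the ID register AND firmware both say yes. */
bool demo_feature_usable(bool id_reg_present, uint64_t avail, uint64_t bit)
{
	return id_reg_present && (avail & bit) != 0;
}

int main(void)
{
	/* Constructed value: A enabled, C trapped, one unrelated bit set. */
	uint64_t raw = DEMO_FEAT_A_EN | DEMO_FEAT_C_TRAP | DEMO_ROUTING_CFG;
	uint64_t avail = demo_feature_availability(raw);

	printf("raw=0x%llx avail=0x%llx unexpected=0x%llx\n",
	       (unsigned long long)raw, (unsigned long long)avail,
	       (unsigned long long)demo_unexpected_bits(raw));
	printf("D usable: %d, C usable: %d\n",
	       demo_feature_usable(true, avail, DEMO_FEAT_D_TRAP),
	       demo_feature_usable(true, avail, DEMO_FEAT_C_TRAP));
	return 0;
}
```

A cleared trap bit reads back as "available" after the flip, which is why the scheme depends on context management never leaving a disabled feature's bit in the enabled polarity.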
|
| #
88ed66bd |
| 06-Nov-2024 |
Soby Mathew <soby.mathew@arm.com> |
Merge "docs: el3 token signing" into integration
|