fix(cpus): workaround for Cortex-X925 erratum 3701747

Cortex-X925 erratum 3701747 that applies to r0p0, r0p1 and is still
Open.

The workaround is for EL3 software that performs context save/restore

fix(cpus): workaround for Cortex-X925 erratum 3701747

Cortex-X925 erratum 3701747 that applies to r0p0, r0p1 and is still
Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/109180/latest/

Change-Id: I080296666f89276b3260686c2bdb8de63fc174c1
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-X4 erratum 3701758

Cortex-X4 erratum 3701758 that applies to r0p0, r0p1, r0p2 and r0p3
is still Open.

The workaround is for EL3 software that performs context save/

fix(cpus): workaround for Cortex-X4 erratum 3701758

Cortex-X4 erratum 3701758 that applies to r0p0, r0p1, r0p2 and r0p3
is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/109148/latest/

Change-Id: I4ee941d1e7653de7a12d69f538ca05f7f9f9961d
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-X3 erratum 3701769

Cortex-X3 erratum 3701769 that applies to r0p0, r1p0, r1p1 and r1p2
is still Open.

The workaround is for EL3 software that performs context save/

fix(cpus): workaround for Cortex-X3 erratum 3701769

Cortex-X3 erratum 3701769 that applies to r0p0, r1p0, r1p1 and r1p2
is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2055130/latest/

Change-Id: Ifd722e1bb8616ada2ad158297a7ca80b19a3370b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-X2 erratum 3701772

Cortex-X2 erratum 3701772 that applies to r0p0, r1p0, r2p0, r2p1
is still Open.

The workaround is for EL3 software that performs context save/res

fix(cpus): workaround for Cortex-X2 erratum 3701772

Cortex-X2 erratum 3701772 that applies to r0p0, r1p0, r2p0, r2p1
is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775100/latest/

Change-Id: I2ffc5e7d7467f1bcff8b895fea52a1daa7d14495
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A725 erratum 3699564

Cortex-A725 erratum 3699564 that applies to r0p0, r0p1 and is
fixed in r0p2.

The workaround is for EL3 software that performs context save/rest

fix(cpus): workaround for Cortex-A725 erratum 3699564

Cortex-A725 erratum 3699564 that applies to r0p0, r0p1 and is
fixed in r0p2.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2832921/latest

Change-Id: Ifad1f6c3f5b74060273f897eb5e4b79dd9f088f7
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A720-AE erratum 3699562

Cortex-A720-AE erratum 3699562 that applies to r0p0 and is still
Open.

The workaround is for EL3 software that performs context save/restore

fix(cpus): workaround for Cortex-A720-AE erratum 3699562

Cortex-A720-AE erratum 3699562 that applies to r0p0 and is still
Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-3090091/latest/

Change-Id: Ib830470747822cac916750c01684a65cb5efc15b
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A720 erratum 3699561

Cortex-A720 erratum 3699561 that applies to all revisions <= r0p2
and is still Open.

The workaround is for EL3 software that performs context s

fix(cpus): workaround for Cortex-A720 erratum 3699561

Cortex-A720 erratum 3699561 that applies to all revisions <= r0p2
and is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2439421/latest/

Change-Id: I7ea3aaf3e7bf6b4f3648f6872e505a41247b14ba
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A715 erratum 3699560

Cortex-A715 erratum 3699560 that applies to all revisions <= r1p3
and is still Open.

The workaround is for EL3 software that performs context s

fix(cpus): workaround for Cortex-A715 erratum 3699560

Cortex-A715 erratum 3699560 that applies to all revisions <= r1p3
and is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-2148827/latest/

Change-Id: I183aa921b4b6f715d64eb6b70809de2566017d31
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

fix(cpus): workaround for Cortex-A710 erratum 3701772

Cortex-A710 erratum 3701772 that applies to all revisions <= r2p1
and is still Open.

The workaround is for EL3 software that performs context s

fix(cpus): workaround for Cortex-A710 erratum 3701772

Cortex-A710 erratum 3701772 that applies to all revisions <= r2p1
and is still Open.

The workaround is for EL3 software that performs context save/restore
on a change of Security state to use a value of SCR_EL3.NS when
accessing ICH_VMCR_EL2 that reflects the Security state that owns the
data being saved or restored.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-1775101/latest/

Change-Id: I997c9cfaa75321f22b4f690c4d3f234c0b51c670
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`

To allow for generic handling of a wakeup, this hook is no longer
expected to call wfi itself. Update the name everywhere to reflect this
e

chore(docs): drop the "wfi" from `pwr_domain_pwr_down_wfi`

To allow for generic handling of a wakeup, this hook is no longer
expected to call wfi itself. Update the name everywhere to reflect this
expectation so that future platform implementers don't get misled.

Change-Id: Ic33f0b6da74592ad6778fd802c2f0b85223af614
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(cpus): avoid SME related loss of context on powerdown

Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is th

fix(cpus): avoid SME related loss of context on powerdown

Travis' and Gelas' TRMs tell us to disable SME (set PSTATE.{ZA, SM} to
0) when we're attempting to power down. What they don't tell us is that
if this isn't done, the powerdown request will be rejected. On the
CPU_OFF path that's not a problem - we can force SVCR to 0 and be
certain the core will power off.

On the suspend to powerdown path, however, we cannot do this. The TRM
also tells us that the sequence could also be aborted on eg. GIC
interrupts. If this were to happen when we have overwritten SVCR to 0,
upon a return to the caller they would experience a loss of context. We
know that at least Linux may call into PSCI with SVCR != 0. One option
is to save the entire SME context which would be quite expensive just to
work around. Another option is to downgrade the request to a normal
suspend when SME was left on. This option is better as this is expected
to happen rarely enough to ignore the wasted power and we don't want to
burden the generic (correct) path with needless context management.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I698fa8490ebf51461f6aa8bba84f9827c5c46ad4

show more ...

feat(psci): allow cores to wake up from powerdown

The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do

feat(psci): allow cores to wake up from powerdown

The simplistic view of a core's powerdown sequence is that power is
atomically cut upon calling `wfi`. However, it turns out that it has
lots to do - it has to talk to the interconnect to exit coherency, clean
caches, check for RAS errors, etc. These take significant amounts of
time and are certainly not atomic. As such there is a significant window
of opportunity for external events to happen. Many of these steps are
not destructive to context, so theoretically, the core can just "give
up" half way (or roll certain actions back) and carry on running. The
point in this sequence after which roll back is not possible is called
the point of no return.

One of these actions is the checking for RAS errors. It is possible for
one to happen during this lengthy sequence, or at least remain
undiscovered until that point. If the core were to continue powerdown
when that happens, there would be no (easy) way to inform anyone about
it. Rejecting the powerdown and letting software handle the error is the
best way to implement this.

Arm cores since at least the a510 have included this exact feature. So
far it hasn't been deemed necessary to account for it in firmware due to
the low likelihood of this happening. However, events like GIC wakeup
requests are much more probable. Older cores will powerdown and
immediately power back up when this happens. Travis and Gelas include a
feature similar to the RAS case above, called powerdown abandon. The
idea is that this will improve the latency to service the interrupt by
saving on work which the core and software need to do.

So far firmware has relied on the `wfi` being the point of no return and
if it doesn't explicitly detect a pending interrupt quite early on, it
will embark onto a sequence that it expects to end with shutdown. To
accommodate for it not being a point of no return, we must undo all of
the system management we did, just like in the warm boot entrypoint.

To achieve that, the pwr_domain_pwr_down_wfi hook must not be terminal.
Most recent platforms do some platform management and finish on the
standard `wfi`, followed by a panic or an endless loop as this is
expected to not return. To make this generic, any platform that wishes
to support wakeups must instead let common code call
`psci_power_down_wfi()` right after. Besides wakeups, this lets common
code handle powerdown errata better as well.

Then, the CPU_OFF case is simple - PSCI does not allow it to return. So
the best that can be done is to attempt the `wfi` a few times (the
choice of 32 is arbitrary) in the hope that the wakeup is transient. If
it isn't, the only choice is to panic, as the system is likely to be in
a bad state, eg. interrupts weren't routed away. The same applies for
SYSTEM_OFF, SYSTEM_RESET, and SYSTEM_RESET2. There the panic won't
matter as the system is going offline one way or another. The RAS case
will be considered in a separate patch.

Now, the CPU_SUSPEND case is more involved. First, to powerdown it must
wipe its context as it is not written on warm boot. But it cannot be
overwritten in case of a wakeup. To avoid the catch 22, save a copy that
will only be used if powerdown fails. That is about 500 bytes on the
stack so it hopefully doesn't tip anyone over any limits. In future that
can be avoided by having a core manage its own context.

Second, when the core wakes up, it must undo anything it did to prepare
for poweroff, which for the cores we care about, is writing
CPUPWRCTLR_EL1.CORE_PWRDN_EN. The least intrusive for the cpu library
way of doing this is to simply call the power off hook again and have
the hook toggle the bit. If in the future there need to be more complex
sequences, their direction can be advised on the value of this bit.

Third, do the actual "resume". Most of the logic is already there for
the retention suspend, so that only needs a small touch up to apply to
the powerdown case as well. The missing bit is the powerdown specific
state management. Luckily, the warmboot entrypoint does exactly that
already too, so steal that and we're done.

All of this is hidden behind a FEAT_PABANDON flag since it has a large
memory and runtime cost that we don't want to burden non pabandon cores
with.

Finally, do some function renaming to better reflect their purpose and
make names a little bit more consistent.

Change-Id: I2405b59300c2e24ce02e266f91b7c51474c1145f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(security): enable WORKAROUND_CVE_2024_7881 build option

This patch enables build option needed to include
support for CVE_2024_7881 [1] migitation.

[1]: https://developer.arm.com/Arm%20Security

fix(security): enable WORKAROUND_CVE_2024_7881 build option

This patch enables build option needed to include
support for CVE_2024_7881 [1] migitation.

[1]: https://developer.arm.com/Arm%20Security%20Center/Arm%20CPU%20Vulnerability%20CVE-2024-7881

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Id77f82a4dfaa4422729f7e3f2429f47cc90d9782

show more ...

Merge changes Ided750de,Id3cc887c into integration

* changes:
docs(gxl): add build instructions for booting BL31 from U-Boot SPL
feat(gxl): add support for booting from U-Boot SPL/with standard

Merge changes Ided750de,Id3cc887c into integration

* changes:
docs(gxl): add build instructions for booting BL31 from U-Boot SPL
feat(gxl): add support for booting from U-Boot SPL/with standard params

show more ...

docs(maintainers): update LTS maintainers

Updating LTS maintainers list as agreed with other LTS
maintainers.

Change-Id: Ibf087c6b0e24d6faa9dafb6f8a0955a47f583f28
Signed-off-by: Govindraj Raja <gov

docs(maintainers): update LTS maintainers

Updating LTS maintainers list as agreed with other LTS
maintainers.

Change-Id: Ibf087c6b0e24d6faa9dafb6f8a0955a47f583f28
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

docs(context-mgmt): remove redundant information

The details specified under "Design" section with regard to
enhancing the context_management library specifies the information
on introducing root_co

docs(context-mgmt): remove redundant information

The details specified under "Design" section with regard to
enhancing the context_management library specifies the information
on introducing root_context.

This design has been through several discussions and based on its
outcome, library has been enhanced.

The updated information covering all the aspects with regard to
implementation is listed under "Components" section.
https://trustedfirmware-a.readthedocs.io/en/latest/components/context-management-library.html

Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I2cf3ccd8cd94444b90fdc627f45a72a4b6096638

show more ...

docs: updates to LTS

Adding updates to LTS process -

- This is based on review comments in here -
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/34069/3/docs/lts.rst#37
- Based on

docs: updates to LTS

Adding updates to LTS process -

- This is based on review comments in here -
https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/34069/3/docs/lts.rst#37
- Based on discussions with other LTS maintainers.

Change-Id: Iafc606a66ea3ea69c51b433867b5025b8debebe9
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

docs: add inital lts doc

Ref: https://linaro.atlassian.net/browse/TFC-669

The initial LTS document was created as pdf and was maintained in a
shared folder location, to avoid pdf getting lost and t

docs: add inital lts doc

Ref: https://linaro.atlassian.net/browse/TFC-669

The initial LTS document was created as pdf and was maintained in a
shared folder location, to avoid pdf getting lost and trying to find
where it is we decided to have LTS details part of docs in TF-A.

This patch directly reflects the data from pdf attached to TFC-669.
Any improvements or amends to this will be done at later phases based
on LTS maintainers comments and agreements.

Change-Id: I1434c29f0236161d2a127596e2cc528bf4cc3e85
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

feat(mops): enable FEAT_MOPS in EL3 when INIT_UNUSED_NS_EL2=1

FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set th

feat(mops): enable FEAT_MOPS in EL3 when INIT_UNUSED_NS_EL2=1

FEAT_MOPS, mandatory from Arm v8.8, is typically managed in EL2.
However, in configurations where NS_EL2 is not enabled,
EL3 must set the HCRX_EL2.MSCEn bit to 1 to enable the feature.

This patch ensures FEAT_MOPS is enabled by setting HCRX_EL2.MSCEn to 1.

Change-Id: Ic4960e0cc14a44279156b79ded50de475b3b21c5
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>

show more ...

docs(gxl): add build instructions for booting BL31 from U-Boot SPL

Change-Id: Ided750decea924ff8d78d2d345d34bc40b05f0cb
Signed-off-by: Ferass El Hafidi <funderscore@postmarketos.org>

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change own

Merge changes from topic "bk/smccc_feature" into integration

* changes:
feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY
refactor(cm): clean up per-world context
refactor(cm): change owning security state when a feature is disabled

show more ...

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.

fix(build): include platform mk earlier

Move platform.mk inclusion in top level Makefile to permit a platform
specifying BRANCH_PROTECTION option.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I1f662f82cd949eedfdbb61b9f66de15c46fb3106

show more ...

feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY

SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about
the features it is aware of and enables. This is useful when a feature
is

feat(smccc): implement SMCCC_ARCH_FEATURE_AVAILABILITY

SMCCC_ARCH_FEATURE_AVAILABILITY [1] is a call to query firmware about
the features it is aware of and enables. This is useful when a feature
is not enabled at EL3, eg due to an older FW image, but it is present in
hardware. In those cases, the EL1 ID registers do not reflect the usable
feature set and this call should provide the necessary information to
remedy that.

The call itself is very lightweight - effectively a sanitised read of
the relevant system register. Bits that are not relevant to feature
enablement are masked out and active low bits are converted to active
high.

The implementation is also very simple. All relevant, irrelevant, and
inverted bits combined into bitmasks at build time. Then at runtime the
masks are unconditionally applied to produce the right result. This
assumes that context managers will make sure that disabled features
do not have their bits set and the registers are context switched if
any fields in them make enablement ambiguous.

Features that are not yet supported in TF-A have not been added. On
debug builds, calling this function will fail an assert if any bits that
are not expected are set. In combination with CI this should allow for
this feature to to stay up to date as new architectural features are
added.

If a call for MPAM3_EL3 is made when MPAM is not enabled, the call
will return INVALID_PARAM, while if it is FEAT_STATE_CHECK, it will
return zero. This should be fairly consistent with feature detection.

The bitmask is meant to be interpreted as the logical AND of the
relevant ID registers. It would be permissible for this to return 1
while the ID returns 0. Despite this, this implementation takes steps
not to. In the general case, the two should match exactly.

Finally, it is not entirely clear whether this call replies to SMC32
requests. However, it will not, as the return values are all 64 bits.

[1]: https://developer.arm.com/documentation/den0028/galp1/?lang=en

Co-developed-by: Charlie Bareham <charlie.bareham@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: I1a74e7d0b3459b1396961b8fa27f84e3f0ad6a6f

show more ...

Merge "fix(cert-create): add default keysize to Brainpool ECDSA" into integration

fix(cert-create): add default keysize to Brainpool ECDSA

By default, the ECDSA Brainpool regular and ECDSA Brainpool twisted
algorithms support 256-bit sized keys. Not defining this leads to
an erro

fix(cert-create): add default keysize to Brainpool ECDSA

By default, the ECDSA Brainpool regular and ECDSA Brainpool twisted
algorithms support 256-bit sized keys. Not defining this leads to
an error indicating that '256' is not a valid key size for ECDSA
Brainpool. KEY_SIZES matrix must have a value in its table to avoid
problems when KEY_SIZE is defined.

Signed-off-by: Maxime Méré <maxime.mere@foss.st.com>
Change-Id: I34886659315f59a9582dcee1d92d0e24d4a4138e

show more ...