feat(crypto): enable floating point register traps in EL3

To prevent the leakage of EL3 information to lower ELs, access to
floating point registers needed to be traped to EL3 unless necessary
(e.g

feat(crypto): enable floating point register traps in EL3

To prevent the leakage of EL3 information to lower ELs, access to
floating point registers needed to be traped to EL3 unless necessary
(e.g the SIMD crypto extension, SIMD context save/restore).

Change-Id: I28a734c43d3e965de87ccc08e99f86669729871f
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

feat(crypto): build flag for SIMD crypto extensions for v8+ platform

Add new build flags ENABLE_FEAT_CRYPTO to enable SIMD crypto extension
for hash256 in bootflow authentication process and ENABLE_

feat(crypto): build flag for SIMD crypto extensions for v8+ platform

Add new build flags ENABLE_FEAT_CRYPTO to enable SIMD crypto extension
for hash256 in bootflow authentication process and ENABLE_FEAT_CRYPTO_SHA3
to enable SIMD crypto extension for sha384 and sha512 in bootflow authentication
process for Arm platform greater than v8.0.

Change-Id: I6e52feb318136910d34cafd89319bf94f90e16fc
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

fix(security): add workaround for CVE-2025-0647

This workaround fixes an issue with the CPP RCTX instruction by
issuing an instruction patch sequence to trap uses of the CPP RCTX
instruction from EL

fix(security): add workaround for CVE-2025-0647

This workaround fixes an issue with the CPP RCTX instruction by
issuing an instruction patch sequence to trap uses of the CPP RCTX
instruction from EL0, EL1, and EL2 to EL3 and perform a workaround
procedure using the implementation defined trap handler to ensure
the correct behavior of the system. In addition, it includes an EL3
API to be used if EL3 firmware needs to use the CPP RCTX instruction.
This saves the overhead of exception handling, and EL3 does not
generically support trapping EL3->EL3, and adding support for that
is not trivial due to the implications for context management.

The issue affects the following CPUs:

C1-Premium
C1-Ultra
Cortex-A710
Cortex-X2
Cortex-X3
Cortex-X4
Cortex-X925
Neoverse N2
Neoverse V2
Neoverse V3
Neoverse V3AE (handled same as V3 CPU in TF-A CPU-Lib)

Arm Security Bulletin Document:
https://developer.arm.com/documentation/111546

Change-Id: I5e7589afbeb69ebb79c01bec80e29f572aff3d89
Signed-off-by: John Powell <john.powell@arm.com>
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

Merge changes I2485d583,I1374c482,I07e29dbb,I949e6486 into integration

* changes:
feat(qemu): enable ENABLE_FEAT_RAS and ENABLE_FEAT_SB
feat(cpufeat): update FEAT_SB's FEAT_STATE_CHECKED status

Merge changes I2485d583,I1374c482,I07e29dbb,I949e6486 into integration

* changes:
feat(qemu): enable ENABLE_FEAT_RAS and ENABLE_FEAT_SB
feat(cpufeat): update FEAT_SB's FEAT_STATE_CHECKED status
feat(cpufeat): advertise support for FEAT_RASv2
feat(cpufeat): enable FEAT_RAS for FEAT_STATE_CHECKED again

show more ...

feat(cpufeat): update FEAT_SB's FEAT_STATE_CHECKED status

FEAT_SB is mostly FEAT_STATE_CHECKED enabled but that is not apparent
from docs and code's check is sub-optimal. Update docs to make this
ap

feat(cpufeat): update FEAT_SB's FEAT_STATE_CHECKED status

FEAT_SB is mostly FEAT_STATE_CHECKED enabled but that is not apparent
from docs and code's check is sub-optimal. Update docs to make this
apparent and update code to have a proper FEAT_STATE_CHECKED fallback.

Also enable it for FVP so it's tested a bit more.

Change-Id: I1374c4828b235ad16904f6c4ac9e39b9c2596a37
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(cpufeat): enable FEAT_RAS for FEAT_STATE_CHECKED again

FEAT_RAS was originally converted to FEAT_STATE_CHECKED in 6503ff291.
However, the ability to use it was removed with 970a4a8d8 by simply

feat(cpufeat): enable FEAT_RAS for FEAT_STATE_CHECKED again

FEAT_RAS was originally converted to FEAT_STATE_CHECKED in 6503ff291.
However, the ability to use it was removed with 970a4a8d8 by simply
saying it impacts execution at EL3. That's true, but FEAT_STATE_CHECKED
can still be allowed by being a bit clever about it.

First, the remainder of common code can be converted to use the
is_feat_ras_supported() helper instead of the `#if FEATURE` pattern.
There are no corner cases to consider there. The feature is either
present (and appropriate action must be taken) or the feature is not (so
we can skip RAS code).

A conscious choice is taken to check the RAS code in synchronize_errors
despite it being in a hot path. Any fixed platform that seeks to be
performant should be setting features to 0 or 1. Then, the
SCTLR_EL3.IESB bit is always set if ENABLE_FEAT_RAS != 0 since we expect
FEAT_IESB to be present if FEAT_RAS is (despite the architecture not
guaranteeing it). If FEAT_RAS isn't present then we don't particularly
care about the status of FEAT_IESB.

Second, platforms that don't set ENABLE_FEAT_RAS must continue to work.
This is true out of the box with the is_feat_xyz_supported() helpers, as
they make sure to fully disable code within them.

Third, platforms that do set ENABLE_FEAT_RAS=1 must continue to work.
This is also true out of the box and no logical change is undertaken in
common code.

Finally, ENABLE_FEAT_RAS is set to 2 on FVP. Having RAS implies that the
whole handling machinery will be built-in and registered as appropriate.
However, when RAS is built-in but not present in hardware, these
registrations can still happen, they will only never be invoked at
runtime.

Change-Id: I949e648601dc0951ef9c2b217f34136b6ea4b3dc
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(cpufeat): enable access to extended BRPs/WRPs" into integration

feat(el3-runtime): check the exception vector size

Currently, if the exception vector is too big it will fail with a
"Warning: repeat < 0; .fill ignored" error that is quite unclear. This
only happe

feat(el3-runtime): check the exception vector size

Currently, if the exception vector is too big it will fail with a
"Warning: repeat < 0; .fill ignored" error that is quite unclear. This
only happens when the vector entry is bigger than its allocated 128
bytes so add an explicit check with a descriptive message to ease
debugging when this happens.

Change-Id: I4f7acdcedab38bc96416dd0d0c6a8a60b7986e17
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "bk/simpler_panic" into integration

* changes:
refactor(aarch64): remove crash reporting's dependency on cpu_data
fix(el3-runtime): remove lower_el_panic()

feat(morello): add capability load/store/track support to MMU

Morello architecture adds additional bits to TCR_EL3 and uses the
HWU bits of page/block descriptors to provision permission for
loading

feat(morello): add capability load/store/track support to MMU

Morello architecture adds additional bits to TCR_EL3 and uses the
HWU bits of page/block descriptors to provision permission for
loading, storing and tracking of valid capability tags.

This patch reserves bit 31 of the existing translation table
attribute field which can be used by the user to enable capability
load/store/track permission for a given memory region.

This patch also enables this permission for BL31 region.

Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
Signed-off-by: Varshit Pandya <varshit.pandya@arm.com>
Change-Id: I1939c70aac3585969d74b0956529681e840d6f63

show more ...

feat(morello): add Morello capability enablement changes

This patch adds a build macro ENABLE_FEAT_MORELLO which when set will
compile BL31 firmware with changes required to boot capability
aware so

feat(morello): add Morello capability enablement changes

This patch adds a build macro ENABLE_FEAT_MORELLO which when set will
compile BL31 firmware with changes required to boot capability
aware software.

It also adds helper function in c and assmbly to check if morello
hardware is present and if morello capability is enabled or not.

CE field, bits [23:20] in ID_AA64PFR1_EL1 defines whether morello
architecture is present or not, 0b0000 indicates that it is absent
and 0b0001 indicates that it is present. While whether capabilities
are enabled or not is decided at runtime with ENABLE_FEAT_MORELLO build
option.

Reference: https://developer.arm.com/documentation/ddi0606/latest/

Signed-off-by: Manoj Kumar <manoj.kumar3@arm.com>
Signed-off-by: Varshit Pandya <varshit.pandya@arm.com>
Change-Id: Ib16877acbfcb72c4bd8c08e97e44edc0a3e46089

show more ...

fix(cpufeat): enable access to extended BRPs/WRPs

Access to Extended Breakpoints(BRPs) and Watchpoints(WRPs) are enabled
through EBWE bit and this available from DebugV8P9. So enable access to
mode

fix(cpufeat): enable access to extended BRPs/WRPs

Access to Extended Breakpoints(BRPs) and Watchpoints(WRPs) are enabled
through EBWE bit and this available from DebugV8P9. So enable access to
mode select register default from lower EL's.

Though this bit RES0 when we have less than 16 BRPs/WRPs the Mode select
register is also RAZ/WI. So having EBWE write by default is harmless.
And will avoid trap to EL3 when enable access to bank selection when we
have more than 16 BRPs/WRPs.

Change-Id: Ib308be758c0beedde05a5558b0d24a161b79273a
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

refactor(aarch64): remove crash reporting's dependency on cpu_data

Crash reporting is useful as early as possible, even before most of the
runtime has been set up. This means that all of its depende

refactor(aarch64): remove crash reporting's dependency on cpu_data

Crash reporting is useful as early as possible, even before most of the
runtime has been set up. This means that all of its dependencies,
currently only cpu_data, must be set up as early as possible too. This
can be constraining as fiddling with the general EL3 runtime from the
early entrypoint is very difficult. So remove the cpu_data dependency.
Further benefits are that crash reporting will work even earlier (during
cpu reset functions!) and also in other BLs.

Change-Id: I92bb6b3921c6dec10560f8341b3bca5cdacfb492
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(cpufeat): prevent FEAT_AMU counters 2 and 3 from counting across worlds

FEAT_AMU has 4 architected counters. The lower 2, CPU_CYCLES and
CNT_CYCLES, are not considered to be side channels due to

fix(cpufeat): prevent FEAT_AMU counters 2 and 3 from counting across worlds

FEAT_AMU has 4 architected counters. The lower 2, CPU_CYCLES and
CNT_CYCLES, are not considered to be side channels due to their low
resolution and general availability of the data elsewhere. As such, they
are used for critical performance tuning and are expected to never be
turned off or context switched when switching worlds.

The upper 2 counters, INST_RETIRED and STALL_BACKEND_MEM, are different.
The data they provide is non-critical and expose new information that
could be used as a timing side channel, especially of Secure world. This
patch adds context switching of these two counters to prevent any such
side channel.

This is not done for group 1 auxiliary counters as those are IMP DEF and
are inaccessible by default unless overriden by the platform (with
AMU_RESTRICT_COUNTERS).

Change-Id: Ib4b946abb810e36736cabb9b84cd837308b4e761
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(el3-runtime): translate EL3 handled exceptions to C and always call prepare_el3_entry

Exception handling in BL31 is tricky business and to satisfy the varying
requirements of the different code

feat(el3-runtime): translate EL3 handled exceptions to C and always call prepare_el3_entry

Exception handling in BL31 is tricky business and to satisfy the varying
requirements of the different code paths it has thus far largely been
written in assembly. However, assembly is extremely tedious to read and
modify. Similar to context management, it is desirable to have as much
as possible in C. C code is generally easier to follow and can enable
the compiler to do more optimisations on surrounding code.

Most exceptions that BL31 deals with are the synchronous exceptions and
those are processed within BL31. They already get prepared for EL3 entry
and after the initial dispatch end up in C. So the dispatch can also be
converted in C. Interrupt exceptions are very similar so are converted
too. Finally, asynchronous external aborts share some code with
synchronous external aborts and may end up being processed deeper in
BL31. So they can safely be prepared for EL3 entry too and converted to
C so that they can share code properly.

The IMP DEF exceptions are not part of this refactor as their speed may
be important. There is currently little that uses them, but they can be
converted to C too once their use expands and usage allows it.

This refactor allows to expand the responsibilities of
prepare_el3_entry(). Its role is already to prepare context for
executing within EL3 but with this patch EL3 execution is synonymous
with C runtime execution. So it's given the responsibility of saving
spsr and elr as well as putting the runtime stack in.

When a synchronous exception happens, the only possible paths are to
enter the C EL3 runtime, exiting via el3_exit(), or to panic. In the EL3
runtime case, we always need prepare_el3_entry() and the runtime stack,
whereas in the panic case, this doesn't matter as we will never return.
So hoist the prepare_el3_entry() call and the changing of the stacks as
early as possible and make the rest of the code agnostic of this.

This patch also gets rid of smc_prohibited. It is an optimisation by
skipping prepare_el3_entry() when a bad smc call happens. However, speed
doesn't matter in this case as this is an erroneous case.

Change-Id: I411af9d17ef4046a736b1f4f5f8fbc9c28e66106
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(cpus): workaround for C1-Pro erratum 3686597

C1-Pro erratum 3686597 is a Cat B erratum that applies
to revisions r0p0, r1p0 and is fixed in r1p1.

This erratum can be avoided by setting IMP_CPUE

fix(cpus): workaround for C1-Pro erratum 3686597

C1-Pro erratum 3686597 is a Cat B erratum that applies
to revisions r0p0, r1p0 and is fixed in r1p1.

This erratum can be avoided by setting IMP_CPUECTLR_EL1[57]
to 1.

SDEN documentation:
https://developer.arm.com/documentation/SDEN-3273080/1300/?lang=en

Change-Id: I59a5d9316bf66793eae5dac08102231d0e2640fb
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

feat(cpufeat): enable USE_SPINLOCK_CAS to FEAT_STATE_CHECKED

The FEAT_LSE enablement predates the FEAT_STATE framework and has never
been converted. Since the introduction of USE_SPINLOCK_CAS we've

feat(cpufeat): enable USE_SPINLOCK_CAS to FEAT_STATE_CHECKED

The FEAT_LSE enablement predates the FEAT_STATE framework and has never
been converted. Since the introduction of USE_SPINLOCK_CAS we've gained
lots of quality of life features that allow for better feature
enablement. This patch converts USE_SPINLOCK_CAS to tri-state and adds
it to FEATURE_DETECTION to align with all other features.

Instead of introducing the assembly checking for tri-state, this patch
translates all locking routines to C inline assembly and uses the
standard C helpers. The main benefit is that this gives greater
visibility to the compiler about what the functions are doing and lets
it optimise better. Namely, it is able to allocate registers itself and
inline the functions when LTO is enabled.

An unsuccessful attempt was made to use the instructions directly and
have even flow control in C. This, however, made code very complicated
and less efficient in the tight loops of the spinlock.

The last use of ARM_ARCH_AT_LEAST goes away with this change and so this
macro is removed. It has now been fully superseded by the FEAT_STATE
framework.

This change exposes a limitation - RME_GPT_BITLOCK_BLOCK requires
USE_SPINLOCK_CAS. This patch does not address this in any way but makes
the relationship explicit.

Change-Id: I580081549aceded2dca3e0f4564ee7510a7e56ae
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(cpufeat): add support for FEAT_UINJ

FEAT_UINJ allows higher ELs to inject Undefined Instruction exceptions
into lower ELs by setting SPSR_ELx.UINJ, which updates PSTATE.UINJ on
exception return

feat(cpufeat): add support for FEAT_UINJ

FEAT_UINJ allows higher ELs to inject Undefined Instruction exceptions
into lower ELs by setting SPSR_ELx.UINJ, which updates PSTATE.UINJ on
exception return. When PSTATE.UINJ is set, instruction execution at the
lower EL raises an Undefined Instruction exception (EC=0b000000).

This patch introduces support for FEAT_UINJ by updating the
inject_undef64() to use hardware undef injection if supported.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I48ad56a58eaab7859d508cfa8dfe81130b873b6b

show more ...

fix(cpufeat): update feature names and comments

Fix supported feature list for FEAT_CSV2_2/CSV2_3 and add clearer
descriptions for LS64_ACCDATA, AIE, and PFAR features.

Signed-off-by: Arvind Ram Pr

fix(cpufeat): update feature names and comments

Fix supported feature list for FEAT_CSV2_2/CSV2_3 and add clearer
descriptions for LS64_ACCDATA, AIE, and PFAR features.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I0073db4007b90e4a37c337af789a7f5c98677372

show more ...

feat(cpufeat): add support for FEAT_IDTE3

This patch adds support for FEAT_IDTE3, which introduces support
for handling the trapping of Group 3 and Group 5 (only GMID_EL1)
registers to EL3 (unless t

feat(cpufeat): add support for FEAT_IDTE3

This patch adds support for FEAT_IDTE3, which introduces support
for handling the trapping of Group 3 and Group 5 (only GMID_EL1)
registers to EL3 (unless trapped to EL2). IDTE3 allows EL3 to
modify the view of ID registers for lower ELs, and this capability
is used to disable fields of ID registers tied to disabled features.

The ID registers are initially read as-is and stored in context.
Then, based on the feature enablement status for each world, if a
particular feature is disabled, its corresponding field in the
cached ID register is set to Res0. When lower ELs attempt to read
an ID register, the cached ID register value is returned. This
allows EL3 to prevent lower ELs from accessing feature-specific
system registers that are disabled in EL3, even though the hardware
implements them.

The emulated ID register values are stored primarily in per-world
context, except for certain debug-related ID registers such as
ID_AA64DFR0_EL1 and ID_AA64DFR1_EL1, which are stored in the
cpu_data and are unique to each PE. This is done to support feature
asymmetry that is commonly seen in debug features.

FEAT_IDTE3 traps all Group 3 ID registers in the range
op0 == 3, op1 == 0, CRn == 0, CRm == {2–7}, op2 == {0–7} and the
Group 5 GMID_EL1 register. However, only a handful of ID registers
contain fields used to detect features enabled in EL3. Hence, we
only cache those ID registers, while the rest are transparently
returned as is to the lower EL.

This patch updates the CREATE_FEATURE_FUNCS macro to generate
update_feat_xyz_idreg_field() functions that disable ID register
fields on a per-feature basis. The enabled_worlds scope is used to
disable ID register fields for security states where the feature is
not enabled.

This EXPERIMENTAL feature is controlled by the ENABLE_FEAT_IDTE3
build flag and is currently disabled by default.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I5f998eeab81bb48c7595addc5595313a9ebb96d5

show more ...

feat(cpufeat): include enabled security state scope

This patch adds a security state scope to feature function creation.
The scope defines the set of worlds (Secure, Non-secure, and Realm)
for which

feat(cpufeat): include enabled security state scope

This patch adds a security state scope to feature function creation.
The scope defines the set of worlds (Secure, Non-secure, and Realm)
for which a given feature is enabled. This allows finer-grained
control of feature visibility and ensures that ID register are
updated based on feature's enablement status for that world.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: Ia4ba4ea7c0b020a398785a28e7ce25b00ab1f4ec

show more ...

feat(cpufeat): add ID register defines and read helpers

Add system register encodings and read helper functions for
both AArch32 and AArch64 ID registers.

These additions complete the set of archit

feat(cpufeat): add ID register defines and read helpers

Add system register encodings and read helper functions for
both AArch32 and AArch64 ID registers.

These additions complete the set of architectural ID registers that
may be trapped as part of FEAT_IDTE3, which enables EL3 to intercept
ID register accesses from lower exception levels.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I5d73b78e80d56a0b78ce026dcf70373c8aabd857

show more ...

Merge changes from topic "NUMA_AWARE_PER_CPU" into integration

* changes:
docs(maintainers): add per-cpu framework into maintainers.rst
feat(per-cpu): add documentation for per-cpu framework
f

Merge changes from topic "NUMA_AWARE_PER_CPU" into integration

* changes:
docs(maintainers): add per-cpu framework into maintainers.rst
feat(per-cpu): add documentation for per-cpu framework
feat(rdv3): enable numa aware per-cpu for RD-V3-Cfg2
feat(per-cpu): migrate amu_ctx to per-cpu framework
feat(per-cpu): migrate spm_core_context to per-cpu framework
feat(per-cpu): migrate psci_ns_context to per-cpu framework
feat(per-cpu): migrate psci_cpu_pd_nodes to per-cpu framework
feat(per-cpu): migrate rmm_context to per-cpu framework
feat(per-cpu): integrate per-cpu framework into BL31/BL32
feat(per-cpu): introduce framework accessors/definers
feat(per-cpu): introduce linker changes for NUMA aware per-cpu framework
docs(changelog): add scope for per-cpu framework

show more ...

feat(per-cpu): integrate per-cpu framework into BL31/BL32

Integrate per-cpu support into BL31/BL32 by extending the following
areas:

Zero-initialization: Treats per-cpu sections like .bss and clear

feat(per-cpu): integrate per-cpu framework into BL31/BL32

Integrate per-cpu support into BL31/BL32 by extending the following
areas:

Zero-initialization: Treats per-cpu sections like .bss and clears them
during early C runtime initialization. For platforms that enable
NUMA_AWARE_PER_CPU, invokes a platform hook to zero-initialize
node-specific per-cpu regions.

Cache maintenance: Extends the BL31 exit path to clean dcache lines
covering the per-cpu region, ensuring data written by the primary core
is visible to secondary cores.

tpidr_el3 setup: Initializes tpidr_el3 with the base address of the
current CPU’s per-cpu section. This allows per-cpu framework to
resolve local cpu accesses efficiently.

The percpu_data object is currently stored in tpidr_el3. Since the
per-cpu framework will use tpidr_el3 for this-cpu access, percpu_data
must be migrated to avoid conflict. This commit moves percpu_data to
the per-cpu framework.

Signed-off-by: Sammit Joshi <sammit.joshi@arm.com>
Signed-off-by: Rohit Mathew <rohit.mathew@arm.com>
Change-Id: Iff0c2e1f8c0ebd25c4bb0b09bfe15dd4fbe20561

show more ...

fix(cpufeat): remove unused FEAT_NV feature functions

The FEAT_NV feature functions were introduced in a8d5d3d54
but never used. This patch cleans up this dead code.

Signed-off-by: Arvind Ram Praka

fix(cpufeat): remove unused FEAT_NV feature functions

The FEAT_NV feature functions were introduced in a8d5d3d54
but never used. This patch cleans up this dead code.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I05fae1bd187782e5de6074a7b265fcdd4b473a68

show more ...