Merge pull request #678 from soby-mathew/sm/PSCI_AArch32

Introduce AArch32 support for PSCI library

AArch32: Add support in TF libraries

This patch adds AArch32 support to cpu ops, context management,
per-cpu data and spinlock libraries. The `entrypoint_info`
structure is modified to add support f

AArch32: Add support in TF libraries

This patch adds AArch32 support to cpu ops, context management,
per-cpu data and spinlock libraries. The `entrypoint_info`
structure is modified to add support for AArch32 register
arguments. The CPU operations for AEM generic cpu in AArch32
mode is also added.

Change-Id: I1e52e79f498661d8f31f1e7b3a29e222bc7a4483

show more ...

Merge pull request #667 from soby-mathew/sm/PSCI_lib

Introduce PSCI library

Rework type usage in Trusted Firmware

This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as

Rework type usage in Trusted Firmware

This patch reworks type usage in generic code, drivers and ARM platform files
to make it more portable. The major changes done with respect to
type usage are as listed below:

* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on
whether AArch64 or AArch32.
* Use generic C types where-ever possible.

In addition to the above changes, this patch also modifies format specifiers
in print invocations so that they are AArch64/AArch32 agnostic. Only files
related to upcoming feature development have been reworked.

Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8

show more ...

Merge pull request #662 from sandrine-bailleux-arm/sb/rodata-xn

Map read-only data as execute-never

Introduce SEPARATE_CODE_AND_RODATA build flag

At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sectio

Introduce SEPARATE_CODE_AND_RODATA build flag

At the moment, all BL images share a similar memory layout: they start
with their code section, followed by their read-only data section.
The two sections are contiguous in memory. Therefore, the end of the
code section and the beginning of the read-only data one might share
a memory page. This forces both to be mapped with the same memory
attributes. As the code needs to be executable, this means that the
read-only data stored on the same memory page as the code are
executable as well. This could potentially be exploited as part of
a security attack.

This patch introduces a new build flag called
SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data
on separate memory pages. This in turn allows independent control of
the access permissions for the code and read-only data.

This has an impact on memory footprint, as padding bytes need to be
introduced between the code and read-only data to ensure the
segragation of the two. To limit the memory cost, the memory layout
of the read-only section has been changed in this case.

- When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e.
the read-only section still looks like this (padding omitted):

| ... |
+-------------------+
| Exception vectors |
+-------------------+
| Read-only data |
+-------------------+
| Code |
+-------------------+ BLx_BASE

In this case, the linker script provides the limits of the whole
read-only section.

- When SEPARATE_CODE_AND_RODATA=1, the exception vectors and
read-only data are swapped, such that the code and exception
vectors are contiguous, followed by the read-only data. This
gives the following new layout (padding omitted):

| ... |
+-------------------+
| Read-only data |
+-------------------+
| Exception vectors |
+-------------------+
| Code |
+-------------------+ BLx_BASE

In this case, the linker script now exports 2 sets of addresses
instead: the limits of the code and the limits of the read-only
data. Refer to the Firmware Design guide for more details. This
provides platform code with a finer-grained view of the image
layout and allows it to map these 2 regions with the appropriate
access permissions.

Note that SEPARATE_CODE_AND_RODATA applies to all BL images.

Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49

show more ...

Introduce utils.h header file

This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, archit

Introduce utils.h header file

This patch introduces a new header file: include/lib/utils.h.
Its purpose is to provide generic macros and helper functions that
are independent of any BL image, architecture, platform and even
not specific to Trusted Firmware.

For now, it contains only 2 macros: ARRAY_SIZE() and
IS_POWER_OF_TWO(). These were previously defined in bl_common.h and
xlat_tables.c respectively.

bl_common.h includes utils.h to retain compatibility for platforms
that relied on bl_common.h for the ARRAY_SIZE() macro. Upstream
platform ports that use this macro have been updated to include
utils.h.

Change-Id: I960450f54134f25d1710bfbdc4184f12c049a9a9

show more ...

Merge pull request #533 from yatharth-arm/yk/genfw-1292

Fix the inconsistencies in bl1_tbbr_image_descs[]

Fix the inconsistencies in bl1_tbbr_image_descs[]

This patch fixes inconsistencies in bl1_tbbr_image_descs[]
and miscellaneous fixes in Firmware Update code.

Following are the changes:
* As part of

Fix the inconsistencies in bl1_tbbr_image_descs[]

This patch fixes inconsistencies in bl1_tbbr_image_descs[]
and miscellaneous fixes in Firmware Update code.

Following are the changes:
* As part of the original FWU changes, a `copied_size`
field was added to `image_info_t`. This was a subtle binary
compatibility break because it changed the size of the
`bl31_params_t` struct, which could cause problems if
somebody used different versions of BL2 or BL31, one with
the old `image_info_t` and one with the new version.
This patch put the `copied_size` within the `image_desc_t`.
* EXECUTABLE flag is now stored in `ep_info.h.attr` in place
of `image_info.h.attr`, associating it to an entrypoint.
* The `image_info.image_base` is only relevant for secure
images that are copied from non-secure memory into secure
memory. This patch removes initializing `image_base` for
non secure images in the bl1_tbbr_image_descs[].
* A new macro `SET_STATIC_PARAM_HEAD` is added for populating
bl1_tbbr_image_descs[].ep_info/image_info.h members statically.
The version, image_type and image attributes are now
populated using this new macro.
* Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct
usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c.
* Refactoring of code/macros related to SECURE and EXECUTABLE flags.

NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t`
OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr`
OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE
BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY.

Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d

show more ...

Merge pull request #483 from soby-mathew/sm/rm_struct_padding

Rearrange fields in TF data structures to reduce padding

Rearrange fields in TF data structures to reduce padding

This patch rearranges fields of the `image_desc_t` & `auth_img_desc_t`
data structures to reduce padding between the fields and thereby
save

Rearrange fields in TF data structures to reduce padding

This patch rearranges fields of the `image_desc_t` & `auth_img_desc_t`
data structures to reduce padding between the fields and thereby
save memory.

NOTE: Platform ports which anonymously initialize these structures
should be aware of the rearrangement and do the required
modification.

Change-Id: I428b5429632797b31d5bd306174599c07e24c060

show more ...

Merge pull request #467 from jcastillo-arm/jc/tbb_oid

Apply new image terminology

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.c

Remove dashes from image names: 'BL3-x' --> 'BL3x'

This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

https://github.com/ARM-software/arm-trusted-firmware/wiki

Changes apply to output messages, comments and documentation.

non-ARM platform files have been left unmodified.

Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76

show more ...

Merge pull request #453 from yatharth-arm/yk/fwu-6

Firmware Update patch stack

FWU: Add Generic BL2U FWU image support in BL2

The Firmware Update (FWU) feature needs support for an optional
secure world image, BL2U, to allow additional secure world
initialization required by F

FWU: Add Generic BL2U FWU image support in BL2

The Firmware Update (FWU) feature needs support for an optional
secure world image, BL2U, to allow additional secure world
initialization required by FWU, for example DDR initialization.

This patch adds generic framework support to create BL2U.

NOTE: A platform makefile must supply additional `BL2U_SOURCES`
to build the bl2u target. A subsequent patch adds bl2u
support for ARM platforms.

Change-Id: If2ce036199bb40b39b7f91a9332106bcd4e25413

show more ...

FWU: Add Generic Firmware Update framework support in BL1

Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific

FWU: Add Generic Firmware Update framework support in BL1

Firmware update(a.k.a FWU) feature is part of the TBB architecture.
BL1 is responsible for carrying out the FWU process if platform
specific code detects that it is needed.

This patch adds support for FWU feature support in BL1 which is
included by enabling `TRUSTED_BOARD_BOOT` compile time flag.

This patch adds bl1_fwu.c which contains all the core operations
of FWU, which are; SMC handler, image copy, authentication, execution
and resumption. It also adds bl1.h introducing #defines for all
BL1 SMCs.

Following platform porting functions are introduced:

int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size,
unsigned int flags);
This function can be used to add platform specific memory checks
for the provided base/size for the given security state.
The weak definition will invoke `assert()` and return -ENOMEM.

__dead2 void bl1_plat_fwu_done(void *cookie, void *reserved);
This function can be used to initiate platform specific procedure
to mark completion of the FWU process.
The weak definition waits forever calling `wfi()`.

plat_bl1_common.c contains weak definitions for above functions.

FWU process starts when platform detects it and return the image_id
other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in
`bl1_main()`.

NOTE: User MUST provide platform specific real definition for
bl1_plat_mem_check() in order to use it for Firmware update.

Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed

show more ...

Add descriptor based image management support in BL1

As of now BL1 loads and execute BL2 based on hard coded information
provided in BL1. But due to addition of support for upcoming Firmware
Update

Add descriptor based image management support in BL1

As of now BL1 loads and execute BL2 based on hard coded information
provided in BL1. But due to addition of support for upcoming Firmware
Update feature, BL1 now require more flexible approach to load and
run different images using information provided by the platform.

This patch adds new mechanism to load and execute images based on
platform provided image id's. BL1 now queries the platform to fetch
the image id of the next image to be loaded and executed. In order
to achieve this, a new struct image_desc_t was added which holds the
information about images, such as: ep_info and image_info.

This patch introduces following platform porting functions:

unsigned int bl1_plat_get_next_image_id(void);
This is used to identify the next image to be loaded
and executed by BL1.

struct image_desc *bl1_plat_get_image_desc(unsigned int image_id);
This is used to retrieve the image_desc for given image_id.

void bl1_plat_set_ep_info(unsigned int image_id,
struct entry_point_info *ep_info);
This function allows platforms to update ep_info for given
image_id.

The plat_bl1_common.c file provides default weak implementations of
all above functions, the `bl1_plat_get_image_desc()` always return
BL2 image descriptor, the `bl1_plat_get_next_image_id()` always return
BL2 image ID and `bl1_plat_set_ep_info()` is empty and just returns.
These functions gets compiled into all BL1 platforms by default.

Platform setup in BL1, using `bl1_platform_setup()`, is now done
_after_ the initialization of authentication module. This change
provides the opportunity to use authentication while doing the
platform setup in BL1.

In order to store secure/non-secure context, BL31 uses percpu_data[]
to store context pointer for each core. In case of BL1 only the
primary CPU will be active hence percpu_data[] is not required to
store the context pointer.

This patch introduce bl1_cpu_context[] and bl1_cpu_context_ptr[] to
store the context and context pointers respectively. It also also
re-defines cm_get_context() and cm_set_context() for BL1 in
bl1/bl1_context_mgmt.c.

BL1 now follows the BL31 pattern of using SP_EL0 for the C runtime
environment, to support resuming execution from a previously saved
context.

NOTE: THE `bl1_plat_set_bl2_ep_info()` PLATFORM PORTING FUNCTION IS
NO LONGER CALLED BY BL1 COMMON CODE. PLATFORMS THAT OVERRIDE
THIS FUNCTION MAY NEED TO IMPLEMENT `bl1_plat_set_ep_info()`
INSTEAD TO MAINTAIN EXISTING BEHAVIOUR.

Change-Id: Ieee4c124b951c2e9bc1c1013fa2073221195d881

show more ...

Move context management code to common location

The upcoming Firmware Update feature needs transitioning across
Secure/Normal worlds to complete the FWU process and hence requires
context management

Move context management code to common location

The upcoming Firmware Update feature needs transitioning across
Secure/Normal worlds to complete the FWU process and hence requires
context management code to perform this task.

Currently context management code is part of BL31 stage only.
This patch moves the code from (include)/bl31 to (include)/common.
Some function declarations/definitions and macros have also moved
to different files to help code sharing.

Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c

show more ...

Remove `RUN_IMAGE` usage as opcode passed to next EL.

The primary usage of `RUN_IMAGE` SMC function id, used by BL2 is to
make a request to BL1 to execute BL31. But BL2 also uses it as
opcode to che

Remove `RUN_IMAGE` usage as opcode passed to next EL.

The primary usage of `RUN_IMAGE` SMC function id, used by BL2 is to
make a request to BL1 to execute BL31. But BL2 also uses it as
opcode to check if it is allowed to execute which is not the
intended usage of `RUN_IMAGE` SMC.

This patch removes the usage of `RUN_IMAGE` as opcode passed to
next EL to check if it is allowed to execute.

Change-Id: I6aebe0415ade3f43401a4c8a323457f032673657

show more ...

Merge pull request #421 from sandrine-bailleux/sb/improve-display_boot_progress

Improve images transitions debugging messages

Introduce print_entry_point_info() function

This patch introduces a new function called 'print_entry_point_info'
that prints an entry_point_t structure for debugging purposes.
As such, it can be use

Introduce print_entry_point_info() function

This patch introduces a new function called 'print_entry_point_info'
that prints an entry_point_t structure for debugging purposes.
As such, it can be used to display the entry point address, SPSR and
arguments passed from a firmware image to the next one.

This function is now called in the following images transitions:
- BL1 to BL2
- BL1 to BL31
- BL31 to the next image (typically BL32 or BL33)

The following changes have been introduced:

- Fix the output format of the SPSR value : SPSR is a 32-bit value,
not a 64-bit one.

- Print all arguments values.
The entry_point_info_t structure allows to pass up to 8 arguments.
In most cases, only the first 2 arguments were printed.
print_entry_point_info() now prints all of them as 'VERBOSE'
traces.

Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a

show more ...

Merge pull request #414 from jcastillo-arm/jc/io_ret_values

Use standard error code definitions

Use standard errno definitions in load_auth_image()

This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The

Use standard errno definitions in load_auth_image()

This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.

It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.

Change-Id: I1228477346d3876151c05b470d9669c37fd231be

show more ...

Merge pull request #383 from vikramkanigiri/vk/tf-issues-314-v1

Ensure BL2 security state is secure

Ensure BL2 security state is secure

BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
run in secure world otherwise BL3-1/BL3-2 have to execute from
non-secure memory. Hence, This patc

Ensure BL2 security state is secure

BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to
run in secure world otherwise BL3-1/BL3-2 have to execute from
non-secure memory. Hence, This patch removes the change_security_state()
call in bl1_run_bl2() and replaces it with an assert to confirm
the BL2 as secure.

Fixes ARM-software/tf-issues#314

Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29

show more ...