TBB: add Trusted Watchdog support on ARM platforms

This patch adds watchdog support on ARM platforms (FVP and Juno).
A secure instance of SP805 is used as Trusted Watchdog. It is
entirely managed in

TBB: add Trusted Watchdog support on ARM platforms

This patch adds watchdog support on ARM platforms (FVP and Juno).
A secure instance of SP805 is used as Trusted Watchdog. It is
entirely managed in BL1, being enabled in the early platform setup
hook and disabled in the exit hook. By default, the watchdog is
enabled in every build (even when TBB is disabled).

A new ARM platform specific build option `ARM_DISABLE_TRUSTED_WDOG`
has been introduced to allow the user to disable the watchdog at
build time. This feature may be used for testing or debugging
purposes.

Specific error handlers for Juno and FVP are also provided in this
patch. These handlers will be called after an image load or
authentication error. On FVP, the Table of Contents (ToC) in the FIP
is erased. On Juno, the corresponding error code is stored in the
V2M Non-Volatile flags register. In both cases, the CPU spins until
a watchdog reset is generated after 256 seconds (as specified in
the TBBR document).

Change-Id: I9ca11dcb0fe15af5dbc5407ab3cf05add962f4b4

show more ...

TBB: add ARM OIDs

This patch adds ARM specific OIDs which will be used to extract
the extension data from the certificates. These OIDs are arranged
as a subtree whose root node has been specifically

TBB: add ARM OIDs

This patch adds ARM specific OIDs which will be used to extract
the extension data from the certificates. These OIDs are arranged
as a subtree whose root node has been specifically allocated for
ARM Ltd.

{ iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 4128 }

Change-Id: Ice20b3c8a31ddefe9102f3bd42f7429986f3ac34

show more ...

Add basic NOR flash driver for ARM platforms

FVP and Juno platforms include a NOR flash memory to store and
load the FIP, the kernel or a ramdisk. This NOR flash is arranged
as 2 x 16 bit flash devi

Add basic NOR flash driver for ARM platforms

FVP and Juno platforms include a NOR flash memory to store and
load the FIP, the kernel or a ramdisk. This NOR flash is arranged
as 2 x 16 bit flash devices and can be programmed using CFI
standard commands.

This patch provides a basic API to write single 32 bit words of
data into the NOR flash. Functions to lock/unlock blocks against
erase or write operations are also provided.

Change-Id: I1da7ad3105b1ea409c976adc863954787cbd90d2

show more ...

CSS: Enable booting of EL3 payloads

This patch adds support for booting EL3 payloads on CSS platforms,
for example Juno. In this scenario, the Trusted Firmware follows
its normal boot flow up to the

CSS: Enable booting of EL3 payloads

This patch adds support for booting EL3 payloads on CSS platforms,
for example Juno. In this scenario, the Trusted Firmware follows
its normal boot flow up to the point where it would normally pass
control to the BL31 image. At this point, it jumps to the EL3
payload entry point address instead.

Before handing over to the EL3 payload, the data SCP writes for AP
at the beginning of the Trusted SRAM is restored, i.e. we zero the
first 128 bytes and restore the SCP Boot configuration. The latter
is saved before transferring the BL30 image to SCP and is restored
just after the transfer (in BL2). The goal is to make it appear that
the EL3 payload is the first piece of software to run on the target.

The BL31 entrypoint info structure is updated to make the primary
CPU jump to the EL3 payload instead of the BL31 image.

The mailbox is populated with the EL3 payload entrypoint address,
which releases the secondary CPUs out of their holding pen (if the
SCP has powered them on). The arm_program_trusted_mailbox() function
has been exported for this purpose.

The TZC-400 configuration in BL2 is simplified: it grants secure
access only to the whole DRAM. Other security initialization is
unchanged.

This alternative boot flow is disabled by default. A new build option
EL3_PAYLOAD_BASE has been introduced to enable it and provide the EL3
payload's entry point address. The build system has been modified
such that BL31 and BL33 are not compiled and/or not put in the FIP in
this case, as those images are not used in this boot flow.

Change-Id: Id2e26fa57988bbc32323a0effd022ab42f5b5077

show more ...

Merge pull request #418 from soby-mathew/sm/sys_suspend

Support SYSTEM SUSPEND on Juno

Include xlat_tables.h in plat_arm.h

This patch fixes a compilation issue for platforms that are aligned to ARM
Standard platforms and include the `plat_arm.h` header in their platform port.
The comp

Include xlat_tables.h in plat_arm.h

This patch fixes a compilation issue for platforms that are aligned to ARM
Standard platforms and include the `plat_arm.h` header in their platform port.
The compilation would fail for such a platform because `xlat_tables.h` which
has the definition for `mmap_region_t` is not included in `plat_arm.h`. This
patch fixes this by including `xlat_tables.h` in `plat_arm.h` header.

Fixes ARM-Software/tf-issues#318

Change-Id: I75f990cfb4078b3996fc353c8cd37c9de61d555e

show more ...

Support PSCI SYSTEM SUSPEND on Juno

This patch adds the capability to power down at system power domain level
on Juno via the PSCI SYSTEM SUSPEND API. The CSS power management helpers
are modified t

Support PSCI SYSTEM SUSPEND on Juno

This patch adds the capability to power down at system power domain level
on Juno via the PSCI SYSTEM SUSPEND API. The CSS power management helpers
are modified to add support for power management operations at system
power domain level. A new helper for populating `get_sys_suspend_power_state`
handler in plat_psci_ops is defined. On entering the system suspend state,
the SCP powers down the SYSTOP power domain on the SoC and puts the memory
into retention mode. On wakeup from the power down, the system components
on the CSS will be reinitialized by the platform layer and the PSCI client
is responsible for restoring the context of these system components.

According to PSCI Specification, interrupts targeted to cores in PSCI CPU
SUSPEND should be able to resume it. On Juno, when the system power domain
is suspended, the GIC is also powered down. The SCP resumes the final core
to be suspend when an external wake-up event is received. But the other
cores cannot be woken up by a targeted interrupt, because GIC doesn't
forward these interrupts to the SCP. Due to this hardware limitation,
we down-grade PSCI CPU SUSPEND requests targeted to the system power domain
level to cluster power domain level in `juno_validate_power_state()`
and the CSS default `plat_arm_psci_ops` is overridden in juno_pm.c.

A system power domain resume helper `arm_system_pwr_domain_resume()` is
defined for ARM standard platforms which resumes/re-initializes the
system components on wakeup from system suspend. The security setup also
needs to be done on resume from system suspend, which means
`plat_arm_security_setup()` must now be included in the BL3-1 image in
addition to previous BL images if system suspend need to be supported.

Change-Id: Ie293f75f09bad24223af47ab6c6e1268f77bcc47

show more ...

CSS: Implement topology support for System power domain

This patch implements the necessary topology changes for supporting
system power domain on CSS platforms. The definition of PLAT_MAX_PWR_LVL a

CSS: Implement topology support for System power domain

This patch implements the necessary topology changes for supporting
system power domain on CSS platforms. The definition of PLAT_MAX_PWR_LVL and
PLAT_NUM_PWR_DOMAINS macros are removed from arm_def.h and are made platform
specific. In addition, the `arm_power_domain_tree_desc[]` and
`arm_pm_idle_states[]` are modified to support the system power domain
at level 2. With this patch, even though the power management operations
involving the system power domain will not return any error, the platform
layer will silently ignore any operations to the power domain. The actual
power management support for the system power domain will be added later.

Change-Id: I791867eded5156754fe898f9cdc6bba361e5a379

show more ...

Reorganise PSCI PM handler setup on ARM Standard platforms

This patch does the following reorganization to psci power management (PM)
handler setup for ARM standard platform ports :

1. The mailbox

Reorganise PSCI PM handler setup on ARM Standard platforms

This patch does the following reorganization to psci power management (PM)
handler setup for ARM standard platform ports :

1. The mailbox programming required during `plat_setup_psci_ops()` is identical
for all ARM platforms. Hence the implementation of this API is now moved
to the common `arm_pm.c` file. Each ARM platform now must define the
PLAT_ARM_TRUSTED_MAILBOX_BASE macro, which in current platforms is the same
as ARM_SHARED_RAM_BASE.

2. The PSCI PM handler callback structure, `plat_psci_ops`, must now be
exported via `plat_arm_psci_pm_ops`. This allows the common implementation
of `plat_setup_psci_ops()` to return a platform specific `plat_psci_ops`.
In the case of CSS platforms, a default weak implementation of the same is
provided in `css_pm.c` which can be overridden by each CSS platform.

3. For CSS platforms, the PSCI PM handlers defined in `css_pm.c` are now
made library functions and a new header file `css_pm.h` is added to export
these generic PM handlers. This allows the platform to reuse the
adequate CSS PM handlers and redefine others which need to be customized
when overriding the default `plat_arm_psci_pm_ops` in `css_pm.c`.

Change-Id: I277910f609e023ee5d5ff0129a80ecfce4356ede

show more ...

Merge pull request #390 from vikramkanigiri/at/unify_bakery_locks_v2

Re-design bakery lock allocation and algorithm

Update ARM platform ports to use new bakery lock apis.

This patch updates ARM platform ports to use the new unified bakery locks
API. The caller does not have to use a different bakery lock API depe

Update ARM platform ports to use new bakery lock apis.

This patch updates ARM platform ports to use the new unified bakery locks
API. The caller does not have to use a different bakery lock API depending upon
the value of the USE_COHERENT_MEM build option.

NOTE: THIS PATCH CAN BE USED AS A REFERENCE TO UPDATE OTHER PLATFORM PORTS.

Change-Id: I1b26afc7c9a9808a6040eb22f603d30192251da7

show more ...

Define the Non-Secure timer frame ID for ARM platforms

On Juno and FVP platforms, the Non-Secure System timer corresponds
to frame 1. However, this is a platform-specific decision and it
shouldn't b

Define the Non-Secure timer frame ID for ARM platforms

On Juno and FVP platforms, the Non-Secure System timer corresponds
to frame 1. However, this is a platform-specific decision and it
shouldn't be hard-coded. Hence, this patch introduces
PLAT_ARM_NSTIMER_FRAME_ID which should be used by all ARM platforms
to specify the correct non-secure timer frame.

Change-Id: I6c3a905d7d89200a2f58c20ce5d1e1d166832bba

show more ...

Re-factor definition of TZC-400 base address

This patch replaces the `ARM_TZC_BASE` constant with `PLAT_ARM_TZC_BASE` to
support different TrustZone Controller base addresses across ARM platforms.

Re-factor definition of TZC-400 base address

This patch replaces the `ARM_TZC_BASE` constant with `PLAT_ARM_TZC_BASE` to
support different TrustZone Controller base addresses across ARM platforms.

Change-Id: Ie4e1c7600fd7a5875323c7cc35e067de0c6ef6dd

show more ...

Configure all secure interrupts on ARM platforms

ARM TF configures all interrupts as non-secure except those which
are present in irq_sec_array. This patch updates the irq_sec_array
with the missing

Configure all secure interrupts on ARM platforms

ARM TF configures all interrupts as non-secure except those which
are present in irq_sec_array. This patch updates the irq_sec_array
with the missing secure interrupts for ARM platforms.

It also updates the documentation to be inline with the latest
implementation.

Fixes ARM-software/tf-issues#312

Change-Id: I39956c56a319086e3929d1fa89030b4ec4b01fcc

show more ...

Merge pull request #362 from jcastillo-arm/jc/inline

Fix build error with optimizations disabled (-O0)

PSCI: Validate non secure entrypoint on ARM platforms

This patch implements the platform power managment handler to verify
non secure entrypoint for ARM platforms. The handler ensures that the
entry

PSCI: Validate non secure entrypoint on ARM platforms

This patch implements the platform power managment handler to verify
non secure entrypoint for ARM platforms. The handler ensures that the
entry point specified by the normal world during CPU_SUSPEND, CPU_ON
or SYSTEM_SUSPEND PSCI API is a valid address within the non secure
DRAM.

Change-Id: I4795452df99f67a24682b22f0e0967175c1de429

show more ...

PSCI: Use a single mailbox for warm reset for FVP and Juno

Since there is a unique warm reset entry point, the FVP and Juno
port can use a single mailbox instead of maintaining one per core.
The mai

PSCI: Use a single mailbox for warm reset for FVP and Juno

Since there is a unique warm reset entry point, the FVP and Juno
port can use a single mailbox instead of maintaining one per core.
The mailbox gets programmed only once when plat_setup_psci_ops()
is invoked during PSCI initialization. This means mailbox is not
zeroed out during wakeup.

Change-Id: Ieba032a90b43650f970f197340ebb0ce5548d432

show more ...

PSCI: Demonstrate support for composite power states

This patch adds support to the Juno and FVP ports for composite power states
with both the original and extended state-id power-state formats. Bo

PSCI: Demonstrate support for composite power states

This patch adds support to the Juno and FVP ports for composite power states
with both the original and extended state-id power-state formats. Both the
platform ports use the recommended state-id encoding as specified in
Section 6.5 of the PSCI specification (ARM DEN 0022C). The platform build flag
ARM_RECOM_STATE_ID_ENC is used to include this support.

By default, to maintain backwards compatibility, the original power state
parameter format is used and the state-id field is expected to be zero.

Change-Id: Ie721b961957eaecaca5bf417a30952fe0627ef10

show more ...

PSCI: Migrate ARM reference platforms to new platform API

This patch migrates ARM reference platforms, Juno and FVP, to the new platform
API mandated by the new PSCI power domain topology and compos

PSCI: Migrate ARM reference platforms to new platform API

This patch migrates ARM reference platforms, Juno and FVP, to the new platform
API mandated by the new PSCI power domain topology and composite power state
frameworks. The platform specific makefiles now exports the build flag
ENABLE_PLAT_COMPAT=0 to disable the platform compatibility layer.

Change-Id: I3040ed7cce446fc66facaee9c67cb54a8cd7ca29

show more ...

Fix build error with optimizations disabled (-O0)

If Trusted Firmware is built with optimizations disabled (-O0), the
linker throws the following error:

undefined reference to 'xxx'

Where 'xxx

Fix build error with optimizations disabled (-O0)

If Trusted Firmware is built with optimizations disabled (-O0), the
linker throws the following error:

undefined reference to 'xxx'

Where 'xxx' is a raw inline function defined in a header file. The
reason is that, with optimizations disabled, GCC may decide to skip
the inlining. If that is the case, an external definition to the
compilation unit must be provided. Because no external definition
is present, the linker throws the error.

This patch fixes the problem by declaring the following inline
functions static, so the internal definition is used:

inline void soc_css_security_setup(void)
inline const arm_config_t *get_arm_config(void)

Change-Id: Id650d6be1b1396bdb48af1ac8a4c7900d212e95f

show more ...

Use uintptr_t as base address type in ARM driver APIs

This patch changes the type of the base address parameter in the
ARM device driver APIs to uintptr_t (GIC, CCI, TZC400, PL011). The
uintptr_t ty

Use uintptr_t as base address type in ARM driver APIs

This patch changes the type of the base address parameter in the
ARM device driver APIs to uintptr_t (GIC, CCI, TZC400, PL011). The
uintptr_t type allows coverage of the whole memory space and to
perform arithmetic operations on the addresses. ARM platform code
has also been updated to use uintptr_t as GIC base address in the
configuration.

Fixes ARM-software/tf-issues#214

Change-Id: I1b87daedadcc8b63e8f113477979675e07d788f1

show more ...

TBB: switch to the new authentication framework

This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto

TBB: switch to the new authentication framework

This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the cryto module and the image parser module to
authenticate the images in the Chain of Trust.

A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.

The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.

The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.

On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.

REMOVED BUILD OPTIONS:

* 'AUTH_MOD'

Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867

show more ...

TBB: add TBBR Chain of Trust

This patch adds a CoT based on the Trusted Board Boot Requirements
document*. The CoT consists of an array of authentication image
descriptors indexed by the image ident

TBB: add TBBR Chain of Trust

This patch adds a CoT based on the Trusted Board Boot Requirements
document*. The CoT consists of an array of authentication image
descriptors indexed by the image identifiers.

A new header file with TBBR image identifiers has been added.
Platforms that use the TBBR (i.e. ARM platforms) may reuse these
definitions as part of their platform porting.

PLATFORM PORT - IMPORTANT:

Default image IDs have been removed from the platform common
definitions file (common_def.h). As a consequence, platforms that
used those common definitons must now either include the IDs
provided by the TBBR header file or define their own IDs.

*The NVCounter authentication method has not been implemented yet.

Change-Id: I7c4d591863ef53bb0cd4ce6c52a60b06fa0102d5

show more ...

TBB: add platform API to read the ROTPK information

This patch extends the platform port by adding an API that returns
either the Root of Trust public key (ROTPK) or its hash. This is
usually stored

TBB: add platform API to read the ROTPK information

This patch extends the platform port by adding an API that returns
either the Root of Trust public key (ROTPK) or its hash. This is
usually stored in ROM or eFUSE memory. The ROTPK returned must be
encoded in DER format according to the following ASN.1 structure:

SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}

In case the platform returns a hash of the key:

DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
keyDigest OCTET STRING
}

An implementation for ARM development platforms is provided in this
patch. When TBB is enabled, the ROTPK hash location must be specified
using the build option 'ARM_ROTPK_LOCATION'. Available options are:

- 'regs' : return the ROTPK hash stored in the Trusted
root-key storage registers.

- 'devel_rsa' : return a ROTPK hash embedded in the BL1 and
BL2 binaries. This hash has been obtained from the development
RSA public key located in 'plat/arm/board/common/rotpk'.

On FVP, the number of MMU tables has been increased to map and
access the ROTPK registers.

A new file 'board_common.mk' has been added to improve code sharing
in the ARM develelopment platforms.

Change-Id: Ib25862e5507d1438da10773e62bd338da8f360bf

show more ...

Use numbers to identify images instead of names

The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in t

Use numbers to identify images instead of names

The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.

This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.

As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.

A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.

Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.

The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.

IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.

Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5

show more ...