feat(tsp): cascade boot arguments to platforms

Enable platforms to receive boot arguments passed to the TSP, allowing
them to make use of these parameters.

This is in preparation for supporting Fir

feat(tsp): cascade boot arguments to platforms

Enable platforms to receive boot arguments passed to the TSP, allowing
them to make use of these parameters.

This is in preparation for supporting Firmware Handoff within the TSP.

BREAKING CHANGE: The prototype for `tsp_early_platform_setup` has been
redefined. Platforms must update their implementations to match the new
function signature.

Change-Id: I4b5c6493bb62846aaa0d9e330d8aa06e6a0525a8
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

feat(measured-boot): add fw handoff event log utils

Add utilities for handling an event log from a transfer list. These
handle initialisation, and extension of an existing event log.

Change-Id: I42

feat(measured-boot): add fw handoff event log utils

Add utilities for handling an event log from a transfer list. These
handle initialisation, and extension of an existing event log.

Change-Id: I42d8b65a7fa82fa866d8ac258d9eeb58af730a96
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

feat(cpufeat): add support for FEAT_PAUTH_LR

This patch enables FEAT_PAUTH_LR at EL3 on systems that support it when
the new ENABLE_FEAT_PAUTH_LR flag is set.

Currently, PAUTH_LR is only supported

feat(cpufeat): add support for FEAT_PAUTH_LR

This patch enables FEAT_PAUTH_LR at EL3 on systems that support it when
the new ENABLE_FEAT_PAUTH_LR flag is set.

Currently, PAUTH_LR is only supported by arm clang compiler and not GCC.

Change-Id: I7db1e34b661ed95cad75850b62878ac5d98466ea
Signed-off-by: John Powell <john.powell@arm.com>

show more ...

refactor(cpus): optimize CVE checking

This patch replaces the use of EXTRA functions
with using erratum entries check
to verify CVE mitigation application for some of
the SMCCC_ARCH_WORKAROUND_* cal

refactor(cpus): optimize CVE checking

This patch replaces the use of EXTRA functions
with using erratum entries check
to verify CVE mitigation application for some of
the SMCCC_ARCH_WORKAROUND_* calls.

Previously, EXTRA functions were individually implemented for
each SMCCC_ARCH_WORKAROUND_*, an approach that becomes unmanageable
with the increasing number of workarounds.
By looking up erratum entries for CVE check, the process is streamlined,
reducing overhead associated with creating and
maintaining EXTRA functions for each new workaround.

New Errata entries are created for SMC workarounds and
that is used to target cpus that are uniquely impacted
by SMC workarounds.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I873534e367a35c99461d0a616ff7bf856a0000af

show more ...

refactor(cpus): move errata check to common code

This patch centralizes some of the Errata ABI code
that could be used for checking if an Errata has been applied
to cpu library since the function is

refactor(cpus): move errata check to common code

This patch centralizes some of the Errata ABI code
that could be used for checking if an Errata has been applied
to cpu library since the function is mostly generic.

Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
Change-Id: I2c6d4468f7125d4d99ccdebc5ea8f9e4390360cc

show more ...

revert(rambus-trng): remove ip-76 driver

The Rambus TRNG IP-76 driver was ported from Linux kernel (omap-rng.c),
which was initially licensed under GPL-2.0. In term of the license
violation, remove

revert(rambus-trng): remove ip-76 driver

The Rambus TRNG IP-76 driver was ported from Linux kernel (omap-rng.c),
which was initially licensed under GPL-2.0. In term of the license
violation, remove this driver and the related SMC call that originally
added by the following two commits:

commit 57660d9d7945 ("plat/marvell/armada/a8k: support HW RNG by SMC")
commit 6aa9f5d164e8 ("drivers/rambus: add TRNG-IP-76 driver")

Change-Id: Id8c99db2e51b49623b3b034106c989a46f690b60
Signed-off-by: Wilson Ding <dingwei@marvell.com>

show more ...

Merge changes I86959e67,I0b0d1d36,I5b5267f4,I056c8710,I3474aa97 into integration

* changes:
chore: fix preprocessor checks
refactor: convert arm platforms to use the generic GIC driver
refacto

Merge changes I86959e67,I0b0d1d36,I5b5267f4,I056c8710,I3474aa97 into integration

* changes:
chore: fix preprocessor checks
refactor: convert arm platforms to use the generic GIC driver
refactor(gic): promote most of the GIC driver to common code
refactor: make arm_gicv2.c and arm_gicv3.c common
refactor(fvp): use more arm generic code for gicv3

show more ...

Merge changes from topic "hm/evlog" into integration

* changes:
refactor(measured-boot): refine event log lib docs
refactor(fvp): explicitly handle event log errors
feat(measured-boot): make e

Merge changes from topic "hm/evlog" into integration

* changes:
refactor(measured-boot): refine event log lib docs
refactor(fvp): explicitly handle event log errors
feat(measured-boot): make event log lib standalone

show more ...

refactor(gic): promote most of the GIC driver to common code

More often than not, Arm based systems include some revision of a GIC.
There are two ways of adding support for them in platform code - c

refactor(gic): promote most of the GIC driver to common code

More often than not, Arm based systems include some revision of a GIC.
There are two ways of adding support for them in platform code - calling
the top-level helpers from plat/arm/common/arm_gicvX.c or by using the
driver directly. Both of these methods allow for a high degree of
customisation - most functions are defined to be weak and there are no
calls to any of them in generic code.

As it turns out, requirements around those GICs are largely the same.
Platforms that use arm_gicvX.c use the helpers identically among each
other. Platforms that use the driver directly tend to end up with calls
that look a lot like the arm_gicvX.c helpers and the weakness of the
functions are never exercised.

All of this results in a lot of code duplication to do what is
essentially the same thing. Even though it's not a lot of code, when
multiplied among many platforms it becomes significant and makes
refactoring it quite difficult. It's also bug prone since the steps are
a little convoluted and things are likely to work even with subtle
errors (see 50009f61177421118f42d6a000611ba0e613d54b).

So promote as much of the GIC to be called from common code. Do the
setup in bl31_main() and have every PSCI method do the state management
directly instead of delegating it to the platform hooks. We can base
this implementation on arm_gicvX.c since they already offer logical
names and have worked quite well so far with minimal changes.

The main benefit of doing this is reduced code duplication. If we assume
that, outside of some platform setup, GIC management is identical, then
a platform can add support by telling the build system, regardless of
GIC revision. The other benefit is performance - BL31 and PSCI already
know the core_pos and they can pass it as an argument instead of having
to call plat_my_core_pos(). Now, the only platform specific GIC actions
necessary are the saving and restoring of context on entering and
exiting a power domain. The PSCI library does not keep track of this so
it is unable perform it itself. The routines themselves are also
provided.

For compatibility all of this is hidden behind a build flag. Platforms
are encouraged to adopt this driver, but it would not be practical to
convert and validate every GIC based platform.

This patch renames the functions in question to follow the
gic_<function>() convention. This allows the names to be version
agnostic.

Finally, drop the weak definitions - they are unused, likely to remain
so, and can be added back if the need arises.

Change-Id: I5b5267f4b72f633fb1096400ec8e4b208694135f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving
refactor(cpufeat): convert FEAT_PAuth setup to C
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
chore(cpufeat): remove PAuth presence checks
feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

show more ...

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it's not compiled in. FEAT_PAuth is architected to be backwards
compatible - a subset of the branch guarding instructions (pacia/autia)
execute as NOPs when PAuth is not present. That subset is used with
`-mbranch-protection=standard` and -march pre-8.3. This patch adds the
necessary logic to also check accesses of the non-backward compatible
registers and allow a fully checked implementation.

Note that a checked support requires -march to be pre 8.3, as otherwise
the compiler will include branch protection instructions that are not
NOPs without PAuth (eg retaa) which cannot be checked.

Change-Id: Id942c20cae9d15d25b3d72b8161333642574ddaa
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "sm/rpkm" into integration

* changes:
docs(rmmd): document the EL3-RMM IDE KM Interface
feat(trp): test el3-rmm ide km interface
feat(rmmd): el3-rmm ide key management

Merge changes from topic "sm/rpkm" into integration

* changes:
docs(rmmd): document the EL3-RMM IDE KM Interface
feat(trp): test el3-rmm ide km interface
feat(rmmd): el3-rmm ide key management interface

show more ...

refactor(measured-boot): refine event log lib docs

Add comments for all exported functions and move these descriptions to
the header file. Moving the descriptions to the header file allows the
docum

refactor(measured-boot): refine event log lib docs

Add comments for all exported functions and move these descriptions to
the header file. Moving the descriptions to the header file allows the
documentation to be easily accessible to any code that includes the
header file, without having to look through the source file where the
function implementation is located.

Change-Id: I78ad777cb3de1707f9e9df59c721cd6370317c05
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

feat(measured-boot): make event log lib standalone

Remove dependencies on TF-A so the library can be conveniently exported
by other projets. The main changes are to remove explicit error
handling, a

feat(measured-boot): make event log lib standalone

Remove dependencies on TF-A so the library can be conveniently exported
by other projets. The main changes are to remove explicit error
handling, and ensure that functions instead return errno codes that
consumers can rely on instead. Some work has also been done to make the
function naming a little more consistent.

Change-Id: Ic182dfe7dd6f56a4b73e0da4c9051813938cfe44
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>

show more ...

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happ

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happening right after. Absorb it into prepare_el3_entry(),
handling the BL1/BL31 difference.

This is a good time to also move the key saving into the enable
function, also to centralise. With this it becomes apparent that saving
keys just before CPU_SUSPEND is redundant as they will be reinitialised
when the core wakes up.

Note that the key loading, now in save_gp_pmcr_pauth_regs, does not end
in an isb. The effects of the key change are not needed until the isb
in the caller, so this isb is not needed.

Change-Id: Idd286bea91140c106ab4c933c5c44b0bc2050ca2
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

refactor(cpufeat): convert FEAT_PAuth setup to C

An oversimplified view of FEAT_PAuth is that it's a symmetric encryption
of the LR. PAC instructions execute as NOPs until explicitly turned on.
So i

refactor(cpufeat): convert FEAT_PAuth setup to C

An oversimplified view of FEAT_PAuth is that it's a symmetric encryption
of the LR. PAC instructions execute as NOPs until explicitly turned on.
So in a function that turns PAuth on, the signing would have executed as
a NOP and the authentication will encrypt the address, leading to a
failure. That's why enablement is in assembly - we have full control of
when pointer authentications happen.

However, assembly is hard to read, is opaque to the compiler for
optimisations, and we need to call into C anyway for the platform hook
to get the key. So convert it to C. We can instruct the compiler to not
generate branch protection for the enable function only and as long as
the caller doesn't do branch protection (and all callers are entrypoints
written in assembly) everything will work.

Change-Id: I8917a26e1293033c910e3058664e3ca9207359b7
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION

Convert the old style is_armv8_3_pauth_present() to the new style
is_feat_pauth_{present, supported}() helpers and hook FEATURE_DETECTION

refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION

Convert the old style is_armv8_3_pauth_present() to the new style
is_feat_pauth_{present, supported}() helpers and hook FEATURE_DETECTION
into it. This is in preparation for converting FEAT_PAuth to FEAT_STATE.

Change-Id: Iec8c3477fafb2cdae67d39ae4da2cca76a67511a
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "hm/handoff-aarch32" into integration

* changes:
feat(fvp): support AArch32 booting with handoff
feat(arm): support AArch32 booting with handoff

Merge "feat(psci): remove cpu context init by index" into integration

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT o

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT out of the PAuth enablement and place it in the respective
entrypoints where we initialise SCTLR_EL3. This makes PAuth
self-contained and SCTLR_EL3 initialisation centralised.

Change-Id: I0c0657ff1e78a9652cd2cf1603478283dc01f17b
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(mmc): fix the length of the response type

All MMC_RSP_* macros use BIT macro, which generates uint64_t types,
while the 'resp_type' member in 'struct mmc_cmd' is of type unsigned
int. Therefore,

fix(mmc): fix the length of the response type

All MMC_RSP_* macros use BIT macro, which generates uint64_t types,
while the 'resp_type' member in 'struct mmc_cmd' is of type unsigned
int. Therefore, the BIT_32 macro should be used instead.
Additionally, the JEDEC restricts the length of the Request/Response
Type to two bytes (16 bits).

Change-Id: I1d50f830786bcf9b9ed5c343217175cdeb03b243
Signed-off-by: Ghennadi Procopciuc <ghennadi.procopciuc@nxp.com>

show more ...

fix(mmc): fix the length of the ocr defines

All OCR_* macros use the BIT and GENMASK macros, which generate uint64_t
types. However, the 'ocr_voltage' member in 'struct mmc_device_info' is
of type u

fix(mmc): fix the length of the ocr defines

All OCR_* macros use the BIT and GENMASK macros, which generate uint64_t
types. However, the 'ocr_voltage' member in 'struct mmc_device_info' is
of type unsigned int. Therefore, the BIT_32 and GENMASK_32 macros should
be used instead. Additionally, JEDEC specifies that the length of the
OCR register is 32 bits.

Change-Id: I56eb1e60c7d514038b647bce498d0c10929d6b8d
Signed-off-by: Ghennadi Procopciuc <ghennadi.procopciuc@nxp.com>

show more ...

Merge "perf(libc): use builtin implementations where possible" into integration

feat(psci): remove cpu context init by index

Currently, the calling core (meaning the core which received the call to
CPU_ON or the powerdown path of CPU_SUSPEND on the same core) is in
charge of in

feat(psci): remove cpu context init by index

Currently, the calling core (meaning the core which received the call to
CPU_ON or the powerdown path of CPU_SUSPEND on the same core) is in
charge of initialising the context for the waking core (the warmboot
entrypoint for both). This is convenient because the calling core can
write the context while in coherency and the waking core will only need
the context after its entered coherency. This avoids any cache
maintenance and makes communication simple.

However, this has 3 main problems:
a) asymmetric feature support is problematic - the calling core has no
way of knowing the feature set of the waking core. If the two
diverge, the architectural feature discovery via ID registers breaks
down. We've thus far "fixed" this on a case by case basis which
doesn't scale and introduces redundancy.

b) powerdown abandon (pabandon) introduces a contradiction - the calling
core has to initialise the context for when the core wakes up, but
should the core not powerdown it needs its old context intact. The only
way to work around this is by keeping two copies of context which
incurs a runtime and memory overhead.

c) cm_prepare_el3_exit[_ns]() doesn't have access to the entrypoint but needs
it to make initialisation decisions. We can infer some of this from
registers that have already been written but this is awkwardly
limiting for what we can do. This also necessitates the split from
the context initialisation.

We can solve all three by a making a core be in full ownership of its
own context. The calling core then only writes entrypoint information
and nothing else. The waking core then initialises its own context as it
sees fit with full knowledge of the whole picture.

The only tricky bit is cache coherency - the waking core has to be able
to coherently observe its new entrypoint. Calling cores will write to
the shared region with coherent caches on. If we make sure to read the
context only after the waking core has entered coherency, then we can
avoid cache operations and let hardware handle everything.

We can skip the spsr check for FEAT_TCR2 as it doesn't make a
difference. We can also skip enabling it twice from generic code.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I86e7fe8b698191fc3b469e5ced1fd010f8754b0e

show more ...

feat(trp): test el3-rmm ide km interface

This patch introduces test functions to the Test Realm Payload (TRP)
for performing basic sanity checks on the RMM-EL3 IDE KM support added
to EL3.

The prim

feat(trp): test el3-rmm ide km interface

This patch introduces test functions to the Test Realm Payload (TRP)
for performing basic sanity checks on the RMM-EL3 IDE KM support added
to EL3.

The primary goal of this patch is to only to verify the basic
functionality and ensure the implemented functions return the
correct return values.

The test uses random values for the ecam address, rootport ID,
IDE stream info, keys, and IV values.

Change-Id: Icf47627da9a6a7dd0d6e40e20ac94cc977072177
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>

show more ...