| c81b9cb9 | 04-Jul-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
fix(cm): remove unused macro
It is never referenced.
Change-Id: I538b1f3d8660426faf5bafa68ecda2d637b0bc50 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com> |
| a1032beb | 20-Aug-2025 |
John Powell <john.powell@arm.com> |
feat(cpufeat): enable FEAT_CPA2 for EL3
FEAT_CPA2 enables checked pointer arithmetic, which in the event of an arithmetic overflow in pointer generation will result in a non-canonical pointer being generated and subsequent address fault.
Note that FEAT_CPA is a trivial implementation that exists in some hardware purely so it can run CPA2-enabled instructions without crashing but they don't actually have checked arithmetic, so FEAT_CPA is not explicitly enabled in TF-A.
Change-Id: I6d2ca7a7e4b986bb9e917aa8baf8091a271c168b Signed-off-by: John Powell <john.powell@arm.com>
|
| 4779becd | 06-Aug-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(el3-runtime): streamline cpu_data assembly offsets using the cpu_ops template
The cpu_data structure, just like cpu_ops, is a collection of disparate data that must be accessible from both C and assembly. Achieving this is tricky as there is no way to export structure offsets from C directly so they must be manually recreated with `#define`s and asserts. However, the cpu_data structure is quite old and the assembly offsets are a patchwork of additions and extremely difficult to reason with and modify. In fact, certain currently unused builds with ENABLE_RUNTIME_INSTRUMENTATION=1 fail to build.
To untangle this, convert the assembly offsets to the pattern used for the cpu_ops structure. That is, first define the sizes of every member, as generically as possible, and then chain their offsets one after the other. To make sure this is always correct, add a CASSERT for the offset of every member. This makes it easy to modify the structure and fixes the build failures.
Change-Id: I61aeb55e9c494896663a3c719c10e3c072f56349 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 34a22a02 | 05-Aug-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(el3-runtime): move context security states to context.h
The three security states (S, NS, RL) are architecturally quite consistent - anything that uses them has the same numerical assignments (0, 1, 2) and they are quite convenient for indexing. However, we're not as consistent in tf-a and this is defined in a few places. Since cpu_data has a dependency on the context management library, use its security state convention in a few more places and take away this responsibility from cpu_data.
Change-Id: Iec73b2be2eef91975554767557de72424d0031f1 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| ccf67965 | 21-Aug-2025 |
Sumit Garg <sumit.garg@oss.qualcomm.com> |
fix(cm): deprecate use of NS_TIMER_SWITCH
On AArch64, secure world has its own EL3 physical timer registers accessible to secure EL1 in absence of S-EL2. With S-EL2 there is a virtualized view available for EL1 timer registers. So it is unreasonable for secure world to use non-secure EL1 physical timer registers. Moreover, the non-secure operating system (Linux in our case) relies heavily on these EL1 physical timer registers for scheduling decisions. If NS_TIMER_SWITCH is enabled, it simply breaks the preemption model of the non-secure world by disabling non-secure timer interrupts leading to RCU stalls being observed on long running secure world tasks.
The only arch timer register which will benefit from context management is cntkctl_el1: Counter-timer Kernel Control Register. This enables the secure and non-secure worlds to independently control accesses to EL0 for counter-timer registers. This is something that OP-TEE uses to enable ftrace feature for Trusted Applications and SPM_MM uses for EL0 access as well.
Let's enable context management of cntkctl_el1 by default and deprecate conditional context management of non-secure EL1 physical timer registers for whom there isn't any upstream user. With that deprecate this NS_TIMER_SWITCH build option which just adds confusion for the platform maintainers. It will be eventually dropped following deprecation policy of TF-A.
Reported-by: Stauffer Thomas MTANA <thomas.stauffer@mt.com> Reported-by: Andrew Davis <afd@ti.com> Change-Id: Ifb3a919dc0bf8c05c38895352de5fe94b4f4387e Signed-off-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
|
| 63900851 | 11-Sep-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(aarch64): move BL31 specific setup out of the PSCI entrypoint
We've charged the PSCI entrypoint with doing BL31 specific things like setting up the EL3 context and doing feature detection. Well, this is irrelevant for sp_min and not really appropriate for PSCI. So move it to the bl31_warmboot() function to reflect this correctly and bring the feature detection a bit earlier, hopefully spotting more errors.
This allows for a pair of minor cleanups - we can pass the core_pos to psci_warmboot_entrypoint() without having to refetch it, and we can put the pauth enablement in cm_manage_extensions_el3() along with all others. The call of that function is kept after the MMU is turned on so that we have nicer (coherent) access to cpu_data.
Change-Id: Id031cfa0e1d8fe98919a14f9db73eb5bc9e00f67 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 19e4312c | 02-Sep-2025 |
Govindraj Raja <govindraj.raja@arm.com> |
Merge "feat(cpufeat): enable FEAT_MPAM_PE_BW_CTRL support" into integration |
| aabab09e | 01-Sep-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge changes Id38d6f1b,I5fcfe8dd,I7f3b50e5 into integration
* changes:
  fix(cpus): inform the compiler that struct cpu_ops is aligned
  refactor(el3-runtime): move the initialisation of the cpu_ops_ptr to C
  fix(aarch32): make get_cpu_ops_ptr() PCS compliant
|
| 022fcb48 | 14-Aug-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(el3-runtime): move the initialisation of the cpu_ops_ptr to C
The difference between AArch32 and AArch64 is insignificant and the usage is identical. The only thing that required the use of assembly was that the get_cpu_ops_ptr() function was not PCS compliant and needed a wrapper to do that instead. That has now been fixed so move this to C so it's more readable and more optimise-able by the compiler.
Change-Id: I5fcfe8ddb122dd35d58adc6d44a7484c5c595815 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| c42aefd3 | 12-Aug-2025 |
Arvind Ram Prakash <arvind.ramprakash@arm.com> |
feat(cpufeat): enable FEAT_MPAM_PE_BW_CTRL support
Implement support for FEAT_MPAM_PE_BW_CTRL, allowing lower Exception Levels to access MPAM_PE_BW_CTRL control registers by disabling their traps to EL3.
When INIT_UNUSED_NS_EL2=1, configure MPAMBW2_EL2 in EL3 so that MPAM_PE_BW_CTRL accesses from EL0/EL1 do not trap to EL2.
At this stage, PE-side MPAM bandwidth controls remain disabled in EL3.
Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com> Change-Id: I8e359b0eb912cff3bdda109b21727a627cac3a7e
|
| ea5a4e98 | 11-Apr-2025 |
Saivardhan Thatikonda <saivardhan.thatikonda@amd.com> |
fix(cm): use safe casting in memcpy
This corrects the MISRA violation C2012-21.15: Both gp_regs and ep->args were cast to the correct pointer types to avoid incompatible argument types in memcpy(). This fix ensures type compatibility and adheres to MISRA 21.15, which disallows implicit casting between unrelated types.
Change-Id: Iad1d78574e423b46934a5978bdcbe2d5fb78e910 Signed-off-by: Saivardhan Thatikonda <saivardhan.thatikonda@amd.com>
|
| 985b6a6b | 17-Jul-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
fix(cm): disable SPE/TRBE correctly
SPE and TRBE are unusual features. They have multi-bit enables whose function is not immediately apparent and disabling them is not straightforward.
While attempting to figure this out, the disables were made a mess of. Patch fc7dca72b began changing the owning security state of SPE and TRBE. This was first used in patch 79c0c7fac0 with calls to spe_disable() and trbe_disable(). However, patch 13f4a2525 reverted the security state ownership, making the spe_disable() and trbe_disable() redundant and their comments incorrect - the DoS protection is achieved by the psb/tsb barriers on context switch, introduced separately in f80887337 and 73d98e375.
Those patches got the behaviour full circle to what it was in fc7dca72b so the disables can be fully removed for clarity.
However, the original method for disabling these features is not fully correct - letting the "disabled" state be all zeroes made the features seem enabled for secure world but they would trap. That is not a problem while secure world doesn't use them, but could lead to some confusing debugging in the future. NS and Realm worlds were not affected. This patch fully establishes the pattern for SPE and TRBE's enablement, documents it, and implements it such.
The description comments in the features boil down to 2 rules. There is a third rule possible:
3. To enable TRBE/SPE for world X with a dirty buffer:
   * world X owns the buffer
   * trapping enabled
This is not listed as it would not work correctly with SMCCC_ARCH_FEATURE_AVAILABILITY which relies on trapping to be disabled to report correctly. If that is ever implemented, the SMCCC implementation should be considered too.
Change-Id: I5588a3d5fc074c2445470954d8c3b172bec77d43 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 284c01c6 | 04-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(cm): unify RMM context
setup_realm_context() is the de facto place to put any code that relates to the RMM's context. It is frequently updated and contains the vast majority of code. manage_extensions_realm() on the other hand is out of date and obscure.
So absorb manage_extensions_realm() and rmm_el2_context_init() into setup_realm_context().
We can also combine the write to sctlr_el2 for all worlds as they should all observe the RES1 values.
Finally, the SPSR_EL2.PAN comment in the realm copy is updated.
Change-Id: I21dccad0c13301e3249db6f6e292beb5d853563e Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 4274b526 | 23-Jun-2025 |
Arvind Ram Prakash <arvind.ramprakash@arm.com> |
feat(cpufeat): add support for FEAT_FGWTE3
Enable write traps for key EL3 system registers as per FEAT_FGWTE3, ensuring their values remain unchanged after boot.
Excluded Registers:
MDCR_EL3 and MPAM3_EL3: Not trapped as they are part of the EL3 context.
SCTLR_EL3: Not trapped since it is overwritten during powerdown sequence (Included when HW_ASSISTED_COHERENCY=1)
TPIDR_EL3: Excluded due to its use in crash reporting (It is included when CRASH_REPORTING=0)
Reference: https://developer.arm.com/documentation/ddi0601/2025-06/AArch64-Registers/FGWTE3-EL3--Fine-Grained-Write-Traps-EL3
Change-Id: Idcb32aaac7d65a0b0e5c90571af00e01a4e9edb1 Signed-off-by: Arvind Ram Prakash <arvind.ramprakash@arm.com>
|
| f05b4894 | 24-Apr-2024 |
Maheedhar Bollapalli <maheedharsai.bollapalli@amd.com> |
fix(el3-runtime): typecast operands to match data type
This corrects the MISRA violation C2012-10.3: The value of an expression shall not be assigned to an object with a narrower essential type or of a different essential type category. Replaced usage of 'unsigned int' with 'size_t' to ensure type consistency and prevent assignment to a narrower or different essential type.
Change-Id: I79501e216a04753ebd005d64375357b9332440d9 Signed-off-by: Nithin G <nithing@amd.com> Signed-off-by: Maheedhar Bollapalli <maheedharsai.bollapalli@amd.com>
|
| 6eafc060 | 04-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(cm): gather per-world context management to the same place
The per-world calls are disparate - they get called in different places, are guarded in different ways, and the code is apart.
Since they just need to be called once at boot, add a function that we can call from BL31 and be done with it.
Change-Id: Id0ade302e35f2b00ca37c552a53038942ab7b58e Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| e493b522 | 19-Jun-2025 |
Manish Pandey <manish.pandey2@arm.com> |
Merge "perf(bl31): convert cpu_data fetching to C" into integration |
| d43b2ea6 | 18-Mar-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
perf(bl31): convert cpu_data fetching to C
The assembly routines are opaque to the compiler and it can't inline them. There is also no requirement for them to be called without a stack - each of their calls has a stack available. So convert them to C so that the compiler can do its inlining magic.
On AArch32 we need to be able to call _cpu_data from the entrypoint so it has to stay as a slight exception.
We can also straighten out the type of the cpu_ops_ptr member so we don't have to cast it everywhere.
Change-Id: I9c2939a955b396edf26b99ef36318eebeaab13e6 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| a3effe0a | 10-Jun-2025 |
Javier Almansa Sobrino <javier.almansasobrino@arm.com> |
fix(rme): enable support for FEAT_D128 on Realm world
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com> Change-Id: I9a4431038968a260e1a4998d8a4f84a07768db74 |
| 600717fe | 17-Apr-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
fix(cm): don't access a field that doesn't exist
We save memory in the context struct by not defining certain fields. But the feat_state accessors do not compile the code out, merely optimise it away later. Without an explicit #if compilation fails. Add it back.
Change-Id: I98a11abe357d2be4f5628495731c3aec45b1148c Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| ee656609 | 16-Apr-2025 |
André Przywara <andre.przywara@arm.com> |
Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration
* changes:
  feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
  perf(cpufeat): centralise PAuth key saving
  refactor(cpufeat): convert FEAT_PAuth setup to C
  refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
  chore(cpufeat): remove PAuth presence checks
  feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED
|
| 8d9f5f25 | 02-Apr-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
FEAT_PAuth is the second to last feature to be a boolean choice - it's either unconditionally compiled in and must be present in hardware or it's not compiled in. FEAT_PAuth is architected to be backwards compatible - a subset of the branch guarding instructions (pacia/autia) execute as NOPs when PAuth is not present. That subset is used with `-mbranch-protection=standard` and -march pre-8.3. This patch adds the necessary logic to also check accesses of the non-backward compatible registers and allow a fully checked implementation.
Note that a checked support requires -march to be pre 8.3, as otherwise the compiler will include branch protection instructions that are not NOPs without PAuth (eg retaa) which cannot be checked.
Change-Id: Id942c20cae9d15d25b3d72b8161333642574ddaa Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| 51997e3d | 02-Apr-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
perf(cpufeat): centralise PAuth key saving
prepare_el3_entry() is meant to be the one-stop shop for all the context we must fiddle with to enter EL3 proper. However, PAuth is the one exception, happening right after. Absorb it into prepare_el3_entry(), handling the BL1/BL31 difference.
This is a good time to also move the key saving into the enable function, also to centralise. With this it becomes apparent that saving keys just before CPU_SUSPEND is redundant as they will be reinitialised when the core wakes up.
Note that the key loading, now in save_gp_pmcr_pauth_regs, does not end in an isb. The effects of the key change are not needed until the isb in the caller, so this isb is not needed.
Change-Id: Idd286bea91140c106ab4c933c5c44b0bc2050ca2 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| f8138056 | 02-Apr-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(cpufeat): convert FEAT_PAuth setup to C
An oversimplified view of FEAT_PAuth is that it's a symmetric encryption of the LR. PAC instructions execute as NOPs until explicitly turned on. So in a function that turns PAuth on, the signing would have executed as a NOP and the authentication will encrypt the address, leading to a failure. That's why enablement is in assembly - we have full control of when pointer authentications happen.
However, assembly is hard to read, is opaque to the compiler for optimisations, and we need to call into C anyway for the platform hook to get the key. So convert it to C. We can instruct the compiler to not generate branch protection for the enable function only and as long as the caller doesn't do branch protection (and all callers are entrypoints written in assembly) everything will work.
Change-Id: I8917a26e1293033c910e3058664e3ca9207359b7 Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|
| b0b7609e | 01-Apr-2025 |
Boyan Karatotev <boyan.karatotev@arm.com> |
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
Convert the old style is_armv8_3_pauth_present() to the new style is_feat_pauth_{present, supported}() helpers and hook FEATURE_DETECTION into it. This is in preparation for converting FEAT_PAuth to FEAT_STATE.
Change-Id: Iec8c3477fafb2cdae67d39ae4da2cca76a67511a Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
|