Merge "fix(cm): don't access a field that doesn't exist" into integration

Merge changes I86959e67,I0b0d1d36,I5b5267f4,I056c8710,I3474aa97 into integration

* changes:
chore: fix preprocessor checks
refactor: convert arm platforms to use the generic GIC driver
refacto

Merge changes I86959e67,I0b0d1d36,I5b5267f4,I056c8710,I3474aa97 into integration

* changes:
chore: fix preprocessor checks
refactor: convert arm platforms to use the generic GIC driver
refactor(gic): promote most of the GIC driver to common code
refactor: make arm_gicv2.c and arm_gicv3.c common
refactor(fvp): use more arm generic code for gicv3

show more ...

fix(libc): typecast expressions to match data type

This corrects the MISRA violation C2012-10.4:
Both operands of an operator in which the usual arithmetic conversions
are performed shall have the s

fix(libc): typecast expressions to match data type

This corrects the MISRA violation C2012-10.4:
Both operands of an operator in which the usual arithmetic conversions
are performed shall have the same essential type category.
The condition is explicitly checked against 0U, appending 'U' and
typecasting for unsigned comparison.

In spite of generic guidance for 3rd party libraries
(https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html#misra-compliance)
libc contains some MISRA-C fixes done by commit d5ccb754af86
("libc: Fix some MISRA defects") in 2021.
Also from history it is not clear where libc is
coming from that's why there is no way to fix
violation in base library.

Change-Id: I44ff44bc636a2544eb92f48f2caed9b7ac9e0935
Signed-off-by: Nithin G <nithing@amd.com>
Signed-off-by: Maheedhar Bollapalli <maheedharsai.bollapalli@amd.com>

show more ...

fix(cm): don't access a field that doesn't exist

We save memory in the context struct by not defining certain fields. But
the feat_state accessors do not compile the code out, merely optimise it
awa

fix(cm): don't access a field that doesn't exist

We save memory in the context struct by not defining certain fields. But
the feat_state accessors do not compile the code out, merely optimise it
away later. Without an explicit #if compilation fails. Add it back.

Change-Id: I98a11abe357d2be4f5628495731c3aec45b1148c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(libc): explicitly check operators precedence" into integration

Merge "fix(libc): typecast operands to match data type" into integration

refactor(gic): promote most of the GIC driver to common code

More often than not, Arm based systems include some revision of a GIC.
There are two ways of adding support for them in platform code - c

refactor(gic): promote most of the GIC driver to common code

More often than not, Arm based systems include some revision of a GIC.
There are two ways of adding support for them in platform code - calling
the top-level helpers from plat/arm/common/arm_gicvX.c or by using the
driver directly. Both of these methods allow for a high degree of
customisation - most functions are defined to be weak and there are no
calls to any of them in generic code.

As it turns out, requirements around those GICs are largely the same.
Platforms that use arm_gicvX.c use the helpers identically among each
other. Platforms that use the driver directly tend to end up with calls
that look a lot like the arm_gicvX.c helpers and the weakness of the
functions are never exercised.

All of this results in a lot of code duplication to do what is
essentially the same thing. Even though it's not a lot of code, when
multiplied among many platforms it becomes significant and makes
refactoring it quite difficult. It's also bug prone since the steps are
a little convoluted and things are likely to work even with subtle
errors (see 50009f61177421118f42d6a000611ba0e613d54b).

So promote as much of the GIC to be called from common code. Do the
setup in bl31_main() and have every PSCI method do the state management
directly instead of delegating it to the platform hooks. We can base
this implementation on arm_gicvX.c since they already offer logical
names and have worked quite well so far with minimal changes.

The main benefit of doing this is reduced code duplication. If we assume
that, outside of some platform setup, GIC management is identical, then
a platform can add support by telling the build system, regardless of
GIC revision. The other benefit is performance - BL31 and PSCI already
know the core_pos and they can pass it as an argument instead of having
to call plat_my_core_pos(). Now, the only platform specific GIC actions
necessary are the saving and restoring of context on entering and
exiting a power domain. The PSCI library does not keep track of this so
it is unable perform it itself. The routines themselves are also
provided.

For compatibility all of this is hidden behind a build flag. Platforms
are encouraged to adopt this driver, but it would not be practical to
convert and validate every GIC based platform.

This patch renames the functions in question to follow the
gic_<function>() convention. This allows the names to be version
agnostic.

Finally, drop the weak definitions - they are unused, likely to remain
so, and can be added back if the need arises.

Change-Id: I5b5267f4b72f633fb1096400ec8e4b208694135f
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(cpus): add missing add_erratum_entry

Errata 1286807 and 1165522 are missing an add_erratum_entry, which is required by the Errata ABI to report whether the errata are implemented or not.

Change

fix(cpus): add missing add_erratum_entry

Errata 1286807 and 1165522 are missing an add_erratum_entry, which is required by the Errata ABI to report whether the errata are implemented or not.

Change-Id: I19a484c73ac31a90b3ff1b219f647c88a1c81c6e
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

chore(cpus): remove in-order checks

Remove runtime in-order checks for Erratum and CVE's.
Fix out-of-order issues in CPU files found with CPU Erratum and CVE
static checker script run on entire fold

chore(cpus): remove in-order checks

Remove runtime in-order checks for Erratum and CVE's.
Fix out-of-order issues in CPU files found with CPU Erratum and CVE
static checker script run on entire folder `lib/cpus/aarch64/`.

Change-Id: Iee5a8cb49834e9f35c6c2f2a84065430ca1ec8a6
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>

show more ...

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving

Merge changes Id942c20c,Idd286bea,I8917a26e,Iec8c3477,If3c25dcd, ... into integration

* changes:
feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED
perf(cpufeat): centralise PAuth key saving
refactor(cpufeat): convert FEAT_PAuth setup to C
refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION
chore(cpufeat): remove PAuth presence checks
feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

show more ...

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it

feat(cpufeat): enable FEAT_PAuth to FEAT_STATE_CHECKED

FEAT_PAuth is the second to last feature to be a boolean choice - it's
either unconditionally compiled in and must be present in hardware or
it's not compiled in. FEAT_PAuth is architected to be backwards
compatible - a subset of the branch guarding instructions (pacia/autia)
execute as NOPs when PAuth is not present. That subset is used with
`-mbranch-protection=standard` and -march pre-8.3. This patch adds the
necessary logic to also check accesses of the non-backward compatible
registers and allow a fully checked implementation.

Note that a checked support requires -march to be pre 8.3, as otherwise
the compiler will include branch protection instructions that are not
NOPs without PAuth (eg retaa) which cannot be checked.

Change-Id: Id942c20cae9d15d25b3d72b8161333642574ddaa
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happ

perf(cpufeat): centralise PAuth key saving

prepare_el3_entry() is meant to be the one-stop shop for all the context
we must fiddle with to enter EL3 proper. However, PAuth is the one
exception, happening right after. Absorb it into prepare_el3_entry(),
handling the BL1/BL31 difference.

This is a good time to also move the key saving into the enable
function, also to centralise. With this it becomes apparent that saving
keys just before CPU_SUSPEND is redundant as they will be reinitialised
when the core wakes up.

Note that the key loading, now in save_gp_pmcr_pauth_regs, does not end
in an isb. The effects of the key change are not needed until the isb
in the caller, so this isb is not needed.

Change-Id: Idd286bea91140c106ab4c933c5c44b0bc2050ca2
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

refactor(cpufeat): convert FEAT_PAuth setup to C

An oversimplified view of FEAT_PAuth is that it's a symmetric encryption
of the LR. PAC instructions execute as NOPs until explicitly turned on.
So i

refactor(cpufeat): convert FEAT_PAuth setup to C

An oversimplified view of FEAT_PAuth is that it's a symmetric encryption
of the LR. PAC instructions execute as NOPs until explicitly turned on.
So in a function that turns PAuth on, the signing would have executed as
a NOP and the authentication will encrypt the address, leading to a
failure. That's why enablement is in assembly - we have full control of
when pointer authentications happen.

However, assembly is hard to read, is opaque to the compiler for
optimisations, and we need to call into C anyway for the platform hook
to get the key. So convert it to C. We can instruct the compiler to not
generate branch protection for the enable function only and as long as
the caller doesn't do branch protection (and all callers are entrypoints
written in assembly) everything will work.

Change-Id: I8917a26e1293033c910e3058664e3ca9207359b7
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION

Convert the old style is_armv8_3_pauth_present() to the new style
is_feat_pauth_{present, supported}() helpers and hook FEATURE_DETECTION

refactor(cpufeat): prepare FEAT_PAuth for FEATURE_DETECTION

Convert the old style is_armv8_3_pauth_present() to the new style
is_feat_pauth_{present, supported}() helpers and hook FEATURE_DETECTION
into it. This is in preparation for converting FEAT_PAuth to FEAT_STATE.

Change-Id: Iec8c3477fafb2cdae67d39ae4da2cca76a67511a
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "feat(psci): remove cpu context init by index" into integration

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT o

feat(cpufeat): enable FEAT_BTI to FEAT_STATE_CHECKED

Introduce the is_feat_bti_{supported, present}() helpers and replace
checks for ENABLE_BTI with it. Also factor out the setting of
SCTLR_EL3.BT out of the PAuth enablement and place it in the respective
entrypoints where we initialise SCTLR_EL3. This makes PAuth
self-contained and SCTLR_EL3 initialisation centralised.

Change-Id: I0c0657ff1e78a9652cd2cf1603478283dc01f17b
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "perf(libc): use builtin implementations where possible" into integration

feat(psci): remove cpu context init by index

Currently, the calling core (meaning the core which received the call to
CPU_ON or the powerdown path of CPU_SUSPEND on the same core) is in
charge of in

feat(psci): remove cpu context init by index

Currently, the calling core (meaning the core which received the call to
CPU_ON or the powerdown path of CPU_SUSPEND on the same core) is in
charge of initialising the context for the waking core (the warmboot
entrypoint for both). This is convenient because the calling core can
write the context while in coherency and the waking core will only need
the context after its entered coherency. This avoids any cache
maintenance and makes communication simple.

However, this has 3 main problems:
a) asymmetric feature support is problematic - the calling core has no
way of knowing the feature set of the waking core. If the two
diverge, the architectural feature discovery via ID registers breaks
down. We've thus far "fixed" this on a case by case basis which
doesn't scale and introduces redundancy.

b) powerdown abandon (pabandon) introduces a contradiction - the calling
core has to initialise the context for when the core wakes up, but
should the core not powerdown it needs its old context intact. The only
way to work around this is by keeping two copies of context which
incurs a runtime and memory overhead.

c) cm_prepare_el3_exit[_ns]() doesn't have access to the entrypoint but needs
it to make initialisation decisions. We can infer some of this from
registers that have already been written but this is awkwardly
limiting for what we can do. This also necessitates the split from
the context initialisation.

We can solve all three by a making a core be in full ownership of its
own context. The calling core then only writes entrypoint information
and nothing else. The waking core then initialises its own context as it
sees fit with full knowledge of the whole picture.

The only tricky bit is cache coherency - the waking core has to be able
to coherently observe its new entrypoint. Calling cores will write to
the shared region with coherent caches on. If we make sure to read the
context only after the waking core has entered coherency, then we can
avoid cache operations and let hardware handle everything.

We can skip the spsr check for FEAT_TCR2 as it doesn't make a
difference. We can also skip enabling it twice from generic code.

Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I86e7fe8b698191fc3b469e5ced1fd010f8754b0e

show more ...

fix(psci): initialise variables

When building with LTO, GCC is uncomfortable that these variables are
uninitialised and complains that they may be used before they are
initialised. Set them to 0 as

fix(psci): initialise variables

When building with LTO, GCC is uncomfortable that these variables are
uninitialised and complains that they may be used before they are
initialised. Set them to 0 as there are plenty of asserts to make sure
these branches cannot be taken.

Change-Id: Ic1f05e77252e93bdafab033dcb24ad42856ebf9a
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(xlat): remove xlat_mpu

The only platform to use this is fvp_r. As this platform is now gone, so
is the need for this library. Support for it never went out of
"experimental" so it does not appea

fix(xlat): remove xlat_mpu

The only platform to use this is fvp_r. As this platform is now gone, so
is the need for this library. Support for it never went out of
"experimental" so it does not appear to be finished.

Change-Id: I76499b92ca4368651330f17dc80803991158cc36
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(cpufeat): add support for PMUv3p9

Armv8.9 introduced the FEAT_PMUV3P9 extension, which allows finer
grained control over EL0 usage of PMU registers. This is controlled by
the new PMUACR_EL1 sys

feat(cpufeat): add support for PMUv3p9

Armv8.9 introduced the FEAT_PMUV3P9 extension, which allows finer
grained control over EL0 usage of PMU registers. This is controlled by
the new PMUACR_EL1 system register, access to which is guarded by the
MDCR_EL3.EnPM2 bit. We should set this bit to avoid a trap into EL3 when
lower ELs access this register.

Add the required bits and pieces to make this feature usable:
- Add the CPUID and MDCR_EL3 bit definitions associated with
FEAT_PMUV3P9.
- Extend the existing PMU feature check to allow v9 now as well. This
is fine since we don't context switch PMU registers at all, so we
don't need to do much except to flip the MDCR bit:
- Set the EnPM2 bit in pmuv3_enable, so the feature is usuable in
non-secure world (and there only).
- Handle the MDCR bit for the ARCH_FEATURE_AVAILABILITY feature.

Please note that MDCR_EL3.EnPM2 guards other system registers as well,
for other PMU related new architecture features.

Change-Id: I288ca15f5c9efd336c64477d1c6fe9543613e238
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

fix(plat): remove fvp_r

The platform has not been maintained for some years and is generally
broken. Remove it to avoid confusion.

Change-Id: I93d832d51e114689ec79969af5d96071a03f4a88
Signed-off-by

fix(plat): remove fvp_r

The platform has not been maintained for some years and is generally
broken. Remove it to avoid confusion.

Change-Id: I93d832d51e114689ec79969af5d96071a03f4a88
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

perf(libc): use builtin implementations where possible

When conditions are right, eg a small memcpy of a known size and
alignment, the compiler may know of a sequence that is optimal for the
given c

perf(libc): use builtin implementations where possible

When conditions are right, eg a small memcpy of a known size and
alignment, the compiler may know of a sequence that is optimal for the
given constraints and inline it. If the compiler doesn't find one, it
will emit a call to the generic function (in the libc) which will
implement this in the most generic and unconstrained manner. That
generic function is rarely the most optimal when constraints are known.

So give the compiler a chance to do this. Replace calls to libc
functions that have builtins to the builtin and keep the generic
implementation if it decides to emit a call anyway.

And example of this in action is usage of FEAT_MOPS. When the compiler
is aware of the feature (-march=armv8.8-a) then it will emit the 3 MOPS
instructions instead of calls to our memcpy() and memset()
implementations.

Change-Id: I9860cfada1d941b613ebd4da068e9992c387952e
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge changes from topic "xlnx_fix_gen_uniq_var" into integration

* changes:
fix(psci): avoid altering function parameters
fix(services): avoid altering function parameters
fix(common): ignore

Merge changes from topic "xlnx_fix_gen_uniq_var" into integration

* changes:
fix(psci): avoid altering function parameters
fix(services): avoid altering function parameters
fix(common): ignore the unused function return value
fix(psci): modify variable conflicting with external function
fix(delay-timer): create unique variable name

show more ...

fix(libc): typecast operands to match data type

This corrects the MISRA violation C2012-10.3:
The value of an expression shall not be assigned to an object with a
narrower essential type or of a diff

fix(libc): typecast operands to match data type

This corrects the MISRA violation C2012-10.3:
The value of an expression shall not be assigned to an object with a
narrower essential type or of a different essential type category.
The condition is explicitly checked against 0U, appending 'U' and
typecasting for unsigned comparison.

In spite of generic guidance for 3rd party libraries
(https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-style.html#misra-compliance)
libc contains some MISRA-C fixes done by commit d5ccb754af86
("libc: Fix some MISRA defects") in 2021.
Also from history it is not clear where libc is
coming from that's why there is no way to fix
violation in base library.

Change-Id: Ibad03a758001b3a7779b488ee5e19c9ceee51134
Signed-off-by: Nithin G <nithing@amd.com>
Signed-off-by: Maheedhar Bollapalli <maheedharsai.bollapalli@amd.com>

show more ...