Merge "fix(spmd): revert workaround hafnium as hypervisor" into integration

fix(spmd): revert workaround hafnium as hypervisor

This change essentially reverts [1] by removing the BL31 workaround
forcing the dtb address when Hafnium is loaded as an Hypervisor.

[1] https://r

fix(spmd): revert workaround hafnium as hypervisor

This change essentially reverts [1] by removing the BL31 workaround
forcing the dtb address when Hafnium is loaded as an Hypervisor.

[1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9569

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I302161d027261448113c66b7fafa9c11620b54ef

show more ...

Merge changes from topic "za/feat_rme" into integration

* changes:
refactor(gpt): productize and refactor GPT library
feat(rme): disable Watchdog for Arm platforms if FEAT_RME enabled
docs(rme

Merge changes from topic "za/feat_rme" into integration

* changes:
refactor(gpt): productize and refactor GPT library
feat(rme): disable Watchdog for Arm platforms if FEAT_RME enabled
docs(rme): add build and run instructions for FEAT_RME
fix(plat/fvp): bump BL2 stack size
fix(plat/fvp): allow changing the kernel DTB load address
refactor(plat/arm): rename ARM_DTB_DRAM_NS region macros
refactor(plat/fvp): update FVP platform DTS for FEAT_RME
feat(plat/arm): add GPT initialization code for Arm platforms
feat(plat/fvp): add memory map for FVP platform for FEAT_RME
refactor(plat/arm): modify memory region attributes to account for FEAT_RME
feat(plat/fvp): add RMM image support for FVP platform
feat(rme): add GPT Library
feat(rme): add ENABLE_RME build option and support for RMM image
refactor(makefile): remove BL prefixes in build macros
feat(rme): add context management changes for FEAT_RME
feat(rme): add Test Realm Payload (TRP)
feat(rme): add RMM dispatcher (RMMD)
feat(rme): run BL2 in root world when FEAT_RME is enabled
feat(rme): add xlat table library changes for FEAT_RME
feat(rme): add Realm security state definition
feat(rme): add register definitions and helper functions for FEAT_RME

show more ...

refactor(gpt): productize and refactor GPT library

This patch updates and refactors the GPT library and fixes bugs.

- Support all combinations of PGS, PPS, and L0GPTSZ parameters.
- PPS and PGS are

refactor(gpt): productize and refactor GPT library

This patch updates and refactors the GPT library and fixes bugs.

- Support all combinations of PGS, PPS, and L0GPTSZ parameters.
- PPS and PGS are set at runtime, L0GPTSZ is read from GPCCR_EL3.
- Use compiler definitions to simplify code.
- Renaming functions to better suit intended uses.
- MMU enabled before GPT APIs called.
- Add comments to make function usage more clear in GPT library.
- Added _rme suffix to file names to differentiate better from the
GPT file system code.
- Renamed gpt_defs.h to gpt_rme_private.h to better separate private
and public code.
- Renamed gpt_core.c to gpt_rme.c to better conform to TF-A precedent.

Signed-off-by: John Powell <john.powell@arm.com>
Change-Id: I4cbb23b0f81e697baa9fb23ba458aa3f7d1ed919

show more ...

fix(plat/fvp): allow changing the kernel DTB load address

We currently use ARM_PRELOADED_DTB_BASE build
variable to pass the kernel DTB base address to
the kernel when using the ARM_LINUX_KERNEL_AS_

fix(plat/fvp): allow changing the kernel DTB load address

We currently use ARM_PRELOADED_DTB_BASE build
variable to pass the kernel DTB base address to
the kernel when using the ARM_LINUX_KERNEL_AS_BL33
option. However this variable doesn't actually
change the DTB load address.

The DTB load address is actually specified in the
FW_CONFIG DTS (fvp_fw_config.dts) as 'hw_config'.
This patch passes the hw_config value instead of
ARM_PRELOADED_DTB_BASE allowing us to change
the kernel DTB load address through
fvp_fw_config.dts.

With this change we don't need the ARM_PRELOADED_DTB_BASE
build variable if RESET_TO_BL31 is not set.
Note that the hw_config value needs to be within the
ARM_DTB_DRAM_NS region specified by FVP_DTB_DRAM_MAP_START
and FVP_DTB_DRAM_MAP_SIZE.

This patch also expands the ARM_DTB_DRAM_NS region to 32MB.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Idd74cdf5d2c649bb320644392ba5d69e175a53a9

show more ...

feat(plat/arm): add GPT initialization code for Arm platforms

When RME is enabled, during configuration of the TrustZone controller,
Root regions are initially configured as Secure regions, and Real

feat(plat/arm): add GPT initialization code for Arm platforms

When RME is enabled, during configuration of the TrustZone controller,
Root regions are initially configured as Secure regions, and Realm
regions as Non-secure regions. Then later these regions are configured
as Root and Realm regions respectively in the GPT. According to the RME
architecture reference manual, Root firmware must ensure that Granule
Protection Check is enabled before enabling any stage of translation.
Therefore initializations are done as follows when RME is enabled :

Initialize/enable the TrustZone controller (plat_arm_security_setup) -->
Initialize/enable GPC (arm_bl2_plat_gpt_setup) -->
enable MMU (enable_mmu_el3)

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I91094e8259079437bee02de1f65edb9ad51e43cf

show more ...

feat(plat/fvp): add memory map for FVP platform for FEAT_RME

When FEAT_RME is enabled, memory is divided into four Physical
Address Spaces (PAS): Root, Realm, Secure and Non-secure.
This patch intro

feat(plat/fvp): add memory map for FVP platform for FEAT_RME

When FEAT_RME is enabled, memory is divided into four Physical
Address Spaces (PAS): Root, Realm, Secure and Non-secure.
This patch introduces new carveouts for the Trusted SRAM and DRAM
for the FVP platform accordingly.

The following new regions are introduced with this change:

ARM_MAP_L0_GPT_REGION: Trusted SRAM region used to store Level 0
Granule Protection Table (GPT). This region resides in the Root PAS.

ARM_MAP_GPT_L1_DRAM: DRAM region used to store Level 1 GPT. It
resides in the Root PAS.

ARM_MAP_RMM_DRAM: DRAM region used to store RMM image. It
resides in the Realm PAS.

The L0 GPT is stored on Trusted SRAM next to firmware configuration
memory. The DRAM carveout when RME is enable is modified as follow:

--------------------
| |
| AP TZC (~28MB) |
--------------------
| |
| REALM (32MB) |
--------------------
| |
| EL3 TZC (3MB) |
--------------------
| L1 GPT + SCP TZC |
| (~1MB) |
0xFFFF_FFFF --------------------

During initialization of the TrustZone controller, Root regions
are configured as Secure regions. Then they are later reconfigured
to Root upon GPT initialization.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: If2e257141d51f51f715b70d4a06f18af53607254

show more ...

refactor(plat/arm): modify memory region attributes to account for FEAT_RME

If FEAT_RME is enabled, EL3 runs in the Root world as opposed to
Secure world. This patch changes EL3 memory region attrib

refactor(plat/arm): modify memory region attributes to account for FEAT_RME

If FEAT_RME is enabled, EL3 runs in the Root world as opposed to
Secure world. This patch changes EL3 memory region attributes for
Arm platforms accordingly.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: Ie176f8b440ff34330e4e44bd3bf8d9703b3892ff

show more ...

feat(plat/fvp): add RMM image support for FVP platform

This patch adds the necessary changes needed to build
and load RMM image for the FVP platform. RMM image is
loaded by BL2 after BL32 (if BL32 e

feat(plat/fvp): add RMM image support for FVP platform

This patch adds the necessary changes needed to build
and load RMM image for the FVP platform. RMM image is
loaded by BL2 after BL32 (if BL32 exists) and before BL33.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I1ac9eade84c2e35c7479a322ca1d090b4e626819

show more ...

Merge "plat/arm: don't provide NT_FW_CONFIG when booting hafnium" into integration

plat/arm: don't provide NT_FW_CONFIG when booting hafnium

NT_FW_CONFIG file is meant to be passed from BL31 to be consumed by
BL33, fvp platforms use this to pass measured boot configuration and
the

plat/arm: don't provide NT_FW_CONFIG when booting hafnium

NT_FW_CONFIG file is meant to be passed from BL31 to be consumed by
BL33, fvp platforms use this to pass measured boot configuration and
the x0 register is used to pass the base address of it.

In case of hafnium used as hypervisor in normal world, hypervisor
manifest is expected to be passed from BL31 and its base address is
passed in x0 register.

As only one of NT_FW_CONFIG or hypervisor manifest base address can be
passed in x0 register and also measured boot is not required for SPM so
disable passing NT_FW_CONFIG.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ifad9d3658f55ba7d70f468a88997d5272339e53e

show more ...

Merge changes from topic "linux_as_bl33" into integration

* changes:
plat/arm: Remove ARM_LINUX_KERNEL_AS_BL33 relying on RESET_TO_BL31
plat/arm: Always allow ARM_LINUX_KERNEL_AS_BL33

plat/arm: Always allow ARM_LINUX_KERNEL_AS_BL33

At the moment we have the somewhat artifical limitation of
ARM_LINUX_KERNEL_AS_BL33 only being used together with RESET_TO_BL31.

However there does n

plat/arm: Always allow ARM_LINUX_KERNEL_AS_BL33

At the moment we have the somewhat artifical limitation of
ARM_LINUX_KERNEL_AS_BL33 only being used together with RESET_TO_BL31.

However there does not seem to be a good technical reason for that,
it was probably just to differentate between two different boot flows.

Move the initial register setup for ARM_LINUX_KERNEL_AS_BL33 out of the
RESET_TO_BL31 #ifdef, so that we initialise the registers in any case.

This allows to use a preloaded kernel image when using BL1 and FIP.

Change-Id: I832df272d3829f077661f4ee6d3dd9a276a0118f
Signed-off-by: Andre Przywara <andre.przywara@arm.com>

show more ...

Merge "Use constant stack size with RECLAIM_INIT_CODE" into integration

Use constant stack size with RECLAIM_INIT_CODE

Currently, when RECLAIM_INIT_CODE is set, the
stacks are scaled to ensure that the entirety
of the init section can be reclaimed as stack.

This causes

Use constant stack size with RECLAIM_INIT_CODE

Currently, when RECLAIM_INIT_CODE is set, the
stacks are scaled to ensure that the entirety
of the init section can be reclaimed as stack.

This causes an issue in lib/psci/aarch64/psci_helpers.S,
where the stack size is used for cache operations in
psci_do_pwrdown_cache_maintenance(). If the stacks
are scaled, then the PSCI code may fail to invalidate
some of the stack memory before power down.

Resizing stacks is also not good for stability in general,
since code that works with a small number of cores may
overflow the stack when the number of cores is increased.

Change to make every stack be PLATFORM_STACK_SIZE big,
and allow the total stack to be smaller than the
init section.

Any pages of the init section not reclaimed as
stack will be set to read-only and execute-never,
for security.

Change-Id: I10b3884981006431f2fcbec3864c81d4a8c246e8
Signed-off-by: David Horstmann <david.horstmann@arm.com>

show more ...

Merge "plat/arm: Reduce size of BL31 binary" into integration

plat/arm: Reduce size of BL31 binary

BL31 binary size is aligned to 4KB because of the
code in include\plat\arm\common\arm_reclaim_init.ld.S:
__INIT_CODE_UNALIGNED__ = .;
. = ALIGN(PAGE_SIZE

plat/arm: Reduce size of BL31 binary

BL31 binary size is aligned to 4KB because of the
code in include\plat\arm\common\arm_reclaim_init.ld.S:
__INIT_CODE_UNALIGNED__ = .;
. = ALIGN(PAGE_SIZE);
__INIT_CODE_END__ = .;
with all the zero data after the last instruction of
BL31 code to the end of the page.
This causes increase in size of BL31 binary stored in FIP
and its loading time by BL2.
This patch reduces the size of BL31 image by moving
page alignment from __INIT_CODE_END__ to __STACKS_END__
which also increases the stack size for secondary CPUs.

Change-Id: Ie2ec503fc774c22c12ec506d74fd3ef2b0b183a9
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>

show more ...

Merge "plat/arm: spm: add support for RESET_TO_BL31" into integration

plat/arm: spm: add support for RESET_TO_BL31

SPM(BL32) and hafnium(BL33) expect their manifest base address in x0
register, which is updated during BL2 stage by parsing fw_config.
In case of RESET_T

plat/arm: spm: add support for RESET_TO_BL31

SPM(BL32) and hafnium(BL33) expect their manifest base address in x0
register, which is updated during BL2 stage by parsing fw_config.
In case of RESET_TO_BL31 it has to be updated while populating
entry point information.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: I6f4a97f3405029bd6ba25f0935e2d1f74bb95517

show more ...

Merge changes from topic "fw_config_handoff" into integration

* changes:
doc: Update memory layout for firmware configuration area
plat/arm: Increase size of firmware configuration area
plat/a

Merge changes from topic "fw_config_handoff" into integration

* changes:
doc: Update memory layout for firmware configuration area
plat/arm: Increase size of firmware configuration area
plat/arm: Load and populate fw_config and tb_fw_config
fconf: Handle error from fconf_load_config
plat/arm: Update the fw_config load call and populate it's information
fconf: Allow fconf to load additional firmware configuration
fconf: Clean confused naming between TB_FW and FW_CONFIG
tbbr/dualroot: Add fw_config image in chain of trust
cert_tool: Update cert_tool for fw_config image support
fiptool: Add fw_config in FIP
plat/arm: Rentroduce tb_fw_config device tree

show more ...

fconf: Clean confused naming between TB_FW and FW_CONFIG

Cleaned up confused naming between TB_FW and FW_CONFIG.

Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V B

fconf: Clean confused naming between TB_FW and FW_CONFIG

Cleaned up confused naming between TB_FW and FW_CONFIG.

Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I9e9f6e6ca076d38fee0388f97d370431ae067f08

show more ...

Merge "Read-only xlat tables for BL31 memory" into integration

Read-only xlat tables for BL31 memory

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who h

Read-only xlat tables for BL31 memory

This patch introduces a build flag which allows the xlat tables
to be mapped in a read-only region within BL31 memory. It makes it
much harder for someone who has acquired the ability to write to
arbitrary secure memory addresses to gain control of the
translation tables.

The memory attributes of the descriptors describing the tables
themselves are changed to read-only secure data. This change
happens at the end of BL31 runtime setup. Until this point, the
tables have read-write permissions. This gives a window of
opportunity for changes to be made to the tables with the MMU on
(e.g. reclaiming init code). No changes can be made to the tables
with the MMU turned on from this point onwards. This change is also
enabled for sp_min and tspd.

To make all this possible, the base table was moved to .rodata. The
penalty we pay is that now .rodata must be aligned to the size of
the base table (512B alignment). Still, this is better than putting
the base table with the higher level tables in the xlat_table
section, as that would cost us a full 4KB page.

Changing the tables from read-write to read-only cannot be done with
the MMU on, as the break-before-make sequence would invalidate the
descriptor which resolves the level 3 page table where that very
descriptor is located. This would make the translation required for
writing the changes impossible, generating an MMU fault.

The caches are also flushed.

Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466

show more ...

Merge "Coverity: remove unnecessary header file includes" into integration

Merge changes from topic "mp/separate_nobits" into integration

* changes:
plat/arm: Add support for SEPARATE_NOBITS_REGION
Changes necessary to support SEPARATE_NOBITS_REGION feature