| fabd0a86 | 26-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #669 from sandrine-bailleux-arm/sb/tf-hardening
Minor improvements to harden TF code |
| 61eae524 | 28-Jun-2016 |
Achin Gupta <achin.gupta@arm.com> |
Fix use of stale power states in PSCI standby finisher
A PSCI CPU_SUSPEND request to place a CPU in retention states at power levels higher than the CPU power level is subject to the same state coordination as a power down state. A CPU could implement multiple retention states at a particular power level. When exiting WFI, the non-CPU power levels may be in a different retention state to what was initially requested, therefore each CPU should refresh its view of the states of all power levels.
Previously, a CPU re-used the state of the power levels when it entered the retention state. This patch fixes this issue by ensuring that a CPU upon exit from retention reads the state of each power level afresh.
Change-Id: I93b5f5065c63400c6fd2598dbaafac385748f989
|
| 7b6d330c | 12-Jul-2016 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Ensure addresses in is_mem_free() don't overflow
This patch adds some runtime checks to prevent some potential pointer overflow issues in the is_mem_free() function. The overflow could happen in the case where the end addresses, computed as the sum of a base address and a size, results in a value large enough to wrap around. This, in turn, could lead to unpredictable behaviour.
If such an overflow is detected, the is_mem_free() function will now declare the memory region as not free. The overflow is detected using a new macro, called check_uptr_overflow().
This patch also modifies all other places in the 'bl_common.c' file where an end address was computed as the sum of a base address and a size and instead keeps the two values separate. This avoids the need to handle pointer overflows everywhere. The code doesn't actually need to compute any end address before the is_mem_free() function is called other than to print information message to the serial output.
This patch also introduces 2 slight changes to the reserve_mem() function:
- It fixes the end addresses passed to choose_mem_pos(). It was incorrectly passing (base + size) instead of (base + size - 1).
- When the requested allocation size is 0, the function now exits straight away and says so using a warning message. Previously, it used to actually reserve some memory. A zero-byte allocation was not considered as a special case so the function was using the same top/bottom allocation mechanism as for any other allocation. As a result, the smallest area of memory starting from the requested base address within the free region was reserved.
Change-Id: I0e695f961e24e56ffe000718014e0496dc6e1ec6
|
| 3a26a28c | 28-Jun-2016 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Make runtime_svc_init() function more robust
- Added some debug assertions checking that the runtime services indexes computed by get_unique_oen() are sane.
- Do not print the name of the service when its descriptor is invalid. If the descriptor is corrupted then its name field could be corrupted as well and we would end up reading an arbitrary amount of invalid memory.
Change-Id: I16f61065277d01fe1555d5a9cf743f7b52ccaa60
|
| 9d24d353 | 28-Jun-2016 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Improvements to runtime service init code
Light refactoring of the code in runtime_svc.c file.
- Declare validate_rt_svc_desc()'s argument as const.
- Remove 'goto' path in runtime_svc_init(). It was used in one place only.
- Improve code readability by declaring a local variable holding the service pointer.
Change-Id: I3b15c5adb9f37b786b5b993a9be70ea9dd017a83
|
| a1c3faa6 | 22-Jun-2016 |
Sandrine Bailleux <sandrine.bailleux@arm.com> |
Validate psci_find_target_suspend_lvl() result
This patch adds a runtime check that psci_find_target_suspend_lvl() returns a valid value back to psci_cpu_suspend() and psci_get_stat(). If it is invalid, BL31 will now panic.
Note that on the PSCI CPU suspend path there is already a debug assertion checking the validity of the target composite power state, which effectively also checks the validity of the target suspend level. Therefore, the error condition would already be caught in debug builds, but in a release build this assertion would be compiled out.
On the PSCI stat path, there is currently no debug assertion checking the validity of the power state before using it as an index into the power domain state array.
Although BL31 platform ports are responsible for validating the power state parameter, the security impact (i.e. an out-of-bounds array access) of a potential platform port bug in this code would be quite high, given that this parameter comes from an untrusted source. The cost of checking this in runtime generic code is low.
Change-Id: Icea85b8020e39928ac03ec0cd49805b5857b3906
|
| 3dd9835f | 25-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #667 from soby-mathew/sm/PSCI_lib
Introduce PSCI library |
| 0289970d | 25-Jul-2016 |
Antonio Nino Diaz <antonio.ninodiaz@arm.com> |
ARM platforms: Define common image sizes
Compile option `ARM_BOARD_OPTIMISE_MMAP` has been renamed to `ARM_BOARD_OPTIMISE_MEM` because it now applies not only to defines related to the translation tables but to the image size as well.
The defines `PLAT_ARM_MAX_BL1_RW_SIZE`, `PLAT_ARM_MAX_BL2_SIZE` and `PLAT_ARM_MAX_BL31_SIZE` have been moved to the file board_arm_def.h. This way, ARM platforms no longer have to set their own values if `ARM_BOARD_OPTIMISE_MEM=0` and they can specify optimized values otherwise. The common sizes have been set to the highest values used for any of the current build configurations.
This is needed because in some build configurations some images are running out of space. This way there is a common set of values known to work for all of them and it can be optimized for each particular platform if needed.
The space reserved for BL2 when `TRUSTED_BOARD_BOOT=0` has been increased. This is needed because when memory optimisations are disabled the values for Juno of `PLAT_ARM_MMAP_ENTRIES` and `MAX_XLAT_TABLES` are higher. If in this situation the code is compiled in debug mode and with "-O0", the code won't fit.
Change-Id: I70a3d8d3a0b0cad1d6b602c01a7ea334776e718e
|
| 738b1fd7 | 08-Jul-2016 |
Soby Mathew <soby.mathew@arm.com> |
Rearrange assembly helper macros
This patch moves assembler macros which are not architecture specific to a new file `asm_macros_common.S` and moves the `el3_common_macros.S` into `aarch64` specific folder.
Change-Id: I444a1ee3346597bf26a8b827480cd9640b38c826
|
| a4beaaff | 07-Jul-2016 |
Soby Mathew <soby.mathew@arm.com> |
Define `plat_get_syscnt_freq2()` unconditionally for ARM platforms
Previously the definition of `plat_get_syscnt_freq2()` in `arm_common.c` was conditionally defined based on the ERROR_DEPRECATED flag. This patch makes this function available irrespective of the flag and removes the deprecated `plat_get_syscnt_freq()` definition.
Change-Id: I250ca787ca1b5e867096c6ba8f2bb444db44c97b
|
| 48ac1df9 | 09-May-2016 |
Soby Mathew <soby.mathew@arm.com> |
Cater for preloaded BL33 within plat_get_ns_image_entrypoint()
The PRELOADED_BL33_BASE build option allows to preload a BL33 and bypass its loading by BL2. In ARM standard platforms, the conditional behaviour of PRELOADED_BL33_BASE is moved within the implementation of `plat_get_ns_image_entrypoint()` so that all callers may benefit from this feature.
Change-Id: Iea060e204ec72f8081087837854535c4e320da4e
|
| bc149bfc | 07-Jul-2016 |
Soby Mathew <soby.mathew@arm.com> |
Move `arm_common.c` out of aarch64 folder
This patch moves the `arm_common.c` file from `plat/arm/common/aarch64/` to the parent directory since the functions implemented in the file are not AArch64 specific. The platform makefiles are also modified for this change.
Change-Id: I776d2e4958f59041476cf2f53a9adb5b2d304ee0
|
| bb2162f1 | 03-May-2016 |
Soby Mathew <soby.mathew@arm.com> |
Include `plat_psci_common.c` from the new location
The `plat_psci_common.c` was moved to the new location `plat/common` and a stub file was retained at previous location for compatibility. This patch modifies the platform makefiles to include the file from the new location.
Change-Id: Iabddeeb824e9a5d72d176d7c644735966c8c0699
|
| cf0b1492 | 29-Apr-2016 |
Soby Mathew <soby.mathew@arm.com> |
Introduce PSCI Library Interface
This patch introduces the PSCI Library interface. The major changes introduced are as follows:
* Earlier BL31 was responsible for Architectural initialization during cold boot via bl31_arch_setup() whereas PSCI was responsible for the same during warm boot. This functionality is now consolidated by the PSCI library and it does Architectural initialization via psci_arch_setup() during both cold and warm boots.
* Earlier the warm boot entry point was always `psci_entrypoint()`. This was not flexible enough as a library interface. Now PSCI expects the runtime firmware to provide the entry point via `psci_setup()`. A new function `bl31_warm_entrypoint` is introduced in BL31 and the previous `psci_entrypoint()` is deprecated.
* The `smc_helpers.h` is reorganized to separate the SMC Calling Convention defines from the Trusted Firmware SMC helpers. The former is now in a new header file `smcc.h` and the SMC helpers are moved to Architecture specific header.
* The CPU context is used by PSCI for context initialization and restoration after power down (PSCI Context). It is also used by BL31 for SMC handling and context management during Normal-Secure world switch (SMC Context). The `psci_smc_handler()` interface is redefined to not use SMC helper macros thus enabling to decouple the PSCI context from EL3 runtime firmware SMC context. This enables PSCI to be integrated with other runtime firmware using a different SMC context.
NOTE: With this patch the architectural setup done in `bl31_arch_setup()` is done as part of `psci_setup()` and hence `bl31_platform_setup()` will be invoked prior to architectural setup. It is highly unlikely that the platform setup will depend on architectural setup and cause any failure. Please be aware of this change in sequence.
Change-Id: I7f497a08d33be234bbb822c28146250cb20dab73
|
| 532ed618 | 24-Mar-2016 |
Soby Mathew <soby.mathew@arm.com> |
Introduce `el3_runtime` and `PSCI` libraries
This patch moves the PSCI services and BL31 frameworks like context management and per-cpu data into new library components `PSCI` and `el3_runtime` respectively. This enables PSCI to be built independently from BL31. A new `psci_lib.mk` makefile is introduced which adds the relevant PSCI library sources and gets included by `bl31.mk`. Other changes which are done as part of this patch are:
* The runtime services framework is now moved to the `common/` folder to enable reuse.
* The `asm_macros.S` and `assert_macros.S` helpers are moved to architecture specific folder.
* The `plat_psci_common.c` is moved from the `plat/common/aarch64/` folder to `plat/common` folder. The original file location now has a stub which just includes the file from new location to maintain platform compatibility.
Most of the changes wouldn't affect platform builds as they just involve changes to the generic bl1.mk and bl31.mk makefiles.
NOTE: THE `plat_psci_common.c` FILE HAS MOVED LOCATION AND THE STUB FILE AT THE ORIGINAL LOCATION IS NOW DEPRECATED. PLATFORMS SHOULD MODIFY THEIR MAKEFILES TO INCLUDE THE FILE FROM THE NEW LOCATION.
Change-Id: I6bd87d5b59424995c6a65ef8076d4fda91ad5e86
|
| da554d74 | 03-May-2016 |
Soby Mathew <soby.mathew@arm.com> |
Fix coding guideline warnings
This patch fixes some coding guideline warnings reported by the checkpatch script. Only files related to upcoming feature development have been fixed.
Change-Id: I26fbce75c02ed62f00493ed6c106fe7c863ddbc5
|
| 4c0d0390 | 16-Jun-2016 |
Soby Mathew <soby.mathew@arm.com> |
Rework type usage in Trusted Firmware
This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below:
* Use uintptr_t for storing address instead of uint64_t or unsigned long.
* Review usage of unsigned long as it can no longer be assumed to be 64 bit.
* Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32.
* Use generic C types wherever possible.
In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked.
Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
|
| bc469a84 | 18-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #666 from Xilinx/zynqmp/rodata-xn
zynqmp: Map read-only data as execute-never |
| 84ded36c | 18-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #654 from rockchip-linux/rk3399-suspend-resume
rockchip: support the suspend/resume for rk3399 |
| 473cae6c | 18-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #653 from rockchip-linux/support-rockchip-sip-runtime-service
rockchip: support plat SIP runtime service for rk3399 |
| 9ec78bdf | 16-Jul-2016 |
Tony Xie <tony.xie@rock-chips.com> |
rockchip: support the suspend/resume for rk3399
1. Fixes some suspend/resume bugs.
2. Add the power domain for saving power consumption.
3. Add cpu clusters suspend for rk3399 SoCs
Change-Id: Id602779016b41d6281f4ba40a20229d909b28e46
|
| 1760db68 | 21-Jun-2016 |
Caesar Wang <wxt@rock-chips.com> |
rockchip: support plat SIP runtime service
Software executing in the normal world and in the trusted world at exception levels lower than EL3 will request runtime services using the SMC instruction.
See the documentation here: https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/rt-svc-writers-guide.md
This is to be implemented as an EL3 Runtime Service in the rockchip BL31 platform port, using the "SiP Service Call" range as specified in the SMC Calling Convention. This doesn't support any SMC yet; we will support it later.
Change-Id: I0a638dd0b653c28b08f79d89f77ed7c69864017d
|
| aadb1350 | 15-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #662 from sandrine-bailleux-arm/sb/rodata-xn
Map read-only data as execute-never |
| 9306f135 | 15-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #659 from soby-mathew/sm/declare_stack
Derive stack alignment from CACHE_WRITEBACK_GRANULE |
| 9ca516bb | 15-Jul-2016 |
danh-arm <dan.handley@arm.com> |
Merge pull request #658 from soby-mathew/sm/init_spi_ppi_gic
GIC: Ensure SGIs and PPIs are Group0 before setup |