Merge changes from topic "ahmed-azeem/rdaspen/enhancements" into integration

* changes:
feat(rdaspen): support configurable CPU topology in device tree
feat(rdaspen): add support for configurabl

Merge changes from topic "ahmed-azeem/rdaspen/enhancements" into integration

* changes:
feat(rdaspen): support configurable CPU topology in device tree
feat(rdaspen): add support for configurable platform's CPU topology
feat(rdaspen): scmi gracefully shutdown system
feat(scmi): support graceful system power set
fix(rdaspen): enable CPU feature runtime checking
fix(rdaspen): fix timer bus cells & fix ranges

show more ...

feat(rdaspen): support configurable CPU topology in device tree

Adjust the platform's CPU topology in the device tree file based on
the passed build time topology. If no build time topology was
prov

feat(rdaspen): support configurable CPU topology in device tree

Adjust the platform's CPU topology in the device tree file based on
the passed build time topology. If no build time topology was
provided, default topology will be used.

Change-Id: Ied48f27f32d8f7a7df138a98075848c59f7435c0
Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>

show more ...

feat(rdaspen): add support for configurable platform's CPU topology

- Add support for passing build time platform's CPU topology, which
defines the number of clusters and CPUs in the platform.
- A

feat(rdaspen): add support for configurable platform's CPU topology

- Add support for passing build time platform's CPU topology, which
defines the number of clusters and CPUs in the platform.
- Adjust the platform's power domain topology based on the passed
build time topology. If no build time topology was provided,
default topology will be used.

Change-Id: Ic80b308ab6d4c98139723021566d54be02b7d125
Signed-off-by: Amr Mohamed <amr.mohamed@arm.com>
Signed-off-by: David Hu <david.hu2@arm.com>

show more ...

feat(rdaspen): scmi gracefully shutdown system

In RD-Aspen, RSE shall be responsible for system shutdown. When TF-A
send a graceful SCMI system power set command to SCP, SCP will not
execute the shu

feat(rdaspen): scmi gracefully shutdown system

In RD-Aspen, RSE shall be responsible for system shutdown. When TF-A
send a graceful SCMI system power set command to SCP, SCP will not
execute the shutdown but notify RSE runtime.

RD-Aspen enable the graceful flag of css_scp_system_off in
platform.mk.

Change-Id: I80967e1d2e85193dd98f626e4c729ac722251a53
Signed-off-by: Jun Wu <jun.wu@arm.com>

show more ...

feat(scmi): support graceful system power set

Add conditional compiler to control the flags in css_scp_suspend and
css_scp_system_off. This enable each platform can decide to use
graceful or forcefu

feat(scmi): support graceful system power set

Add conditional compiler to control the flags in css_scp_suspend and
css_scp_system_off. This enable each platform can decide to use
graceful or forceful flag in SCMI system power set command per
their use cases.

Upstream-Status: Pending
Change-Id: I99129a680927b9401385fca6094b476126e2f8c7
Signed-off-by: Jun Wu <jun.wu@arm.com>

show more ...

fix(rdaspen): enable CPU feature runtime checking

Enable runtime feature detection for FEAT_AMU, FEAT_ECV, FEAT_FGT,
and FEAT_MTE2

These features were previously unconditionally enabled (=1) in the

fix(rdaspen): enable CPU feature runtime checking

Enable runtime feature detection for FEAT_AMU, FEAT_ECV, FEAT_FGT,
and FEAT_MTE2

These features were previously unconditionally enabled (=1) in the build
configuration, causing TF-A to initialize their contexts regardless of
actual CPU support in emulation implementations.

Set them to "2" to enable runtime feature detection instead.

With this change, TF-A checks the ID registers before accessing related
system registers or programming SCR_EL3 bits, avoiding register accesses
on CPUs that lack these features. This primarily addresses issues seen
in emulation environments with incomplete feature support.

Change-Id: I7f333245c60685544d925c24556358724a776082
Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>

show more ...

fix(rdaspen): fix timer bus cells & fix ranges

The timer node is a child bus that should expose frames via a
translating address space per the timer-with-frames binding.
The #size-cells were updated

fix(rdaspen): fix timer bus cells & fix ranges

The timer node is a child bus that should expose frames via a
translating address space per the timer-with-frames binding.
The #size-cells were updated to <1> from <2>, due to a
validation warning when running dt_validate:

/home/root/fdt/fdt: timer@1a810000: #size-cells: 1 was expected

Updating the cell-size to 1 fixes it, and another fix is also
applied to avoid an empty range property.

This models the timer as a proper translating bus:
- Remove clock-frequency since it is already configured in firmware.
- Update #address-cells from <2> to <1>/
- Update #size-cells from <2> to <1>.
- Provide a non-empty ranges mapping the child space at
0x1a810000 over a 0x30000 window.
- Convert frame and reg values to offsets within the child space.

This removes the dtc warnings in dt_validate and aligns with the
dt-schema expectation for the timer-with-frames layout used by
ACS DT validation.

Change-Id: I6deb9ecc0946176b9f9992d80c95db4106eb5820
Signed-off-by: Ahmed Azeem <ahmed.azeem@arm.com>

show more ...

Merge "fix(css): don't require the GICC frame to be defined on GICv3" into integration

Merge "feat(arm): load config after GPT FIP offset" into integration

docs(build): update GCC toolchain requirement to 14.3.Rel1

Update documentation to reflect the use of GCC version 14.3.Rel1,
the latest production release available at:
https://developer.arm.com/dow

docs(build): update GCC toolchain requirement to 14.3.Rel1

Update documentation to reflect the use of GCC version 14.3.Rel1,
the latest production release available at:
https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads

Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>
Change-Id: I4387ccf519593b804d3e8541e8aaf9723a2aedeb

show more ...

feat(docs): update context management's threat model

Improperly configuring cpu features (ENABLE_FEAT_XYZ) can lead to broken
firmware or, in rare cases, panic at EL3. This makes Denial of service a

feat(docs): update context management's threat model

Improperly configuring cpu features (ENABLE_FEAT_XYZ) can lead to broken
firmware or, in rare cases, panic at EL3. This makes Denial of service a
valid threat on the Availability asset.

Since the original model, we've gained FEATURE_DETECTION which is meant
to help get platforms configured correctly.

Change-Id: I10f9870173fc4b24ea14a24197537d46ead9f789
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(el3-spmc): update FF-A version checks

Fixed several version checks that failed with FF-A 1.2.

Change-Id: Idb37795e25eaa6f38ac4f065f68f8c8183cd26ea
Signed-off-by: Jay Monkman <jmonkman@google.c

feat(el3-spmc): update FF-A version checks

Fixed several version checks that failed with FF-A 1.2.

Change-Id: Idb37795e25eaa6f38ac4f065f68f8c8183cd26ea
Signed-off-by: Jay Monkman <jmonkman@google.com>
Signed-off-by: Andrei Homescu <ahomescu@google.com>

show more ...

Merge "fix(el3-spmc): validate fragment offset" into integration

Merge changes from topic "gr/cov_fixes" into integration

* changes:
fix(dsu): fix illegal address Coverity finding
fix(sdei): fix coverity finding array index read

fix(fwu): fwu NV ctr upgraded on trial run

The NV ctr value should not upgraded on trial run.
The NV ctr value upgrade is done in BL1 while the detection
of trial run happens in BL2, so the value is

fix(fwu): fwu NV ctr upgraded on trial run

The NV ctr value should not upgraded on trial run.
The NV ctr value upgrade is done in BL1 while the detection
of trial run happens in BL2, so the value is always upgraded.
Fix the problem by setting the upgrade of NV ctr value in BL2
if the NV ctr is shared among components.

Change-Id: Id681fce0482e3000eaef4f4a8f7d8c1023ccaf1a
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7

feat(docs): platform hook for whether NV ctr is shared

Add documentation on platform hook for inquiry if the
NV ctr is shared across all secure images (BL1, BL2, BL31 etc.).

Change-Id: If0859fe1fb7a072b6e8fc25f77218785a4fc0da8
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

feat(fwu): add platform hook for shared NV ctr

The NV ctr should not update when it is shared among
Bl1 and BL2. This is platform specific, therefore add
a platform hook to query the platform for th

feat(fwu): add platform hook for shared NV ctr

The NV ctr should not update when it is shared among
Bl1 and BL2. This is platform specific, therefore add
a platform hook to query the platform for this infor-
mation.

Change-Id: Ib180c8e6a183f7aaa7586e3f008273860d55b414
Signed-off-by: Xialin Liu <xialin.liu@arm.com>

show more ...

Merge "fix(tc): force specifying TARGET_PLATFORM" into integration

Merge "fix(smccc): fixed define when ENABLE_FEAT_FPMR is disabled" into integration

fix(build): set ERRATA_SPECULATIVE_AT after platform.mk

This was introduced in
289737419: fix(build): align the cpu-ops flags with all others

That patch reduced cpu-ops.mk to an elaborate defaults.

fix(build): set ERRATA_SPECULATIVE_AT after platform.mk

This was introduced in
289737419: fix(build): align the cpu-ops flags with all others

That patch reduced cpu-ops.mk to an elaborate defaults.mk and moved it
before platform.mk was evaluated. However, that patch missed the
ERRATA_SPECULATIVE_AT setting which must happen after platform.mk,
otherwise its value will not reflect errata state. So put it in the main
Makefile with other similar flag settings after platform.mk.

Change-Id: I221dab39c417531c5a148886d3e29709ba8b51a8
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

feat(arm): load config after GPT FIP offset

When ARM_GPT_SUPPORT is enabled and the FIP resides inside a GPT
partition, arm_bl2_el3_plat_config_load() may try to load a random
FIP at base address 0,

feat(arm): load config after GPT FIP offset

When ARM_GPT_SUPPORT is enabled and the FIP resides inside a GPT
partition, arm_bl2_el3_plat_config_load() may try to load a random
FIP at base address 0, failing to find the actual FIP.

Resolve the FIP from the GPT partition table first and compute the
offset when ARM_GPT_SUPPORT is set, before calling
arm_bl2_el3_plat_config_load() to load the platform config from
the FIP itself.

Change-Id: I5c9a461961c5167b816d5fb632cceb76f1439d83
Signed-off-by: Ahmed Azeem <ahmed.azeem@arm.com>

show more ...

Merge "feat(mbedtls): update mbedtls to version 3.6.5" into integration

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the M

fix(cpufeat): don't overwrite PAuth keys with an erroneous cache clean

Accessing cpu_data when TF-A is built with HW_ASSISTED_COHERENCY=1 is
simple. Caching (SCTLR_EL3.C) is enabled along with the MMU and we can
rely on all accesses being coherent. However, this is not the case when
HW_ASSISTED_COHERENCY=0. Most of EL3's initialisation (especially on
warm boot) happens with the MMU on but with caching being off. Caches
are only enabled deep into CPU_ON processing when we can be certain the
core has entered coherency. This latter case is the subject of this
patch.

Prior to this patch, the way to work around that was to clean the
apiakey cpu_data storage right after writing it. The write would have
gone straight to memory as caches were off and the clean asserted that
nothing would be in the caches which were assumed to be invalid since
we've just came out of reset.

The problem with this is that we cannot assume that ALL caches are
invalid when coming out of reset. We can reasonably assume those private
to the core to be (so the L1 and/or the L2; those are guaranteed to be
invalidated out of reset for every Arm core) but that is not the case
for shared caches (eg an L2/L3 DSU cache) which can be on when a core
powers down. So the old keys could still be live in the shared cache, we
write new ones to memory and clean the old to memory too, undoing the
work.

So the correct thing to do is to clean and invalidate the cache prior to
writing the keys to memory and invalidate it after. This ensures that if
there is any other data after the apiakey, which shares the cache line,
it will be safely forwarded to memory and the caches will be invalid
when caching is turned on.

It is important to note at this point that this was never observed in
practice - every known configuration that uses PAuth has the apiakey as
the very last member of the cpu_data struct which is padded up to a
cache line and the usage of the apiakey is such that it was never
allocated into the shared caches. So the clean would effectively perform
an invalidate of only the apiakey and all worked well. This was only
spotted with a proposed patch that added data after the apiakey
(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/39698/7).

Change-Id: I8493221dff53114c5c56dd73fbfd2a3301e2542c
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

fix(css): don't require the GICC frame to be defined on GICv3

It's used for GICv2 operation, which won't happen with v3. CSS will
always use USE_GIC_DRIVER with the correct version so we can rely on

fix(css): don't require the GICC frame to be defined on GICv3

It's used for GICv2 operation, which won't happen with v3. CSS will
always use USE_GIC_DRIVER with the correct version so we can rely on
that to skip passing the GICC frame.

Change-Id: I358b99646f98bd7c6ea398bc8d8900cc80ca15bb
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>

show more ...

Merge "fix(common): error out if image load size is zero" into integration