Commit Graph

222 Commits

Author SHA1 Message Date
Gerald Lejeune
adb4fcfb4c Enable asynchronous abort exceptions during boot
Asynchronous abort exceptions generated by the platform during cold boot are
not taken in EL3 unless SCR_EL3.EA is set.

Therefore EA bit is set along with RES1 bits in early BL1 and BL31 architecture
initialisation. Further write accesses to SCR_EL3 preserve these bits during
cold boot.

A build flag controls SCR_EL3.EA value to keep asynchronous abort exceptions
being trapped by EL3 after cold boot or not.

For further reference SError Interrupts are also known as asynchronous external
aborts.

On Cortex-A53 revisions below r0p2, asynchronous abort exceptions are taken in
EL3 whatever the SCR_EL3.EA value is.

Fixes arm-software/tf-issues#368

Signed-off-by: Gerald Lejeune <gerald.lejeune@st.com>
2016-03-30 17:26:23 +02:00
Scott Branden
bda77010a7 Add support for %z in tf_print()
Add support for %z format specifier in tf_printf() to support
printing data of type size_t

Fixes ARM-software/tf-issues#380

Signed-off-by Scott Branden <scott.branden@broadcom.com>
2016-03-23 13:40:36 -07:00
Antonio Nino Diaz
1c3ea103d2 Remove all non-configurable dead loops
Added a new platform porting function plat_panic_handler, to allow
platforms to handle unexpected error situations. It must be
implemented in assembly as it may be called before the C environment
is initialized. A default implementation is provided, which simply
spins.

Corrected all dead loops in generic code to call this function
instead. This includes the dead loop that occurs at the end of the
call to panic().

All unnecessary wfis from bl32/tsp/aarch64/tsp_exceptions.S have
been removed.

Change-Id: I67cb85f6112fa8e77bd62f5718efcef4173d8134
2016-03-14 16:41:18 +00:00
Antonio Nino Diaz
f0dd061ae6 Add support for %p in tf_printf()
This patch adds support for the `%p` format specifier in tf_printf()
following the example of the printf implementation of the stdlib used
in the trusted firmware.

Fixes ARM-software/tf-issues#292

Change-Id: I0b3230c783f735d3e039be25a9405f00023420da
2016-02-18 09:45:39 +00:00
Sandrine Bailleux
1645d3ee60 Miscellaneous doc fixes for v1.2
Change-Id: I6f49bd779f2a4d577c6443dd160290656cdbc59b
2015-12-21 18:10:12 +00:00
Juan Castillo
d178637d2b Remove dashes from image names: 'BL3-x' --> 'BL3x'
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:

    https://github.com/ARM-software/arm-trusted-firmware/wiki

Changes apply to output messages, comments and documentation.

Non-ARM platform files have been left unmodified.

Change-Id: Ic2a99be4ed929d52afbeb27ac765ceffce46ed76
2015-12-14 12:31:37 +00:00
Yatharth Kochar
bbf8f6f95b Move context management code to common location
The upcoming Firmware Update feature needs transitioning across
Secure/Normal worlds to complete the FWU process and hence requires
context management code to perform this task.

Currently context management code is part of BL31 stage only.
This patch moves the code from (include)/bl31 to (include)/common.
Some function declarations/definitions and macros have also moved
to different files to help code sharing.

Change-Id: I3858b08aecdb76d390765ab2b099f457873f7b0c
2015-12-09 17:41:18 +00:00
Achin Gupta
135c9ddd36 Merge pull request #423 from jcastillo-arm/jc/genfw/1211
Remove deprecated IO return definitions
2015-11-04 22:32:50 +00:00
Juan Castillo
e098e244a2 Remove deprecated IO return definitions
Patch 7e26fe1f deprecates IO specific return definitions in favour
of standard errno codes. This patch removes those definitions
and its usage from the IO framework, IO drivers and IO platform
layer. Following this patch, standard errno codes must be used
when checking the return value of an IO function.

Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
2015-11-02 10:47:01 +00:00
Sandrine Bailleux
68a68c925f Introduce print_entry_point_info() function
This patch introduces a new function called 'print_entry_point_info'
that prints an entry_point_t structure for debugging purposes.
As such, it can be used to display the entry point address, SPSR and
arguments passed from a firmware image to the next one.

This function is now called in the following image transitions:
 - BL1 to BL2
 - BL1 to BL31
 - BL31 to the next image (typically BL32 or BL33)

The following changes have been introduced:

 - Fix the output format of the SPSR value : SPSR is a 32-bit value,
   not a 64-bit one.

 - Print all arguments values.
   The entry_point_info_t structure allows to pass up to 8 arguments.
   In most cases, only the first 2 arguments were printed.
   print_entry_point_info() now prints all of them as 'VERBOSE'
   traces.

Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
2015-11-02 09:23:05 +00:00
Juan Castillo
78460a05e4 Use standard errno definitions in load_auth_image()
This patch replaces custom definitions used as return values for
the load_auth_image() function with standard error codes defined
in errno.h. The custom definitions have been removed.

It also replaces the usage of IO framework error custom definitions,
which have been deprecated. Standard errno definitions are used
instead.

Change-Id: I1228477346d3876151c05b470d9669c37fd231be
2015-10-23 16:57:52 +01:00
Vikram Kanigiri
a2f8b16650 Ensure BL2 security state is secure
BL2 loads secure runtime code (BL3-1, BL3-2) and hence it has to
run in secure world otherwise BL3-1/BL3-2 have to execute from
non-secure memory. Hence, this patch removes the change_security_state()
call in bl1_run_bl2() and replaces it with an assert to confirm
the BL2 as secure.

Fixes ARM-software/tf-issues#314

Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
2015-09-02 13:48:45 +01:00
Juan Castillo
fedbc0497b TBB: abort boot if BL3-2 cannot be authenticated
BL3-2 image (Secure Payload) is optional. If the image cannot be
loaded a warning message is printed and the boot process continues.
According to the TBBR document, this behaviour should not apply in
case of an authentication error, where the boot process should be
aborted.

This patch modifies the load_auth_image() function to distinguish
between a load error and an authentication error. The caller uses
the return value to abort the boot process or continue.

In case of authentication error, the memory region used to store
the image is wiped clean.

Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
2015-08-20 16:44:02 +01:00
Juan Castillo
962f7c512a TBB: delete deprecated PolarSSL authentication module
After updating the main authentication module to use the transport
and crypto modules and the CoT description, the PolarSSL
authentication module is no longer required. This patch deletes it.

Change-Id: I8ba1e13fc1cc7b2fa9df14ff59eb798f0460b878
2015-06-25 08:53:27 +01:00
Juan Castillo
1779ba6b97 TBB: switch to the new authentication framework
This patch modifies the Trusted Board Boot implementation to use
the new authentication framework, making use of the authentication
module, the crypto module and the image parser module to
authenticate the images in the Chain of Trust.

A new function 'load_auth_image()' has been implemented. When TBB
is enabled, this function will call the authentication module to
authenticate parent images following the CoT up to the root of
trust to finally load and authenticate the requested image.

The platform is responsible for picking up the right makefiles to
build the corresponding cryptographic and image parser libraries.
ARM platforms use the mbedTLS based libraries.

The platform may also specify what key algorithm should be used
to sign the certificates. This is done by declaring the 'KEY_ALG'
variable in the platform makefile. FVP and Juno use ECDSA keys.

On ARM platforms, BL2 and BL1-RW regions have been increased 4KB
each to accommodate the ECDSA code.

REMOVED BUILD OPTIONS:

  * 'AUTH_MOD'

Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
2015-06-25 08:53:27 +01:00
Juan Castillo
16948ae1d9 Use numbers to identify images instead of names
The Trusted firmware code identifies BL images by name. The platform
port defines a name for each image e.g. the IO framework uses this
mechanism in the platform function plat_get_image_source(). For
a given image name, it returns the handle to the image file which
involves comparing images names. In addition, if the image is
packaged in a FIP, a name comparison is required to find the UUID
for the image. This method is not optimal.

This patch changes the interface between the generic and platform
code with regard to identifying images. The platform port must now
allocate a unique number (ID) for every image. The generic code will
use the image ID instead of the name to access its attributes.

As a result, the plat_get_image_source() function now takes an image
ID as an input parameter. The organisation of data structures within
the IO framework has been rationalised to use an image ID as an index
into an array which contains attributes of the image such as UUID and
name. This prevents the name comparisons.

A new type 'io_uuid_spec_t' has been introduced in the IO framework
to specify images identified by UUID (i.e. when the image is contained
in a FIP file). There is no longer need to maintain a look-up table
[iname_name --> uuid] in the io_fip driver code.

Because image names are no longer mandatory in the platform port, the
debug messages in the generic code will show the image identifier
instead of the file name. The platforms that support semihosting to
load images (i.e. FVP) must provide the file names as definitions
private to the platform.

The ARM platform ports and documentation have been updated accordingly.
All ARM platforms reuse the image IDs defined in the platform common
code. These IDs will be used to access other attributes of an image in
subsequent patches.

IMPORTANT: applying this patch breaks compatibility for platforms that
use TF BL1 or BL2 images or the image loading code. The platform port
must be updated to match the new interface.

Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
2015-06-25 08:53:26 +01:00
Juan Castillo
d5e0a933b3 TBB: replace assert() with runtime checks in PolarSSL module
Using assert() to check the length of keys and hashes included in
a certificate is not a safe approach because assert() only applies
to debug builds. A malformed certificate could exploit security
flaws in release binaries due to buffer overflows.

This patch replaces assert() with runtime checks in the PolarSSL
authentication module, so malformed certificates cannot cause a
memory overflow.

Change-Id: I42ba912020595752c806cbd242fe3c74077d993b
2015-06-25 08:53:26 +01:00
Juan Castillo
c3da66b1bb TBB: use ASN.1 type DigestInfo to represent hashes
The cert_create tool calculates the hash of each BL image and includes
it as an ASN.1 OCTET STRING in the corresponding certificate extension.
Without additional information, the firmware running on the platform
has to know in advance the algorithm used to generate the hash.

This patch modifies the cert_create tool so the certificate extensions
that include an image hash are generated according to the following
ASN.1 structure:

    DigestInfo ::= SEQUENCE {
        digestAlgorithm  AlgorithmIdentifier,
        digest           OCTET STRING
    }

    AlgorithmIdentifier ::=  SEQUENCE  {
        algorithm        OBJECT IDENTIFIER,
        parameters       ANY DEFINED BY algorithm OPTIONAL
    }

The PolarSSL module has been updated to extract the image hash
from the certificate extension according to this structure.

Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
2015-06-25 08:53:26 +01:00
Dan Handley
1b70db06ff Fix type mismatches in verbose logging
Commit dad2504 adds support for type checking in printf-like
functions. Some of the VERBOSE logging statements were not updated
at that time.

Fix the type mismatches in the verbose logging statements.

Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
2015-04-27 18:05:06 +01:00
Kévin Petit
8b779620d3 Add support to indicate size and end of assembly functions
In order for the symbol table in the ELF file to contain the size of
functions written in assembly, it is necessary to report it to the
assembler using the .size directive.

To fulfil the above requirements, this patch introduces an 'endfunc'
macro which contains the .endfunc and .size directives. It also adds
a .func directive to the 'func' assembler macro.

The .func/.endfunc have been used so the assembler can fail if
endfunc is omitted.

Fixes ARM-Software/tf-issues#295

Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc
Signed-off-by: Kévin Petit <kevin.petit@arm.com>
2015-04-08 13:02:59 +01:00
Juan Castillo
81ee098327 TBB: remove PolarSSL SHA1 functions from the binary
Commit ea4ec3aad5 ("TBB: use SHA256 to generate the certificate
signatures") updated the cert_create tool to generate the
signatures using SHA256 instead of SHA1. Therefore, SHA1 is no
longer required.

This patch removes the SHA1 option from the PolarSSL configuration
file. The source file sha1.c is no longer needed and has been
excluded from the build. The SHA1 functions are no longer included
in the binary, reducing the memory footprint of BL1 and BL2 by
approximately 6 KB.

Change-Id: I72ea2cff03c0964c3eaadce148ec2ad2c6dde2e3
2015-03-11 11:44:15 +00:00
Sandrine Bailleux
ba592e2802 Fix violations to the coding style
All coding style violations have been fixed in a previous patch and
since then, each individual patch has been checked in this regard.
However, the latest version of the checkpatch.pl script from the Linux
kernel is more advanced and it is able to flag new errors in the
Trusted Firmware codebase. This patch fixes them.

Change-Id: I1f332f2440984be85d36b231bb83260368987077
2015-03-05 12:02:07 +00:00
Juan Castillo
40febc3ac8 TBB: add authentication module interface
This patch provides an API to access the authentication module that
will be used to verify the authenticity of the images loaded into
memory as part of the Trusted Board Boot process.

To include the authentication module as part of the build, set the
boolean build option TRUSTED_BOARD_BOOT. One single authentication
module must be registered at build time by setting the build option
AUTH_MOD=<mod_name>. All authentication modules will be located in
'common/auth/<mod_name>' and must present the <mod_name>.mk file that
will be included by the build system to compile the module sources.

To create an authentication module, an instance of auth_mod_t called
'auth_mod' must be declared in the module sources. The initialization
and verification functions provided by the module will be exported
through the function pointers specified when declaring this instance.

If an authentication module includes third party sources that do not
adhere to the C99 standard, the -pedantic option may be removed from
the build options by setting the flag DISABLE_PEDANTIC in the module
file <mod_name>.mk.

Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
2015-01-28 18:27:54 +00:00
Juan Castillo
db6071c99b TBB: add PolarSSL based authentication module
This patch implements an authentication module based on the
PolarSSL library (v1.3.9) to verify the Chain of Trust when
Trusted Boot is enabled.

PolarSSL sources must be fetched separately. The POLARSSL_DIR
build option may be used to indicate the path to the PolarSSL
main directory (this directory must contain the 'include' and
'library' subdirectories).

To be able to build PolarSSL sources as a part of the Trusted
Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk
will tell the build system to remove the -pedantic option from
the CFLAGS.

Inclusion of PolarSSL increases the memory requirements of the BL1
and BL2 images. The following are the changes made to the FVP and
Juno platforms to cater for this when TRUSTED_BOARD_BOOT is
defined:

Changes on FVP:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - BL2 memory region has been increased to 112 KB

Changes on Juno:

  - BL1 and BL2 stacks have been increased to 4 KB
  - BL1(rw) section has been increased to 32 KB.
  - Trusted ROM region in Flash has been increased to 128 KB.
  - BL2 memory region has been increased to 116 KB

Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
2015-01-28 18:27:54 +00:00
Juan Castillo
c5fb47c389 Skip reserving memory for non-executable and BL3-0 images
This patch adds support to not reserve the memory where an image is
loaded if the image is:

  1. A non-executable image e.g. a certificate
  2. An executable image which is not meant to run on the
     application CPU (e.g. BL3-0)

Both types of images are characterized by a NULL entrypoint argument
to the load_image() function. It is used to distinguish them from
other types of images.

Important: Use this feature carefully. The caller is responsible for
providing a valid entrypoint while loading images which will execute
on the application CPU to prevent a potential overwrite of the
corresponding memory region.

Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
2015-01-28 18:24:31 +00:00
Soby Mathew
aecc084080 Rework use of labels in assembly macros.
This patch provides a workaround for the ASM_ASSERT label issue
and also reworks the use of labels in assembly macros.
If the caller of the ASM_ASSERT macro happened to use the
label '1' to jump past the ASM_ASSERT macro, it would not have
worked since the ASM_ASSERT macro internally used the same label.
Hence, as a workaround, this patch makes the label a high
number in the expectation that the caller will never use it.

Also updated the other assembly macros using numerical labels to
named labels.

Change-Id: Iec892359db84f2391ad2a83a92141c4d7049776a
2014-08-19 14:42:35 +01:00
Dan Handley
6ad2e461f0 Rationalize console log output
Fix the following issues with the console log output:

* Make sure the welcome string is the first thing in the log output
(during normal boot).
* Prefix each message with the BL image name so it's clear which
BL the output is coming from.
* Ensure all output is wrapped in one of the log output macros so it can
be easily compiled out if necessary. Change some of the INFO() messages
to VERBOSE(), especially in the TSP.
* Create some extra NOTICE() and INFO() messages during cold boot.
* Remove all usage of \r in log output.

Fixes ARM-software/tf-issues#231

Change-Id: Ib24f7acb36ce64bbba549f204b9cde2dbb46c8a3
2014-08-12 16:51:18 +01:00
danh-arm
dd2bdee616 Merge pull request #177 from jcastillo-arm/jc/tf-issues/096
Rework incorrect use of assert() and panic() in codebase
2014-07-28 14:33:44 +01:00
Juan Castillo
d3280beb70 Rework incorrect use of assert() and panic() in codebase
Assert a valid security state using the macro sec_state_is_valid().
Replace assert() with panic() in those cases that might arise
because of runtime errors and not programming errors.
Replace panic() with assert() in those cases that might arise
because of programming errors.

Fixes ARM-software/tf-issues#96

Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
2014-07-28 12:20:16 +01:00
Soby Mathew
626ed510f1 Rework the crash reporting in BL3-1 to use less stack
This patch reworks the crash reporting mechanism to further
optimise the stack and code size. The reporting makes use
of assembly console functions to avoid calling C Runtime
to report the CPU state. The crash buffer requirement is
reduced to 64 bytes with this implementation. The crash
buffer is now part of per-cpu data which makes retrieving
the crash buffer trivial.

Also now panic() will use crash reporting if
invoked from BL3-1.

Fixes ARM-software/tf-issues#199

Change-Id: I79d27a4524583d723483165dc40801f45e627da5
2014-07-28 11:03:20 +01:00
Soby Mathew
bc9201289c Implement an assert() callable from assembly code
The patch implements a macro ASM_ASSERT() which can
be invoked from assembly code. When assertion happens,
file name and line number of the check is written
to the crash console.

Fixes ARM-software/tf-issues#95

Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
2014-07-28 11:01:49 +01:00
Soby Mathew
b79af93445 Implement a leaner printf for Trusted Firmware
This patch implements a "tf_printf" which supports only the commonly
used format specifiers in Trusted Firmware, which uses a lot less
stack space than the stdlib printf function.

Fixes ARM-software/tf-issues#116

Change-Id: I7dfa1944f4c1e634b3e2d571f49afe02d109a351
2014-07-25 12:18:33 +01:00
Sandrine Bailleux
8f55dfb4ba Remove concept of top/bottom image loading
This concept is no longer required since we now support loading of
images at fixed addresses only.

The image loader now automatically detects the position of the image
inside the current memory layout and updates the layout such that
memory fragmentation is minimised.

The 'attr' field of the meminfo data structure, which used to hold
the bottom/top loading information, has been removed. Also the 'next'
field has been removed as it wasn't used anywhere.

The 'init_bl2_mem_layout()' function has been moved out of common
code and put in BL1-specific code. It has also been renamed into
'bl1_init_bl2_mem_layout'.

Fixes ARM-software/tf-issues#109

Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
2014-07-01 10:59:43 +01:00
Sandrine Bailleux
63db7ba293 Make the entry point argument optional in load_image()
There are cases where the entry point information is useless to the
caller, e.g. when an image just needs to be loaded in memory but won't
ever be executed.

This patch allows load_image() function to take a NULL pointer as the
entry point argument. In this case, it won't be populated.

Change-Id: Ie9394b054457706c6699926c5e0206e0c3851c56
2014-06-05 14:33:30 +01:00
Dan Handley
dec5e0d1da Move BL porting functions into platform.h
Some platform porting functions were in BL specific header files.
These have been moved to platform.h so that all porting functions
are in the same place. The functions are now grouped by BL.
Obsolete BL header files have been removed.

Also, the weak declaration of the init_bl2_mem_layout() function
has been moved out of the header file and into the source file
(bl_common.c) using the more succinct #pragma syntax. This
mitigates the risk of 2 weak definitions being created and the
wrong one being picked up by the compiler.

Change-Id: Ib19934939fd755f3e5a5a5bceec88da684308a83
2014-05-23 17:18:54 +01:00
Vikram Kanigiri
6871c5d3a2 Rework memory information passing to BL3-x images
The issues addressed in this patch are:

1. Remove meminfo_t from the common interfaces in BL3-x,
expecting that platform code will find a suitable mechanism
to determine the memory extents in these images and provide
it to the BL3-x images.

2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x
code as the images use link-time information to determine
memory extents.

meminfo_t is still used by common interface in BL1/BL2 for
loading images

Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
2014-05-22 16:19:32 +01:00
Vikram Kanigiri
4112bfa0c2 Populate BL31 input parameters as per new spec
This patch is based on spec published at
https://github.com/ARM-software/tf-issues/issues/133

It rearranges the bl31_args struct into
bl31_params and bl31_plat_params which provide the
information needed for Trusted firmware and platform
specific data via x0 and x1

On the FVP platform BL3-1 params and BL3-1 plat params
and its constituents are stored at the start of TZDRAM.

The information about memory availability and size for
BL3-1, BL3-2 and BL3-3 is moved into platform specific data.

Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9
2014-05-22 16:14:19 +01:00
Vikram Kanigiri
29fb905d5f Rework handover interface between BL stages
This patch reworks the handover interface from: BL1 to BL2 and
BL2 to BL3-1. It removes the raise_el(), change_el(), drop_el()
and run_image() functions as they catered for code paths that were
never exercised.
BL1 calls bl1_run_bl2() to jump into BL2 instead of doing the same
by calling run_image(). Similarly, BL2 issues the SMC to transfer
execution to BL3-1 through BL1 directly. Only x0 and x1 are used
to pass arguments to BL31. These arguments and parameters for
running BL3-1 are passed through a reference to a
'el_change_info_t' structure. They were being passed by value in
general purpose registers earlier.

Change-Id: Id4fd019a19a9595de063766d4a66295a2c9307e1
2014-05-22 15:43:23 +01:00
Vikram Kanigiri
23ff9baa7e Introduce macros to manipulate the SPSR
This patch introduces macros (SPSR_64 and SPSR_32) to
create a SPSR for both aarch32 and aarch64 execution
states. These macros allow the user to set fields
in the SPSR depending upon its format.
The make_spsr() function which did not allow
manipulation of all the fields in the aarch32 SPSR
has been replaced by these new macros.

Change-Id: I9425dda0923e8d5f03d03ddb8fa0e28392c4c61e
2014-05-22 15:42:09 +01:00
Soby Mathew
a43d431b80 Rework BL3-1 unhandled exception handling and reporting
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.

This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.

panic() now prints the error file and line number in Debug mode
and prints the PC value in release mode.

The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.

Fixes ARM-software/tf-issues#79 Improve reporting of unhandled exception

Change-Id: I260791dc05536b78547412d147193cdccae7811a
2014-05-16 14:51:00 +01:00
Sandrine Bailleux
b3254e8547 Introduce IS_IN_ELX() macros
The goal of these macros is to improve code readability by providing
a concise way to check whether we are running in the expected
exception level.

Change-Id: If9aebadfb6299a5196e9a582b442f0971d9909b1
2014-05-09 11:23:11 +01:00
Dan Handley
625de1d4f0 Remove variables from .data section
Update code base to remove variables from the .data section,
mainly by using const static data where possible and adding
the const specifier as required. Most changes are to the IO
subsystem, including the framework APIs. The FVP power
management code is also affected.

Delay initialization of the global static variable,
next_image_type in bl31_main.c, until it is really needed.
Doing this moves the variable from the .data to the .bss
section.

Also review the IO interface for inconsistencies, using
uintptr_t where possible instead of void *. Remove the
io_handle and io_dev_handle typedefs, which were
unnecessary, replacing instances with uintptr_t.

Fixes ARM-software/tf-issues#107.

Change-Id: I085a62197c82410b566e4698e5590063563ed304
2014-05-06 17:55:38 +01:00
Dan Handley
97043ac98e Reduce deep nesting of header files
Reduce the number of header files included from other header
files as much as possible without splitting the files. Use forward
declarations where possible. This allows removal of some unnecessary
"#ifndef __ASSEMBLY__" statements.

Also, review the .c and .S files for which header files really need
including and reorder the #include statements alphabetically.

Fixes ARM-software/tf-issues#31

Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
2014-05-06 13:57:48 +01:00
Dan Handley
fb037bfb7c Always use named structs in header files
Add tag names to all unnamed structs in header files. This
allows forward declaration of structs, which is necessary to
reduce header file nesting (to be implemented in a subsequent
commit).

Also change the typedef names across the codebase to use the _t
suffix to be more conformant with the Linux coding style. The
coding style actually prefers us not to use typedefs at all but
this is considered a step too far for Trusted Firmware.

Also change the IO framework struct definitions to use typedef'd
structs to be consistent with the rest of the codebase.

Change-Id: I722b2c86fc0d92e4da3b15e5cab20373dd26786f
2014-05-06 13:57:48 +01:00
Dan Handley
35e98e5588 Make use of user/system includes more consistent
Make codebase consistent in its use of #include "" syntax for
user includes and #include <> syntax for system includes.

Fixes ARM-software/tf-issues#65

Change-Id: If2f7c4885173b1fd05ac2cde5f1c8a07000c7a33
2014-05-06 12:35:02 +01:00
Dan Handley
4ecca33988 Move include and source files to logical locations
Move almost all system include files to a logical sub-directory
under ./include. The only remaining system include directories
not under ./include are specific to the platform. Move the
corresponding source files to match the include directory
structure.

Also remove pm.h as it is no longer used.

Change-Id: Ie5ea6368ec5fad459f3e8a802ad129135527f0b3
2014-05-06 12:35:02 +01:00
Sandrine Bailleux
6c595b3d11 Separate out BL2, BL3-1 and BL3-2 early exception vectors from BL1
bl1/aarch64/early_exceptions.S used to be re-used by BL2, BL3-1 and
BL3-2.  There was some early SMC handling code in there that was not
required by the other bootloader stages.  Therefore this patch
introduces an even simpler exception vector source file for BL2,
BL3-1 and BL3-2.

Fixes ARM-software/tf-issues#38

Change-Id: I0244b80e9930b0f8035156a0bf91cc3e9a8f995d
2014-03-26 17:36:36 +00:00
Vikram Kanigiri
6ba0b6d674 Remove partially qualified asm helper functions
Each ARM Trusted Firmware image should know in which EL it is running
and it should use the corresponding register directly instead of reading
currentEL and knowing which asm register to read/write

Change-Id: Ief35630190b6f07c8fbb7ba6cb20db308f002945
2014-03-21 17:17:48 +00:00
Ryan Harkin
ee9ad7856c bl_common: add image_size()
Fixes ARM-software/tf-issues#42

Some callers of load_image() may need to get the size of the image
before/after loading it.

Change-Id: I8dc067b69fc711433651a560ba5a8c3519445857
Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
2014-03-05 16:21:14 +00:00
Jeenu Viswambharan
090630e4bc Tolerate runtime service initialization failure
At present, the firmware panics if a runtime service fails to
initialize. An earlier patch had implemented late binding for all
runtime service handlers.

With that in place, this patch allows the firmware to proceed even when
a service fails to initialize.

Change-Id: I6cf4de2cecea9719f4cd48272a77cf459b080d4e
2014-02-26 19:53:48 +00:00
Jeenu Viswambharan
08c28d5385 Report recoverable errors as warnings
At present many recoverable failures are reported as errors. This patch
modifies all such failures to be reported as warnings instead.

Change-Id: I5141653c82498defcada9b90fdf7498ba496b2f2
2014-02-20 19:06:34 +00:00
Achin Gupta
0a9f747379 Move PSCI to runtime services directory
This patch creates a 'services' directory and moves the PSCI under
it. Other runtime services e.g. the Secure Payload Dispatcher service
will be placed under the same directory in the future.

Also fixes issue ARM-software/tf-issues#12

Change-Id: I187f83dcb660b728f82155d91882e961d2255068
2014-02-20 19:06:34 +00:00
Achin Gupta
e4d084ea96 Rework BL2 to BL3-1 hand over interface
This patch reworks BL2 to BL3-1 hand over interface by introducing a
composite structure (bl31_args) that holds the superset of information
that needs to be passed from BL2 to BL3-1.

  - The extents of secure memory available to BL3-1
  - The extents of memory available to BL3-2 (not yet implemented) and
    BL3-3
  - Information to execute BL3-2 (not yet implemented) and BL3-3 images

This patch also introduces a new platform API (bl2_get_bl31_args_ptr)
that needs to be implemented by the platform code to export reference to
bl31_args structure which has been allocated in platform-defined memory.

The platform will initialize the extents of memory available to BL3-3
during early platform setup in bl31_args structure. This obviates the
need for bl2_get_ns_mem_layout platform API.

BL2 calls the bl2_get_bl31_args_ptr function to get a reference to
bl31_args structure. It uses the 'bl33_meminfo' field of this structure
to load the BL3-3 image. It sets the entry point information for the
BL3-3 image in the 'bl33_image_info' field of this structure. The
reference to this structure is passed to the BL3-1 image.

Also fixes issue ARM-software/tf-issues#25

Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517
2014-02-20 19:06:34 +00:00
Jeenu Viswambharan
caa84939a4 Add support for handling runtime service requests
This patch uses the reworked exception handling support to handle
runtime service requests through SMCs following the SMC calling
convention. This is a giant commit since all the changes are
inter-related. It does the following:

1. Replace the old exception handling mechanism with the new one
2. Enforce that SP_EL0 is used for C runtime stacks.
3. Ensures that the cold and warm boot paths use the 'cpu_context'
   structure to program an ERET into the next lower EL.
4. Ensures that SP_EL3 always points to the next 'cpu_context'
   structure prior to an ERET into the next lower EL
5. Introduces a PSCI SMC handler which completes the use of PSCI as a
   runtime service

Change-Id: I661797f834c0803d2c674d20f504df1b04c2b852
Co-authored-by: Achin Gupta <achin.gupta@arm.com>
2014-02-17 18:51:44 +00:00
Achin Gupta
07f4e078b6 Introduce new exception handling framework
This patch introduces the reworked exception handling logic which lays
the foundation for accessing runtime services in later patches. The
type of an exception has a greater say in the way it is
handled. SP_EL3 is used as the stack pointer for:

1. Determining the type of exception and handling the unexpected ones
   on the exception stack

2. Saving and restoring the essential general purpose and system
   register state after exception entry and prior to exception exit.

SP_EL0 is used as the stack pointer for handling runtime service
requests e.g. SMCs. A new structure for preserving general purpose
register state has been added to the 'cpu_context' structure. All
assembler ensures that it does not use callee saved registers
(x19-x29). The C runtime preserves them across function calls. Hence
EL3 code does not have to save and restore them explicitly.

Since the exception handling framework has undergone substantial change,
the changes have been kept in separate files to aid readability. These
files will replace the existing ones in subsequent patches.

Change-Id: Ice418686592990ff7a4260771e8d6676e6c8c5ef
2014-02-17 18:51:44 +00:00
Achin Gupta
7421b4653d Add runtime services framework
This patch introduces the framework to enable registration and
initialisation of runtime services. PSCI is registered and initialised
as a runtime service. Handling of runtime service requests will be
implemented in subsequent patches.

Change-Id: Id21e7ddc5a33d42b7d6e455b41155fc5441a9547
2014-02-17 18:51:44 +00:00
Achin Gupta
ef7a28c92b psci: Use context library for preserving EL3 state
This patch uses the context library to save and restore EL3 state on
the 'cpu_context' data structures allocated by PSCI for managing
non-secure state context on each cpu.

Change-Id: I19c1f26578204a7cd9e0a6c582ced0d97ee4cf80
2014-02-17 18:51:44 +00:00
Achin Gupta
b739f22a99 Setup VBAR_EL3 incrementally
This patch ensures that VBAR_EL3 points to the simple stack-less
'early_exceptions' when the C runtime stack is not correctly setup to
use the more complex 'runtime_exceptions'. It is initialised to
'runtime_exceptions' once this is done.

This patch also moves all exception vectors into a '.vectors' section
and modifies linker scripts to place all such sections together. This
will minimize space wastage from alignment restrictions.

Change-Id: I8c3e596ea3412c8bd582af9e8d622bb1cb2e049d
2014-02-17 18:51:44 +00:00
James Morrissey
9d72b4ea9c Implement load_image in terms of IO abstraction
The modified implementation uses the IO abstraction rather than
making direct semi-hosting calls.  The semi-hosting driver is now
registered for the FVP platform during initialisation of each boot
stage where it is used.  Additionally, the FVP platform includes a
straightforward implementation of 'plat_get_image_source' which
provides a generic means for the 'load_image' function to determine
how to access the image data.

Change-Id: Ia34457b471dbee990c7b3c79de7aee4ceea51aa6
2014-02-17 18:51:43 +00:00
James Morrissey
40a6f64795 Fix asserts appearing in release builds
Also fix warnings generated in release builds when assert code
is absent.

Change-Id: I45b9173d3888f9e93e98eb5b4fdc06727ba5cbf4
2014-02-17 18:51:43 +00:00
Achin Gupta
75f7367b4c psci: fix affinity level upgrade issue
The psci implementation does not track target affinity level requests
specified during cpu_suspend calls correctly as per the following
example.

1. cpu0.cluster0 calls cpu_suspend with the target affinity level as 0
2. Only the cpu0.cluster0 is powered down while cluster0 remains
   powered up
3. cpu1.cluster0 calls cpu_off to power itself down to highest
   possible affinity level
4. cluster0 will be powered off even though cpu0.cluster0 does not
   allow cluster shutdown

This patch introduces reference counts at affinity levels > 0 to track
the number of cpus which want an affinity instance at level X to
remain powered up. This instance can be turned off only if its
reference count is 0. Cpus still undergo the normal state transitions
(ON, OFF, ON_PENDING, SUSPEND) but the higher levels can only be
either ON or OFF depending upon their reference count.

The above issue is thus fixed as follows:

1. cluster0's reference count is incremented by two when cpu0 and cpu1
   are initially powered on.

2. cpu0.cluster0 calls cpu_suspend with the target affinity level as
   0. This does not affect the cluster0 reference count.

3. Only the cpu0.cluster0 is powered down while cluster0 remains
   powered up as it has a non-zero reference count.

4. cpu1.cluster0 calls cpu_off to power itself down to highest possible
   affinity level. This decrements the cluster0 reference count.

5. cluster0 is still not powered off since its reference count will at
   least be 1 due to the restriction placed by cpu0.

Change-Id: I433dfe82b946f5f6985b1602c2de87800504f7a9
2014-01-20 18:45:04 +00:00
Achin Gupta
a45e39738b psci: preserve target affinity level during suspend
This patch adds support to save and restore the target affinity level
specified during a cpu_suspend psci call. This ensures that we
traverse only through the affinity levels that we originally intended
to after resuming from suspend.

Change-Id: I0900ae49a50b496da137cfec8f158da0397ec56c
2014-01-20 18:45:04 +00:00
Achin Gupta
a59caa4cbd psci: replace secure context with suspend context
The secure context saved and restored across a cpu_suspend operation
can be more than just the state of the secure system registers e.g. we
also need to save the affinity level till which the cpu is being
powered down. This patch creates a suspend_context data structure
which includes the system register context. This will allow other bits
to be saved and restored as well in subsequent patches.

Change-Id: I1c1f7d25497388b54b7d6ee4fab77e8c6a9992c4
2014-01-20 18:45:04 +00:00
Dan Handley
e83b0cadc6 Update year in copyright text to 2014
Change-Id: Ic7fb61aabae1d515b9e6baf3dd003807ff42da60
2014-01-17 10:27:53 +00:00
Sandrine Bailleux
ba6980a8db Move RUN_IMAGE constant from bl1.h to bl_common.h
RUN_IMAGE constant is used by all bootloader stages.

Change-Id: I1b4e28d8fcf3ad1363f202c859f5efab0f320efe
2013-12-12 16:06:48 +00:00
Achin Gupta
0959db5c99 psci: rectify and homogenise generic code
This patch performs a major rework of the psci generic implementation
to achieve the following:

1. replace recursion with iteration where possible to aid code
   readability e.g. affinity instance states are changed iteratively
   instead of recursively.

2. acquire pointers to affinity instance nodes at the beginning of a
   psci operation. All subsequent actions use these pointers instead
   of calling psci_get_aff_map_node() repeatedly e.g. management of
   locks has been abstracted under functions which use these pointers
   to ensure correct ordering. Helper functions have been added to
   create these abstractions.

3. assertions have been added to cpu level handlers to ensure correct
   state transition

4. the affinity level extents specified to various functions have the
   same meaning i.e. start level is always less than the end level.

Change-Id: If0508c3a7b20ea3ddda2a66128429382afc3dfc8
2013-12-05 12:28:50 +00:00
Achin Gupta
3140a9e5c7 psci: rework cpu_off assertion and minor cleanups
This patch:

1. removes a duplicate assertion to check that the only error
   condition that can be returned while turning a cpu off is
   PSCI_E_DENIED. Having this assertion after calling
   psci_afflvl_off() is sufficient.

2. corrects some incorrect usage of 'its' vs 'it is'

3. removes some unwanted white spaces

Change-Id: Icf014e269b54f5be5ce0b9fbe6b41258e4ebf403
2013-12-05 12:28:50 +00:00
Achin Gupta
c8afc78919 psci: fix error due to a non zero context id
In the previous psci implementation, the psci_afflvl_power_on_finish()
function would run into an error condition if the value of the context
id parameter in the cpu_on and cpu_suspend psci calls was != 0. The
parameter was being restored as the return value of the affinity level
0 finisher function. A non zero context id would be treated as an
error condition. This would prevent successful wake up of the cpu from
a power down state. Also, the contents of the general purpose
registers were not being cleared upon return to the non-secure world
after a cpu power up. This could potentially allow the non-secure
world to view secure data.

This patch ensures that all general purpose registers are set to ~0
prior to the final eret that drops the execution to the non-secure
world. The context id is used to initialize the general purpose
register x0 prior to re-entry into the non-secure world and is no
longer restored as a function return value. A platform helper
(platform_get_stack()) has been introduced to facilitate this change.

Change-Id: I2454911ffd75705d6aa8609a5d250d9b26fa097c
2013-12-05 12:28:50 +00:00
Dan Handley
ab2d31edbd Enable third party contributions
- Add instructions for contributing to ARM Trusted Firmware.

- Update copyright text in all files to acknowledge contributors.

Change-Id: I9311aac81b00c6c167d2f8c889aea403b84450e5
2013-12-05 11:34:09 +00:00
Sandrine Bailleux
8d69a03f6a Various improvements/cleanups on the linker scripts
  - Check at link-time that bootloader images will fit in memory
    at run time and that they won't overlap each other.
  - Remove text and rodata orphan sections.
  - Define new linker symbols to remove the need for platform setup
    code to know the order of sections.
  - Reduce the size of the raw binary images by cutting some sections
    out of the disk image and allocating them at load time, whenever
    possible.
  - Rework alignment constraints on sections.
  - Remove unused linker symbols.
  - Homogenize linker symbols names across all BLs.
  - Add some comments in the linker scripts.

Change-Id: I47a328af0ccc7c8ab47fcc0dc6e7dd26160610b9
2013-12-05 11:33:15 +00:00
Sandrine Bailleux
3738274dc1 Unmask SError and Debug exceptions.
Any asynchronous exception caused by the firmware should be handled
in the firmware itself.  For this reason, unmask SError exceptions
(and Debug ones as well) on all boot paths.  Also route external
abort and SError interrupts to EL3, otherwise they will target EL1.

Change-Id: I9c191d2d0dcfef85f265641c8460dfbb4d112092
2013-11-27 15:31:06 +00:00
Achin Gupta
4f6ad66ae9 ARMv8 Trusted Firmware release v0.2
2013-10-25 09:37:16 +01:00