Merge changes from topic "db/deps" into integration
* changes:
feat(compiler-rt): update compiler-rt source files
fix(deps): add missing aeabi_memcpy.S
feat(zlib): update zlib source files
docs(changelog): add zlib and compiler-rt scope
feat(libfdt): upgrade libfdt source files
docs(prerequisites): upgrade to Mbed TLS 2.28.1
diff --git a/Makefile b/Makefile
index 2c3f23d..a14d4d8 100644
--- a/Makefile
+++ b/Makefile
@@ -149,7 +149,10 @@
CTX_INCLUDE_EL2_REGS := 1
CTX_INCLUDE_AARCH32_REGS := 0
ARM_ARCH_MAJOR := 8
-ARM_ARCH_MINOR := 6
+ARM_ARCH_MINOR := 5
+ENABLE_FEAT_ECV = 1
+ENABLE_FEAT_FGT = 1
+
endif
# USE_SPINLOCK_CAS requires AArch64 build
diff --git a/docs/components/el3-spmc.rst b/docs/components/el3-spmc.rst
new file mode 100644
index 0000000..1a2d427
--- /dev/null
+++ b/docs/components/el3-spmc.rst
@@ -0,0 +1,597 @@
+EL3 Secure Partition Manager
+****************************
+
+.. contents::
+
+Foreword
+========
+
+This document describes the design of the EL3 SPMC based on the FF-A specification.
+EL3 SPMC provides reference FF-A compliant implementation without S-EL2 virtualization support,
+to help adopt and migrate to FF-A early.
+EL3 SPMC implementation in TF-A:
+
+- Manages a single S-EL1 Secure Partition
+- Provides a standard protocol for communication and memory sharing between FF-A endpoints.
+- Provides support for EL3 Logical Partitions to support easy migration from EL3 to S-EL1.
+
+Sample reference stack
+======================
+
+The following diagram illustrates a possible configuration when the
+FEAT_SEL2 architecture extension is not implemented, showing the SPMD
+and SPMC at EL3, one S-EL1 secure partition, with an optional
+Hypervisor:
+
+.. image:: ../resources/diagrams/ff-a-spm-at-el3.png
+
+TF-A build options
+==================
+
+This section explains the TF-A build options involved in building
+an FF-A based SPM where the SPMD and SPMC are located at EL3:
+
+- **SPD=spmd**: this option selects the SPMD component to relay the FF-A
+ protocol from NWd to SWd back and forth. It is not possible to
+ enable another Secure Payload Dispatcher when this option is chosen.
+- **SPMC_AT_EL3**: this option adjusts the SPMC exception level to being
+ at EL3.
+- **ARM_SPMC_MANIFEST_DTS**: this option specifies a manifest file
+ providing SP description. It is required when
+ ``SPMC_AT_EL3`` is enabled, the secure partitions are loaded
+ by BL2 on behalf of the SPMC.
+
+Notes:
+
+- BL32 option is re-purposed to specify the S-EL1 TEE or SP image.
+ BL32 option can be omitted if using TF-A Test Secure Payload as SP.
+- BL33 option can specify the TFTF binary or a normal world loader
+ such as U-Boot or the UEFI framework payload.
+
+Sample TF-A build command line when the SPMC is located at EL3:
+
+.. code:: shell
+
+ make \
+ CROSS_COMPILE=aarch64-none-elf- \
+ SPD=spmd \
+ SPMD_SPM_AT_SEL2=0 \
+ SPMC_AT_EL3=1 \
+ BL32=<path-to-tee-binary> (opt for TSP) \
+ BL33=<path-to-bl33-binary> \
+ PLAT=fvp \
+ all fip
+
+FVP model invocation
+====================
+
+Sample FVP command line invocation:
+
+.. code:: shell
+
+ <path-to-fvp-model>/FVP_Base_RevC-2xAEMvA -C pctl.startup=0.0.0.0 \
+ -C cluster0.NUM_CORES=4 -C cluster1.NUM_CORES=4 -C bp.secure_memory=1 \
+ -C bp.secureflashloader.fname=trusted-firmware-a/build/fvp/debug/bl1.bin \
+ -C bp.flashloader0.fname=trusted-firmware-a/build/fvp/debug/fip.bin \
+ -C bp.pl011_uart0.out_file=fvp-uart0.log -C bp.pl011_uart1.out_file=fvp-uart1.log \
+ -C bp.pl011_uart2.out_file=fvp-uart2.log -C bp.vis.disable_visualisation=1
+
+
+Platform Guide
+==============
+
+- Platform Hooks See - `[4]`_
+
+ - plat_spmc_shmem_begin
+ - plat_spmc_shmem_reclaim
+
+SPMC provides platform hooks related to memory management interfaces.
+These hooks can be used for platform specific implementations like
+for managing access control, programming TZ Controller or MPUs.
+These hooks are called by SPMC before the initial share request completes,
+and after the final reclaim has been completed.
+
+- Datastore
+
+ - plat_spmc_shmem_datastore_get
+
+ EL3 SPMC uses datastore for tracking memory transaction descriptors.
+ On FVP platform datastore is allocated from TZC DRAM section.
+ Other platforms need to allocate a similar secure memory region
+ to be used as shared memory datastore.
+
+ The accessor function is used during SPMC initialization to obtain
+ address and size of the datastore.
+ SPMC will also zero out the provided memory region.
+
+- Platform Defines See - `[5]`_
+
+ - SECURE_PARTITION_COUNT
+ Number of Secure Partitions supported: must be 1.
+
+ - NS_PARTITION_COUNT
+ Number of NWd Partitions supported.
+
+ - MAX_EL3_LP_DESCS_COUNT
+ Number of Logical Partitions supported.
+
+Logical Secure Partition (LSP)
+==============================
+
+- The SPMC provides support for statically allocated EL3 Logical Secure Partitions
+ as per FF-A v1.1 specification.
+- The DECLARE_LOGICAL_PARTITION macro can be used to add a LSP.
+- For reference implementation See - `[2]`_
+
+.. image:: ../resources/diagrams/ff-a-lsp-at-el3.png
+
+SPMC boot
+=========
+
+The SPMD and SPMC are built into the BL31 image along with TF-A's runtime components.
+BL2 loads the BL31 image as a part of (secure) boot process.
+
+The SPMC manifest is loaded by BL2 as the ``TOS_FW_CONFIG`` image `[9]`_.
+
+BL2 passes the SPMC manifest address to BL31 through a register.
+
+At boot time, the SPMD in BL31 runs from the primary core, initializes the core
+contexts and launches the SPMC passing the following information through
+registers:
+
+- X0 holds the SPMC manifest blob address.
+- X4 holds the currently running core linear id.
+
+Parsing SP partition manifests
+------------------------------
+
+SPMC consumes the SP manifest, as defined in `[7]`_.
+SP manifest fields align with Hafnium SP manifest for easy porting.
+
+.. code:: shell
+
+ compatible = "arm,ffa-manifest-1.0";
+
+ ffa-version = <0x00010001>; /* 31:16 - Major, 15:0 - Minor */
+ id = <0x8001>;
+ uuid = <0x6b43b460 0x74a24b78 0xade24502 0x40682886>;
+ messaging-method = <0x3>; /* Direct Messaging Only */
+ exception-level = <0x2>; /* S-EL1 */
+ execution-state = <0>;
+ execution-ctx-count = <8>;
+ gp-register-num = <0>;
+ power-management-messages = <0x7>;
+
+
+Passing boot data to the SP
+---------------------------
+
+In `[1]`_ , the section "Boot information protocol" defines a method for passing
+data to the SPs at boot time. It specifies the format for the boot information
+descriptor and boot information header structures, which describe the data to be
+exchanged between SPMC and SP.
+The specification also defines the types of data that can be passed.
+The aggregate of both the boot info structures and the data itself is designated
+the boot information blob, and is passed to a Partition as a contiguous memory
+region.
+
+Currently, the SPM implementation supports the FDT type which is used to pass the
+partition's DTB manifest.
+
+The region for the boot information blob is statically allocated (4K) by SPMC.
+BLOB contains Boot Info Header, followed by SP Manifest contents.
+
+The configuration of the boot protocol is done in the SP manifest. As defined by
+the specification, the manifest field 'gp-register-num' configures the GP register
+which shall be used to pass the address to the partitions boot information blob when
+booting the partition.
+
+Supported interfaces
+====================
+
+The following interfaces are exposed to SPs only:
+
+- ``FFA_MSG_WAIT``
+- ``FFA_MEM_RETRIEVE_REQ``
+- ``FFA_MEM_RETRIEVE_RESP``
+- ``FFA_MEM_RELINQUISH``
+- ``FFA_SECONDARY_EP_REGISTER``
+
+The following interfaces are exposed to both NS Client and SPs:
+
+- ``FFA_VERSION``
+- ``FFA_FEATURES``
+- ``FFA_RX_RELEASE``
+- ``FFA_RXTX_MAP``
+- ``FFA_RXTX_UNMAP``
+- ``FFA_PARTITION_INFO_GET``
+- ``FFA_ID_GET``
+- ``FFA_MSG_SEND_DIRECT_REQ``
+- ``FFA_MSG_SEND_DIRECT_RESP``
+- ``FFA_MEM_FRAG_TX``
+- ``FFA_SPM_ID_GET``
+
+The following additional interfaces are forwarded from SPMD to support NS Client:
+
+- ``FFA_RUN``
+- ``FFA_MEM_LEND``
+- ``FFA_MEM_SHARE``
+- ``FFA_MEM_FRAG_RX``
+- ``FFA_MEM_RECLAIM``
+
+
+FFA_VERSION
+-----------
+
+``FFA_VERSION`` requires a *requested_version* parameter from the caller.
+SPMD forwards call to SPMC, the SPMC returns its own implemented version.
+SPMC asserts SP and SPMC are at same FF-A Version.
+
+FFA_FEATURES
+------------
+
+FF-A features supported by the SPMC may be discovered by secure partitions at
+boot (that is prior to NWd is booted) or run-time.
+
+The SPMC calling FFA_FEATURES at secure physical FF-A instance always get
+FFA_SUCCESS from the SPMD.
+
+The request made by an Hypervisor or OS kernel is forwarded to the SPMC and
+the response relayed back to the NWd.
+
+
+FFA_RXTX_MAP
+------------
+
+FFA_RXTX_UNMAP
+--------------
+
+When invoked from a secure partition FFA_RXTX_MAP maps the provided send and
+receive buffers described by their PAs to the EL3 translation regime
+as secure buffers in the MMU descriptors.
+
+When invoked from the Hypervisor or OS kernel, the buffers are mapped into the
+SPMC EL3 translation regime and marked as NS buffers in the MMU
+descriptors.
+
+The FFA_RXTX_UNMAP unmaps the RX/TX pair from the translation regime of the
+caller, either it being the Hypervisor or OS kernel, as well as a secure
+partition.
+
+FFA_PARTITION_INFO_GET
+----------------------
+
+Partition info get call can originate:
+
+- from SP to SPMC
+- from Hypervisor or OS kernel to SPMC. The request is relayed by the SPMD.
+
+The format (v1.0 or v1.1) of the populated data structure returned is based upon the
+FFA version of the calling entity.
+
+EL3 SPMC also supports returning only the count of partitions deployed.
+
+All LSPs and SP are discoverable from FFA_PARTITION_INFO_GET call made by
+either SP or NWd entities.
+
+FFA_ID_GET
+----------
+
+The FF-A ID space is split into a non-secure space and secure space:
+
+- FF-A ID with bit 15 clear relates to VMs.
+- FF-A ID with bit 15 set related to SPs or LSPs.
+- FF-A IDs 0, 0xffff, 0x8000 are assigned respectively to the Hypervisor
+ (or OS Kernel if Hyp is absent), SPMD and SPMC.
+
+This convention helps the SPM to determine the origin and destination worlds in
+an FF-A ABI invocation. In particular the SPM shall filter unauthorized
+transactions in its world switch routine. It must not be permitted for a VM to
+use a secure FF-A ID as origin world by spoofing:
+
+- A VM-to-SP direct request/response shall set the origin world to be non-secure
+ (FF-A ID bit 15 clear) and destination world to be secure (FF-A ID bit 15
+ set).
+- Similarly, an SP-to-LSP direct request/response shall set the FF-A ID bit 15
+ for both origin and destination IDs.
+
+An incoming direct message request arriving at SPMD from NWd is forwarded to
+SPMC without a specific check. The SPMC is resumed through eret and "knows" the
+message is coming from normal world in this specific code path. Thus the origin
+endpoint ID must be checked by SPMC for being a normal world ID.
+
+An SP sending a direct message request must have bit 15 set in its origin
+endpoint ID and this can be checked by the SPMC when the SP invokes the ABI.
+
+The SPMC shall reject the direct message if the claimed world in origin endpoint
+ID is not consistent:
+
+- It is either forwarded by SPMD and thus origin endpoint ID must be a "normal
+ world ID",
+- or initiated by an SP and thus origin endpoint ID must be a "secure world ID".
+
+
+FFA_MSG_SEND_DIRECT_REQ
+-----------------------
+
+FFA_MSG_SEND_DIRECT_RESP
+------------------------
+
+This is a mandatory interface for secure partitions participating in direct request
+and responses with the following rules:
+
+- An SP can send a direct request to LSP.
+- An LSP can send a direct response to SP.
+- An SP cannot send a direct request to an Hypervisor or OS kernel.
+- An Hypervisor or OS kernel can send a direct request to an SP or LSP.
+- An SP and LSP can send a direct response to an Hypervisor or OS kernel.
+- SPMD can send direct request to SPMC.
+
+FFA_SPM_ID_GET
+--------------
+
+Returns the FF-A ID allocated to an SPM component which can be one of SPMD
+or SPMC.
+
+At initialization, the SPMC queries the SPMD for the SPMC ID, using the
+FFA_ID_GET interface, and records it. The SPMC can also query the SPMD ID using
+the FFA_SPM_ID_GET interface at the secure physical FF-A instance.
+
+Secure partitions call this interface at the virtual FF-A instance, to which
+the SPMC returns the SPMC ID.
+
+The Hypervisor or OS kernel can issue the FFA_SPM_ID_GET call handled by the
+SPMD, which returns the SPMC ID.
+
+FFA_ID_GET
+----------
+
+Returns the FF-A ID of the calling endpoint.
+
+FFA_MEM_SHARE
+-------------
+
+FFA_MEM_LEND
+------------
+
+- If SP is borrower in the memory transaction, these calls are forwarded to SPMC.
+ SPMC performs Relayer responsibilities, caches the memory descriptors in the datastore,
+ and allocates FF-A memory handle.
+- If format of descriptor was v1.0, SPMC converts the descriptor to v1.1 before caching.
+ In case of fragmented sharing, conversion of memory descriptors happens after last
+ fragment has been received.
+- Multiple borrowers (including NWd endpoint) and fragmented memory sharing are supported.
+
+FFA_MEM_RETRIEVE_REQ
+--------------------
+
+FFA_MEM_RETRIEVE_RESP
+---------------------
+
+- Memory retrieve is supported only from SP.
+- SPMC fetches the cached memory descriptor from the datastore,
+- Performs Relayer responsiilities and sends FFA_MEM_RETRIEVE_RESP back to SP.
+- If descriptor size is more than RX buffer size, SPMC will send the descriptor in fragments.
+- SPMC will set NS Bit to 1 in memory descriptor response.
+
+FFA_MEM_FRAG_RX
+---------------
+
+FFA_MEM_FRAG_TX
+---------------
+
+FFA_MEM_FRAG_RX is to be used by:
+
+- SP if FFA_MEM_RETRIEVE_RESP returned descriptor with fragment length less than total length.
+- or by SPMC if FFA_MEM_SHARE/FFA_MEM_LEND is called with fragment length less than total length.
+
+SPMC validates handle and Endpoint ID and returns response with FFA_MEM_FRAG_TX.
+
+FFA_SECONDARY_EP_REGISTER
+-------------------------
+
+When the SPMC boots, secure partition is initialized on its primary
+Execution Context.
+
+The FFA_SECONDARY_EP_REGISTER interface is to be used by a secure partition
+from its first execution context, to provide the entry point address for
+secondary execution contexts.
+
+A secondary EC is first resumed either upon invocation of PSCI_CPU_ON from
+the NWd or by invocation of FFA_RUN.
+
+Power management
+================
+
+In platforms with or without secure virtualization:
+
+- The NWd owns the platform PM policy.
+- The Hypervisor or OS kernel is the component initiating PSCI service calls.
+- The EL3 PSCI library is in charge of the PM coordination and control
+ (eventually writing to platform registers).
+- While coordinating PM events, the PSCI library calls backs into the Secure
+ Payload Dispatcher for events the latter has statically registered to.
+
+When using the SPMD as a Secure Payload Dispatcher:
+
+- A power management event is relayed through the SPD hook to the SPMC.
+- In the current implementation CPU_ON (svc_on_finish), CPU_OFF
+ (svc_off), CPU_SUSPEND (svc_suspend) and CPU_SUSPEND_RESUME (svc_suspend_finish)
+ hooks are registered.
+
+Secure partitions scheduling
+============================
+
+The FF-A specification `[1]`_ provides two ways to relinquinsh CPU time to
+secure partitions. For this a VM (Hypervisor or OS kernel), or SP invokes one of:
+
+- the FFA_MSG_SEND_DIRECT_REQ interface.
+- the FFA_RUN interface.
+
+Additionally a secure interrupt can pre-empt the normal world execution and give
+CPU cycles by transitioning to EL3.
+
+Partition Runtime State and Model
+=================================
+
+EL3 SPMC implements Partition runtime states are described in v1.1 FF-A specification `[1]`_
+
+An SP can be in one of the following state:
+
+- RT_STATE_WAITING
+- RT_STATE_RUNNING
+- RT_STATE_PREEMPTED
+- RT_STATE_BLOCKED
+
+An SP will transition to one of the following runtime model when not in waiting state:
+
+- RT_MODEL_DIR_REQ
+- RT_MODEL_RUN
+- RT_MODEL_INIT
+- RT_MODEL_INTR
+
+Platform topology
+=================
+
+SPMC only supports a single Pinned MP S-EL1 SP. The *execution-ctx-count*
+SP manifest field should match the number of physical PE.
+
+Interrupt handling
+==================
+
+Secure Interrupt handling
+-------------------------
+
+- SPMC is capable of forwarding Secure interrupt to S-EL1 SP
+ which has preempted the normal world.
+- Interrupt is forwarded to SP using FFA_INTERRUPT interface.
+- Interrupt Number is not passed, S-EL1 SP can access the GIC registers directly.
+- Upon completion of Interrupt handling SP is expected to return to
+ SPMC using FFA_MSG_WAIT interface.
+- SPMC returns to normal world after interrupt handling is completed.
+
+In the scenario when secure interrupt occurs while the secure partition is running,
+the SPMC is not involved and the handling is implementation defined in the TOS.
+
+Non-Secure Interrupt handling
+-----------------------------
+
+The 'managed exit' scenario is the responsibility of the TOS and the SPMC is not involved.
+
+Test Secure Payload (TSP)
+=========================
+
+- TSP provides reference implementation of FF-A programming model.
+- TSP has the following support:
+
+ - SP initialization on all CPUs.
+ - Consuming Power Messages including CPU_ON, CPU_OFF, CPU_SUSPEND, CPU_SUSPEND_RESUME.
+ - Event Loop to receive Direct Requests.
+ - Sending Direct Response.
+ - Memory Sharing helper library.
+ - Ability to handle secure interrupt (timer).
+
+TSP Tests in CI
+---------------
+
+- TSP Tests are exercised in the TF-A CI using prebuilt FF-A Linux Test driver in NWd.
+- Expected output:
+
+.. code:: shell
+
+ #ioctl 255
+ Test: Echo Message to SP.
+ Status: Completed Test Case: 1
+ Test Executed Successfully
+
+ Test: Message Relay vis SP to EL3 LSP.
+ Status: Completed Test Case: 2
+ Test Executed Successfully
+
+ Test: Memory Send.
+ Verified 1 constituents successfully
+ Status: Completed Test Case: 3
+ Test Executed Successfully
+
+ Test: Memory Send in Fragments.
+ Verified 256 constituents successfully
+ Status: Completed Test Case: 4
+ Test Executed Successfully
+
+ Test: Memory Lend.
+ Verified 1 constituents successfully
+ Status: Completed Test Case: 5
+ Test Executed Successfully
+
+ Test: Memory Lend in Fragments.
+ Verified 256 constituents successfully
+ Status: Completed Test Case: 6
+ Test Executed Successfully
+
+ Test: Memory Send with Multiple Endpoints.
+ random: fast init done
+ Verified 256 constituents successfully
+ Status: Completed Test Case: 7
+ Test Executed Successfully
+
+ Test: Memory Lend with Multiple Endpoints.
+ Verified 256 constituents successfully
+ Status: Completed Test Case: 8
+ Test Executed Successfully
+
+ Test: Ensure Duplicate Memory Send Requests are Rejected.
+ Status: Completed Test Case: 9
+ Test Executed Successfully
+
+ Test: Ensure Duplicate Memory Lend Requests are Rejected.
+ Status: Completed Test Case: 10
+ Test Executed Successfully
+
+ 0 Tests Failed
+
+ Exiting Test Application - Total Failures: 0
+
+
+References
+==========
+
+.. _[1]:
+
+[1] `Arm Firmware Framework for Arm A-profile <https://developer.arm.com/docs/den0077/latest>`__
+
+.. _[2]:
+
+[2] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/fvp_el3_spmc_logical_sp.c
+
+.. _[3]:
+
+[3] `Trusted Boot Board Requirements
+Client <https://developer.arm.com/documentation/den0006/d/>`__
+
+.. _[4]:
+
+[4] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/fvp_el3_spmc.c
+
+.. _[5]:
+
+[5] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/include/platform_def.h
+
+.. _[6]:
+
+[6] https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-binding.html
+
+.. _[7]:
+
+[7] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/fdts/fvp_tsp_sp_manifest.dts
+
+.. _[8]:
+
+[8] https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/thread/CFQFGU6H2D5GZYMUYGTGUSXIU3OYZP6U/
+
+.. _[9]:
+
+[9] https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#dynamic-configuration-during-cold-boot
+
+--------------
+
+*Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.*
diff --git a/docs/components/index.rst b/docs/components/index.rst
index 192773f..0972a68 100644
--- a/docs/components/index.rst
+++ b/docs/components/index.rst
@@ -20,6 +20,7 @@
romlib-design
sdei
secure-partition-manager
+ el3-spmc
secure-partition-manager-mm
xlat-tables-lib-v2-design
cot-binding
diff --git a/docs/design/cpu-specific-build-macros.rst b/docs/design/cpu-specific-build-macros.rst
index f736e2d..7ba79b9 100644
--- a/docs/design/cpu-specific-build-macros.rst
+++ b/docs/design/cpu-specific-build-macros.rst
@@ -495,6 +495,10 @@
Cortex-A710 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
of the CPU and is fixed in r2p1.
+- ``ERRATA_A710_2291219``: This applies errata 2291219 workaround to
+ Cortex-A710 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
+ of the CPU and is fixed in r2p1.
+
- ``ERRATA_A710_2008768``: This applies errata 2008768 workaround to
Cortex-A710 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
of the CPU and is fixed in r2p1.
@@ -535,6 +539,10 @@
- ``ERRATA_N2_2280757``: This applies errata 2280757 workaround to Neoverse-N2
CPU. This needs to be enabled for revision r0p0 of the CPU and is still open.
+- ``ERRATA_N2_2326639``: This applies errata 2326639 workaround to Neoverse-N2
+ CPU. This needs to be enabled for revision r0p0 of the CPU, it is fixed in
+ r0p1.
+
- ``ERRATA_N2_2376738``: This applies errata 2376738 workaround to Neoverse-N2
CPU. This needs to be enabled for revision r0p0 of the CPU, it is fixed in
r0p1.
@@ -576,6 +584,12 @@
Cortex-X2 CPU. This needs to be enabled for revisions r0p0, r1p0 and r2p0
of the CPU and is fixed in r2p1.
+For Cortex-X3, the following errata build flags are defined :
+
+- ``ERRATA_X3_2313909``: This applies errata 2313909 workaround to
+ Cortex-X3 CPU. This needs to be enabled only for revisions r0p0 and r1p0
+ of the CPU, it is fixed in r1p1.
+
For Cortex-A510, the following errata build flags are defined :
- ``ERRATA_A510_1922240``: This applies errata 1922240 workaround to
@@ -616,6 +630,10 @@
Cortex-A510 CPU. This needs to applied for revisions r0p0, r0p1, r0p2,
r0p3, r1p0, r1p1, and is fixed in r1p2.
+- ``ERRATA_A510_2666669``: This applies errata 2666669 workaround to
+ Cortex-A510 CPU. This needs to applied for revisions r0p0, r0p1, r0p2,
+ r0p3, r1p0, r1p1. It is fixed in r1p2.
+
DSU Errata Workarounds
----------------------
diff --git a/docs/getting_started/porting-guide.rst b/docs/getting_started/porting-guide.rst
index be4833b..6996c17 100644
--- a/docs/getting_started/porting-guide.rst
+++ b/docs/getting_started/porting-guide.rst
@@ -2769,7 +2769,8 @@
The ``target_state`` has a similar meaning as described in the ``pwr_domain_off()``
operation and it encodes the platform coordinated target local power states for
the CPU power domain and its parent power domain levels. This function must
-not return back to the caller.
+not return back to the caller (by calling wfi in an infinite loop to ensure
+some CPUs power down mitigations work properly).
If this function is not implemented by the platform, PSCI generic
implementation invokes ``psci_power_down_wfi()`` for power down.
diff --git a/docs/glossary.rst b/docs/glossary.rst
index e5d379c..e6b0239 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -98,6 +98,9 @@
A collaborative engineering organization consolidating
and optimizing open source software and tools for the Arm architecture.
+ LSP
+ A logical secure partition managed by SPM
+
MMU
Memory Management Unit
diff --git a/docs/plat/arm/arm-build-options.rst b/docs/plat/arm/arm-build-options.rst
index afe89b9..407c04b 100644
--- a/docs/plat/arm/arm-build-options.rst
+++ b/docs/plat/arm/arm-build-options.rst
@@ -92,7 +92,7 @@
SBROM library must be specified via ``CCSBROM_LIB_PATH`` flag.
- ``ARM_ETHOSN_NPU_DRIVER``: boolean option to enable a SiP service that can
- configure an Arm Ethos-N NPU. To use this service the target platform's
+ configure an Arm® Ethos™-N NPU. To use this service the target platform's
``HW_CONFIG`` must include the device tree nodes for the NPU. Currently, only
the Arm Juno platform has this included in its ``HW_CONFIG`` and the platform
only loads the ``HW_CONFIG`` in AArch64 builds. Default is 0.
diff --git a/docs/plat/arm/tc/index.rst b/docs/plat/arm/tc/index.rst
index ae2b836..df1847d 100644
--- a/docs/plat/arm/tc/index.rst
+++ b/docs/plat/arm/tc/index.rst
@@ -18,7 +18,7 @@
is the CPUs supported as below:
- TC0 has support for Cortex A510, Cortex A710 and Cortex X2.
-- TC1 has support for Cortex A510, Cortex Makalu and Cortex Makalu ELP.
+- TC1 has support for Cortex A510, Cortex Makalu and Cortex X3.
- TC2 has support for Hayes and Hunter Arm CPUs.
diff --git a/docs/plat/imx8m.rst b/docs/plat/imx8m.rst
index 101d52b..f8071f7 100644
--- a/docs/plat/imx8m.rst
+++ b/docs/plat/imx8m.rst
@@ -68,3 +68,46 @@
with a DTB overlay. The overlay will be put at PLAT_IMX8M_DTO_BASE with
maximum size PLAT_IMX8M_DTO_MAX_SIZE. Then in U-boot we can apply the DTB
overlay and let U-boot to parse the event log and update the PCRs.
+
+High Assurance Boot (HABv4)
+---------------------------
+
+All actively maintained platforms have a support for High Assurance
+Boot (HABv4), which is implemented via ROM Vector Table (RVT) API to
+extend the Root-of-Trust beyond the SPL. Those calls are done via SMC
+and are executed in EL3, with results returned back to original caller.
+
+Note on DRAM Memory Mapping
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+There is a special case of mapping the DRAM: entire DRAM available on the
+platform is mapped into the EL3 with MT_RW attributes.
+
+Mapping the entire DRAM allows the usage of 2MB block mapping in Level-2
+Translation Table entries, which use less Page Table Entries (PTEs). If
+Level-3 PTE mapping is used instead then additional PTEs would be required,
+which leads to the increase of translation table size.
+
+Due to the fact that the size of SRAM is limited on some platforms in the
+family it should rather be avoided creating additional Level-3 mapping and
+introduce more PTEs, hence the implementation uses Level-2 mapping which
+maps entire DRAM space.
+
+The reason for the MT_RW attribute mapping scheme is the fact that the SMC
+API to get the status and events is called from NS world passing destination
+pointers which are located in DRAM. Mapping DRAM without MT_RW permissions
+causes those locations not to be filled, which in turn causing EL1&0 software
+not to receive replies.
+
+Therefore, DRAM mapping is done with MT_RW attributes, as it is required for
+data exchange between EL3 and EL1&0 software.
+
+Reference Documentation
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Details on HABv4 usage and implementation could be found in following documents:
+
+- AN4581: "i.MX Secure Boot on HABv4 Supported Devices", Rev. 4 - June 2020
+- AN12263: "HABv4 RVT Guidelines and Recommendations", Rev. 1 - 06/2020
+- "HABv4 API Reference Manual". This document in the part of NXP Code Signing Tool (CST) distribution.
+
diff --git a/docs/resources/diagrams/ff-a-lsp-at-el3.png b/docs/resources/diagrams/ff-a-lsp-at-el3.png
new file mode 100644
index 0000000..7cff34f
--- /dev/null
+++ b/docs/resources/diagrams/ff-a-lsp-at-el3.png
Binary files differ
diff --git a/docs/resources/diagrams/ff-a-spm-at-el3.png b/docs/resources/diagrams/ff-a-spm-at-el3.png
new file mode 100644
index 0000000..3b263b0
--- /dev/null
+++ b/docs/resources/diagrams/ff-a-spm-at-el3.png
Binary files differ
diff --git a/docs/resources/diagrams/plantuml/el3_spm_dfd.puml b/docs/resources/diagrams/plantuml/el3_spm_dfd.puml
new file mode 100644
index 0000000..c716180
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/el3_spm_dfd.puml
@@ -0,0 +1,78 @@
+/'
+ ' Copyright (c) 2022, Arm Limited. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+/'
+TF-A EL3 SPMC Data Flow Diagram
+'/
+
+@startuml
+digraph tfa_el3_dfd {
+
+ # Allow arrows to end on cluster boundaries
+ compound=true
+ concentrate=false
+ newrank=true
+
+ # Default settings for edges and nodes
+ edge [minlen=2 color="#8c1b07"]
+ node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]
+
+ # Nodes outside of the trust boundary
+ nsec [label="NS Client"]
+ ddr [label="External memory (DDR)"]
+
+ {rank="same" smmu, spmd}
+ # Trust boundary cluster
+ subgraph cluster_trusted {
+ graph [style=dashed color="#f22430"]
+ concentrate=false
+
+ # HW IPs cluster
+ subgraph cluster_ip {
+ label ="Hardware IPs";
+ graph [style=filled color="#000000" fillcolor="#ffd29e"]
+
+ rank="same"
+ gic [label="GIC" width=1.2 height=0.5]
+ smmu [label="SMMU" width=1.2 height=0.5]
+ uart [label="UART" width=1.2 height=0.5]
+ pe [label="PE" width=1.2 height=0.5]
+ }
+
+ # TF-A cluster
+ subgraph cluster_tfa {
+ label ="EL3 monitor";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+ {rank="same" spmc, bl31}
+ {rank="same" spmd, lsp}
+ spmc [label="SPMC" fillcolor="#ddffb3"]
+ bl31 [label="BL31" fillcolor="#ddffb3"];
+ spmd [label="SPMD" fillcolor="#ddffb3"]
+ lsp[label="LSP1" fillcolor="#ddffb3"]
+ }
+ bl2 [label="BL2" width=1.2 height=0.5]
+ }
+
+ # Secure Partitions cluster
+ subgraph cluster_sp {
+ label ="Secure Partitions";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ sp1 [label="SP1" fillcolor="#ddffb3"]
+ }
+
+ sp1 -> spmc [dir="both" label="DF1"]
+ lsp -> spmc [dir="both" label="DF4"]
+ spmc -> spmd [dir="both" label="DF2"]
+ spmd -> nsec [dir="both" label="DF3"]
+ spmc -> smmu [lhead=cluster_spmc label="DF5"]
+ bl2 -> spmc [lhead=cluster_spmc label="DF6"]
+ bl2 -> sp1 [lhead=cluster_spmc label="DF6"]
+ sp1 -> ddr [dir="both" label="DF7"]
+ spmc -> ddr [dir="both" label="DF7"]
+}
+
+@enduml
diff --git a/docs/security_advisories/security-advisory-tfv-9.rst b/docs/security_advisories/security-advisory-tfv-9.rst
index a4db17d..08bfdc4 100644
--- a/docs/security_advisories/security-advisory-tfv-9.rst
+++ b/docs/security_advisories/security-advisory-tfv-9.rst
@@ -71,12 +71,12 @@
+----------------------+
| Cortex-X2 |
+----------------------+
+| Cortex-X3 |
++----------------------+
| Cortex-A710 |
+----------------------+
| Cortex-Makalu |
+----------------------+
-| Cortex-Makalu-ELP |
-+----------------------+
| Cortex-Hunter |
+----------------------+
| Neoverse-N1 |
diff --git a/docs/threat_model/index.rst b/docs/threat_model/index.rst
index 335937e..9d84f5b 100644
--- a/docs/threat_model/index.rst
+++ b/docs/threat_model/index.rst
@@ -15,6 +15,7 @@
threat_model
threat_model_spm
+ threat_model_el3_spm
threat_model_fvp_r
--------------
diff --git a/docs/threat_model/threat_model_el3_spm.rst b/docs/threat_model/threat_model_el3_spm.rst
new file mode 100644
index 0000000..c3af7a2
--- /dev/null
+++ b/docs/threat_model/threat_model_el3_spm.rst
@@ -0,0 +1,650 @@
+EL3 SPMC Threat Model
+*********************
+
+************
+Introduction
+************
+This document provides a threat model for the TF-A `EL3 Secure Partition Manager`_
+(EL3 SPM) implementation. The EL3 SPM implementation is based on the
+`Arm Firmware Framework for Arm A-profile`_ specification.
+
+********************
+Target of Evaluation
+********************
+In this threat model, the target of evaluation is the ``Secure Partition Manager Core``
+component (SPMC) within the EL3 firmware.
+The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.
+
+The scope for this threat model is:
+
+- The TF-A implementation for the EL3 SPMC
+- The implementation complies with the FF-A v1.1 specification.
+- Secure partition is statically provisioned at boot time.
+- Focus on the run-time part of the life-cycle (no specific emphasis on boot
+ time, factory firmware provisioning, firmware udpate etc.)
+- Not covering advanced or invasive physical attacks such as decapsulation,
+ FIB etc.
+
+Data Flow Diagram
+=================
+Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
+and SPMC component at EL3. The SPMD mostly acts as a relayer/pass-through between
+the normal world and the secure world. It is assumed to expose small attack surface.
+
+A description of each diagram element is given in Table 1. In the diagram, the
+red broken lines indicate trust boundaries.
+
+Components outside of the broken lines are considered untrusted.
+
+.. uml:: ../resources/diagrams/plantuml/el3_spm_dfd.puml
+ :caption: Figure 1: EL3 SPMC Data Flow Diagram
+
+.. table:: Table 1: EL3 SPMC Data Flow Diagram Description
+
+ +---------------------+--------------------------------------------------------+
+ | Diagram Element | Description |
+ +=====================+========================================================+
+ | DF1 | SP to SPMC communication. FF-A function invocation or |
+ | | implementation-defined Hypervisor call. |
+ | | |
+ | | Note:- To communicate with LSP, SP1 performs a direct |
+ | | message request to SPMC targeting LSP as destination. |
+ +---------------------+--------------------------------------------------------+
+ | DF2 | SPMC to SPMD communication. |
+ +---------------------+--------------------------------------------------------+
+ | DF3 | SPMD to NS forwarding. |
+ +---------------------+--------------------------------------------------------+
+ | DF4 | SPMC to LSP communication. |
+ | | NWd to LSP communication happens through SPMC. |
+ | | LSP can send direct response SP1 or NWd through SPMC. |
+ +---------------------+--------------------------------------------------------+
+ | DF5 | HW control. |
+ +---------------------+--------------------------------------------------------+
+ | DF6 | Bootloader image loading. |
+ +---------------------+--------------------------------------------------------+
+ | DF7 | External memory access. |
+ +---------------------+--------------------------------------------------------+
+
+
+***************
+Threat Analysis
+***************
+
+This threat model follows a similar methodology to the `Generic TF-A threat model`_.
+The following sections define:
+
+- Trust boundaries
+- Assets
+- Theat agents
+- Threat types
+
+Trust boundaries
+================
+
+- Normal world is untrusted.
+- Secure world and normal world are separate trust boundaries.
+- EL3 monitor, SPMD and SPMC are trusted.
+- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
+ implicitely trusted by the usage of trusted boot.
+- EL3 monitor, SPMD, SPMC do not trust SPs.
+
+Assets
+======
+
+The following assets are identified:
+
+- SPMC state.
+- SP state.
+- Information exchange between endpoints (partition messages).
+- SPMC secrets (e.g. pointer authentication key when enabled)
+- SP secrets (e.g. application keys).
+- Scheduling cycles.
+- Shared memory.
+
+Threat Agents
+=============
+
+The following threat agents are identified:
+
+- Non-secure endpoint (referred NS-Endpoint later): normal world client at
+ NS-EL2 (Hypervisor) or NS-EL1 (VM or OS kernel).
+- Secure endpoint (referred as S-Endpoint later): typically a secure partition.
+- Hardware attacks (non-invasive) requiring a physical access to the device,
+ such as bus probing or DRAM stress.
+
+Threat types
+============
+
+The following threat categories as exposed in the `Generic TF-A threat model`_
+are re-used:
+
+- Spoofing
+- Tampering
+- Repudiation
+- Information disclosure
+- Denial of service
+- Elevation of privileges
+
+Similarly this threat model re-uses the same threat risk ratings. The risk
+analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
+IOT is not evaluated as the EL3 SPMC is primarily meant for use in Client.
+
+Threat Assessment
+=================
+
+The following threats are identified by applying STRIDE analysis on each diagram
+element of the data flow diagram.
+
++------------------------+----------------------------------------------------+
+| ID | 01 |
++========================+====================================================+
+| Threat | **An endpoint impersonates the sender |
+| | FF-A ID in a direct request/response invocation.** |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMD, SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Spoofing |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------++------------------------+
+| Impact | Critical(5) | Critical(5) |
++------------------------+--------------------------++------------------------+
+| Likelihood | Critical(5) | Critical(5) |
++------------------------+--------------------------++------------------------+
+| Total Risk Rating | Critical(25) | Critical(25) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | SPMC must be able to correctly identify an |
+| | endpoint and enforce checks to disallow spoofing. |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. |
+| implemented? | The SPMC enforces checks in the direct message |
+| | request/response interfaces such an endpoint cannot|
+| | spoof the origin and destination worlds (e.g. a NWd|
+| | originated message directed to the SWd cannot use a|
+| | SWd ID as the sender ID). |
+| | Also enforces check for direct response being sent |
+| | only to originator of request. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 02 |
++========================+====================================================+
+| Threat | **An endpoint impersonates the receiver |
+| | FF-A ID in a direct request/response invocation.** |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMD, SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Spoofing, Denial of Service |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------++------------------------+
+| Impact | Critical(5) | Critical(5) |
++------------------------+--------------------------++------------------------+
+| Likelihood | Critical(5) | Critical(5) |
++------------------------+--------------------------++------------------------+
+| Total Risk Rating | Critical(25) | Critical(25) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Validate if endpoind has permission to send |
+| | request to other endpoint by implementation |
+| | defined means. |
++------------------------+----------------------------------------------------+
+| Mitigations | Platform specific. |
+| implemented? | |
+| | The guidance below is left for a system integrator |
+| | to implement as necessary. |
+| | |
+| | Additionally a software component residing in the |
+| | SPMC can be added for the purpose of direct |
+| | request/response filtering. |
+| | |
+| | It can be configured with the list of known IDs |
+| | and about which interaction can occur between one |
+| | and another endpoint (e.g. which NWd endpoint ID |
+| | sends a direct request to which SWd endpoint ID). |
+| | |
+| | This component checks the sender/receiver fields |
+| | for a legitimate communication between endpoints. |
+| | |
+| | A similar component can exist in the OS kernel |
+| | driver, or Hypervisor although it remains untrusted|
+| | by the SPMD/SPMC. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 03 |
++========================+====================================================+
+| Threat | **Tampering with memory shared between an endpoint |
+| | and the SPMC.** |
+| | |
+| | A malicious endpoint may attempt tampering with its|
+| | RX/TX buffer contents while the SPMC is processing |
+| | it (TOCTOU). |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF3, DF7 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Shared memory, Information exchange |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Tampering |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | High (16) | High (16) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Validate all inputs, copy before use. |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. In context of FF-A v1.1 this is the case of |
+| implemented? | sharing the RX/TX buffer pair and usage in the |
+| | PARTITION_INFO_GET or memory sharing primitives. |
+| | |
+| | The SPMC copies the contents of the TX buffer |
+| | to an internal temporary buffer before processing |
+| | its contents. The SPMC implements hardened input |
+| | validation on data transmitted through the TX |
+| | buffer by an untrusted endpoint. |
+| | |
+| | The TF-A SPMC enforces |
+| | checks on data transmitted through RX/TX buffers. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 04 |
++========================+====================================================+
+| Threat | **An endpoint may tamper with its own state or the |
+| | state of another endpoint.** |
+| | |
+| | A malicious endpoint may attempt violating: |
+| | |
+| | - its own or another SP state by using an unusual |
+| | combination (or out-of-order) FF-A function |
+| | invocations. |
+| | This can also be an endpoint emitting FF-A |
+| | function invocations to another endpoint while |
+| | the latter in not in a state to receive it (e.g. |
+| | SP sends a direct request to the normal world |
+| | early while the normal world is not booted yet). |
+| | - the SPMC state itself by employing unexpected |
+| | transitions in FF-A memory sharing, direct |
+| | requests and responses, or handling of interrupts|
+| | This can be led by random stimuli injection or |
+| | fuzzing. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMD, SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Tampering |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | High (12) | High (12) |
++------------------------+------------------+-----------------+---------------+
+| Mitigations | Follow guidelines in FF-A v1.1 specification on |
+| | state transitions (run-time model). |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. The TF-A SPMC is hardened to follow this |
+| implemented? | guidance. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 05 |
++========================+====================================================+
+| Threat | **Replay fragments of past communication between |
+| | endpoints.** |
+| | |
+| | A malicious endpoint may replay a message exchange |
+| | that occurred between two legitimate endpoints as |
+| | a matter of triggering a malfunction or extracting |
+| | secrets from the receiving endpoint. In particular |
+| | the memory sharing operation with fragmented |
+| | messages between an endpoint and the SPMC may be |
+| | replayed by a malicious agent as a matter of |
+| | getting access or gaining permissions to a memory |
+| | region which does not belong to this agent. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Information exchange |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Repudiation |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | High (12) | High (12) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Strict input validation and state tracking. |
++------------------------+----------------------------------------------------+
+| Mitigations | Platform specific. |
+| implemented? | |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 06 |
++========================+====================================================+
+| Threat | **A malicious endpoint may attempt to extract data |
+| | or state information by the use of invalid or |
+| | incorrect input arguments.** |
+| | |
+| | Lack of input parameter validation or side effects |
+| | of maliciously forged input parameters might affect|
+| | the SPMC. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMD, SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP secrets, SPMC secrets, SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Information discolure |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | High (12) | High (12) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | SPMC must be prepared to receive incorrect input |
+| | data from secure partitions and reject them |
+| | appropriately. |
+| | The use of software (canaries) or hardware |
+| | hardening techniques (XN, WXN, pointer |
+| | authentication) helps detecting and stopping |
+| | an exploitation early. |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. The TF-A SPMC mitigates this threat by |
+| implemented? | implementing stack protector, pointer |
+| | authentication, XN, WXN, security hardening |
+| | techniques. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 07 |
++========================+====================================================+
+| Threat | **A malicious endpoint may forge a direct message |
+| | request such that it reveals the internal state of |
+| | another endpoint through the direct message |
+| | response.** |
+| | |
+| | The secure partition or SPMC replies to a partition|
+| | message by a direct message response with |
+| | information which may reveal its internal state |
+| | (e.g. partition message response outside of |
+| | allowed bounds). |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SPMC or SP state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Information discolure |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Low (2) | Low (2) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | Medium (6) | Medium (6) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Follow FF-A specification about state transitions, |
+| | run time model, do input validation. |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. For the specific case of direct requests |
+| implemented? | targeting the SPMC, the latter is hardened to |
+| | prevent its internal state or the state of an SP |
+| | to be revealed through a direct message response. |
+| | Further FF-A v1.1 guidance about run time models |
+| | and partition states is followed. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 08 |
++========================+====================================================+
+| Threat | **Probing the FF-A communication between |
+| | endpoints.** |
+| | |
+| | SPMC and SPs are typically loaded to external |
+| | memory (protected by a TrustZone memory |
+| | controller). A malicious agent may use non invasive|
+| | methods to probe the external memory bus and |
+| | extract the traffic between an SP and the SPMC or |
+| | among SPs when shared buffers are held in external |
+| | memory. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF7 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP/SPMC state, SP/SPMC secrets |
++------------------------+----------------------------------------------------+
+| Threat Agent | Hardware attack |
++------------------------+----------------------------------------------------+
+| Threat Type | Information disclosure |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Low (2) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | Medium (6) | Medium (9) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Implement DRAM protection techniques using |
+| | hardware countermeasures at platform or chip level.|
++------------------------+--------------------------+-------------------------+
+| Mitigations | Platform specific. |
+| implemented? | |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 09 |
++========================+====================================================+
+| Threat | **A malicious agent may attempt revealing the SPMC |
+| | state or secrets by the use of software-based cache|
+| | side-channel attack techniques.** |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF7 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP or SPMC state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Information disclosure |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Low (2) | Low (2) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | Medium (6) | Medium (6) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | The SPMC may be hardened further with SW |
+| | mitigations (e.g. speculation barriers) for the |
+| | cases not covered in HW. Usage of hardened |
+| | compilers and appropriate options, code inspection |
+| | are recommended ways to mitigate Spectre types of |
+| | attacks. |
++------------------------+----------------------------------------------------+
+| Mitigations | No. |
+| implemented? | |
++------------------------+----------------------------------------------------+
+
+
++------------------------+----------------------------------------------------+
+| ID | 10 |
++========================+====================================================+
+| Threat | **A malicious endpoint may attempt flooding the |
+| | SPMC with requests targeting a service within an |
+| | endpoint such that it denies another endpoint to |
+| | access this service.** |
+| | |
+| | Similarly, the malicious endpoint may target a |
+| | a service within an endpoint such that the latter |
+| | is unable to request services from another |
+| | endpoint. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SPMC state, Scheduling cycles |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Denial of service |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | Medium (9) | Medium (9) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Bounding the time for operations to complete can |
+| | be achieved by the usage of a trusted watchdog. |
+| | Other quality of service monitoring can be achieved|
+| | in the SPMC such as counting a number of operations|
+| | in a limited timeframe. |
++------------------------+----------------------------------------------------+
+| Mitigations | Platform specific. |
+| implemented? | |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 11 |
++========================+====================================================+
+| Threat | **Denying a lender endpoint to make progress if |
+| | borrower endpoint encountered a fatal exception. |
+| | Denying a new sender endpoint to make progress |
+| | if receiver encountered a fatal exception.** |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Shared resources, Scheduling cycles. |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Denial of service |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | Medium (3) | Medium (3) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | Medium (9) | Medium (9) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | SPMC must be able to detect fatal error in SP and |
+| | take ownership of shared resources. It should |
+| | be able to relinquish the access to shared memory |
+| | regions to allow lender to proceed. |
+| | SPMC must return ABORTED if new direct requests are|
+| | targeted to SP which has had a fatal error. |
++------------------------+----------------------------------------------------+
+| Mitigations | Platform specific. |
+| implemented? | |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 12 |
++========================+====================================================+
+| Threat | **A malicious endpoint may attempt to donate, |
+| | share, lend, relinquish or reclaim unauthorized |
+| | memory region.** |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | SPMC |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | SP secrets, SPMC secrets, SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| Threat Agent | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| Threat Type | Elevation of Privilege |
++------------------------+--------------------------+-------------------------+
+| Application | Server | Mobile |
++------------------------+--------------------------+-------------------------+
+| Impact | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Likelihood | High (4) | High (4) |
++------------------------+--------------------------+-------------------------+
+| Total Risk Rating | High (16) | High (16) |
++------------------------+--------------------------+-------------------------+
+| Mitigations | Follow FF-A specification guidelines |
+| | on Memory management transactions. |
++------------------------+----------------------------------------------------+
+| Mitigations | Yes. The SPMC tracks ownership and access state |
+| implemented? | for memory transactions appropriately, and |
+| | validating the same for all operations. |
+| | SPMC follows FF-A v1.1 |
+| | guidance for memory transaction lifecycle. |
++------------------------+----------------------------------------------------+
+
+---------------
+
+*Copyright (c) 2022, Arm Limited. All rights reserved.*
+
+.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
+.. _EL3 Secure Partition Manager: ../components/el3-spmc.html
+.. _Generic TF-A threat model: ./threat_model.html#threat-analysis
+.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases
diff --git a/drivers/arm/ethosn/ethosn_smc.c b/drivers/arm/ethosn/ethosn_smc.c
index 60364cd..915a0d8 100644
--- a/drivers/arm/ethosn/ethosn_smc.c
+++ b/drivers/arm/ethosn/ethosn_smc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -12,18 +12,17 @@
#include <drivers/arm/ethosn.h>
#include <drivers/delay_timer.h>
#include <lib/mmio.h>
+#include <lib/utils_def.h>
#include <plat/arm/common/fconf_ethosn_getter.h>
/*
- * Number of Arm Ethos-N NPU (NPU) cores available for a
- * particular parent device
+ * Number of Arm(R) Ethos(TM)-N NPU (NPU) devices available
*/
-#define ETHOSN_NUM_CORES \
- FCONF_GET_PROPERTY(hw_config, ethosn_config, num_cores)
+#define ETHOSN_NUM_DEVICES \
+ FCONF_GET_PROPERTY(hw_config, ethosn_config, num_devices)
-/* Address to an NPU core */
-#define ETHOSN_CORE_ADDR(core_idx) \
- FCONF_GET_PROPERTY(hw_config, ethosn_core_addr, core_idx)
+#define ETHOSN_GET_DEVICE(dev_idx) \
+ FCONF_GET_PROPERTY(hw_config, ethosn_device, dev_idx)
/* NPU core sec registry address */
#define ETHOSN_CORE_SEC_REG(core_addr, reg_offset) \
@@ -40,9 +39,6 @@
#define SEC_SECCTLR_REG U(0x0010)
#define SEC_SECCTLR_VAL U(0x3)
-#define SEC_DEL_MMUSID_REG U(0x2008)
-#define SEC_DEL_MMUSID_VAL U(0x3FFFF)
-
#define SEC_DEL_ADDR_EXT_REG U(0x201C)
#define SEC_DEL_ADDR_EXT_VAL U(0x15)
@@ -50,17 +46,63 @@
#define SEC_SYSCTRL0_SOFT_RESET U(3U << 29)
#define SEC_SYSCTRL0_HARD_RESET U(1U << 31)
-static bool ethosn_is_core_addr_valid(uintptr_t core_addr)
+#define SEC_MMUSID_REG_BASE U(0x3008)
+#define SEC_MMUSID_OFFSET U(0x1000)
+
+static bool ethosn_get_device_and_core(uintptr_t core_addr,
+ const struct ethosn_device_t **dev_match,
+ const struct ethosn_core_t **core_match)
{
- for (uint32_t core_idx = 0U; core_idx < ETHOSN_NUM_CORES; core_idx++) {
- if (ETHOSN_CORE_ADDR(core_idx) == core_addr) {
- return true;
+ uint32_t dev_idx;
+ uint32_t core_idx;
+
+ for (dev_idx = 0U; dev_idx < ETHOSN_NUM_DEVICES; ++dev_idx) {
+ const struct ethosn_device_t *dev = ETHOSN_GET_DEVICE(dev_idx);
+
+ for (core_idx = 0U; core_idx < dev->num_cores; ++core_idx) {
+ const struct ethosn_core_t *core = &(dev->cores[core_idx]);
+
+ if (core->addr == core_addr) {
+ *dev_match = dev;
+ *core_match = core;
+ return true;
+ }
}
}
+ WARN("ETHOSN: Unknown core address given to SMC call.\n");
return false;
}
+static void ethosn_configure_smmu_streams(const struct ethosn_device_t *device,
+ const struct ethosn_core_t *core,
+ uint32_t asset_alloc_idx)
+{
+ const struct ethosn_main_allocator_t *main_alloc =
+ &(core->main_allocator);
+ const struct ethosn_asset_allocator_t *asset_alloc =
+ &(device->asset_allocators[asset_alloc_idx]);
+ const uint32_t streams[9] = {
+ main_alloc->firmware.stream_id,
+ main_alloc->working_data.stream_id,
+ asset_alloc->command_stream.stream_id,
+ 0U, /* Not used*/
+ main_alloc->firmware.stream_id,
+ asset_alloc->weight_data.stream_id,
+ asset_alloc->buffer_data.stream_id,
+ asset_alloc->intermediate_data.stream_id,
+ asset_alloc->buffer_data.stream_id
+ };
+ size_t i;
+
+ for (i = 0U; i < ARRAY_SIZE(streams); ++i) {
+ const uintptr_t reg_addr = SEC_MMUSID_REG_BASE +
+ (SEC_MMUSID_OFFSET * i);
+ mmio_write_32(ETHOSN_CORE_SEC_REG(core->addr, reg_addr),
+ streams[i]);
+ }
+}
+
static void ethosn_delegate_to_ns(uintptr_t core_addr)
{
mmio_setbits_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_SECCTLR_REG),
@@ -69,9 +111,6 @@
mmio_setbits_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_DEL_REG),
SEC_DEL_VAL);
- mmio_setbits_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_DEL_MMUSID_REG),
- SEC_DEL_MMUSID_VAL);
-
mmio_setbits_32(ETHOSN_CORE_SEC_REG(core_addr, SEC_DEL_ADDR_EXT_REG),
SEC_DEL_ADDR_EXT_VAL);
}
@@ -112,7 +151,7 @@
uintptr_t ethosn_smc_handler(uint32_t smc_fid,
u_register_t core_addr,
- u_register_t x2,
+ u_register_t asset_alloc_idx,
u_register_t x3,
u_register_t x4,
void *cookie,
@@ -120,6 +159,8 @@
u_register_t flags)
{
int hard_reset = 0;
+ const struct ethosn_device_t *device = NULL;
+ const struct ethosn_core_t *core = NULL;
const uint32_t fid = smc_fid & FUNCID_NUM_MASK;
/* Only SiP fast calls are expected */
@@ -131,12 +172,14 @@
/* Truncate parameters to 32-bits for SMC32 */
if (GET_SMC_CC(smc_fid) == SMC_32) {
core_addr &= 0xFFFFFFFF;
- x2 &= 0xFFFFFFFF;
+ asset_alloc_idx &= 0xFFFFFFFF;
x3 &= 0xFFFFFFFF;
x4 &= 0xFFFFFFFF;
}
- if (!is_ethosn_fid(smc_fid)) {
+ if (!is_ethosn_fid(smc_fid) ||
+ (fid < ETHOSN_FNUM_VERSION || fid > ETHOSN_FNUM_SOFT_RESET)) {
+ WARN("ETHOSN: Unknown SMC call: 0x%x\n", smc_fid);
SMC_RET1(handle, SMC_UNK);
}
@@ -146,25 +189,41 @@
SMC_RET2(handle, ETHOSN_VERSION_MAJOR, ETHOSN_VERSION_MINOR);
}
- if (!ethosn_is_core_addr_valid(core_addr)) {
- WARN("ETHOSN: Unknown core address given to SMC call.\n");
+ if (!ethosn_get_device_and_core(core_addr, &device, &core)) {
SMC_RET1(handle, ETHOSN_UNKNOWN_CORE_ADDRESS);
}
- /* Commands that require a valid addr */
+ /* Commands that require a valid core address */
switch (fid) {
case ETHOSN_FNUM_IS_SEC:
- SMC_RET1(handle, ethosn_is_sec(core_addr));
+ SMC_RET1(handle, ethosn_is_sec(core->addr));
+ }
+
+ if (!device->has_reserved_memory &&
+ asset_alloc_idx >= device->num_allocators) {
+ WARN("ETHOSN: Unknown asset allocator index given to SMC call.\n");
+ SMC_RET1(handle, ETHOSN_UNKNOWN_ALLOCATOR_IDX);
+ }
+
+ /* Commands that require a valid device, core and asset allocator */
+ switch (fid) {
case ETHOSN_FNUM_HARD_RESET:
hard_reset = 1;
/* Fallthrough */
case ETHOSN_FNUM_SOFT_RESET:
- if (!ethosn_reset(core_addr, hard_reset)) {
+ if (!ethosn_reset(core->addr, hard_reset)) {
SMC_RET1(handle, ETHOSN_FAILURE);
}
- ethosn_delegate_to_ns(core_addr);
+
+ if (!device->has_reserved_memory) {
+ ethosn_configure_smmu_streams(device, core,
+ asset_alloc_idx);
+ }
+
+ ethosn_delegate_to_ns(core->addr);
SMC_RET1(handle, ETHOSN_SUCCESS);
default:
+ WARN("ETHOSN: Unimplemented SMC call: 0x%x\n", fid);
SMC_RET1(handle, SMC_UNK);
}
}
diff --git a/drivers/arm/gic/v3/gic600_multichip_private.h b/drivers/arm/gic/v3/gic600_multichip_private.h
index c7b15c1..414bd5b 100644
--- a/drivers/arm/gic/v3/gic600_multichip_private.h
+++ b/drivers/arm/gic/v3/gic600_multichip_private.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, ARM Limited. All rights reserved.
+ * Copyright (c) 2019-2022, ARM Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -74,7 +74,8 @@
* Multichip data assertion macros
*/
/* Set bits from 0 to ((spi_id_max + 1) / 32) */
-#define SPI_BLOCKS_TILL_MAX(spi_id_max) ((1 << (((spi_id_max) + 1) >> 5)) - 1)
+#define SPI_BLOCKS_TILL_MAX(spi_id_max) \
+ ((1ULL << (((spi_id_max) + 1) >> 5)) - 1)
/* Set bits from 0 to (spi_id_min / 32) */
#define SPI_BLOCKS_TILL_MIN(spi_id_min) ((1 << ((spi_id_min) >> 5)) - 1)
/* Set bits from (spi_id_min / 32) to ((spi_id_max + 1) / 32) */
diff --git a/fdts/juno-ethosn.dtsi b/fdts/juno-ethosn.dtsi
index e2f3355..4609524 100644
--- a/fdts/juno-ethosn.dtsi
+++ b/fdts/juno-ethosn.dtsi
@@ -1,12 +1,13 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/*
- * For examples of multi-core and multi-device NPU, refer to the examples given in the
- * Arm Ethos-N NPU driver stack.
+ * This device tree is only an example and some properties have been omitted.
+ *
+ * Refer to the Arm(R) Ethos(TM)-N driver stack for complete device tree examples.
* https://github.com/ARM-software/ethos-n-driver-stack
*/
@@ -14,14 +15,62 @@
#address-cells = <2>;
#size-cells = <2>;
- ethosn0: ethosn@6f300000 {
- compatible = "ethosn";
- reg = <0 0x6f300000 0 0x00100000>;
+ smmu_ethosn0: iommu@6f400000 {
+ compatible = "arm,smmu-v3";
+ reg = <0 0x6f400000 0 0x80000>;
status = "okay";
-
- core0 {
- compatible = "ethosn-core";
- status = "okay";
- };
+ /* msi-parent omitted */
+ #iommu-cells = <0x1>;
};
+
+ ethosn0: ethosn@6f300000 {
+ compatible = "ethosn";
+ reg = <0 0x6f300000 0 0x00100000>;
+ status = "okay";
+
+ core0 {
+ compatible = "ethosn-core";
+ status = "okay";
+
+ main_allocator {
+ compatible = "ethosn-main_allocator";
+ status = "okay";
+
+ firmware {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 0>;
+ };
+
+ working_data {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 1>;
+ };
+ };
+ };
+
+ asset_allocator {
+ compatible = "ethosn-asset_allocator";
+ status = "okay";
+
+ command_stream {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 2>;
+ };
+
+ weight_data {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 3>;
+ };
+
+ buffer_data {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 4>;
+ };
+
+ intermediate_data {
+ compatible = "ethosn-memory";
+ iommus = <&smmu_ethosn0 5>;
+ };
+ };
+ };
};
diff --git a/fdts/stm32mp135f-dk.dts b/fdts/stm32mp135f-dk.dts
index e58be40..aa1dd01 100644
--- a/fdts/stm32mp135f-dk.dts
+++ b/fdts/stm32mp135f-dk.dts
@@ -228,13 +228,13 @@
frac = < 0x1400 >;
};
- pll3_vco_417_8Mhz: pll2-vco-417_8Mhz {
+ pll3_vco_417_8Mhz: pll3-vco-417_8Mhz {
src = < CLK_PLL3_HSE >;
divmn = < 1 33 >;
frac = < 0x1a04 >;
};
- pll4_vco_600Mhz: pll2-vco-600Mhz {
+ pll4_vco_600Mhz: pll4-vco-600Mhz {
src = < CLK_PLL4_HSE >;
divmn = < 1 49 >;
};
diff --git a/include/arch/aarch64/arch_features.h b/include/arch/aarch64/arch_features.h
index 9ec114c..932e885 100644
--- a/include/arch/aarch64/arch_features.h
+++ b/include/arch/aarch64/arch_features.h
@@ -100,7 +100,7 @@
static inline bool is_armv8_6_fgt_present(void)
{
return ((read_id_aa64mmfr0_el1() >> ID_AA64MMFR0_EL1_FGT_SHIFT) &
- ID_AA64MMFR0_EL1_FGT_MASK) == ID_AA64MMFR0_EL1_FGT_SUPPORTED;
+ ID_AA64MMFR0_EL1_FGT_MASK) != 0U;
}
static inline unsigned long int get_armv8_6_ecv_support(void)
diff --git a/include/arch/aarch64/asm_macros.S b/include/arch/aarch64/asm_macros.S
index 7706cd8..66c39e5 100644
--- a/include/arch/aarch64/asm_macros.S
+++ b/include/arch/aarch64/asm_macros.S
@@ -215,6 +215,19 @@
.endm
/*
+ * Macro for using speculation barrier instruction introduced by
+ * FEAT_SB, if it's enabled.
+ */
+ .macro speculation_barrier
+#if ENABLE_FEAT_SB
+ sb
+#else
+ dsb sy
+ isb
+#endif
+ .endm
+
+ /*
* Macro for mitigating against speculative execution beyond ERET. Uses the
* speculation barrier instruction introduced by FEAT_SB, if it's enabled.
*/
diff --git a/include/drivers/arm/ethosn.h b/include/drivers/arm/ethosn.h
index 9310733..dbaf16c 100644
--- a/include/drivers/arm/ethosn.h
+++ b/include/drivers/arm/ethosn.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -38,7 +38,7 @@
#define is_ethosn_fid(_fid) (((_fid) & ETHOSN_FID_MASK) == ETHOSN_FID_VALUE)
/* Service version */
-#define ETHOSN_VERSION_MAJOR U(1)
+#define ETHOSN_VERSION_MAJOR U(2)
#define ETHOSN_VERSION_MINOR U(0)
/* Return codes for function calls */
@@ -48,10 +48,11 @@
/* -3 Reserved for INVALID_PARAMETER */
#define ETHOSN_FAILURE -4
#define ETHOSN_UNKNOWN_CORE_ADDRESS -5
+#define ETHOSN_UNKNOWN_ALLOCATOR_IDX -6
uintptr_t ethosn_smc_handler(uint32_t smc_fid,
u_register_t core_addr,
- u_register_t x2,
+ u_register_t asset_alloc_idx,
u_register_t x3,
u_register_t x4,
void *cookie,
diff --git a/include/lib/cpus/aarch64/cortex_a510.h b/include/lib/cpus/aarch64/cortex_a510.h
index af38734..6af85a8 100644
--- a/include/lib/cpus/aarch64/cortex_a510.h
+++ b/include/lib/cpus/aarch64/cortex_a510.h
@@ -36,5 +36,6 @@
******************************************************************************/
#define CORTEX_A510_CPUACTLR_EL1 S3_0_C15_C1_0
#define CORTEX_A510_CPUACTLR_EL1_BIT_17 (ULL(1) << 17)
+#define CORTEX_A510_CPUACTLR_EL1_BIT_38 (ULL(1) << 38)
#endif /* CORTEX_A510_H */
\ No newline at end of file
diff --git a/include/lib/cpus/aarch64/cortex_a710.h b/include/lib/cpus/aarch64/cortex_a710.h
index e33b9d5..432e17a 100644
--- a/include/lib/cpus/aarch64/cortex_a710.h
+++ b/include/lib/cpus/aarch64/cortex_a710.h
@@ -36,6 +36,7 @@
******************************************************************************/
#define CORTEX_A710_CPUACTLR2_EL1 S3_0_C15_C1_1
#define CORTEX_A710_CPUACTLR2_EL1_BIT_40 (ULL(1) << 40)
+#define CORTEX_A710_CPUACTLR2_EL1_BIT_36 (ULL(1) << 36)
/*******************************************************************************
* CPU Auxiliary Control register 5 specific definitions.
diff --git a/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h b/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h
deleted file mode 100644
index 9ed5ee3..0000000
--- a/include/lib/cpus/aarch64/cortex_makalu_elp_arm.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CORTEX_MAKALU_ELP_ARM_H
-#define CORTEX_MAKALU_ELP_ARM_H
-
-#define CORTEX_MAKALU_ELP_ARM_MIDR U(0x410FD4E0)
-
-/* Cortex Makalu ELP loop count for CVE-2022-23960 mitigation */
-#define CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT U(132)
-
-/*******************************************************************************
- * CPU Extended Control register specific definitions
- ******************************************************************************/
-#define CORTEX_MAKALU_ELP_ARM_CPUECTLR_EL1 S3_0_C15_C1_4
-
-/*******************************************************************************
- * CPU Power Control register specific definitions
- ******************************************************************************/
-#define CORTEX_MAKALU_ELP_ARM_CPUPWRCTLR_EL1 S3_0_C15_C2_7
-#define CORTEX_MAKALU_ELP_ARM_CPUPWRCTLR_EL1_CORE_PWRDN_BIT U(1)
-
-#endif /* CORTEX_MAKALU_ELP_ARM_H */
diff --git a/include/lib/cpus/aarch64/cortex_x3.h b/include/lib/cpus/aarch64/cortex_x3.h
new file mode 100644
index 0000000..076a87b
--- /dev/null
+++ b/include/lib/cpus/aarch64/cortex_x3.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CORTEX_X3_H
+#define CORTEX_X3_H
+
+#define CORTEX_X3_MIDR U(0x410FD4E0)
+
+/* Cortex-X3 loop count for CVE-2022-23960 mitigation */
+#define CORTEX_X3_BHB_LOOP_COUNT U(132)
+
+/*******************************************************************************
+ * CPU Extended Control register specific definitions
+ ******************************************************************************/
+#define CORTEX_X3_CPUECTLR_EL1 S3_0_C15_C1_4
+
+/*******************************************************************************
+ * CPU Power Control register specific definitions
+ ******************************************************************************/
+#define CORTEX_X3_CPUPWRCTLR_EL1 S3_0_C15_C2_7
+#define CORTEX_X3_CPUPWRCTLR_EL1_CORE_PWRDN_BIT U(1)
+
+/*******************************************************************************
+ * CPU Auxiliary Control register 2 specific definitions.
+ ******************************************************************************/
+#define CORTEX_X3_CPUACTLR2_EL1 S3_0_C15_C1_1
+#define CORTEX_X3_CPUACTLR2_EL1_BIT_36 (ULL(1) << 36)
+
+#endif /* CORTEX_X3_H */
diff --git a/include/lib/cpus/aarch64/neoverse_n2.h b/include/lib/cpus/aarch64/neoverse_n2.h
index 3ff817c..cb1be5b 100644
--- a/include/lib/cpus/aarch64/neoverse_n2.h
+++ b/include/lib/cpus/aarch64/neoverse_n2.h
@@ -39,6 +39,7 @@
#define NEOVERSE_N2_CPUACTLR2_EL1 S3_0_C15_C1_1
#define NEOVERSE_N2_CPUACTLR2_EL1_BIT_0 (ULL(1) << 0)
#define NEOVERSE_N2_CPUACTLR2_EL1_BIT_2 (ULL(1) << 2)
+#define NEOVERSE_N2_CPUACTLR2_EL1_BIT_36 (ULL(1) << 36)
#define NEOVERSE_N2_CPUACTLR2_EL1_BIT_40 (ULL(1) << 40)
/*******************************************************************************
diff --git a/include/plat/arm/common/arm_sip_svc.h b/include/plat/arm/common/arm_sip_svc.h
index 2eeed95..025d10e 100644
--- a/include/plat/arm/common/arm_sip_svc.h
+++ b/include/plat/arm/common/arm_sip_svc.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2019,2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2016-2019,2021-2022, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -26,7 +26,7 @@
/* DEBUGFS_SMC_64 0xC2000030U */
/*
- * Arm Ethos-N NPU SiP SMC function IDs
+ * Arm(R) Ethos(TM)-N NPU SiP SMC function IDs
* 0xC2000050-0xC200005F
* 0x82000050-0x8200005F
*/
diff --git a/include/plat/arm/common/fconf_ethosn_getter.h b/include/plat/arm/common/fconf_ethosn_getter.h
index fcdc31f..5b9a7ed 100644
--- a/include/plat/arm/common/fconf_ethosn_getter.h
+++ b/include/plat/arm/common/fconf_ethosn_getter.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -8,27 +8,52 @@
#define FCONF_ETHOSN_GETTER_H
#include <assert.h>
+#include <stdbool.h>
#include <lib/fconf/fconf.h>
#define hw_config__ethosn_config_getter(prop) ethosn_config.prop
-#define hw_config__ethosn_core_addr_getter(idx) __extension__ ({ \
- assert(idx < ethosn_config.num_cores); \
- ethosn_config.core[idx].addr; \
+#define hw_config__ethosn_device_getter(dev_idx) __extension__ ({ \
+ assert(dev_idx < ethosn_config.num_devices); \
+ ðosn_config.devices[dev_idx]; \
})
-#define ETHOSN_STATUS_DISABLED U(0)
-#define ETHOSN_STATUS_ENABLED U(1)
+#define ETHOSN_DEV_NUM_MAX U(2)
+#define ETHOSN_DEV_CORE_NUM_MAX U(8)
+#define ETHOSN_DEV_ASSET_ALLOCATOR_NUM_MAX U(16)
-#define ETHOSN_CORE_NUM_MAX U(64)
+struct ethosn_allocator_t {
+ uint32_t stream_id;
+};
+
+struct ethosn_main_allocator_t {
+ struct ethosn_allocator_t firmware;
+ struct ethosn_allocator_t working_data;
+};
+
+struct ethosn_asset_allocator_t {
+ struct ethosn_allocator_t command_stream;
+ struct ethosn_allocator_t weight_data;
+ struct ethosn_allocator_t buffer_data;
+ struct ethosn_allocator_t intermediate_data;
+};
struct ethosn_core_t {
uint64_t addr;
+ struct ethosn_main_allocator_t main_allocator;
+};
+
+struct ethosn_device_t {
+ bool has_reserved_memory;
+ uint32_t num_cores;
+ struct ethosn_core_t cores[ETHOSN_DEV_CORE_NUM_MAX];
+ uint32_t num_allocators;
+ struct ethosn_asset_allocator_t asset_allocators[ETHOSN_DEV_ASSET_ALLOCATOR_NUM_MAX];
};
struct ethosn_config_t {
- uint32_t num_cores;
- struct ethosn_core_t core[ETHOSN_CORE_NUM_MAX];
+ uint32_t num_devices;
+ struct ethosn_device_t devices[ETHOSN_DEV_NUM_MAX];
};
int fconf_populate_arm_ethosn(uintptr_t config);
diff --git a/lib/cpus/aarch64/cortex_a510.S b/lib/cpus/aarch64/cortex_a510.S
index 81a4a78..f7f8027 100644
--- a/lib/cpus/aarch64/cortex_a510.S
+++ b/lib/cpus/aarch64/cortex_a510.S
@@ -330,6 +330,37 @@
b cpu_rev_var_ls
endfunc check_errata_2371937
+ /* ------------------------------------------------------
+ * Errata Workaround for Cortex-A510 Errata #2666669
+ * This applies to revisions r1p1 and lower, and is fixed
+ * in r1p2.
+ * Inputs:
+ * x0: variant[4:7] and revision[0:3] of current cpu.
+ * Shall clobber: x0, x1, x17
+ * ------------------------------------------------------
+ */
+func errata_cortex_a510_2666669_wa
+ mov x17, x30
+ bl check_errata_2666669
+ cbz x0, 1f
+
+ /*
+ * Workaround will set IMP_CPUACTLR_EL1[38]
+ * to 0b1.
+ */
+ mrs x1, CORTEX_A510_CPUACTLR_EL1
+ orr x1, x1, CORTEX_A510_CPUACTLR_EL1_BIT_38
+ msr CORTEX_A510_CPUACTLR_EL1, x1
+1:
+ ret x17
+endfunc errata_cortex_a510_2666669_wa
+
+func check_errata_2666669
+ /* Applies to r1p1 and lower */
+ mov x1, #0x11
+ b cpu_rev_var_ls
+endfunc check_errata_2666669
+
/* ----------------------------------------------------
* HW will do the cache maintenance while powering down
* ----------------------------------------------------
@@ -361,14 +392,15 @@
* checking functions of each errata.
*/
report_errata ERRATA_A510_1922240, cortex_a510, 1922240
- report_errata ERRATA_A510_2288014, cortex_a510, 2288014
- report_errata ERRATA_A510_2042739, cortex_a510, 2042739
report_errata ERRATA_A510_2041909, cortex_a510, 2041909
- report_errata ERRATA_A510_2250311, cortex_a510, 2250311
- report_errata ERRATA_A510_2218950, cortex_a510, 2218950
+ report_errata ERRATA_A510_2042739, cortex_a510, 2042739
report_errata ERRATA_A510_2172148, cortex_a510, 2172148
+ report_errata ERRATA_A510_2218950, cortex_a510, 2218950
+ report_errata ERRATA_A510_2250311, cortex_a510, 2250311
+ report_errata ERRATA_A510_2288014, cortex_a510, 2288014
report_errata ERRATA_A510_2347730, cortex_a510, 2347730
report_errata ERRATA_A510_2371937, cortex_a510, 2371937
+ report_errata ERRATA_A510_2666669, cortex_a510, 2666669
report_errata ERRATA_DSU_2313941, cortex_a510, dsu_2313941
ldp x8, x30, [sp], #16
@@ -435,6 +467,11 @@
bl errata_cortex_a510_2347730_wa
#endif
+#if ERRATA_A510_2666669
+ mov x0, x18
+ bl errata_cortex_a510_2666669_wa
+#endif
+
isb
ret x19
endfunc cortex_a510_reset_func
diff --git a/lib/cpus/aarch64/cortex_a710.S b/lib/cpus/aarch64/cortex_a710.S
index 77f7a8d..fed3f33 100644
--- a/lib/cpus/aarch64/cortex_a710.S
+++ b/lib/cpus/aarch64/cortex_a710.S
@@ -383,6 +383,34 @@
b cpu_rev_var_ls
endfunc check_errata_2282622
+/* ------------------------------------------------------------------------
+ * Errata Workaround for Cortex-A710 Erratum 2291219 on power down request.
+ * This applies to revision <= r2p0 and is fixed in r2p1.
+ * Inputs:
+ * x0: variant[4:7] and revision[0:3] of current cpu.
+ * Shall clobber: x0-x1, x17
+ * ------------------------------------------------------------------------
+ */
+func errata_a710_2291219_wa
+ /* Check revision. */
+ mov x17, x30
+ bl check_errata_2291219
+ cbz x0, 1f
+
+ /* Set bit 36 in ACTLR2_EL1 */
+ mrs x1, CORTEX_A710_CPUACTLR2_EL1
+ orr x1, x1, #CORTEX_A710_CPUACTLR2_EL1_BIT_36
+ msr CORTEX_A710_CPUACTLR2_EL1, x1
+1:
+ ret x17
+endfunc errata_a710_2291219_wa
+
+func check_errata_2291219
+ /* Applies to <= r2p0. */
+ mov x1, #0x20
+ b cpu_rev_var_ls
+endfunc check_errata_2291219
+
/* ---------------------------------------------------------------
* Errata Workaround for Cortex-A710 Erratum 2008768.
* This applies to revision r0p0, r1p0 and r2p0.
@@ -476,6 +504,13 @@
mov x30, x4
#endif
+#if ERRATA_A710_2291219
+ mov x15, x30
+ bl cpu_get_rev_var
+ bl errata_a710_2291219_wa
+ mov x30, x15
+#endif /* ERRATA_A710_2291219 */
+
/* ---------------------------------------------------
* Enable CPU power down bit in power control register
* ---------------------------------------------------
@@ -513,6 +548,7 @@
report_errata ERRATA_A710_2008768, cortex_a710, 2008768
report_errata ERRATA_A710_2147715, cortex_a710, 2147715
report_errata ERRATA_A710_2216384, cortex_a710, 2216384
+ report_errata ERRATA_A710_2291219, cortex_a710, 2291219
report_errata ERRATA_A710_2371105, cortex_a710, 2371105
report_errata WORKAROUND_CVE_2022_23960, cortex_a710, cve_2022_23960
report_errata ERRATA_DSU_2313941, cortex_a710, dsu_2313941
diff --git a/lib/cpus/aarch64/cortex_x3.S b/lib/cpus/aarch64/cortex_x3.S
index f4d2df0..bf1b6ec 100644
--- a/lib/cpus/aarch64/cortex_x3.S
+++ b/lib/cpus/aarch64/cortex_x3.S
@@ -7,40 +7,47 @@
#include <arch.h>
#include <asm_macros.S>
#include <common/bl_common.h>
-#include <cortex_makalu_elp_arm.h>
+#include <cortex_x3.h>
#include <cpu_macros.S>
#include <plat_macros.S>
#include "wa_cve_2022_23960_bhb_vector.S"
/* Hardware handled coherency */
#if HW_ASSISTED_COHERENCY == 0
-#error "Cortex Makalu ELP must be compiled with HW_ASSISTED_COHERENCY enabled"
+#error "Cortex-X3 must be compiled with HW_ASSISTED_COHERENCY enabled"
#endif
/* 64-bit only core */
#if CTX_INCLUDE_AARCH32_REGS == 1
-#error "Cortex Makalu ELP supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
+#error "Cortex-X3 supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
#endif
#if WORKAROUND_CVE_2022_23960
- wa_cve_2022_23960_bhb_vector_table CORTEX_MAKALU_ELP_ARM_BHB_LOOP_COUNT, cortex_makalu_elp_arm
+ wa_cve_2022_23960_bhb_vector_table CORTEX_X3_BHB_LOOP_COUNT, cortex_x3
#endif /* WORKAROUND_CVE_2022_23960 */
/* ----------------------------------------------------
* HW will do the cache maintenance while powering down
* ----------------------------------------------------
*/
-func cortex_makalu_elp_arm_core_pwr_dwn
+func cortex_x3_core_pwr_dwn
+#if ERRATA_X3_2313909
+ mov x15, x30
+ bl cpu_get_rev_var
+ bl errata_cortex_x3_2313909_wa
+ mov x30, x15
+#endif /* ERRATA_X3_2313909 */
+
/* ---------------------------------------------------
* Enable CPU power down bit in power control register
* ---------------------------------------------------
*/
- mrs x0, CORTEX_MAKALU_ELP_ARM_CPUPWRCTLR_EL1
- orr x0, x0, #CORTEX_MAKALU_ELP_ARM_CPUPWRCTLR_EL1_CORE_PWRDN_BIT
- msr CORTEX_MAKALU_ELP_ARM_CPUPWRCTLR_EL1, x0
+ mrs x0, CORTEX_X3_CPUPWRCTLR_EL1
+ orr x0, x0, #CORTEX_X3_CPUPWRCTLR_EL1_CORE_PWRDN_BIT
+ msr CORTEX_X3_CPUPWRCTLR_EL1, x0
isb
ret
-endfunc cortex_makalu_elp_arm_core_pwr_dwn
+endfunc cortex_x3_core_pwr_dwn
func check_errata_cve_2022_23960
#if WORKAROUND_CVE_2022_23960
@@ -51,28 +58,56 @@
ret
endfunc check_errata_cve_2022_23960
-func cortex_makalu_elp_arm_reset_func
+func cortex_x3_reset_func
/* Disable speculative loads */
msr SSBS, xzr
#if IMAGE_BL31 && WORKAROUND_CVE_2022_23960
/*
- * The Cortex Makalu ELP generic vectors are overridden to apply
+ * The Cortex-X3 generic vectors are overridden to apply
* errata mitigation on exception entry from lower ELs.
*/
- adr x0, wa_cve_vbar_cortex_makalu_elp_arm
+ adr x0, wa_cve_vbar_cortex_x3
msr vbar_el3, x0
#endif /* IMAGE_BL31 && WORKAROUND_CVE_2022_23960 */
isb
ret
-endfunc cortex_makalu_elp_arm_reset_func
+endfunc cortex_x3_reset_func
+
+/* ----------------------------------------------------------------------
+ * Errata Workaround for Cortex-X3 Erratum 2313909 on power down request.
+ * This applies to revision r0p0 and r1p0 of Cortex-X3. Fixed in r1p1.
+ * Inputs:
+ * x0: variant[4:7] and revision[0:3] of current cpu.
+ * Shall clobber: x0-x1, x17
+ * ----------------------------------------------------------------------
+ */
+func errata_cortex_x3_2313909_wa
+ /* Check revision. */
+ mov x17, x30
+ bl check_errata_2313909
+ cbz x0, 1f
+
+ /* Set bit 36 in ACTLR2_EL1 */
+ mrs x1, CORTEX_X3_CPUACTLR2_EL1
+ orr x1, x1, #CORTEX_X3_CPUACTLR2_EL1_BIT_36
+ msr CORTEX_X3_CPUACTLR2_EL1, x1
+1:
+ ret x17
+endfunc errata_cortex_x3_2313909_wa
+
+func check_errata_2313909
+ /* Applies to r0p0 and r1p0 */
+ mov x1, #0x10
+ b cpu_rev_var_ls
+endfunc check_errata_2313909
#if REPORT_ERRATA
-/*
- * Errata printing function for Cortex Makalu ELP. Must follow AAPCS.
- */
-func cortex_makalu_elp_arm_errata_report
+ /*
+ * Errata printing function for Cortex-X3. Must follow AAPCS.
+ */
+func cortex_x3_errata_report
stp x8, x30, [sp, #-16]!
bl cpu_get_rev_var
@@ -82,15 +117,16 @@
* Report all errata. The revision-variant information is passed to
* checking functions of each errata.
*/
- report_errata WORKAROUND_CVE_2022_23960, cortex_makalu_elp_arm, cve_2022_23960
+ report_errata ERRATA_X3_2313909, cortex_x3, 2313909
+ report_errata WORKAROUND_CVE_2022_23960, cortex_x3, cve_2022_23960
ldp x8, x30, [sp], #16
ret
-endfunc cortex_makalu_elp_arm_errata_report
+endfunc cortex_x3_errata_report
#endif
/* ---------------------------------------------
- * This function provides Cortex Makalu ELP-
+ * This function provides Cortex-X3-
* specific register information for crash
* reporting. It needs to return with x6
* pointing to a list of register names in ascii
@@ -98,16 +134,16 @@
* reported.
* ---------------------------------------------
*/
-.section .rodata.cortex_makalu_elp_arm_regs, "aS"
-cortex_makalu_elp_arm_regs: /* The ascii list of register names to be reported */
+.section .rodata.cortex_x3_regs, "aS"
+cortex_x3_regs: /* The ascii list of register names to be reported */
.asciz "cpuectlr_el1", ""
-func cortex_makalu_elp_arm_cpu_reg_dump
- adr x6, cortex_makalu_elp_arm_regs
- mrs x8, CORTEX_MAKALU_ELP_ARM_CPUECTLR_EL1
+func cortex_x3_cpu_reg_dump
+ adr x6, cortex_x3_regs
+ mrs x8, CORTEX_X3_CPUECTLR_EL1
ret
-endfunc cortex_makalu_elp_arm_cpu_reg_dump
+endfunc cortex_x3_cpu_reg_dump
-declare_cpu_ops cortex_makalu_elp_arm, CORTEX_MAKALU_ELP_ARM_MIDR, \
- cortex_makalu_elp_arm_reset_func, \
- cortex_makalu_elp_arm_core_pwr_dwn
+declare_cpu_ops cortex_x3, CORTEX_X3_MIDR, \
+ cortex_x3_reset_func, \
+ cortex_x3_core_pwr_dwn
diff --git a/lib/cpus/aarch64/neoverse_n2.S b/lib/cpus/aarch64/neoverse_n2.S
index a807b63..5861dec 100644
--- a/lib/cpus/aarch64/neoverse_n2.S
+++ b/lib/cpus/aarch64/neoverse_n2.S
@@ -338,6 +338,34 @@
b cpu_rev_var_ls
endfunc check_errata_2280757
+/* --------------------------------------------------
+ * Errata Workaround for Neoverse N2 Erratum 2326639.
+ * This applies to revision r0p0 of Neoverse N2,
+ * fixed in r0p1.
+ * Inputs:
+ * x0: variant[4:7] and revision[0:3] of current cpu.
+ * Shall clobber: x0-x1, x17
+ * --------------------------------------------------
+ */
+func errata_n2_2326639_wa
+ /* Check revision. */
+ mov x17, x30
+ bl check_errata_2326639
+ cbz x0, 1f
+
+ /* Set bit 36 in ACTLR2_EL1 */
+ mrs x1, NEOVERSE_N2_CPUACTLR2_EL1
+ orr x1, x1, #NEOVERSE_N2_CPUACTLR2_EL1_BIT_36
+ msr NEOVERSE_N2_CPUACTLR2_EL1, x1
+1:
+ ret x17
+endfunc errata_n2_2326639_wa
+
+func check_errata_2326639
+ /* Applies to r0p0, fixed in r0p1 */
+ mov x1, #0x00
+ b cpu_rev_var_ls
+endfunc check_errata_2326639
/* --------------------------------------------------
* Errata Workaround for Neoverse N2 Erratum 2376738.
@@ -429,6 +457,10 @@
orr x0, x0, #NEOVERSE_N2_CPUACTLR2_EL1_BIT_2
msr NEOVERSE_N2_CPUACTLR2_EL1, x0
+ /* Get the CPU revision and stash it in x18. */
+ bl cpu_get_rev_var
+ mov x18, x0
+
#if ERRATA_DSU_2313941
bl errata_dsu_2313941_wa
#endif
@@ -510,9 +542,6 @@
msr NEOVERSE_N2_CPUECTLR_EL1, x0
#endif
- bl cpu_get_rev_var
- mov x18, x0
-
#if ERRATA_N2_2002655
mov x0, x18
bl errata_n2_2002655_wa
@@ -532,6 +561,13 @@
endfunc neoverse_n2_reset_func
func neoverse_n2_core_pwr_dwn
+#if ERRATA_N2_2326639
+ mov x15, x30
+ bl cpu_get_rev_var
+ bl errata_n2_2326639_wa
+ mov x30, x15
+#endif /* ERRATA_N2_2326639 */
+
/* ---------------------------------------------------
* Enable CPU power down bit in power control register
* No need to do cache maintenance here.
@@ -568,6 +604,7 @@
report_errata ERRATA_N2_2138958, neoverse_n2, 2138958
report_errata ERRATA_N2_2242400, neoverse_n2, 2242400
report_errata ERRATA_N2_2280757, neoverse_n2, 2280757
+ report_errata ERRATA_N2_2326639, neoverse_n2, 2326639
report_errata ERRATA_N2_2376738, neoverse_n2, 2376738
report_errata ERRATA_N2_2388450, neoverse_n2, 2388450
report_errata WORKAROUND_CVE_2022_23960, neoverse_n2, cve_2022_23960
diff --git a/lib/cpus/aarch64/neoverse_v1.S b/lib/cpus/aarch64/neoverse_v1.S
index 109b725..3282fbc 100644
--- a/lib/cpus/aarch64/neoverse_v1.S
+++ b/lib/cpus/aarch64/neoverse_v1.S
@@ -508,8 +508,8 @@
report_errata ERRATA_V1_1925756, neoverse_v1, 1925756
report_errata ERRATA_V1_1940577, neoverse_v1, 1940577
report_errata ERRATA_V1_1966096, neoverse_v1, 1966096
- report_errata ERRATA_V1_2139242, neoverse_v1, 2139242
report_errata ERRATA_V1_2108267, neoverse_v1, 2108267
+ report_errata ERRATA_V1_2139242, neoverse_v1, 2139242
report_errata ERRATA_V1_2216392, neoverse_v1, 2216392
report_errata ERRATA_V1_2294912, neoverse_v1, 2294912
report_errata ERRATA_V1_2372203, neoverse_v1, 2372203
@@ -527,6 +527,10 @@
msr SSBS, xzr
isb
+ /* Get the CPU revision and stash it in x18. */
+ bl cpu_get_rev_var
+ mov x18, x0
+
#if ERRATA_V1_1618635
mov x0, x18
bl errata_neoverse_v1_1618635_wa
diff --git a/lib/cpus/aarch64/wa_cve_2022_23960_bhb.S b/lib/cpus/aarch64/wa_cve_2022_23960_bhb.S
index e0e41cc..ceb93f1 100644
--- a/lib/cpus/aarch64/wa_cve_2022_23960_bhb.S
+++ b/lib/cpus/aarch64/wa_cve_2022_23960_bhb.S
@@ -9,11 +9,11 @@
#if WORKAROUND_CVE_2022_23960
/*
* This macro applies the mitigation for CVE-2022-23960.
- * The macro saves x2-x3 to the CPU context.
+ * The macro saves x2 to the CPU context.
* SP should point to the CPU context.
*/
.macro apply_cve_2022_23960_bhb_wa _bhb_loop_count
- stp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
+ str x2, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
/* CVE-BHB-NUM loop count */
mov x2, \_bhb_loop_count
@@ -24,8 +24,7 @@
2:
subs x2, x2, #1
bne 1b
- dsb sy
- isb
- ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
+ speculation_barrier
+ ldr x2, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]
.endm
#endif /* WORKAROUND_CVE_2022_23960 */
diff --git a/lib/cpus/cpu-ops.mk b/lib/cpus/cpu-ops.mk
index 8b790bc..b4421dd 100644
--- a/lib/cpus/cpu-ops.mk
+++ b/lib/cpus/cpu-ops.mk
@@ -548,6 +548,10 @@
# to revision r0p0, r1p0 and r2p0 of the Cortex-A710 cpu and is fixed in r2p1.
ERRATA_A710_2282622 ?=0
+# Flag to apply erratum 2291219 workaround during reset. This erratum applies
+# to revision r0p0, r1p0 and r2p0 of the Cortex-A710 cpu and is fixed in r2p1.
+ERRATA_A710_2291219 ?=0
+
# Flag to apply erratum 2008768 workaround during reset. This erratum applies
# to revision r0p0, r1p0 and r2p0 of the Cortex-A710 cpu and is fixed in r2p1.
ERRATA_A710_2008768 ?=0
@@ -592,6 +596,10 @@
# to revision r0p0 of the Neoverse N2 cpu and is still open.
ERRATA_N2_2280757 ?=0
+# Flag to apply erraturm 2326639 workaroud during powerdown. This erratum
+# applies to revision r0p0 of the Neoverse N2 cpu and is fixed in r0p1.
+ERRATA_N2_2326639 ?=0
+
# Flag to apply erratum 2376738 workaround during reset. This erratum applies
# to revision r0p0 of the Neoverse N2 cpu, it is fixed in r0p1.
ERRATA_N2_2376738 ?=0
@@ -635,6 +643,10 @@
# to revision r0p0, r1p0 and r2p0 of the Cortex-X2 cpu and is fixed in r2p1.
ERRATA_X2_2371105 ?=0
+# Flag to apply erratum 2313909 workaround on powerdown. This erratum applies
+# to revisions r0p0 and r1p0 of the Cortex-X3 cpu, it is fixed in r1p1.
+ERRATA_X3_2313909 ?=0
+
# Flag to apply erratum 1922240 workaround during reset. This erratum applies
# to revision r0p0 of the Cortex-A510 cpu and is fixed in r0p1.
ERRATA_A510_1922240 ?=0
@@ -674,6 +686,10 @@
# to revisions r0p0, r0p1, r0p2, r0p3, r1p0, and r1p1. It is fixed in r1p2.
ERRATA_A510_2371937 ?=0
+# Flag to apply erratum 2666669 workaround during reset. This erratum applies
+# to revisions r0p0, r0p1, r0p2, r0p3, r1p0, and r1p1. It is fixed in r1p2.
+ERRATA_A510_2666669 ?=0
+
# Flag to apply DSU erratum 798953. This erratum applies to DSUs revision r0p0.
# Applying the workaround results in higher DSU power consumption on idle.
ERRATA_DSU_798953 ?=0
@@ -1152,6 +1168,10 @@
$(eval $(call assert_boolean,ERRATA_A710_2282622))
$(eval $(call add_define,ERRATA_A710_2282622))
+# Process ERRATA_A710_2291219 flag
+$(eval $(call assert_boolean,ERRATA_A710_2291219))
+$(eval $(call add_define,ERRATA_A710_2291219))
+
# Process ERRATA_A710_2008768 flag
$(eval $(call assert_boolean,ERRATA_A710_2008768))
$(eval $(call add_define,ERRATA_A710_2008768))
@@ -1196,6 +1216,10 @@
$(eval $(call assert_boolean,ERRATA_N2_2280757))
$(eval $(call add_define,ERRATA_N2_2280757))
+# Process ERRATA_N2_2326639 flag
+$(eval $(call assert_boolean,ERRATA_N2_2326639))
+$(eval $(call add_define,ERRATA_N2_2326639))
+
# Process ERRATA_N2_2376738 flag
$(eval $(call assert_boolean,ERRATA_N2_2376738))
$(eval $(call add_define,ERRATA_N2_2376738))
@@ -1236,6 +1260,10 @@
$(eval $(call assert_boolean,ERRATA_X2_2371105))
$(eval $(call add_define,ERRATA_X2_2371105))
+# Process ERRATA_X3_2313909 flag
+$(eval $(call assert_boolean,ERRATA_X3_2313909))
+$(eval $(call add_define,ERRATA_X3_2313909))
+
# Process ERRATA_A510_1922240 flag
$(eval $(call assert_boolean,ERRATA_A510_1922240))
$(eval $(call add_define,ERRATA_A510_1922240))
@@ -1272,7 +1300,11 @@
$(eval $(call assert_boolean,ERRATA_A510_2371937))
$(eval $(call add_define,ERRATA_A510_2371937))
-# Process ERRATA_DSU_798953 flag
+# Process ERRATA_A510_2666669 flag
+$(eval $(call assert_boolean,ERRATA_A510_2666669))
+$(eval $(call add_define,ERRATA_A510_2666669))
+
+#Process ERRATA_DSU_798953 flag
$(eval $(call assert_boolean,ERRATA_DSU_798953))
$(eval $(call add_define,ERRATA_DSU_798953))
diff --git a/lib/extensions/sme/sme.c b/lib/extensions/sme/sme.c
index 958b623..ec8cca8 100644
--- a/lib/extensions/sme/sme.c
+++ b/lib/extensions/sme/sme.c
@@ -58,6 +58,7 @@
/* Set CPTR_EL3.ESM bit so we can write SMCR_EL3 without trapping. */
cptr_el3 = read_cptr_el3();
write_cptr_el3(cptr_el3 | ESM_BIT);
+ isb();
/*
* Set the max LEN value and FA64 bit. This register is set up globally
@@ -73,6 +74,7 @@
/* Reset CPTR_EL3 value. */
write_cptr_el3(cptr_el3);
+ isb();
/* Enable SVE/FPU in addition to SME. */
sve_enable(context);
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 6f3b889..682a278 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -114,7 +114,7 @@
endif
endif
-# Arm Ethos-N NPU SiP service
+# Arm(R) Ethos(TM)-N NPU SiP service
ARM_ETHOSN_NPU_DRIVER := 0
$(eval $(call assert_boolean,ARM_ETHOSN_NPU_DRIVER))
$(eval $(call add_define,ARM_ETHOSN_NPU_DRIVER))
diff --git a/plat/arm/common/fconf/fconf_ethosn_getter.c b/plat/arm/common/fconf/fconf_ethosn_getter.c
index 0af1a20..0b48a98 100644
--- a/plat/arm/common/fconf/fconf_ethosn_getter.c
+++ b/plat/arm/common/fconf/fconf_ethosn_getter.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -12,107 +12,341 @@
#include <libfdt.h>
#include <plat/arm/common/fconf_ethosn_getter.h>
-struct ethosn_config_t ethosn_config = {.num_cores = 0};
+struct ethosn_config_t ethosn_config = {0};
-static uint8_t fdt_node_get_status(const void *fdt, int node)
+struct ethosn_sub_allocator_t {
+ const char *name;
+ size_t name_len;
+ uint32_t stream_id;
+};
+
+static bool fdt_node_is_enabled(const void *fdt, int node)
{
int len;
- uint8_t status = ETHOSN_STATUS_DISABLED;
const char *node_status;
node_status = fdt_getprop(fdt, node, "status", &len);
if (node_status == NULL ||
(len == 5 && /* Includes null character */
strncmp(node_status, "okay", 4U) == 0)) {
- status = ETHOSN_STATUS_ENABLED;
+ return true;
}
- return status;
+ return false;
+}
+
+static bool fdt_node_has_reserved_memory(const void *fdt, int dev_node)
+{
+ return fdt_get_property(fdt, dev_node, "memory-region", NULL) != NULL;
+}
+
+static int fdt_node_get_iommus_stream_id(const void *fdt, int node, uint32_t *stream_id)
+{
+ int err;
+ uint32_t iommus_array[2] = {0U};
+
+ err = fdt_read_uint32_array(fdt, node, "iommus", 2U, iommus_array);
+ if (err) {
+ return err;
+ }
+
+ *stream_id = iommus_array[1];
+ return 0;
+}
+
+static int fdt_node_populate_sub_allocators(const void *fdt,
+ int alloc_node,
+ struct ethosn_sub_allocator_t *sub_allocators,
+ size_t num_allocs)
+{
+ int sub_node;
+ size_t i;
+ int err = -FDT_ERR_NOTFOUND;
+ uint32_t found_sub_allocators = 0U;
+
+ fdt_for_each_subnode(sub_node, fdt, alloc_node) {
+ const char *node_name;
+
+ if (!fdt_node_is_enabled(fdt, sub_node)) {
+ /* Ignore disabled node */
+ continue;
+ }
+
+ if (fdt_node_check_compatible(fdt, sub_node, "ethosn-memory") != 0) {
+ continue;
+ }
+
+ node_name = fdt_get_name(fdt, sub_node, NULL);
+ for (i = 0U; i < num_allocs; ++i) {
+ if (strncmp(node_name, sub_allocators[i].name,
+ sub_allocators[i].name_len) != 0) {
+ continue;
+ }
+
+ err = fdt_node_get_iommus_stream_id(fdt, sub_node,
+ &sub_allocators[i].stream_id);
+ if (err) {
+ ERROR("FCONF: Failed to get stream ID from sub-allocator %s\n",
+ node_name);
+ return err;
+ }
+
+ ++found_sub_allocators;
+ /* Nothing more to do for this node */
+ break;
+ }
+
+ /* Check that at least one of the sub-allocators matched */
+ if (i == num_allocs) {
+ ERROR("FCONF: Unknown sub-allocator %s\n", node_name);
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+ }
+
+ if ((sub_node < 0) && (sub_node != -FDT_ERR_NOTFOUND)) {
+ ERROR("FCONF: Failed to parse sub-allocators\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ if (err == -FDT_ERR_NOTFOUND) {
+ ERROR("FCONF: No matching sub-allocator found\n");
+ return err;
+ }
+
+ if (found_sub_allocators != num_allocs) {
+ ERROR("FCONF: Not all sub-allocators were found\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ return 0;
+}
+
+static int fdt_node_populate_main_allocator(const void *fdt,
+ int alloc_node,
+ struct ethosn_main_allocator_t *allocator)
+{
+ int err;
+ struct ethosn_sub_allocator_t sub_allocators[] = {
+ {.name = "firmware", .name_len = 8U},
+ {.name = "working_data", .name_len = 12U}
+ };
+
+ err = fdt_node_populate_sub_allocators(fdt, alloc_node, sub_allocators,
+ ARRAY_SIZE(sub_allocators));
+ if (err) {
+ return err;
+ }
+
+ allocator->firmware.stream_id = sub_allocators[0].stream_id;
+ allocator->working_data.stream_id = sub_allocators[1].stream_id;
+
+ return 0;
+}
+
+static int fdt_node_populate_asset_allocator(const void *fdt,
+ int alloc_node,
+ struct ethosn_asset_allocator_t *allocator)
+{
+ int err;
+ struct ethosn_sub_allocator_t sub_allocators[] = {
+ {.name = "command_stream", .name_len = 14U},
+ {.name = "weight_data", .name_len = 11U},
+ {.name = "buffer_data", .name_len = 11U},
+ {.name = "intermediate_data", .name_len = 17U}
+ };
+
+ err = fdt_node_populate_sub_allocators(fdt, alloc_node, sub_allocators,
+ ARRAY_SIZE(sub_allocators));
+ if (err) {
+ return err;
+ }
+
+
+ allocator->command_stream.stream_id = sub_allocators[0].stream_id;
+ allocator->weight_data.stream_id = sub_allocators[1].stream_id;
+ allocator->buffer_data.stream_id = sub_allocators[2].stream_id;
+ allocator->intermediate_data.stream_id = sub_allocators[3].stream_id;
+ return 0;
+}
+
+static int fdt_node_populate_core(const void *fdt,
+ int device_node,
+ int core_node,
+ bool has_reserved_memory,
+ uint32_t core_index,
+ struct ethosn_core_t *core)
+{
+ int err;
+ int sub_node;
+ uintptr_t core_addr;
+
+ err = fdt_get_reg_props_by_index(fdt, device_node, core_index,
+ &core_addr, NULL);
+ if (err < 0) {
+ ERROR("FCONF: Failed to read reg property for NPU core %u\n",
+ core_index);
+ return err;
+ }
+
+ err = -FDT_ERR_NOTFOUND;
+ fdt_for_each_subnode(sub_node, fdt, core_node) {
+
+ if (!fdt_node_is_enabled(fdt, sub_node)) {
+ continue;
+ }
+
+ if (fdt_node_check_compatible(fdt,
+ sub_node,
+ "ethosn-main_allocator") != 0) {
+ continue;
+ }
+
+ if (has_reserved_memory) {
+ ERROR("FCONF: Main allocator not supported when using reserved memory\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ if (err != -FDT_ERR_NOTFOUND) {
+ ERROR("FCONF: NPU core 0x%lx has more than one main allocator\n",
+ core_addr);
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ err = fdt_node_populate_main_allocator(fdt, sub_node, &core->main_allocator);
+ if (err) {
+ ERROR("FCONF: Failed to parse main allocator for NPU core 0x%lx\n",
+ core_addr);
+ return err;
+ }
+ }
+
+ if ((sub_node < 0) && (sub_node != -FDT_ERR_NOTFOUND)) {
+ ERROR("FCONF: Failed to parse core sub nodes\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ if (!has_reserved_memory && err) {
+ ERROR("FCONF: Main allocator not found for NPU core 0x%lx\n",
+ core_addr);
+ return err;
+ }
+
+ core->addr = core_addr;
+
+ return 0;
}
int fconf_populate_ethosn_config(uintptr_t config)
{
int ethosn_node;
+ uint32_t dev_count = 0U;
const void *hw_conf_dtb = (const void *)config;
- /* Find offset to node with 'ethosn' compatible property */
- INFO("Probing Arm Ethos-N NPU\n");
- uint32_t total_core_count = 0U;
+ INFO("Probing Arm(R) Ethos(TM)-N NPU\n");
fdt_for_each_compatible_node(hw_conf_dtb, ethosn_node, "ethosn") {
+ struct ethosn_device_t *dev = ðosn_config.devices[dev_count];
+ uint32_t dev_asset_alloc_count = 0U;
+ uint32_t dev_core_count = 0U;
+ bool has_reserved_memory;
int sub_node;
- uint8_t ethosn_status;
- uint32_t device_core_count = 0U;
- /* If the Arm Ethos-N NPU is disabled the core check can be skipped */
- ethosn_status = fdt_node_get_status(hw_conf_dtb, ethosn_node);
- if (ethosn_status == ETHOSN_STATUS_DISABLED) {
+ if (!fdt_node_is_enabled(hw_conf_dtb, ethosn_node)) {
continue;
}
+ if (dev_count >= ETHOSN_DEV_NUM_MAX) {
+ ERROR("FCONF: Reached max number of NPUs\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ has_reserved_memory = fdt_node_has_reserved_memory(hw_conf_dtb, ethosn_node);
fdt_for_each_subnode(sub_node, hw_conf_dtb, ethosn_node) {
int err;
- uintptr_t core_addr;
- uint8_t core_status;
- if (total_core_count >= ETHOSN_CORE_NUM_MAX) {
- ERROR("FCONF: Reached max number of Arm Ethos-N NPU cores\n");
- return -FDT_ERR_BADSTRUCTURE;
+ if (!fdt_node_is_enabled(hw_conf_dtb, sub_node)) {
+ /* Ignore disabled sub node */
+ continue;
}
- /* Check that the sub node is "ethosn-core" compatible */
if (fdt_node_check_compatible(hw_conf_dtb,
sub_node,
- "ethosn-core") != 0) {
- /* Ignore incompatible sub node */
- continue;
- }
+ "ethosn-core") == 0) {
- core_status = fdt_node_get_status(hw_conf_dtb, sub_node);
- if (core_status == ETHOSN_STATUS_DISABLED) {
- continue;
- }
+ if (dev_core_count >= ETHOSN_DEV_CORE_NUM_MAX) {
+ ERROR("FCONF: Reached max number of NPU cores for NPU %u\n",
+ dev_count);
+ return -FDT_ERR_BADSTRUCTURE;
+ }
- err = fdt_get_reg_props_by_index(hw_conf_dtb,
- ethosn_node,
- device_core_count,
- &core_addr,
- NULL);
- if (err < 0) {
- ERROR(
- "FCONF: Failed to read reg property for Arm Ethos-N NPU core %u\n",
- device_core_count);
- return err;
- }
+ err = fdt_node_populate_core(hw_conf_dtb,
+ ethosn_node,
+ sub_node,
+ has_reserved_memory,
+ dev_core_count,
+ &(dev->cores[dev_core_count]));
+ if (err) {
+ return err;
+ }
+ ++dev_core_count;
+ } else if (fdt_node_check_compatible(hw_conf_dtb,
+ sub_node,
+ "ethosn-asset_allocator") == 0) {
- INFO("NPU core probed at address 0x%lx\n", core_addr);
- ethosn_config.core[total_core_count].addr = core_addr;
- total_core_count++;
- device_core_count++;
+ if (dev_asset_alloc_count >=
+ ETHOSN_DEV_ASSET_ALLOCATOR_NUM_MAX) {
+ ERROR("FCONF: Reached max number of asset allocators for NPU %u\n",
+ dev_count);
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ if (has_reserved_memory) {
+ ERROR("FCONF: Asset allocator not supported when using reserved memory\n");
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ err = fdt_node_populate_asset_allocator(hw_conf_dtb,
+ sub_node,
+ &(dev->asset_allocators[dev_asset_alloc_count]));
+ if (err) {
+ ERROR("FCONF: Failed to parse asset allocator for NPU %u\n",
+ dev_count);
+ return err;
+ }
+ ++dev_asset_alloc_count;
+ }
}
if ((sub_node < 0) && (sub_node != -FDT_ERR_NOTFOUND)) {
- ERROR("FCONF: Failed to parse sub nodes\n");
+ ERROR("FCONF: Failed to parse sub nodes for NPU %u\n",
+ dev_count);
return -FDT_ERR_BADSTRUCTURE;
}
- if (device_core_count == 0U) {
- ERROR(
- "FCONF: Enabled Arm Ethos-N NPU device must have at least one enabled core\n");
+ if (dev_core_count == 0U) {
+ ERROR("FCONF: NPU %u must have at least one enabled core\n",
+ dev_count);
return -FDT_ERR_BADSTRUCTURE;
}
+
+ if (!has_reserved_memory && dev_asset_alloc_count == 0U) {
+ ERROR("FCONF: NPU %u must have at least one asset allocator\n",
+ dev_count);
+ return -FDT_ERR_BADSTRUCTURE;
+ }
+
+ dev->num_cores = dev_core_count;
+ dev->num_allocators = dev_asset_alloc_count;
+ dev->has_reserved_memory = has_reserved_memory;
+ ++dev_count;
}
- if (total_core_count == 0U) {
+ if (dev_count == 0U) {
ERROR("FCONF: Can't find 'ethosn' compatible node in dtb\n");
return -FDT_ERR_BADSTRUCTURE;
}
- ethosn_config.num_cores = total_core_count;
-
- INFO("%d NPU core%s probed\n",
- ethosn_config.num_cores,
- ethosn_config.num_cores > 1 ? "s" : "");
+ ethosn_config.num_devices = dev_count;
return 0;
}
diff --git a/plat/imx/common/imx_sip_svc.c b/plat/imx/common/imx_sip_svc.c
index fae9750..11d02f3 100644
--- a/plat/imx/common/imx_sip_svc.c
+++ b/plat/imx/common/imx_sip_svc.c
@@ -60,6 +60,11 @@
SMC_RET1(handle, imx_src_handler(smc_fid, x1, x2, x3, handle));
break;
#endif
+#if defined(PLAT_imx8mm) || defined(PLAT_imx8mn) || defined(PLAT_imx8mp)
+ case IMX_SIP_HAB:
+ SMC_RET1(handle, imx_hab_handler(smc_fid, x1, x2, x3, x4));
+ break;
+#endif
case IMX_SIP_BUILDINFO:
SMC_RET1(handle, imx_buildinfo_handler(smc_fid, x1, x2, x3, x4));
default:
diff --git a/plat/imx/common/include/imx_sip_svc.h b/plat/imx/common/include/imx_sip_svc.h
index c6e9879..1f45985 100644
--- a/plat/imx/common/include/imx_sip_svc.h
+++ b/plat/imx/common/include/imx_sip_svc.h
@@ -27,6 +27,17 @@
#define IMX_SIP_GET_SOC_INFO 0xC2000006
+#define IMX_SIP_HAB 0xC2000007
+#define IMX_SIP_HAB_AUTH_IMG 0x00
+#define IMX_SIP_HAB_ENTRY 0x01
+#define IMX_SIP_HAB_EXIT 0x02
+#define IMX_SIP_HAB_REPORT_EVENT 0x03
+#define IMX_SIP_HAB_REPORT_STATUS 0x04
+#define IMX_SIP_HAB_FAILSAFE 0x05
+#define IMX_SIP_HAB_CHECK_TARGET 0x06
+#define IMX_SIP_HAB_GET_VERSION 0x07
+#define IMX_SIP_HAB_AUTH_IMG_NO_DCD 0x08
+
#define IMX_SIP_WAKEUP_SRC 0xC2000009
#define IMX_SIP_WAKEUP_SRC_SCU 0x1
#define IMX_SIP_WAKEUP_SRC_IRQSTEER 0x2
@@ -58,6 +69,11 @@
u_register_t x2, u_register_t x3, void *handle);
#endif
+#if defined(PLAT_imx8mm) || defined(PLAT_imx8mn) || defined(PLAT_imx8mp)
+int imx_hab_handler(uint32_t smc_fid, u_register_t x1,
+ u_register_t x2, u_register_t x3, u_register_t x4);
+#endif
+
#if (defined(PLAT_imx8qm) || defined(PLAT_imx8qx))
int imx_cpufreq_handler(uint32_t smc_fid, u_register_t x1,
u_register_t x2, u_register_t x3);
diff --git a/plat/imx/imx8m/imx8m_psci_common.c b/plat/imx/imx8m/imx8m_psci_common.c
index 4df4f8e..d396902 100644
--- a/plat/imx/imx8m/imx8m_psci_common.c
+++ b/plat/imx/imx8m/imx8m_psci_common.c
@@ -229,8 +229,11 @@
void __dead2 imx_system_off(void)
{
- mmio_write_32(IMX_SNVS_BASE + SNVS_LPCR, SNVS_LPCR_SRTC_ENV |
- SNVS_LPCR_DP_EN | SNVS_LPCR_TOP);
+ uint32_t val;
+
+ val = mmio_read_32(IMX_SNVS_BASE + SNVS_LPCR);
+ val |= SNVS_LPCR_SRTC_ENV | SNVS_LPCR_DP_EN | SNVS_LPCR_TOP;
+ mmio_write_32(IMX_SNVS_BASE + SNVS_LPCR, val);
while (1)
;
diff --git a/plat/imx/imx8m/imx8mm/imx8mm_bl31_setup.c b/plat/imx/imx8m/imx8mm/imx8mm_bl31_setup.c
index 1667baf..38fac92 100644
--- a/plat/imx/imx8m/imx8mm/imx8mm_bl31_setup.c
+++ b/plat/imx/imx8m/imx8mm/imx8mm_bl31_setup.c
@@ -32,12 +32,22 @@
#define TRUSTY_PARAMS_LEN_BYTES (4096*2)
+/*
+ * Note: DRAM region is mapped with entire size available and uses MT_RW
+ * attributes.
+ * See details in docs/plat/imx8m.rst "High Assurance Boot (HABv4)" section
+ * for explanation of this mapping scheme.
+ */
static const mmap_region_t imx_mmap[] = {
MAP_REGION_FLAT(IMX_GIC_BASE, IMX_GIC_SIZE, MT_DEVICE | MT_RW),
MAP_REGION_FLAT(IMX_AIPS_BASE, IMX_AIPS_SIZE, MT_DEVICE | MT_RW), /* AIPS map */
MAP_REGION_FLAT(OCRAM_S_BASE, OCRAM_S_SIZE, MT_DEVICE | MT_RW), /* OCRAM_S */
MAP_REGION_FLAT(IMX_DDRPHY_BASE, IMX_DDR_IPS_SIZE, MT_DEVICE | MT_RW), /* DDRMIX */
MAP_REGION_FLAT(IMX_VPUMIX_BASE, IMX_VPUMIX_SIZE, MT_DEVICE | MT_RW), /* VPUMIX */
+ MAP_REGION_FLAT(IMX_CAAM_RAM_BASE, IMX_CAAM_RAM_SIZE, MT_MEMORY | MT_RW), /* CAMM RAM */
+ MAP_REGION_FLAT(IMX_NS_OCRAM_BASE, IMX_NS_OCRAM_SIZE, MT_MEMORY | MT_RW), /* NS OCRAM */
+ MAP_REGION_FLAT(IMX_ROM_BASE, IMX_ROM_SIZE, MT_MEMORY | MT_RO), /* ROM code */
+ MAP_REGION_FLAT(IMX_DRAM_BASE, IMX_DRAM_SIZE, MT_MEMORY | MT_RW | MT_NS), /* DRAM */
{0},
};
diff --git a/plat/imx/imx8m/imx8mm/include/platform_def.h b/plat/imx/imx8m/imx8mm/include/platform_def.h
index 84d86b9..930372f 100644
--- a/plat/imx/imx8m/imx8mm/include/platform_def.h
+++ b/plat/imx/imx8m/imx8mm/include/platform_def.h
@@ -107,9 +107,16 @@
#define IMX_DDRPHY_BASE U(0x3c000000)
#define IMX_DDR_IPS_BASE U(0x3d000000)
#define IMX_DDR_IPS_SIZE U(0x1800000)
+#define IMX_VPUMIX_BASE U(0x38330000)
+#define IMX_VPUMIX_SIZE U(0x100000)
#define IMX_ROM_BASE U(0x0)
-#define IMX_VPUMIX_BASE U(0x38330000)
-#define IMX_VPUMIX_SIZE U(0x100000)
+#define IMX_ROM_SIZE U(0x40000)
+#define IMX_NS_OCRAM_BASE U(0x900000)
+#define IMX_NS_OCRAM_SIZE U(0x20000)
+#define IMX_CAAM_RAM_BASE U(0x100000)
+#define IMX_CAAM_RAM_SIZE U(0x10000)
+#define IMX_DRAM_BASE U(0x40000000)
+#define IMX_DRAM_SIZE U(0xc0000000)
#define GPV_BASE U(0x32000000)
#define GPV_SIZE U(0x800000)
diff --git a/plat/imx/imx8m/imx8mm/platform.mk b/plat/imx/imx8m/imx8mm/platform.mk
index e3e5c0c..ebf5c7b 100644
--- a/plat/imx/imx8m/imx8mm/platform.mk
+++ b/plat/imx/imx8m/imx8mm/platform.mk
@@ -32,6 +32,7 @@
BL31_SOURCES += plat/imx/common/imx8_helpers.S \
plat/imx/imx8m/gpc_common.c \
+ plat/imx/imx8m/imx_hab.c \
plat/imx/imx8m/imx_aipstz.c \
plat/imx/imx8m/imx_rdc.c \
plat/imx/imx8m/imx8m_csu.c \
diff --git a/plat/imx/imx8m/imx8mn/imx8mn_bl31_setup.c b/plat/imx/imx8m/imx8mn/imx8mn_bl31_setup.c
index 464c87d..de30967 100644
--- a/plat/imx/imx8m/imx8mn/imx8mn_bl31_setup.c
+++ b/plat/imx/imx8m/imx8mn/imx8mn_bl31_setup.c
@@ -32,7 +32,9 @@
#define TRUSTY_PARAMS_LEN_BYTES (4096*2)
static const mmap_region_t imx_mmap[] = {
- GIC_MAP, AIPS_MAP, OCRAM_S_MAP, DDRC_MAP, {0},
+ GIC_MAP, AIPS_MAP, OCRAM_S_MAP, DDRC_MAP,
+ CAAM_RAM_MAP, NS_OCRAM_MAP, ROM_MAP, DRAM_MAP,
+ {0},
};
static const struct aipstz_cfg aipstz[] = {
diff --git a/plat/imx/imx8m/imx8mn/include/platform_def.h b/plat/imx/imx8m/imx8mn/include/platform_def.h
index dbb4416..d4b1717 100644
--- a/plat/imx/imx8m/imx8mn/include/platform_def.h
+++ b/plat/imx/imx8m/imx8mn/include/platform_def.h
@@ -94,6 +94,13 @@
#define IMX_DDR_IPS_BASE U(0x3d000000)
#define IMX_DDR_IPS_SIZE U(0x1800000)
#define IMX_ROM_BASE U(0x0)
+#define IMX_ROM_SIZE U(0x40000)
+#define IMX_NS_OCRAM_BASE U(0x900000)
+#define IMX_NS_OCRAM_SIZE U(0x60000)
+#define IMX_CAAM_RAM_BASE U(0x100000)
+#define IMX_CAAM_RAM_SIZE U(0x10000)
+#define IMX_DRAM_BASE U(0x40000000)
+#define IMX_DRAM_SIZE U(0xc0000000)
#define IMX_GIC_BASE PLAT_GICD_BASE
#define IMX_GIC_SIZE U(0x200000)
@@ -140,5 +147,16 @@
#define AIPS_MAP MAP_REGION_FLAT(IMX_AIPS_BASE, IMX_AIPS_SIZE, MT_DEVICE | MT_RW) /* AIPS map */
#define OCRAM_S_MAP MAP_REGION_FLAT(OCRAM_S_BASE, OCRAM_S_SIZE, MT_DEVICE | MT_RW) /* OCRAM_S */
#define DDRC_MAP MAP_REGION_FLAT(IMX_DDRPHY_BASE, IMX_DDR_IPS_SIZE, MT_DEVICE | MT_RW) /* DDRMIX */
+#define CAAM_RAM_MAP MAP_REGION_FLAT(IMX_CAAM_RAM_BASE, IMX_CAAM_RAM_SIZE, MT_MEMORY | MT_RW) /* CAMM RAM */
+#define NS_OCRAM_MAP MAP_REGION_FLAT(IMX_NS_OCRAM_BASE, IMX_NS_OCRAM_SIZE, MT_MEMORY | MT_RW) /* NS OCRAM */
+#define ROM_MAP MAP_REGION_FLAT(IMX_ROM_BASE, IMX_ROM_SIZE, MT_MEMORY | MT_RO) /* ROM code */
+
+/*
+ * Note: DRAM region is mapped with entire size available and uses MT_RW
+ * attributes.
+ * See details in docs/plat/imx8m.rst "High Assurance Boot (HABv4)" section
+ * for explanation of this mapping scheme.
+ */
+#define DRAM_MAP MAP_REGION_FLAT(IMX_DRAM_BASE, IMX_DRAM_SIZE, MT_MEMORY | MT_RW | MT_NS) /* DRAM */
#endif /* platform_def.h */
diff --git a/plat/imx/imx8m/imx8mn/platform.mk b/plat/imx/imx8m/imx8mn/platform.mk
index 0f3ad1a..c70f3a1 100644
--- a/plat/imx/imx8m/imx8mn/platform.mk
+++ b/plat/imx/imx8m/imx8mn/platform.mk
@@ -27,6 +27,7 @@
BL31_SOURCES += plat/imx/common/imx8_helpers.S \
plat/imx/imx8m/gpc_common.c \
+ plat/imx/imx8m/imx_hab.c \
plat/imx/imx8m/imx_aipstz.c \
plat/imx/imx8m/imx_rdc.c \
plat/imx/imx8m/imx8m_caam.c \
diff --git a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
index 34631b8..70dd8c8 100644
--- a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
+++ b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
@@ -33,7 +33,9 @@
static const mmap_region_t imx_mmap[] = {
GIC_MAP, AIPS_MAP, OCRAM_S_MAP, DDRC_MAP,
- NOC_MAP, {0},
+ NOC_MAP, CAAM_RAM_MAP, NS_OCRAM_MAP,
+ ROM_MAP, DRAM_MAP,
+ {0},
};
static const struct aipstz_cfg aipstz[] = {
diff --git a/plat/imx/imx8m/imx8mp/include/platform_def.h b/plat/imx/imx8m/imx8mp/include/platform_def.h
index 8807f5d..1c58f48 100644
--- a/plat/imx/imx8m/imx8mp/include/platform_def.h
+++ b/plat/imx/imx8m/imx8mp/include/platform_def.h
@@ -111,6 +111,13 @@
#define IMX_DDR_IPS_BASE U(0x3d000000)
#define IMX_DDR_IPS_SIZE U(0x1800000)
#define IMX_ROM_BASE U(0x0)
+#define IMX_ROM_SIZE U(0x40000)
+#define IMX_NS_OCRAM_BASE U(0x900000)
+#define IMX_NS_OCRAM_SIZE U(0x60000)
+#define IMX_CAAM_RAM_BASE U(0x100000)
+#define IMX_CAAM_RAM_SIZE U(0x10000)
+#define IMX_DRAM_BASE U(0x40000000)
+#define IMX_DRAM_SIZE U(0xc0000000)
#define IMX_GIC_BASE PLAT_GICD_BASE
#define IMX_GIC_SIZE U(0x200000)
@@ -178,5 +185,16 @@
#define OCRAM_S_MAP MAP_REGION_FLAT(OCRAM_S_BASE, OCRAM_S_SIZE, MT_MEMORY | MT_RW) /* OCRAM_S */
#define DDRC_MAP MAP_REGION_FLAT(IMX_DDRPHY_BASE, IMX_DDR_IPS_SIZE, MT_DEVICE | MT_RW) /* DDRMIX */
#define NOC_MAP MAP_REGION_FLAT(IMX_NOC_BASE, IMX_NOC_SIZE, MT_DEVICE | MT_RW) /* NOC QoS */
+#define CAAM_RAM_MAP MAP_REGION_FLAT(IMX_CAAM_RAM_BASE, IMX_CAAM_RAM_SIZE, MT_MEMORY | MT_RW) /* CAMM RAM */
+#define NS_OCRAM_MAP MAP_REGION_FLAT(IMX_NS_OCRAM_BASE, IMX_NS_OCRAM_SIZE, MT_MEMORY | MT_RW) /* NS OCRAM */
+#define ROM_MAP MAP_REGION_FLAT(IMX_ROM_BASE, IMX_ROM_SIZE, MT_MEMORY | MT_RO) /* ROM code */
+
+/*
+ * Note: DRAM region is mapped with entire size available and uses MT_RW
+ * attributes.
+ * See details in docs/plat/imx8m.rst "High Assurance Boot (HABv4)" section
+ * for explanation of this mapping scheme.
+ */
+#define DRAM_MAP MAP_REGION_FLAT(IMX_DRAM_BASE, IMX_DRAM_SIZE, MT_MEMORY | MT_RW | MT_NS) /* DRAM */
#endif /* platform_def.h */
diff --git a/plat/imx/imx8m/imx8mp/platform.mk b/plat/imx/imx8m/imx8mp/platform.mk
index e8669e5..09f9ee9 100644
--- a/plat/imx/imx8m/imx8mp/platform.mk
+++ b/plat/imx/imx8m/imx8mp/platform.mk
@@ -28,6 +28,7 @@
BL31_SOURCES += plat/imx/common/imx8_helpers.S \
plat/imx/imx8m/gpc_common.c \
+ plat/imx/imx8m/imx_hab.c \
plat/imx/imx8m/imx_aipstz.c \
plat/imx/imx8m/imx_rdc.c \
plat/imx/imx8m/imx8m_caam.c \
diff --git a/plat/imx/imx8m/imx_hab.c b/plat/imx/imx8m/imx_hab.c
new file mode 100644
index 0000000..222046f
--- /dev/null
+++ b/plat/imx/imx8m/imx_hab.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2017-2020 NXP
+ * Copyright 2022 Leica Geosystems AG
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <common/runtime_svc.h>
+#include <imx_sip_svc.h>
+
+#define HAB_CID_ATF U(2) /* TF-A Caller ID */
+
+/* HAB Status definitions */
+enum hab_status {
+ HAB_STS_ANY = 0x00, /* Match any status in report_event() */
+ HAB_FAILURE = 0x33, /* Operation failed */
+ HAB_WARNING = 0x69, /* Operation completed with warning */
+ HAB_SUCCESS = 0xf0 /* Operation completed successfully */
+};
+
+/* HAB Configuration definitions */
+enum hab_config {
+ HAB_CFG_RETURN = 0x33, /* Field Return IC */
+ HAB_CFG_OPEN = 0xf0, /* Non-secure IC */
+ HAB_CFG_CLOSED = 0xcc /* Secure IC */
+};
+
+/* HAB State definitions */
+enum hab_state {
+ HAB_STATE_INITIAL = 0x33, /* Initializing state (transitory) */
+ HAB_STATE_CHECK = 0x55, /* Check state (non-secure) */
+ HAB_STATE_NONSECURE = 0x66, /* Non-secure state */
+ HAB_STATE_TRUSTED = 0x99, /* Trusted state */
+ HAB_STATE_SECURE = 0xaa, /* Secure state */
+ HAB_STATE_FAIL_SOFT = 0xcc, /* Soft fail state */
+ HAB_STATE_FAIL_HARD = 0xff, /* Hard fail state (terminal) */
+ HAB_STATE_NONE = 0xf0 /* No security state machine */
+};
+
+/* HAB Verification Target definitions */
+enum hab_target {
+ HAB_TGT_MEMORY = 0x0f, /* Check memory allowed list */
+ HAB_TGT_PERIPHERAL = 0xf0, /* Check peripheral allowed list */
+ HAB_TGT_ANY = 0x55 /* Check memory & peripheral allowed list */
+};
+
+/* Authenticate Image Loader Callback prototype */
+typedef enum hab_status hab_loader_callback_f_t(void **, size_t *, const void *);
+
+/*
+ * HAB Rom VectorTable (RVT) structure.
+ * This table provides function pointers into the HAB library in ROM for
+ * use by post-ROM boot sequence components.
+ * Functions are ordered in the structure below based on the offsets in ROM
+ * image, and shall not be changed!
+ * Details on API allocation offsets and function description could be
+ * found in following documents from NXP:
+ * - High Assurance Boot Version 4 Application Programming Interface
+ * Reference Manual (available in CST package)
+ * - HABv4 RVT Guidelines and Recommendations (AN12263)
+ */
+struct hab_rvt_api {
+ uint64_t hdr;
+ enum hab_status (*entry)(void);
+ enum hab_status (*exit)(void);
+ enum hab_status (*check_target)(enum hab_target type, const void *start, size_t bytes);
+ void* (*authenticate_image)(uint8_t cid, long ivt_offset, void **start,
+ size_t *bytes, hab_loader_callback_f_t loader);
+ enum hab_status (*run_dcd)(const uint8_t *dcd);
+ enum hab_status (*run_csf)(const uint8_t *csf, uint8_t cid, uint32_t srkmask);
+ enum hab_status (*assert)(long type, const void *data, uint32_t count);
+ enum hab_status (*report_event)(enum hab_status status, uint32_t index,
+ uint8_t *event, size_t *bytes);
+ enum hab_status (*report_status)(enum hab_config *config, enum hab_state *state);
+ void (*failsafe)(void);
+ void* (*authenticate_image_no_dcd)(uint8_t cid, long ivt_offset, void **start,
+ size_t *bytes, hab_loader_callback_f_t loader);
+ uint32_t (*get_version)(void);
+ enum hab_status (*authenticate_container)(uint8_t cid, long ivt_offset, void **start,
+ size_t *bytes, hab_loader_callback_f_t loader, uint32_t srkmask, int skip_dcd);
+};
+
+struct hab_rvt_api *g_hab_rvt_api = (struct hab_rvt_api *)HAB_RVT_BASE;
+
+/*******************************************************************************
+ * Handler for servicing HAB SMC calls
+ ******************************************************************************/
+int imx_hab_handler(uint32_t smc_fid,
+ u_register_t x1,
+ u_register_t x2,
+ u_register_t x3,
+ u_register_t x4)
+{
+ switch (x1) {
+ case IMX_SIP_HAB_ENTRY:
+ return g_hab_rvt_api->entry();
+ case IMX_SIP_HAB_EXIT:
+ return g_hab_rvt_api->exit();
+ case IMX_SIP_HAB_CHECK_TARGET:
+ return g_hab_rvt_api->check_target((enum hab_target)x2,
+ (const void *)x3, (size_t)x4);
+ case IMX_SIP_HAB_AUTH_IMG:
+ return (unsigned long)g_hab_rvt_api->authenticate_image(HAB_CID_ATF,
+ x2, (void **)x3, (size_t *)x4, NULL);
+ case IMX_SIP_HAB_REPORT_EVENT:
+ return g_hab_rvt_api->report_event(HAB_FAILURE,
+ (uint32_t)x2, (uint8_t *)x3, (size_t *)x4);
+ case IMX_SIP_HAB_REPORT_STATUS:
+ return g_hab_rvt_api->report_status((enum hab_config *)x2,
+ (enum hab_state *)x3);
+ case IMX_SIP_HAB_FAILSAFE:
+ g_hab_rvt_api->failsafe();
+ break;
+ case IMX_SIP_HAB_AUTH_IMG_NO_DCD:
+ return (unsigned long)g_hab_rvt_api->authenticate_image_no_dcd(
+ HAB_CID_ATF, x2, (void **)x3, (size_t *)x4, NULL);
+ case IMX_SIP_HAB_GET_VERSION:
+ return g_hab_rvt_api->get_version();
+ default:
+ return SMC_UNK;
+ };
+
+ return SMC_OK;
+}
diff --git a/plat/rpi/common/rpi3_pm.c b/plat/rpi/common/rpi3_pm.c
index 2f86279..d98ac66 100644
--- a/plat/rpi/common/rpi3_pm.c
+++ b/plat/rpi/common/rpi3_pm.c
@@ -187,8 +187,9 @@
write_rmr_el3(RMR_EL3_RR_BIT | RMR_EL3_AA64_BIT);
- while (1)
- ;
+ while (1) {
+ wfi();
+ }
}
/*******************************************************************************
