Merge changes from topic "tegra-downstream-092319" into integration
* changes:
Tegra194: remove L2 ECC parity protection setting
Tegra194: sip_calls: mark unused parameter as const
Tegra194: implement handler to retrieve power domain tree
Tegra194: mce: fix function declaration conflicts
Tegra194: add macros to read GPU reset status
Tegra194: skip notifying MCE in fake system suspend
Tegra194: Enable system suspend
diff --git a/common/bl_common.c b/common/bl_common.c
index e6f9802..b74225b 100644
--- a/common/bl_common.c
+++ b/common/bl_common.c
@@ -143,26 +143,45 @@
return io_result;
}
-static int load_auth_image_internal(unsigned int image_id,
+/*
+ * Load an image and flush it out to main memory so that it can be executed
+ * later by any CPU, regardless of cache and MMU state.
+ */
+static int load_image_flush(unsigned int image_id,
+ image_info_t *image_data)
+{
+ int rc;
+
+ rc = load_image(image_id, image_data);
+ if (rc == 0) {
+ flush_dcache_range(image_data->image_base,
+ image_data->image_size);
+ }
+
+ return rc;
+}
+
+
+#if TRUSTED_BOARD_BOOT
+/*
+ * This function uses recursion to authenticate the parent images up to the root
+ * of trust.
+ */
+static int load_auth_image_recursive(unsigned int image_id,
image_info_t *image_data,
int is_parent_image)
{
int rc;
+ unsigned int parent_id;
-#if TRUSTED_BOARD_BOOT
- if (dyn_is_auth_disabled() == 0) {
- unsigned int parent_id;
-
- /* Use recursion to authenticate parent images */
- rc = auth_mod_get_parent_id(image_id, &parent_id);
- if (rc == 0) {
- rc = load_auth_image_internal(parent_id, image_data, 1);
- if (rc != 0) {
- return rc;
- }
+ /* Use recursion to authenticate parent images */
+ rc = auth_mod_get_parent_id(image_id, &parent_id);
+ if (rc == 0) {
+ rc = load_auth_image_recursive(parent_id, image_data, 1);
+ if (rc != 0) {
+ return rc;
}
}
-#endif /* TRUSTED_BOARD_BOOT */
/* Load the image */
rc = load_image(image_id, image_data);
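Review bot: `load_auth_image_recursive` has no depth limit of its own: it stops only when `auth_mod_get_parent_id()` returns non-zero, so termination and stack use depend entirely on the chain-of-trust description being finite and acyclic. If `parent_id` always comes from a static, build-time CoT table (not visible in this hunk), say so in the function comment, e.g. `Recursion depth equals the CoT depth; parent IDs come from the static CoT description, never from image contents.` If that cannot be guaranteed, an explicit depth counter would be the safer form on a boot stack. The function body continues past the end of this hunk.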
@@ -170,51 +189,58 @@
return rc;
}
-#if TRUSTED_BOARD_BOOT
- if (dyn_is_auth_disabled() == 0) {
- /* Authenticate it */
- rc = auth_mod_verify_img(image_id,
- (void *)image_data->image_base,
- image_data->image_size);
- if (rc != 0) {
- /* Authentication error, zero memory and flush it right away. */
- zero_normalmem((void *)image_data->image_base,
+ /* Authenticate it */
+ rc = auth_mod_verify_img(image_id,
+ (void *)image_data->image_base,
+ image_data->image_size);
+ if (rc != 0) {
+ /* Authentication error, zero memory and flush it right away. */
+ zero_normalmem((void *)image_data->image_base,
image_data->image_size);
- flush_dcache_range(image_data->image_base,
- image_data->image_size);
- return -EAUTH;
- }
+ flush_dcache_range(image_data->image_base,
+ image_data->image_size);
+ return -EAUTH;
}
-#endif /* TRUSTED_BOARD_BOOT */
/*
* Flush the image to main memory so that it can be executed later by
- * any CPU, regardless of cache and MMU state. If TBB is enabled, then
- * the file has been successfully loaded and authenticated and flush
- * only for child images, not for the parents (certificates).
+ * any CPU, regardless of cache and MMU state. This is only needed for
+ * child images, not for the parents (certificates).
*/
if (is_parent_image == 0) {
flush_dcache_range(image_data->image_base,
image_data->image_size);
}
-
return 0;
}
+#endif /* TRUSTED_BOARD_BOOT */
+
+static int load_auth_image_internal(unsigned int image_id,
+ image_info_t *image_data)
+{
+#if TRUSTED_BOARD_BOOT
+ if (dyn_is_auth_disabled() == 0) {
+ return load_auth_image_recursive(image_id, image_data, 0);
+ }
+#endif
+
+ return load_image_flush(image_id, image_data);
+}
/*******************************************************************************
* Generic function to load and authenticate an image. The image is actually
* loaded by calling the 'load_image()' function. Therefore, it returns the
* same error codes if the loading operation failed, or -EAUTH if the
* authentication failed. In addition, this function uses recursion to
- * authenticate the parent images up to the root of trust.
+ * authenticate the parent images up to the root of trust (if TBB is enabled).
******************************************************************************/
int load_auth_image(unsigned int image_id, image_info_t *image_data)
{
int err;
do {
- err = load_auth_image_internal(image_id, image_data, 0);
+ err = load_auth_image_internal(image_id, image_data);
} while ((err != 0) && (plat_try_next_boot_source() != 0));
return err;
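Review bot: `load_auth_image_internal` is now the single place that chooses between the authenticated and the unauthenticated load path, but it has no comment. A reader has to work out that a non-zero `dyn_is_auth_disabled()` falls through to `load_image_flush()` with no verification at all. A header comment would make that explicit, e.g. `/* Authenticate via the CoT when TBB is built in and not dynamically disabled; otherwise load and flush the image without any authentication. */`. For consistency with the other guard in this file, the closing line would read `#endif /* TRUSTED_BOARD_BOOT */`.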
diff --git a/docs/components/romlib-design.rst b/docs/components/romlib-design.rst
index d8bc89c..e0a028e 100644
--- a/docs/components/romlib-design.rst
+++ b/docs/components/romlib-design.rst
@@ -111,6 +111,21 @@
BL image --> function
+Memory impact
+~~~~~~~~~~~~~
+
+Using library at ROM will modify the memory layout of the BL images:
+- The ROM library needs a page aligned RAM section to hold the RW data. This
+ section is defined by the ROMLIB_RW_BASE and ROMLIB_RW_END macros.
+ On Arm platforms a section of 1 page (0x1000) is allocated at the top of SRAM.
+ This will have for effect to shift down all the BL images by 1 page.
+- Depending on the functions moved to the ROM library, the size of the BL images
+ will be reduced.
+ For example: moving MbedTLS function into the ROM library reduces BL1 and
+ BL2, but not BL31.
+- This change in BL images size can be taken into consideration to optimize the
+ memory layout when defining the BLx_BASE macros.
+
Build library at ROM
~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/global_substitutions.txt b/docs/global_substitutions.txt
index fdca9c3..491b160 100644
--- a/docs/global_substitutions.txt
+++ b/docs/global_substitutions.txt
@@ -1,11 +1,13 @@
.. |AArch32| replace:: :term:`AArch32`
.. |AArch64| replace:: :term:`AArch64`
.. |API| replace:: :term:`API`
+.. |BTI| replace:: :term:`BTI`
.. |CoT| replace:: :term:`CoT`
.. |COT| replace:: :term:`COT`
.. |CSS| replace:: :term:`CSS`
.. |CVE| replace:: :term:`CVE`
.. |DS-5| replace:: :term:`DS-5`
+.. |DSU| replace:: :term:`DSU`
.. |DT| replace:: :term:`DT`
.. |EL| replace:: :term:`EL`
.. |EHF| replace:: :term:`EHF`
@@ -19,10 +21,12 @@
.. |MMU| replace:: :term:`MMU`
.. |MPAM| replace:: :term:`MPAM`
.. |MPIDR| replace:: :term:`MPIDR`
+.. |MTE| replace:: :term:`MTE`
.. |OEN| replace:: :term:`OEN`
.. |OP-TEE| replace:: :term:`OP-TEE`
.. |OTE| replace:: :term:`OTE`
.. |PDD| replace:: :term:`PDD`
+.. |PAUTH| replace:: :term:`PAUTH`
.. |PMF| replace:: :term:`PMF`
.. |PSCI| replace:: :term:`PSCI`
.. |RAS| replace:: :term:`RAS`
@@ -41,6 +45,7 @@
.. |SPCI| replace:: :term:`SPCI`
.. |SPD| replace:: :term:`SPD`
.. |SPM| replace:: :term:`SPM`
+.. |SSBS| replace:: :term:`SSBS`
.. |SVE| replace:: :term:`SVE`
.. |TBB| replace:: :term:`TBB`
.. |TBBR| replace:: :term:`TBBR`
@@ -51,6 +56,7 @@
.. |TLK| replace:: :term:`TLK`
.. |TSP| replace:: :term:`TSP`
.. |TZC| replace:: :term:`TZC`
+.. |UBSAN| replace:: :term:`UBSAN`
.. |UEFI| replace:: :term:`UEFI`
.. |WDOG| replace:: :term:`WDOG`
-.. |XLAT| replace:: :term:`XLAT`
\ No newline at end of file
+.. |XLAT| replace:: :term:`XLAT`
diff --git a/docs/glossary.rst b/docs/glossary.rst
index 45caf46..2f19df5 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -18,6 +18,10 @@
API
Application Programming Interface
+ BTI
+ Branch Target Identification. An Armv8.5 extension providing additional
+ control flow integrity around indirect branches and their targets.
+
CoT
COT
Chain of Trust
@@ -32,6 +36,9 @@
DS-5
Arm Development Studio 5
+ DSU
+ DynamIQ Shared Unit
+
DT
Device Tree
@@ -72,6 +79,10 @@
MPIDR
Multiprocessor Affinity Register
+ MTE
+ Memory Tagging Extension. An optional Armv8.5 extension that enables
+ hardware-assisted memory tagging.
+
OEN
Owning Entity Number
@@ -84,6 +95,9 @@
PDD
Platform Design Document
+ PAUTH
+ Pointer Authentication. An optional extension introduced in Armv8.3.
+
PMF
Performance Measurement Framework
@@ -138,6 +152,11 @@
SPM
Secure Partition Manager
+ SSBS
+ Speculative Store Bypass Safe. Introduced in Armv8.5, this configuration
+ bit can be set by software to allow or prevent the hardware from
+ performing speculative operations.
+
SVE
Scalable Vector Extension
@@ -168,6 +187,9 @@
TZC
TrustZone Controller
+ UBSAN
+ Undefined Behavior Sanitizer
+
UEFI
Unified Extensible Firmware Interface
@@ -177,4 +199,4 @@
XLAT
Translation (abbr.). For example, "XLAT table".
-.. _`Arm Glossary`: https://developer.arm.com/support/arm-glossary
\ No newline at end of file
+.. _`Arm Glossary`: https://developer.arm.com/support/arm-glossary
diff --git a/drivers/arm/gic/v3/gic600.c b/drivers/arm/gic/v3/gic600.c
index 9cb2ab2..59652da 100644
--- a/drivers/arm/gic/v3/gic600.c
+++ b/drivers/arm/gic/v3/gic600.c
@@ -1,14 +1,14 @@
/*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/*
- * Driver for GIC600-specific features. This driver only overrides APIs that are
- * different to those generic ones in GICv3 driver.
+ * Driver for GIC-600 specific features. This driver only overrides
+ * APIs that are different to those generic ones in GICv3 driver.
*
- * GIC600 supports independently power-gating redistributor interface.
+ * GIC-600 supports independently power-gating redistributor interface.
*/
#include <assert.h>
@@ -18,22 +18,28 @@
#include "gicv3_private.h"
-/* GIC600-specific register offsets */
+/* GIC-600 specific register offsets */
#define GICR_PWRR 0x24
/* GICR_PWRR fields */
#define PWRR_RDPD_SHIFT 0
+#define PWRR_RDAG_SHIFT 1
#define PWRR_RDGPD_SHIFT 2
#define PWRR_RDGPO_SHIFT 3
+#define PWRR_RDPD (1 << PWRR_RDPD_SHIFT)
+#define PWRR_RDAG (1 << PWRR_RDAG_SHIFT)
#define PWRR_RDGPD (1 << PWRR_RDGPD_SHIFT)
#define PWRR_RDGPO (1 << PWRR_RDGPO_SHIFT)
-/* Values to write to GICR_PWRR register to power redistributor */
+/*
+ * Values to write to GICR_PWRR register to power redistributor
+ * for operating through the core (GICR_PWRR.RDAG = 0)
+ */
#define PWRR_ON (0 << PWRR_RDPD_SHIFT)
#define PWRR_OFF (1 << PWRR_RDPD_SHIFT)
-/* GIC600-specific accessor functions */
+/* GIC-600 specific accessor functions */
static void gicr_write_pwrr(uintptr_t base, unsigned int val)
{
mmio_write_32(base + GICR_PWRR, val);
@@ -44,39 +50,46 @@
return mmio_read_32(base + GICR_PWRR);
}
-static int gicr_group_powering_down(uint32_t pwrr)
+static void gicr_wait_group_not_in_transit(uintptr_t base)
{
- /*
- * Whether the redistributor group power down operation is in transit:
- * i.e. it's intending to, but not finished yet.
- */
- return ((pwrr & PWRR_RDGPD) && !(pwrr & PWRR_RDGPO));
+ /* Check group not transitioning: RDGPD == RDGPO */
+ while (((gicr_read_pwrr(base) & PWRR_RDGPD) >> PWRR_RDGPD_SHIFT) !=
+ ((gicr_read_pwrr(base) & PWRR_RDGPO) >> PWRR_RDGPO_SHIFT))
+ ;
}
static void gic600_pwr_on(uintptr_t base)
{
- /* Power on redistributor */
- gicr_write_pwrr(base, PWRR_ON);
+ do { /* Wait until group not transitioning */
+ gicr_wait_group_not_in_transit(base);
- /* Wait until the power on state is reflected */
- while (gicr_read_pwrr(base) & PWRR_RDGPO)
- ;
+ /* Power on redistributor */
+ gicr_write_pwrr(base, PWRR_ON);
+
+ /*
+ * Wait until the power on state is reflected.
+ * If RDPD == 0 then powered on.
+ */
+ } while ((gicr_read_pwrr(base) & PWRR_RDPD) != PWRR_ON);
}
static void gic600_pwr_off(uintptr_t base)
{
+ /* Wait until group not transitioning */
+ gicr_wait_group_not_in_transit(base);
+
/* Power off redistributor */
gicr_write_pwrr(base, PWRR_OFF);
/*
* If this is the last man, turning this redistributor frame off will
- * result in the group itself being powered off. In that case, wait as
- * long as it's in transition, or has aborted the transition altogether
- * for any reason.
+ * result in the group itself being powered off and RDGPD = 1.
+ * In that case, wait as long as it's in transition, or has aborted
+ * the transition altogether for any reason.
*/
- if (gicr_read_pwrr(base) & PWRR_RDGPD) {
- while (gicr_group_powering_down(gicr_read_pwrr(base)))
- ;
+ if ((gicr_read_pwrr(base) & PWRR_RDGPD) != 0) {
+ /* Wait until group not transitioning */
+ gicr_wait_group_not_in_transit(base);
}
}
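Review bot: The loop condition in `gicr_wait_group_not_in_transit` reads GICR_PWRR twice, so RDGPD and RDGPO come from two different samples and can be compared across a state change. Reading the register once per iteration into a local keeps the two fields consistent. Separately, this helper and the `do … while` in `gic600_pwr_on` spin with no bound, so a redistributor that never reports the expected state hangs the calling core. Whether a timeout or a panic is appropriate is a platform decision, but the behaviour deserves a comment.

```c
static void gicr_wait_group_not_in_transit(uintptr_t base)
{
	uint32_t pwrr;

	/* Sample GICR_PWRR once per iteration so both fields come from one read */
	do {
		pwrr = gicr_read_pwrr(base);
	} while (((pwrr & PWRR_RDGPD) >> PWRR_RDGPD_SHIFT) !=
		 ((pwrr & PWRR_RDGPO) >> PWRR_RDGPO_SHIFT));
}
```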
@@ -91,7 +104,7 @@
}
/*
- * Power off GIC600 redistributor
+ * Power off GIC-600 redistributor
*/
void gicv3_rdistif_off(unsigned int proc_num)
{
@@ -109,7 +122,7 @@
}
/*
- * Power on GIC600 redistributor
+ * Power on GIC-600 redistributor
*/
void gicv3_rdistif_on(unsigned int proc_num)
{
diff --git a/drivers/delay_timer/delay_timer.c b/drivers/delay_timer/delay_timer.c
index 8c2996e..a3fd7bf 100644
--- a/drivers/delay_timer/delay_timer.c
+++ b/drivers/delay_timer/delay_timer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -27,23 +27,32 @@
(timer_ops->clk_div != 0U) &&
(timer_ops->get_timer_value != NULL));
- uint32_t start, delta, total_delta;
+ uint32_t start, delta;
+ uint64_t total_delta;
- assert(usec < (UINT32_MAX / timer_ops->clk_div));
+ assert(usec < (UINT64_MAX / timer_ops->clk_div));
start = timer_ops->get_timer_value();
/* Add an extra tick to avoid delaying less than requested. */
total_delta =
- div_round_up(usec * timer_ops->clk_div,
+ div_round_up((uint64_t)usec * timer_ops->clk_div,
timer_ops->clk_mult) + 1U;
+ /*
+ * Precaution for the total_delta ~ UINT32_MAX and the fact that we
+ * cannot catch every tick of the timer.
+ * For example 100MHz timer over 25MHz APB will miss at least 4 ticks.
+ * 1000U is an arbitrary big number which is believed to be sufficient.
+ */
+ assert(total_delta < (UINT32_MAX - 1000U));
do {
/*
* If the timer value wraps around, the subtraction will
* overflow and it will still give the correct result.
+ * delta is decreasing counter
*/
- delta = start - timer_ops->get_timer_value(); /* Decreasing counter */
+ delta = start - timer_ops->get_timer_value();
} while (delta < total_delta);
}
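Review bot: Both range checks on the delay are `assert()`s, so a build with assertions compiled out has no guard: if `total_delta` exceeds `UINT32_MAX`, the 32-bit `delta` can never reach it and the loop does not terminate. The first assert also looks vacuous after the change, because a 32-bit `usec` (as passed by `mdelay`) is always below `UINT64_MAX / clk_div` if `clk_div` is a 32-bit field. Consider a runtime bound after the computation, e.g. `if (total_delta >= (UINT32_MAX - 1000U)) { total_delta = UINT32_MAX - 1000U; }`, or document the maximum supported delay in the function header. The function starts outside this hunk.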
@@ -54,6 +63,7 @@
***********************************************************/
void mdelay(uint32_t msec)
{
+ assert((msec * 1000UL) < UINT32_MAX);
udelay(msec * 1000U);
}
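Review bot: The added check `(msec * 1000UL) < UINT32_MAX` cannot detect overflow on a target where `unsigned long` is 32 bits wide (an AArch32 build, if this file is compiled there), because the product wraps before the comparison. A width-independent form is `assert(msec < (UINT32_MAX / 1000U));`. As elsewhere in this file, the check disappears when assertions are disabled, so `udelay(msec * 1000U)` can still receive a wrapped, much shorter delay.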
diff --git a/lib/xlat_tables/aarch32/nonlpae_tables.c b/lib/xlat_tables/aarch32/nonlpae_tables.c
index bd6b152..b8c2686 100644
--- a/lib/xlat_tables/aarch32/nonlpae_tables.c
+++ b/lib/xlat_tables/aarch32/nonlpae_tables.c
@@ -284,10 +284,10 @@
}
/* map all memory as shared/global/domain0/no-usr access */
-static unsigned long mmap_desc(unsigned attr, unsigned long addr_pa,
- unsigned int level)
+static uint32_t mmap_desc(unsigned attr, unsigned int addr_pa,
+ unsigned int level)
{
- unsigned long desc;
+ uint32_t desc;
switch (level) {
case 1:
@@ -380,14 +380,14 @@
}
static mmap_region_t *init_xlation_table_inner(mmap_region_t *mm,
- unsigned long base_va,
- unsigned long *table,
+ unsigned int base_va,
+ uint32_t *table,
unsigned int level)
{
unsigned int level_size_shift = (level == 1) ?
ONE_MB_SHIFT : FOUR_KB_SHIFT;
unsigned int level_size = 1 << level_size_shift;
- unsigned long level_index_mask = (level == 1) ?
+ unsigned int level_index_mask = (level == 1) ?
(NUM_1MB_IN_4GB - 1) << ONE_MB_SHIFT :
(NUM_4K_IN_1MB - 1) << FOUR_KB_SHIFT;
@@ -396,7 +396,7 @@
VERBOSE("init xlat table at %p (level%1d)\n", (void *)table, level);
do {
- unsigned long desc = MMU32B_UNSET_DESC;
+ uint32_t desc = MMU32B_UNSET_DESC;
if (mm->base_va + mm->size <= base_va) {
/* Area now after the region so skip it */
@@ -427,7 +427,7 @@
}
if (desc == MMU32B_UNSET_DESC) {
- unsigned long xlat_table;
+ uintptr_t xlat_table;
/*
* Area not covered by a region so need finer table
@@ -443,7 +443,7 @@
~(MMU32B_L1_TABLE_ALIGN - 1);
desc = *table;
} else {
- xlat_table = (unsigned long)mmu_l2_base +
+ xlat_table = (uintptr_t)mmu_l2_base +
next_xlat * MMU32B_L2_TABLE_SIZE;
next_xlat++;
assert(next_xlat <= MAX_XLAT_TABLES);
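Review bot: On the changed line, `xlat_table` is computed from `next_xlat`, and `next_xlat` is incremented before the only bound check, which is an `assert()`. In a build without assertions, running out of L2 tables would give a pointer past the `mmu_l2_base` area (assuming it holds `MAX_XLAT_TABLES` tables), and that pointer is then filled in as a translation table. This predates the cast change, but it would be worth checking `next_xlat < MAX_XLAT_TABLES` before computing the address and failing hard through the project's panic path rather than relying on the assert. The enclosing function starts and ends outside this hunk.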
@@ -456,7 +456,7 @@
}
/* Recurse to fill in new table */
mm = init_xlation_table_inner(mm, base_va,
- (unsigned long *)xlat_table,
+ (uint32_t *)xlat_table,
level + 1);
}
#if LOG_LEVEL >= LOG_LEVEL_VERBOSE
@@ -480,7 +480,7 @@
memset(mmu_l1_base, 0, MMU32B_L1_TABLE_SIZE);
- init_xlation_table_inner(mmap, 0, (unsigned long *)mmu_l1_base, 1);
+ init_xlation_table_inner(mmap, 0, (uint32_t *)mmu_l1_base, 1);
VERBOSE("init xlat - max_va=%p, max_pa=%llx\n",
(void *)xlat_max_va, xlat_max_pa);
diff --git a/lib/xlat_tables_v2/xlat_tables_core.c b/lib/xlat_tables_v2/xlat_tables_core.c
index 4f62f46..3c0865b 100644
--- a/lib/xlat_tables_v2/xlat_tables_core.c
+++ b/lib/xlat_tables_v2/xlat_tables_core.c
@@ -607,7 +607,8 @@
}
/* Point to new subtable from this one. */
- table_base[table_idx] = TABLE_DESC | (unsigned long)subtable;
+ table_base[table_idx] =
+ TABLE_DESC | (uintptr_t)subtable;
/* Recurse to write into subtable */
end_va = xlat_tables_map_region(ctx, mm, table_idx_va,
diff --git a/plat/arm/board/fvp/include/platform_def.h b/plat/arm/board/fvp/include/platform_def.h
index 4f26277..98dd0a9 100644
--- a/plat/arm/board/fvp/include/platform_def.h
+++ b/plat/arm/board/fvp/include/platform_def.h
@@ -94,9 +94,11 @@
#if USE_ROMLIB
#define PLAT_ARM_MAX_ROMLIB_RW_SIZE UL(0x1000)
#define PLAT_ARM_MAX_ROMLIB_RO_SIZE UL(0xe000)
+#define FVP_BL2_ROMLIB_OPTIMIZATION UL(0x6000)
#else
#define PLAT_ARM_MAX_ROMLIB_RW_SIZE UL(0)
#define PLAT_ARM_MAX_ROMLIB_RO_SIZE UL(0)
+#define FVP_BL2_ROMLIB_OPTIMIZATION UL(0)
#endif
/*
@@ -104,9 +106,9 @@
* little space for growth.
*/
#if TRUSTED_BOARD_BOOT
-# define PLAT_ARM_MAX_BL2_SIZE UL(0x1D000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1D000) - FVP_BL2_ROMLIB_OPTIMIZATION)
#else
-# define PLAT_ARM_MAX_BL2_SIZE UL(0x11000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x11000) - FVP_BL2_ROMLIB_OPTIMIZATION)
#endif
/*
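Review bot: `FVP_BL2_ROMLIB_OPTIMIZATION` is subtracted from `PLAT_ARM_MAX_BL2_SIZE` in the non-TBB branch as well as the `TRUSTED_BOARD_BOOT` one, giving `0x11000 - 0x6000`. The romlib documentation added in this same change attributes the saving to moving MbedTLS into ROM, which a non-TBB BL2 presumably does not link. It is worth confirming that a `USE_ROMLIB=1`, `TRUSTED_BOARD_BOOT=0` build still fits, or applying the reduction only under TBB. The same applies to `JUNO_BL2_ROMLIB_OPTIMIZATION` in the Juno header, where the non-TBB limit becomes `0xF000 - 0x8000`. Both constants would also benefit from a one-line comment stating how the value was derived, so it can be re-measured when the set of ROM library functions changes.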
diff --git a/plat/arm/board/juno/include/platform_def.h b/plat/arm/board/juno/include/platform_def.h
index 83aeeb4..16bb33d 100644
--- a/plat/arm/board/juno/include/platform_def.h
+++ b/plat/arm/board/juno/include/platform_def.h
@@ -60,9 +60,11 @@
#if USE_ROMLIB
#define PLAT_ARM_MAX_ROMLIB_RW_SIZE UL(0x1000)
#define PLAT_ARM_MAX_ROMLIB_RO_SIZE UL(0xe000)
+#define JUNO_BL2_ROMLIB_OPTIMIZATION UL(0x8000)
#else
#define PLAT_ARM_MAX_ROMLIB_RW_SIZE UL(0)
#define PLAT_ARM_MAX_ROMLIB_RO_SIZE UL(0)
+#define JUNO_BL2_ROMLIB_OPTIMIZATION UL(0)
#endif
/*
@@ -127,14 +129,14 @@
*/
#if TRUSTED_BOARD_BOOT
#if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
-# define PLAT_ARM_MAX_BL2_SIZE UL(0x1F000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1F000) - JUNO_BL2_ROMLIB_OPTIMIZATION)
#elif TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA
-# define PLAT_ARM_MAX_BL2_SIZE UL(0x1D000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1D000) - JUNO_BL2_ROMLIB_OPTIMIZATION)
#else
-# define PLAT_ARM_MAX_BL2_SIZE UL(0x1D000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1D000) - JUNO_BL2_ROMLIB_OPTIMIZATION)
#endif
#else
-# define PLAT_ARM_MAX_BL2_SIZE UL(0xF000)
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0xF000) - JUNO_BL2_ROMLIB_OPTIMIZATION)
#endif
/*