Broadcom-s Trusted Firmware A https://git.openwrt.org/project/bcm63xx/atf/atom?h=master 2021-12-24T12:15:12Z 2021-12-24T12:15:12Z Rafał Miłecki 2021-12-24T12:15:12Z urn:sha1:e6d46baf3fae79f693f90bf34f7284c3dfc64aef This includes all bcm63xx families (some of them don't follow that naming schema - like BCM4908). All that code has been extracted from the RAXE500_RAXE450-V1.0.8.70_GPL_release.zip . Signed-off-by: Rafał Miłecki <rafal@milecki.pl> 2019-09-13T15:54:21Z Andre Przywara 2019-07-15T08:00:23Z urn:sha1:3ef45dda88c83413c2c554212956d7966fab2807 If a firmware component like TF-A reserves special memory regions for its own or secure payload services, it should announce the location and size of those regions to the non-secure world. This will avoid disappointment when some rich OS tries to acccess this memory, which will likely end in a crash. The traditional way of advertising reserved memory using device tree is using the special memreserve feature of the device tree blob (DTB). However by definition those regions mentioned there do not prevent the rich OS to map this memory, which may lead to speculative accesses to this memory and hence spurious bus errors. A safer way of carving out memory is to use the /reserved-memory node as part of the normal DT structure. Besides being easier to setup, this also defines an explicit "no-map" property to signify the secure-only nature of certain memory regions, which avoids the rich OS to accidentally step on it. Add a helper function to allow platform ports to easily add a region. Change-Id: I2b92676cf48fd3bdacda05b5c6b1c7952ebed68c Signed-off-by: Andre Przywara <andre.przywara@arm.com> 2019-09-13T15:54:21Z Andre Przywara 2019-07-10T16:27:17Z urn:sha1:f240728b76c05ac507189a37375b120379eda650 The QEMU platform port scans its device tree to advertise PSCI as the CPU enable method. It does this by scanning *every* node in the DT and check whether its compatible string starts with "arm,cortex-a". Then it sets the enable-method to PSCI, if it doesn't already have one. Other platforms might want to use this functionality as well, so let's move it out of the QEMU platform directory and make it more robust by fixing some shortcomings: - A compatible string starting with a certain prefix is not a good way to find the CPU nodes. For instance a "arm,cortex-a72-pmu" node will match as well and is in turn favoured with an enable-method. - If the DT already has an enable-method, we won't change this to PSCI. Those two issues will for instance fail on the Raspberry Pi 4 DT. To fix those problems, we adjust the scanning method: The DT spec says that all CPU nodes are subnodes of the mandatory /cpus node, which is a subnode of the root node. Also each CPU node has to have a device_type = "cpu" property. So we find the /cpus node, then scan for a subnode with the proper device_type, forcing the enable-method to "psci". We have to restart this search after a property has been patched, as the node offsets might have changed meanwhile. This allows this routine to be reused for the Raspberry Pi 4 later. Change-Id: I00cae16cc923d9f8bb96a9b2a2933b9a79b06139 Signed-off-by: Andre Przywara <andre.przywara@arm.com> 2019-08-01T20:45:03Z Julius Werner 2019-07-09T21:02:43Z urn:sha1:402b3cf8766fe2cb4ae462f7ee7761d08a1ba56c NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__. All common C compilers pre-define the same macros to signal which architecture the code is being compiled for: __arm__ for AArch32 (or earlier versions) and __aarch64__ for AArch64. There's no need for TF-A to define its own custom macros for this. In order to unify code with the export headers (which use __aarch64__ to avoid another dependency), let's deprecate the AARCH32 and AARCH64 macros and switch the code base over to the pre-defined standard macro. (Since it is somewhat unintuitive that __arm__ only means AArch32, let's standardize on only using __aarch64__.) Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200 Signed-off-by: Julius Werner <jwerner@chromium.org> 2019-08-01T20:14:12Z Julius Werner 2019-07-09T20:49:11Z urn:sha1:d5dfdeb65ff5b7f24dded201d2945c7b74565ce8 NOTE: __ASSEMBLY__ macro is now deprecated in favor of __ASSEMBLER__. All common C compilers predefine a macro called __ASSEMBLER__ when preprocessing a .S file. There is no reason for TF-A to define it's own __ASSEMBLY__ macro for this purpose instead. To unify code with the export headers (which use __ASSEMBLER__ to avoid one extra dependency), let's deprecate __ASSEMBLY__ and switch the code base over to the predefined standard. Change-Id: Id7d0ec8cf330195da80499c68562b65cb5ab7417 Signed-off-by: Julius Werner <jwerner@chromium.org> 2019-07-24T03:25:34Z Julius Werner 2019-05-30T00:01:46Z urn:sha1:d9af1f7b6f4ec29d42d15936f254215ad061569f BL31 used to take a single bl31_params_t parameter structure with entry point information in arg0. In commit 726002263 (Add new version of image loading.) this API was changed to a more flexible linked list approach, and the old parameter structure was copied into all platforms that still used the old format. This duplicated code unnecessarily among all these platforms. This patch adds a helper function that platforms can optionally link to outsource the task of interpreting arg0. Many platforms are just interested in the BL32 and BL33 entry point information anyway. Since some platforms still need to support the old version 1 parameters, the helper will support both formats when ERROR_DEPRECATED == 0. This allows those platforms to drop a bunch of boilerplate code and asynchronously update their BL2 implementation to the newer format. Change-Id: I9e6475adb1a7d4bccea666118bd1c54962e9fc38 Signed-off-by: Julius Werner <jwerner@chromium.org> 2019-07-24T03:25:34Z Julius Werner 2019-05-29T04:03:58Z urn:sha1:57bf6057721306d1ad1af1122a831789ded92885 This patch adds a new include/export/ directory meant for inclusion in third-party code. This is useful for cases where third-party code needs to interact with TF-A interfaces and data structures (such as a custom BL2-implementation like coreboot handing off to BL31). Directly including headers from the TF-A repository avoids having to duplicate all these definitions (and risk them going stale), but with the current header structure this is not possible because handoff API definitions are too deeply intertwined with other TF code/headers and chain-include other headers that will not be available in the other environment. The new approach aims to solve this by separating only the parts that are really needed into these special headers that are self-contained and will not chain-include other (non-export) headers. TF-A code should never include them directly but should instead always include the respective wrapper header, which will include the required prerequisites (like <stdint.h>) before including the export header. Third-party code can include the export headers via its own wrappers that make sure the necessary definitions are available in whatever way that environment can provide them. Change-Id: Ifd769320ba51371439a8e5dd5b79c2516c3b43ab Signed-off-by: Julius Werner <jwerner@chromium.org> 2019-07-24T03:25:34Z Julius Werner 2019-07-24T03:00:13Z urn:sha1:9352be88033900f89aa50dfbb13a13d40d698a9e It's not a good idea to use u_register_t for the members of aapcs64_params_t and aapcs32_params_t, since the width of that type always depends on the current execution environment. This would cause problems if e.g. we used this structure to set up the entry point of an AArch32 program from within an AArch64 program. (It doesn't seem like any code is doing that today, but it's probably still a good idea to write this defensively. Also, it helps with my next patch.) Change-Id: I12c04a85611f2b6702589f3362bea3e6a7c9f776 Signed-off-by: Julius Werner <jwerner@chromium.org> 2019-05-24T13:44:45Z Alexei Fedorov 2019-05-24T11:17:09Z urn:sha1:9fc59639e649f614318f78ae2ca103fe102405ec This patch adds the functionality needed for platforms to provide Branch Target Identification (BTI) extension, introduced to AArch64 in Armv8.5-A by adding BTI instruction used to mark valid targets for indirect branches. The patch sets new GP bit [50] to the stage 1 Translation Table Block and Page entries to denote guarded EL3 code pages which will cause processor to trap instructions in protected pages trying to perform an indirect branch to any instruction other than BTI. BTI feature is selected by BRANCH_PROTECTION option which supersedes the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication and is disabled by default. Enabling BTI requires compiler support and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0. The assembly macros and helpers are modified to accommodate the BTI instruction. This is an experimental feature. Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3 is now made as an internal flag and BRANCH_PROTECTION flag should be used instead to enable Pointer Authentication. Note. USE_LIBROM=1 option is currently not supported. Change-Id: Ifaf4438609b16647dc79468b70cd1f47a623362e Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com> 2019-03-01T11:23:58Z Antonio Niño Díaz 2019-03-01T11:23:58Z urn:sha1:a4acc7f16500d7856f3317f8412665249da7e947 Tegra scatter file support