Broadcom-s Trusted Firmware A https://git.openwrt.org/project/bcm63xx/atf/atom?h=master 2019-10-03T13:38:31Z 2019-10-03T13:38:31Z Imre Kis 2019-07-22T12:36:30Z urn:sha1:78f02ae2968dd0a78e0e686f8cf0886fa296f4eb Change-Id: I1ea2bf088f1e001cdbd377cbfb7c6a2866af0422 Signed-off-by: Imre Kis <imre.kis@arm.com> 2019-10-03T10:22:06Z Soby Mathew 2019-10-03T10:22:06Z urn:sha1:251b2643fc932a776466881d79f144daa5e905ad 2019-10-03T09:09:04Z Usama Arif 2019-09-26T15:07:53Z urn:sha1:59ffec157ca8d675165f122c901c1ff198a810bc a5ds only has always-on power domain and there is no power control present. However, without the pwr_domain_off handler, the kernel panics when the user will try to switch off secondary cores. The a5ds_pwr_domain_off handler will prevent kernel from crashing, i.e. the kernel will attempt but fail to shut down the secondary CPUs if the user tries to switch them offline. Change-Id: I3c2239a1b6f035113ddbdda063c8495000cbe30c Signed-off-by: Usama Arif <usama.arif@arm.com> 2019-10-02T16:12:28Z Imre Kis 2019-07-18T12:30:03Z urn:sha1:6ad216dca5e388f9aa1518a20a81c836c7eb2d21 Change-Id: I645442d52a295706948e2cac88c36c1a3cb0bc47 Signed-off-by: Imre Kis <imre.kis@arm.com> 2019-09-30T11:55:31Z Artsem Artsemenka 2019-09-16T14:11:21Z urn:sha1:a4668c36f1fca75bce99cb706ba7c27e0c16454d Not tested on FVP Model. Change-Id: Iedebc5c1fbc7ea577e94142b7feafa5546f1f4f9 Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> 2019-09-27T09:49:23Z Soby Mathew 2019-09-27T09:49:23Z urn:sha1:757d904b2f5ddde6e1537d04e6d1b87f541ba737 * changes: a5ds: add multicore support a5ds: Hold the secondary cpus in pen rather than panic 2019-09-27T09:42:37Z Soby Mathew 2019-09-27T09:42:37Z urn:sha1:41bda863305eae92db2e4e18cd057797765d261c * changes: Migrate ARM platforms to use the new GICv3 API Adding new optional PSCI hook pwr_domain_on_finish_late GICv3: Enable multi socket GIC redistributor frame discovery 2019-09-26T03:06:49Z Madhukar Pappireddy 2019-06-10T21:54:36Z urn:sha1:6806cd2381901d424b40ba3f17d23f5ffa4ca57e This patch invokes the new function gicv3_rdistif_probe() in the ARM platform specific gicv3 driver. Since this API modifies the shared GIC related data structure, it must be invoked coherently by using the platform specific pwr_domain_on_finish_late hook. Change-Id: I6efb17d5da61545a1c5a6641b8f58472b31e62a8 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com> 2019-09-25T07:33:40Z Sandrine Bailleux 2019-07-23T13:41:06Z urn:sha1:bd363d356f3d0f5c9d64e35eaee166a4c3fc7e5e The Fast Models provide a non-volatile counter component, which is used in the Trusted Board Boot implementation to protect against rollback attacks. This component comes in 2 versions (see [1]). - Version 0 is the default and models a locked non-volatile counter, whose value is fixed. - Version 1 of the counter may be incremented in a monotonic fashion. plat_set_nv_ctr() must cope with both versions. This is achieved by: 1) Attempting to write the new value in the counter. 2) Reading the value back. 3) If there is a mismatch, we know the counter upgrade failed. When using version 0 of the counter, no upgrade is possible so the function is expected to fail all the time. However, the code is missing a compiler barrier between the write operation and the next read. Thus, the compiler may optimize and remove the read operation on the basis that the counter value has not changed. With the default optimization level used in TF-A (-Os), this is what's happening. The fix introduced in this patch marks the write and subsequent read accesses to the counter as volatile, such that the compiler makes no assumption about the value of the counter. Note that the comment above plat_set_nv_ctr() was clearly stating that when using the read-only version of the non-volatile counter, "we expect the values in the certificates to always match the RO values so that this function is never called". However, the fact that the counter value was read back seems to contradict this comment, as it is implementing a counter-measure against misuse of the function. The comment has been reworded to avoid any confusion. Without this patch, this bug may be demonstrated on the Base AEM FVP: - Using version 0 of the non-volatile counter (default version). - With certificates embedding a revision number value of 32 (compiling TF-A with TFW_NVCTR_VAL=32). In this configuration, the non-volatile counter is tied to value 31 by default. When BL1 loads the Trusted Boot Firmware certificate, it notices that the two values do not match and tries to upgrade the non-volatile counter. This write operation is expected to fail (because the counter is locked) and the function is expected to return an error but it succeeds instead. As a result, the trusted boot does not abort as soon as it should and incorrectly boots BL2. The boot is finally aborted when BL2 verifies the BL31 image and figures out that the version of the SoC Firmware Key Certificate does not match. On Arm platforms, only certificates signed with the Root-of-Trust Key may trigger an upgrade of the non-volatile Trusted counter. [1] https://developer.arm.com/docs/100964/1160/fast-models-components/peripheral-components/nonvolatilecounter Change-Id: I9979f29c23b47b338b9b484013d1fb86c59db92f Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> 2019-09-23T16:08:05Z Usama Arif 2019-09-19T10:07:24Z urn:sha1:ec885bacb247e9a88c0e21406bdf42821eb340c7 Enable cores 1-3 using psci. On receiving the smc call from kernel, core 0 will bring the secondary cores out pen and signal an event for the cores. Currently on switching the cores is enabled i.e. it is not possible to suspend, switch cores off, etc. Change-Id: I6087e1d2ec650e1d587fd543efc1b08cbb50ae5f Signed-off-by: Usama Arif <usama.arif@arm.com>