fix(ras): restrict RAS support for NS world
Current RAS framework in TF-A only supports handling errors originating
from NS world but the HANDLE_EA_EL3_FIRST flag configures it for all
lower Els. To make the current design of RAS explicit, rename this macro
to HANDLE_EA_EL3_FIRST_NS and set EA bit in scr_el3 only when
switching to NS world.
Note: I am unaware of any platform which traps errors originating in
Secure world to EL3, if there is any such platform then it need to
be explicitly implemented in TF-A
Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: If58eb201d8fa792c16325c85c26056e9b409b750
diff --git a/docs/components/ras.rst b/docs/components/ras.rst
index b435349..871be2d 100644
--- a/docs/components/ras.rst
+++ b/docs/components/ras.rst
@@ -6,10 +6,11 @@
later CPUs, and also an optional extension to the base Armv8.0 architecture.
In conjunction with the |EHF|, support for RAS extension enables firmware-first
-paradigm for handling platform errors: exceptions resulting from errors are
-routed to and handled in EL3. Said errors are Synchronous External Abort (SEA),
-Asynchronous External Abort (signalled as SErrors), Fault Handling and Error
-Recovery interrupts. The |EHF| document mentions various :ref:`error handling
+paradigm for handling platform errors: exceptions resulting from errors in
+Non-secure world are routed to and handled in EL3.
+Said errors are Synchronous External Abort (SEA), Asynchronous External Abort
+(signalled as SErrors), Fault Handling and Error Recovery interrupts.
+The |EHF| document mentions various :ref:`error handling
use-cases <delegation-use-cases>` .
For the description of Arm RAS extensions, Standard Error Records, and the
@@ -29,7 +30,7 @@
.. __: `Standard Error Record helpers`_
The build option ``RAS_EXTENSION`` when set to ``1`` includes the RAS in run
-time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST`` must also
+time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST_NS`` must also
be set ``1``. ``RAS_TRAP_NS_ERR_REC_ACCESS`` controls the access to the RAS
error record registers from Non-secure.
@@ -198,8 +199,8 @@
- ``EL3_EXCEPTION_HANDLING=1`` enables handling of exceptions at EL3. See
`Interaction with Exception Handling Framework`_;
-- ``HANDLE_EA_EL3_FIRST=1`` enables routing of External Aborts and SErrors to
- EL3.
+- ``HANDLE_EA_EL3_FIRST_NS=1`` enables routing of External Aborts and SErrors,
+ resulting from errors in NS world, to EL3.
The RAS support in |TF-A| introduces a default implementation of
``plat_ea_handler``, the External Abort handler in EL3. When ``RAS_EXTENSION``
diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst
index 5980050..26a54df 100644
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@@ -569,10 +569,11 @@
EL1 for handling. The default value of this option is ``0``, which means the
Group 0 interrupts are assumed to be handled by Secure EL1.
-- ``HANDLE_EA_EL3_FIRST``: When set to ``1``, External Aborts and SError
- Interrupts will be always trapped in EL3 i.e. in BL31 at runtime. When set to
- ``0`` (default), these exceptions will be trapped in the current exception
- level (or in EL1 if the current exception level is EL0).
+- ``HANDLE_EA_EL3_FIRST_NS``: When set to ``1``, External Aborts and SError
+ Interrupts, resulting from errors in NS world, will be always trapped in
+ EL3 i.e. in BL31 at runtime. When set to ``0`` (default), these exceptions
+ will be trapped in the current exception level (or in EL1 if the current
+ exception level is EL0).
- ``HW_ASSISTED_COHERENCY``: On most Arm systems to-date, platform-specific
software operations are required for CPUs to enter and exit coherency.
@@ -725,7 +726,7 @@
or later CPUs. This flag can take the values 0 to 2, to align with the
``FEATURE_DETECTION`` mechanism.
- When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST`` must also be
+ When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST_NS`` must also be
set to ``1``.
This option is disabled by default.
diff --git a/docs/plat/marvell/armada/build.rst b/docs/plat/marvell/armada/build.rst
index adb9603..ff7b573 100644
--- a/docs/plat/marvell/armada/build.rst
+++ b/docs/plat/marvell/armada/build.rst
@@ -165,14 +165,14 @@
Armada37x0 specific build options:
-- HANDLE_EA_EL3_FIRST
+- HANDLE_EA_EL3_FIRST_NS
- When ``HANDLE_EA_EL3_FIRST=1``, External Aborts and SError Interrupts will be always trapped
- in TF-A. TF-A in this case enables dirty hack / workaround for a bug found in U-Boot and
- Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks SError interrupt
- caused by AXI SLVERR on external access (syndrome 0xbf000002).
+ When ``HANDLE_EA_EL3_FIRST_NS=1``, External Aborts and SError Interrupts, resulting from errors
+ in NS world, will be always trapped in TF-A. TF-A in this case enables dirty hack / workaround for
+ a bug found in U-Boot and Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks
+ SError interrupt caused by AXI SLVERR on external access (syndrome 0xbf000002).
- Otherwise when ``HANDLE_EA_EL3_FIRST=0``, these exceptions will be trapped in the current
+ Otherwise when ``HANDLE_EA_EL3_FIRST_NS=0``, these exceptions will be trapped in the current
exception level (or in EL1 if the current exception level is EL0). So exceptions caused by
U-Boot will be trapped in U-Boot, exceptions caused by Linux kernel (or user applications)
will be trapped in Linux kernel.
@@ -185,8 +185,8 @@
recommended to not enable this workaround as it disallows propagating of all External Aborts
to running Linux kernel and makes correctable errors as fatal aborts.
- This option is now disabled by default. In past this option was enabled by default in
- TF-A versions v2.2, v2.3, v2.4 and v2.5.
+ This option is now disabled by default. In past this option has different name "HANDLE_EA_EL3_FIRST" and
+ was enabled by default in TF-A versions v2.2, v2.3, v2.4 and v2.5.
- CM3_SYSTEM_RESET