Merge "feat(imx8m): move the gpc reg & macro to a separate header file" into integration
diff --git a/docs/design/cpu-specific-build-macros.rst b/docs/design/cpu-specific-build-macros.rst
index bb12d7d..69d3722 100644
--- a/docs/design/cpu-specific-build-macros.rst
+++ b/docs/design/cpu-specific-build-macros.rst
@@ -117,7 +117,8 @@
- ``ERRATA_A53_836870``: This applies errata 836870 workaround to Cortex-A53
CPU. This needs to be enabled only for revision <= r0p3 of the CPU. From
- r0p4 and onwards, this errata is enabled by default in hardware.
+ r0p4 and onwards, this errata is enabled by default in hardware. Identical to
+ ``A53_DISABLE_NON_TEMPORAL_HINT``.
- ``ERRATA_A53_843419``: This applies erratum 843419 workaround at link time
to Cortex-A53 CPU. This needs to be enabled for some variants of revision
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 71ec9b1..c50ed8e 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -7,10 +7,7 @@
This document provides a generic threat model for TF-A firmware.
-.. note::
-
- This threat model doesn't consider Root and Realm worlds introduced by
- :ref:`Realm Management Extension (RME)`.
+.. _Target of Evaluation:
********************
Target of Evaluation
@@ -36,33 +33,12 @@
- There is no Secure-EL2. We don't consider threats that may come with
Secure-EL2 software.
+- There are no Root and Realm worlds. These are introduced by :ref:`Realm
+ Management Extension (RME)`.
+
- No experimental features are enabled. We do not consider threats that may come
from them.
-.. note::
-
- In the current Measured Boot design, BL1, BL2, and BL31, as well as the
- secure world components, form the |SRTM|. Measurement data is currently
- considered an asset to be protected against attack, and this is achieved
- by storing them in the Secure Memory.
- Beyond the measurements stored inside the TCG-compliant Event Log buffer,
- there are no other assets to protect or threats to defend against that
- could compromise |TF-A| execution environment's security.
-
- There are general security assets and threats associated with remote/delegated
- attestation. However, these are outside the |TF-A| security boundary and
- should be dealt with by the appropriate agent in the platform/system.
- Since current Measured Boot design does not use local attestation, there would
- be no further assets to protect(like unsealed keys).
-
- A limitation of the current Measured Boot design is that it is dependent upon
- Secure Boot as implementation of Measured Boot does not extend measurements
- into a discrete |TPM|, where they would be securely stored and protected
- against tampering. This implies that if Secure-Boot is compromised, Measured
- Boot may also be compromised.
-
- Platforms must carefully evaluate the security of the default implementation
- since the |SRTM| includes all secure world components.
Data Flow Diagram
=================
@@ -286,201 +262,16 @@
Also, some mitigations require enabling specific features, which must be
explicitly turned on via a build flag.
-These are highlighted in the ``Mitigations implemented?`` box.
-
-+------------------------+----------------------------------------------------+
-| ID | 01 |
-+========================+====================================================+
-| Threat | | **An attacker can mangle firmware images to |
-| | execute arbitrary code** |
-| | |
-| | | Some TF-A images are loaded from external |
-| | storage. It is possible for an attacker to access|
-| | the external flash memory and change its contents|
-| | physically, through the Rich OS, or using the |
-| | updating mechanism to modify the non-volatile |
-| | images to execute arbitrary code. |
-+------------------------+----------------------------------------------------+
-| Diagram Elements | DF1, DF4, DF5 |
-+------------------------+----------------------------------------------------+
-| Affected TF-A | BL2, BL31 |
-| Components | |
-+------------------------+----------------------------------------------------+
-| Assets | Code Execution |
-+------------------------+----------------------------------------------------+
-| Threat Agent | PhysicalAccess, NSCode, SecCode |
-+------------------------+----------------------------------------------------+
-| Threat Type | Tampering, Elevation of Privilege |
-+------------------------+------------------+-----------------+---------------+
-| Application | Server | IoT | Mobile |
-+------------------------+------------------+-----------------+---------------+
-| Impact | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+------------------+-----------------+---------------+
-| Likelihood | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+------------------+-----------------+---------------+
-| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
-+------------------------+------------------+-----------------+---------------+
-| Mitigations | | 1) Implement the `Trusted Board Boot (TBB)`_ |
-| | feature which prevents malicious firmware from |
-| | running on the platform by authenticating all |
-| | firmware images. |
-| | |
-| | | 2) Perform extra checks on unauthenticated data, |
-| | such as FIP metadata, prior to use. |
-+------------------------+----------------------------------------------------+
-| Mitigations | | 1) Yes, provided that the ``TRUSTED_BOARD_BOOT`` |
-| implemented? | build option is set to 1. |
-| | |
-| | | 2) Yes. |
-+------------------------+----------------------------------------------------+
-
-+------------------------+----------------------------------------------------+
-| ID | 02 |
-+========================+====================================================+
-| Threat | | **An attacker may attempt to boot outdated, |
-| | potentially vulnerable firmware image** |
-| | |
-| | | When updating firmware, an attacker may attempt |
-| | to rollback to an older version that has unfixed |
-| | vulnerabilities. |
-+------------------------+----------------------------------------------------+
-| Diagram Elements | DF1, DF4, DF5 |
-+------------------------+----------------------------------------------------+
-| Affected TF-A | BL2, BL31 |
-| Components | |
-+------------------------+----------------------------------------------------+
-| Assets | Code Execution |
-+------------------------+----------------------------------------------------+
-| Threat Agent | PhysicalAccess, NSCode, SecCode |
-+------------------------+----------------------------------------------------+
-| Threat Type | Tampering |
-+------------------------+------------------+-----------------+---------------+
-| Application | Server | IoT | Mobile |
-+------------------------+------------------+-----------------+---------------+
-| Impact | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+------------------+-----------------+---------------+
-| Likelihood | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+------------------+-----------------+---------------+
-| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
-+------------------------+------------------+-----------------+---------------+
-| Mitigations | Implement anti-rollback protection using |
-| | non-volatile counters (NV counters) as required |
-| | by `TBBR-Client specification`_. |
-+------------------------+----------------------------------------------------+
-| Mitigations | | Yes / Platform specific. |
-| implemented? | |
-| | | After a firmware image is validated, the image |
-| | revision number taken from a certificate |
-| | extension field is compared with the |
-| | corresponding NV counter stored in hardware to |
-| | make sure the new counter value is larger than |
-| | the current counter value. |
-| | |
-| | | **Platforms must implement this protection using |
-| | platform specific hardware NV counters.** |
-+------------------------+----------------------------------------------------+
+When such conditions must be met, these are highlighted in the ``Mitigations
+implemented?`` box.
-+------------------------+-------------------------------------------------------+
-| ID | 03 |
-+========================+=======================================================+
-| Threat | | **An attacker can use Time-of-Check-Time-of-Use |
-| | (TOCTOU) attack to bypass image authentication |
-| | during the boot process** |
-| | |
-| | | Time-of-Check-Time-of-Use (TOCTOU) threats occur |
-| | when the security check is produced before the time |
-| | the resource is accessed. If an attacker is sitting |
-| | in the middle of the off-chip images, they could |
-| | change the binary containing executable code right |
-| | after the integrity and authentication check has |
-| | been performed. |
-+------------------------+-------------------------------------------------------+
-| Diagram Elements | DF1 |
-+------------------------+-------------------------------------------------------+
-| Affected TF-A | BL1, BL2 |
-| Components | |
-+------------------------+-------------------------------------------------------+
-| Assets | Code Execution, Sensitive Data |
-+------------------------+-------------------------------------------------------+
-| Threat Agent | PhysicalAccess |
-+------------------------+-------------------------------------------------------+
-| Threat Type | Elevation of Privilege |
-+------------------------+---------------------+-----------------+---------------+
-| Application | Server | IoT | Mobile |
-+------------------------+---------------------+-----------------+---------------+
-| Impact | N/A | Critical (5) | Critical (5) |
-+------------------------+---------------------+-----------------+---------------+
-| Likelihood | N/A | Medium (3) | Medium (3) |
-+------------------------+---------------------+-----------------+---------------+
-| Total Risk Rating | N/A | High (15) | High (15) |
-+------------------------+---------------------+-----------------+---------------+
-| Mitigations | Copy image to on-chip memory before authenticating |
-| | it. |
-+------------------------+-------------------------------------------------------+
-| Mitigations | | Platform specific. |
-| implemented? | |
-| | | The list of images to load and their location is |
-| | platform specific. Platforms are responsible for |
-| | arranging images to be loaded in on-chip memory. |
-+------------------------+-------------------------------------------------------+
+As our :ref:`Target of Evaluation` is made of several, distinct firmware images,
+some threats are confined in specific images, while others apply to each of
+them. To help developers implement mitigations in the right place, threats below
+are categorized based on the firmware image that should mitigate them.
-+------------------------+-------------------------------------------------------+
-| ID | 04 |
-+========================+=======================================================+
-| Threat | | **An attacker with physical access can execute |
-| | arbitrary image by bypassing the signature |
-| | verification stage using glitching techniques** |
-| | |
-| | | Glitching (Fault injection) attacks attempt to put |
-| | a hardware into a undefined state by manipulating an|
-| | environmental variable such as power supply. |
-| | |
-| | | TF-A relies on a chain of trust that starts with the|
-| | ROTPK, which is the key stored inside the chip and |
-| | the root of all validation processes. If an attacker|
-| | can break this chain of trust, they could execute |
-| | arbitrary code on the device. This could be |
-| | achieved with physical access to the device by |
-| | attacking the normal execution flow of the |
-| | process using glitching techniques that target |
-| | points where the image is validated against the |
-| | signature. |
-+------------------------+-------------------------------------------------------+
-| Diagram Elements | DF1 |
-+------------------------+-------------------------------------------------------+
-| Affected TF-A | BL1, BL2 |
-| Components | |
-+------------------------+-------------------------------------------------------+
-| Assets | Code Execution |
-+------------------------+-------------------------------------------------------+
-| Threat Agent | PhysicalAccess |
-+------------------------+-------------------------------------------------------+
-| Threat Type | Tampering, Elevation of Privilege |
-+------------------------+---------------------+-----------------+---------------+
-| Application | Server | IoT | Mobile |
-+------------------------+---------------------+-----------------+---------------+
-| Impact | N/A | Critical (5) | Critical (5) |
-+------------------------+---------------------+-----------------+---------------+
-| Likelihood | N/A | Medium (3) | Medium (3) |
-+------------------------+---------------------+-----------------+---------------+
-| Total Risk Rating | N/A | High (15) | High (15) |
-+------------------------+---------------------+-----------------+---------------+
-| Mitigations | Mechanisms to detect clock glitch and power |
-| | variations. |
-+------------------------+-------------------------------------------------------+
-| Mitigations | | No. |
-| implemented? | |
-| | | The most effective mitigation is adding glitching |
-| | detection and mitigation circuit at the hardware |
-| | level. |
-| | |
-| | | However, software techniques, such as adding |
-| | redundant checks when performing conditional |
-| | branches that are security sensitive, can be used |
-| | to harden TF-A against such attacks. |
-| | **At the moment TF-A doesn't implement such |
-| | mitigations.** |
-+------------------------+-------------------------------------------------------+
+General Threats for All Firmware Images
+---------------------------------------
+------------------------+---------------------------------------------------+
| ID | 05 |
@@ -598,77 +389,34 @@
+------------------------+----------------------------------------------------+
+------------------------+------------------------------------------------------+
-| ID | 07 |
+| ID | 08 |
+========================+======================================================+
-| Threat | | **An attacker can perform a denial-of-service |
-| | attack by using a broken SMC call that causes the |
-| | system to reboot or enter into unknown state.** |
+| Threat | | **Memory corruption due to memory overflows and |
+| | lack of boundary checking when accessing resources |
+| | could allow an attacker to execute arbitrary code, |
+| | modify some state variable to change the normal |
+| | flow of the program, or leak sensitive |
+| | information** |
| | |
-| | | Secure and non-secure clients access TF-A services |
-| | through SMC calls. Malicious code can attempt to |
-| | place the TF-A runtime into an inconsistent state |
-| | by calling unimplemented SMC call or by passing |
-| | invalid arguments. |
+| | | Like in other software, TF-A has multiple points |
+| | where memory corruption security errors can arise. |
+| | |
+| | | Some of the errors include integer overflow, |
+| | buffer overflow, incorrect array boundary checks, |
+| | and incorrect error management. |
+| | Improper use of asserts instead of proper input |
+| | validations might also result in these kinds of |
+| | errors in release builds. |
+------------------------+------------------------------------------------------+
| Diagram Elements | DF4, DF5 |
+------------------------+------------------------------------------------------+
-| Affected TF-A | BL31 |
+| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+------------------------------------------------------+
-| Assets | Availability |
+| Assets | Code Execution, Sensitive Data |
+------------------------+------------------------------------------------------+
| Threat Agent | NSCode, SecCode |
+------------------------+------------------------------------------------------+
-| Threat Type | Denial of Service |
-+------------------------+-------------------+----------------+-----------------+
-| Application | Server | IoT | Mobile |
-+------------------------+-------------------+----------------+-----------------+
-| Impact | Medium (3) | Medium (3) | Medium (3) |
-+------------------------+-------------------+----------------+-----------------+
-| Likelihood | High (4) | High (4) | High (4) |
-+------------------------+-------------------+----------------+-----------------+
-| Total Risk Rating | High (12) | High (12) | High (12) |
-+------------------------+-------------------+----------------+-----------------+
-| Mitigations | Validate SMC function ids and arguments before using |
-| | them. |
-+------------------------+------------------------------------------------------+
-| Mitigations | | Yes / Platform specific. |
-| implemented? | |
-| | | For standard services, all input is validated. |
-| | |
-| | | Platforms that implement SiP services must also |
-| | validate SMC call arguments. |
-+------------------------+------------------------------------------------------+
-
-+------------------------+------------------------------------------------------+
-| ID | 08 |
-+========================+======================================================+
-| Threat | | **Memory corruption due to memory overflows and |
-| | lack of boundary checking when accessing resources |
-| | could allow an attacker to execute arbitrary code, |
-| | modify some state variable to change the normal |
-| | flow of the program, or leak sensitive |
-| | information** |
-| | |
-| | | Like in other software, TF-A has multiple points |
-| | where memory corruption security errors can arise. |
-| | |
-| | | Some of the errors include integer overflow, |
-| | buffer overflow, incorrect array boundary checks, |
-| | and incorrect error management. |
-| | Improper use of asserts instead of proper input |
-| | validations might also result in these kinds of |
-| | errors in release builds. |
-+------------------------+------------------------------------------------------+
-| Diagram Elements | DF4, DF5 |
-+------------------------+------------------------------------------------------+
-| Affected TF-A | BL1, BL2, BL31 |
-| Components | |
-+------------------------+------------------------------------------------------+
-| Assets | Code Execution, Sensitive Data |
-+------------------------+------------------------------------------------------+
-| Threat Agent | NSCode, SecCode |
-+------------------------+------------------------------------------------------+
| Threat Type | Tampering, Information Disclosure, |
| | Elevation of Privilege |
+------------------------+-------------------+-----------------+----------------+
@@ -712,6 +460,380 @@
| | platforms. |
+------------------------+------------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 11 |
++========================+====================================================+
+| Threat | | **Misconfiguration of the Memory Management Unit |
+| | (MMU) may allow a normal world software to |
+| | access sensitive data, execute arbitrary |
+| | code or access otherwise restricted HW |
+| | interface** |
+| | |
+| | | A misconfiguration of the MMU could |
+| | lead to an open door for software running in the |
+| | normal world to access sensitive data or even |
+| | execute code if the proper security mechanisms |
+| | are not in place. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF5, DF6 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | BL1, BL2, BL31 |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Sensitive Data, Code execution |
++------------------------+----------------------------------------------------+
+| Threat Agent | NSCode |
++------------------------+----------------------------------------------------+
+| Threat Type | Information Disclosure, Elevation of Privilege |
++------------------------+-----------------+-----------------+----------------+
+| Application | Server | IoT | Mobile |
++------------------------+-----------------+-----------------+----------------+
+| Impact | Critical (5) | Critical (5) | Critical (5) |
++------------------------+-----------------+-----------------+----------------+
+| Likelihood | High (4) | High (4) | High (4) |
++------------------------+-----------------+-----------------+----------------+
+| Total Risk Rating | Critical (20) | Critical (20) | Critical (20) |
++------------------------+-----------------+-----------------+----------------+
+| Mitigations | When configuring access permissions, the |
+| | principle of least privilege ought to be |
+| | enforced. This means we should not grant more |
+| | privileges than strictly needed, e.g. code |
+| | should be read-only executable, read-only data |
+| | should be read-only execute-never, and so on. |
++------------------------+----------------------------------------------------+
+| Mitigations | | Platform specific. |
+| implemented? | |
+| | | MMU configuration is platform specific, |
+| | therefore platforms need to make sure that the |
+| | correct attributes are assigned to memory |
+| | regions. |
+| | |
+| | | TF-A provides a library which abstracts the |
+| | low-level details of MMU configuration. It |
+| | provides well-defined and tested APIs. |
+| | Platforms are encouraged to use it to limit the |
+| | risk of misconfiguration. |
++------------------------+----------------------------------------------------+
+
+
++------------------------+-----------------------------------------------------+
+| ID | 13 |
++========================+=====================================================+
+| Threat | | **Leaving sensitive information in the memory, |
+| | can allow an attacker to retrieve them.** |
+| | |
+| | | Accidentally leaving not-needed sensitive data in |
+| | internal buffers can leak them if an attacker |
+| | gains access to memory due to a vulnerability. |
++------------------------+-----------------------------------------------------+
+| Diagram Elements | DF4, DF5 |
++------------------------+-----------------------------------------------------+
+| Affected TF-A | BL1, BL2, BL31 |
+| Components | |
++------------------------+-----------------------------------------------------+
+| Assets | Sensitive Data |
++------------------------+-----------------------------------------------------+
+| Threat Agent | NSCode, SecCode |
++------------------------+-----------------------------------------------------+
+| Threat Type | Information Disclosure |
++------------------------+-------------------+----------------+----------------+
+| Application | Server | IoT | Mobile |
++------------------------+-------------------+----------------+----------------+
+| Impact | Critical (5) | Critical (5) | Critical (5) |
++------------------------+-------------------+----------------+----------------+
+| Likelihood | Medium (3) | Medium (3) | Medium (3) |
++------------------------+-------------------+----------------+----------------+
+| Total Risk Rating | High (15) | High (15) | High (15) |
++------------------------+-------------------+----------------+----------------+
+| Mitigations | Clear the sensitive data from internal buffers as |
+| | soon as they are not needed anymore. |
++------------------------+-----------------------------------------------------+
+| Mitigations | | Yes / Platform specific |
++------------------------+-----------------------------------------------------+
+
+
+Threats to be Mitigated by the Boot Firmware
+--------------------------------------------
+
+The boot firmware here refers to the boot ROM (BL1) and the trusted boot
+firmware (BL2). Typically it does not stay resident in memory and it is
+dismissed once execution has reached the runtime EL3 firmware (BL31). Thus, past
+that point in time, the threats below can no longer be exploited.
+
+Note, however, that this is not necessarily true on all platforms. Platform
+vendors should review these threats to make sure they cannot be exploited
+nonetheless once execution has reached the runtime EL3 firmware.
+
++------------------------+----------------------------------------------------+
+| ID | 01 |
++========================+====================================================+
+| Threat | | **An attacker can mangle firmware images to |
+| | execute arbitrary code** |
+| | |
+| | | Some TF-A images are loaded from external |
+| | storage. It is possible for an attacker to access|
+| | the external flash memory and change its contents|
+| | physically, through the Rich OS, or using the |
+| | updating mechanism to modify the non-volatile |
+| | images to execute arbitrary code. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF4, DF5 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | BL2, BL31 |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Code Execution |
++------------------------+----------------------------------------------------+
+| Threat Agent | PhysicalAccess, NSCode, SecCode |
++------------------------+----------------------------------------------------+
+| Threat Type | Tampering, Elevation of Privilege |
++------------------------+------------------+-----------------+---------------+
+| Application | Server | IoT | Mobile |
++------------------------+------------------+-----------------+---------------+
+| Impact | Critical (5) | Critical (5) | Critical (5) |
++------------------------+------------------+-----------------+---------------+
+| Likelihood | Critical (5) | Critical (5) | Critical (5) |
++------------------------+------------------+-----------------+---------------+
+| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
++------------------------+------------------+-----------------+---------------+
+| Mitigations | | 1) Implement the `Trusted Board Boot (TBB)`_ |
+| | feature which prevents malicious firmware from |
+| | running on the platform by authenticating all |
+| | firmware images. |
+| | |
+| | | 2) Perform extra checks on unauthenticated data, |
+| | such as FIP metadata, prior to use. |
++------------------------+----------------------------------------------------+
+| Mitigations | | 1) Yes, provided that the ``TRUSTED_BOARD_BOOT`` |
+| implemented? | build option is set to 1. |
+| | |
+| | | 2) Yes. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 02 |
++========================+====================================================+
+| Threat | | **An attacker may attempt to boot outdated, |
+| | potentially vulnerable firmware image** |
+| | |
+| | | When updating firmware, an attacker may attempt |
+| | to rollback to an older version that has unfixed |
+| | vulnerabilities. |
++------------------------+----------------------------------------------------+
+| Diagram Elements | DF1, DF4, DF5 |
++------------------------+----------------------------------------------------+
+| Affected TF-A | BL2, BL31 |
+| Components | |
++------------------------+----------------------------------------------------+
+| Assets | Code Execution |
++------------------------+----------------------------------------------------+
+| Threat Agent | PhysicalAccess, NSCode, SecCode |
++------------------------+----------------------------------------------------+
+| Threat Type | Tampering |
++------------------------+------------------+-----------------+---------------+
+| Application | Server | IoT | Mobile |
++------------------------+------------------+-----------------+---------------+
+| Impact | Critical (5) | Critical (5) | Critical (5) |
++------------------------+------------------+-----------------+---------------+
+| Likelihood | Critical (5) | Critical (5) | Critical (5) |
++------------------------+------------------+-----------------+---------------+
+| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
++------------------------+------------------+-----------------+---------------+
+| Mitigations | Implement anti-rollback protection using |
+| | non-volatile counters (NV counters) as required |
+| | by `TBBR-Client specification`_. |
++------------------------+----------------------------------------------------+
+| Mitigations | | Yes / Platform specific. |
+| implemented? | |
+| | | After a firmware image is validated, the image |
+| | revision number taken from a certificate |
+| | extension field is compared with the |
+| | corresponding NV counter stored in hardware to |
+| | make sure the new counter value is larger than |
+| | the current counter value. |
+| | |
+| | | **Platforms must implement this protection using |
+| | platform specific hardware NV counters.** |
++------------------------+----------------------------------------------------+
+
+
++------------------------+-------------------------------------------------------+
+| ID | 03 |
++========================+=======================================================+
+| Threat | | **An attacker can use Time-of-Check-Time-of-Use |
+| | (TOCTOU) attack to bypass image authentication |
+| | during the boot process** |
+| | |
+| | | Time-of-Check-Time-of-Use (TOCTOU) threats occur |
+| | when the security check is produced before the time |
+| | the resource is accessed. If an attacker is sitting |
+| | in the middle of the off-chip images, they could |
+| | change the binary containing executable code right |
+| | after the integrity and authentication check has |
+| | been performed. |
++------------------------+-------------------------------------------------------+
+| Diagram Elements | DF1 |
++------------------------+-------------------------------------------------------+
+| Affected TF-A | BL1, BL2 |
+| Components | |
++------------------------+-------------------------------------------------------+
+| Assets | Code Execution, Sensitive Data |
++------------------------+-------------------------------------------------------+
+| Threat Agent | PhysicalAccess |
++------------------------+-------------------------------------------------------+
+| Threat Type | Elevation of Privilege |
++------------------------+---------------------+-----------------+---------------+
+| Application | Server | IoT | Mobile |
++------------------------+---------------------+-----------------+---------------+
+| Impact | N/A | Critical (5) | Critical (5) |
++------------------------+---------------------+-----------------+---------------+
+| Likelihood | N/A | Medium (3) | Medium (3) |
++------------------------+---------------------+-----------------+---------------+
+| Total Risk Rating | N/A | High (15) | High (15) |
++------------------------+---------------------+-----------------+---------------+
+| Mitigations | Copy image to on-chip memory before authenticating |
+| | it. |
++------------------------+-------------------------------------------------------+
+| Mitigations | | Platform specific. |
+| implemented? | |
+| | | The list of images to load and their location is |
+| | platform specific. Platforms are responsible for |
+| | arranging images to be loaded in on-chip memory. |
++------------------------+-------------------------------------------------------+
+
+
++------------------------+-------------------------------------------------------+
+| ID | 04 |
++========================+=======================================================+
+| Threat | | **An attacker with physical access can execute |
+| | arbitrary image by bypassing the signature |
+| | verification stage using glitching techniques** |
+| | |
+| | | Glitching (Fault injection) attacks attempt to put |
+| | a hardware into a undefined state by manipulating an|
+| | environmental variable such as power supply. |
+| | |
+| | | TF-A relies on a chain of trust that starts with the|
+| | ROTPK, which is the key stored inside the chip and |
+| | the root of all validation processes. If an attacker|
+| | can break this chain of trust, they could execute |
+| | arbitrary code on the device. This could be |
+| | achieved with physical access to the device by |
+| | attacking the normal execution flow of the |
+| | process using glitching techniques that target |
+| | points where the image is validated against the |
+| | signature. |
++------------------------+-------------------------------------------------------+
+| Diagram Elements | DF1 |
++------------------------+-------------------------------------------------------+
+| Affected TF-A | BL1, BL2 |
+| Components | |
++------------------------+-------------------------------------------------------+
+| Assets | Code Execution |
++------------------------+-------------------------------------------------------+
+| Threat Agent | PhysicalAccess |
++------------------------+-------------------------------------------------------+
+| Threat Type | Tampering, Elevation of Privilege |
++------------------------+---------------------+-----------------+---------------+
+| Application | Server | IoT | Mobile |
++------------------------+---------------------+-----------------+---------------+
+| Impact | N/A | Critical (5) | Critical (5) |
++------------------------+---------------------+-----------------+---------------+
+| Likelihood | N/A | Medium (3) | Medium (3) |
++------------------------+---------------------+-----------------+---------------+
+| Total Risk Rating | N/A | High (15) | High (15) |
++------------------------+---------------------+-----------------+---------------+
+| Mitigations | Mechanisms to detect clock glitch and power |
+| | variations. |
++------------------------+-------------------------------------------------------+
+| Mitigations | | No. |
+| implemented? | |
+| | | The most effective mitigation is adding glitching |
+| | detection and mitigation circuit at the hardware |
+| | level. |
+| | |
+| | | However, software techniques, such as adding |
+| | redundant checks when performing conditional |
+| | branches that are security sensitive, can be used |
+| | to harden TF-A against such attacks. |
+| | **At the moment TF-A doesn't implement such |
+| | mitigations.** |
++------------------------+-------------------------------------------------------+
+
+.. topic:: Measured Boot Threats (or lack of)
+
+ In the current Measured Boot design, BL1, BL2, and BL31, as well as the
+ secure world components, form the |SRTM|. Measurement data is currently
+ considered an asset to be protected against attack, and this is achieved
+ by storing them in the Secure Memory.
+ Beyond the measurements stored inside the TCG-compliant Event Log buffer,
+ there are no other assets to protect or threats to defend against that
+ could compromise |TF-A| execution environment's security.
+
+ There are general security assets and threats associated with remote/delegated
+ attestation. However, these are outside the |TF-A| security boundary and
+ should be dealt with by the appropriate agent in the platform/system.
+ Since current Measured Boot design does not use local attestation, there would
+ be no further assets to protect(like unsealed keys).
+
+ A limitation of the current Measured Boot design is that it is dependent upon
+ Secure Boot as implementation of Measured Boot does not extend measurements
+ into a discrete |TPM|, where they would be securely stored and protected
+ against tampering. This implies that if Secure-Boot is compromised, Measured
+ Boot may also be compromised.
+
+ Platforms must carefully evaluate the security of the default implementation
+ since the |SRTM| includes all secure world components.
+
+
+Threats to be Mitigated by the Runtime EL3 Firmware
+---------------------------------------------------
+
++------------------------+------------------------------------------------------+
+| ID | 07 |
++========================+======================================================+
+| Threat | | **An attacker can perform a denial-of-service |
+| | attack by using a broken SMC call that causes the |
+| | system to reboot or enter into unknown state.** |
+| | |
+| | | Secure and non-secure clients access TF-A services |
+| | through SMC calls. Malicious code can attempt to |
+| | place the TF-A runtime into an inconsistent state |
+| | by calling unimplemented SMC call or by passing |
+| | invalid arguments. |
++------------------------+------------------------------------------------------+
+| Diagram Elements | DF4, DF5 |
++------------------------+------------------------------------------------------+
+| Affected TF-A | BL31 |
+| Components | |
++------------------------+------------------------------------------------------+
+| Assets | Availability |
++------------------------+------------------------------------------------------+
+| Threat Agent | NSCode, SecCode |
++------------------------+------------------------------------------------------+
+| Threat Type | Denial of Service |
++------------------------+-------------------+----------------+-----------------+
+| Application | Server | IoT | Mobile |
++------------------------+-------------------+----------------+-----------------+
+| Impact | Medium (3) | Medium (3) | Medium (3) |
++------------------------+-------------------+----------------+-----------------+
+| Likelihood | High (4) | High (4) | High (4) |
++------------------------+-------------------+----------------+-----------------+
+| Total Risk Rating | High (12) | High (12) | High (12) |
++------------------------+-------------------+----------------+-----------------+
+| Mitigations | Validate SMC function ids and arguments before using |
+| | them. |
++------------------------+------------------------------------------------------+
+| Mitigations | | Yes / Platform specific. |
+| implemented? | |
+| | | For standard services, all input is validated. |
+| | |
+| | | Platforms that implement SiP services must also |
+| | validate SMC call arguments. |
++------------------------+------------------------------------------------------+
+
+
+------------------------+------------------------------------------------------+
| ID | 09 |
+========================+======================================================+
@@ -795,60 +917,6 @@
| | attacks. |
+------------------------+-----------------------------------------------------+
-+------------------------+----------------------------------------------------+
-| ID | 11 |
-+========================+====================================================+
-| Threat | | **Misconfiguration of the Memory Management Unit |
-| | (MMU) may allow a normal world software to |
-| | access sensitive data, execute arbitrary |
-| | code or access otherwise restricted HW |
-| | interface** |
-| | |
-| | | A misconfiguration of the MMU could |
-| | lead to an open door for software running in the |
-| | normal world to access sensitive data or even |
-| | execute code if the proper security mechanisms |
-| | are not in place. |
-+------------------------+----------------------------------------------------+
-| Diagram Elements | DF5, DF6 |
-+------------------------+----------------------------------------------------+
-| Affected TF-A | BL1, BL2, BL31 |
-| Components | |
-+------------------------+----------------------------------------------------+
-| Assets | Sensitive Data, Code execution |
-+------------------------+----------------------------------------------------+
-| Threat Agent | NSCode |
-+------------------------+----------------------------------------------------+
-| Threat Type | Information Disclosure, Elevation of Privilege |
-+------------------------+-----------------+-----------------+----------------+
-| Application | Server | IoT | Mobile |
-+------------------------+-----------------+-----------------+----------------+
-| Impact | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+-----------------+-----------------+----------------+
-| Likelihood | High (4) | High (4) | High (4) |
-+------------------------+-----------------+-----------------+----------------+
-| Total Risk Rating | Critical (20) | Critical (20) | Critical (20) |
-+------------------------+-----------------+-----------------+----------------+
-| Mitigations | When configuring access permissions, the |
-| | principle of least privilege ought to be |
-| | enforced. This means we should not grant more |
-| | privileges than strictly needed, e.g. code |
-| | should be read-only executable, read-only data |
-| | should be read-only execute-never, and so on. |
-+------------------------+----------------------------------------------------+
-| Mitigations | | Platform specific. |
-| implemented? | |
-| | | MMU configuration is platform specific, |
-| | therefore platforms need to make sure that the |
-| | correct attributes are assigned to memory |
-| | regions. |
-| | |
-| | | TF-A provides a library which abstracts the |
-| | low-level details of MMU configuration. It |
-| | provides well-defined and tested APIs. |
-| | Platforms are encouraged to use it to limit the |
-| | risk of misconfiguration. |
-+------------------------+----------------------------------------------------+
+------------------------+-----------------------------------------------------+
| ID | 12 |
@@ -905,40 +973,9 @@
| | mitigated. |
+------------------------+-----------------------------------------------------+
-+------------------------+-----------------------------------------------------+
-| ID | 13 |
-+========================+=====================================================+
-| Threat | | **Leaving sensitive information in the memory, |
-| | can allow an attacker to retrieve them.** |
-| | |
-| | | Accidentally leaving not-needed sensitive data in |
-| | internal buffers can leak them if an attacker |
-| | gains access to memory due to a vulnerability. |
-+------------------------+-----------------------------------------------------+
-| Diagram Elements | DF4, DF5 |
-+------------------------+-----------------------------------------------------+
-| Affected TF-A | BL1, BL2, BL31 |
-| Components | |
-+------------------------+-----------------------------------------------------+
-| Assets | Sensitive Data |
-+------------------------+-----------------------------------------------------+
-| Threat Agent | NSCode, SecCode |
-+------------------------+-----------------------------------------------------+
-| Threat Type | Information Disclosure |
-+------------------------+-------------------+----------------+----------------+
-| Application | Server | IoT | Mobile |
-+------------------------+-------------------+----------------+----------------+
-| Impact | Critical (5) | Critical (5) | Critical (5) |
-+------------------------+-------------------+----------------+----------------+
-| Likelihood | Medium (3) | Medium (3) | Medium (3) |
-+------------------------+-------------------+----------------+----------------+
-| Total Risk Rating | High (15) | High (15) | High (15) |
-+------------------------+-------------------+----------------+----------------+
-| Mitigations | Clear the sensitive data from internal buffers as |
-| | soon as they are not needed anymore. |
-+------------------------+-----------------------------------------------------+
-| Mitigations | | Yes / Platform specific |
-+------------------------+-----------------------------------------------------+
+
+Threats to be Mitigated by an External Agent Outside of TF-A
+------------------------------------------------------------
+------------------------+-----------------------------------------------------+
| ID | 14 |
diff --git a/drivers/ufs/ufs.c b/drivers/ufs/ufs.c
index b8137c2..5ba5eb0 100644
--- a/drivers/ufs/ufs.c
+++ b/drivers/ufs/ufs.c
@@ -540,6 +540,7 @@
query_upiu->trans_type = QUERY_REQUEST_UPIU;
query_upiu->task_tag = utrd->task_tag;
+ query_upiu->data_segment_len = htobe16(length);
query_upiu->ts.desc.opcode = op;
query_upiu->ts.desc.idn = idn;
query_upiu->ts.desc.index = index;
diff --git a/include/arch/aarch64/arch.h b/include/arch/aarch64/arch.h
index 951f023..c10102a 100644
--- a/include/arch/aarch64/arch.h
+++ b/include/arch/aarch64/arch.h
@@ -1379,6 +1379,13 @@
#define HCRX_EL2_INIT_VAL ULL(0x0)
/*******************************************************************************
+ * FEAT_FGT - Definitions for Fine-Grained Trap registers
+ ******************************************************************************/
+#define HFGITR_EL2_INIT_VAL ULL(0x180000000000000)
+#define HFGRTR_EL2_INIT_VAL ULL(0xC4000000000000)
+#define HFGWTR_EL2_INIT_VAL ULL(0xC4000000000000)
+
+/*******************************************************************************
* FEAT_TCR2 - Extended Translation Control Register
******************************************************************************/
#define TCR2_EL2 S3_4_C2_C0_3
diff --git a/include/lib/cpus/aarch64/nevis.h b/include/lib/cpus/aarch64/nevis.h
new file mode 100644
index 0000000..7006a29
--- /dev/null
+++ b/include/lib/cpus/aarch64/nevis.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef NEVIS_H
+#define NEVIS_H
+
+#define NEVIS_MIDR U(0x410FD8A0)
+
+/*******************************************************************************
+ * CPU Extended Control register specific definitions
+ ******************************************************************************/
+#define NEVIS_CPUECTLR_EL1 S3_0_C15_C1_4
+
+/*******************************************************************************
+ * CPU Power Control register specific definitions
+ ******************************************************************************/
+#define NEVIS_IMP_CPUPWRCTLR_EL1 S3_0_C15_C2_7
+#define NEVIS_IMP_CPUPWRCTLR_EL1_CORE_PWRDN_EN_BIT U(1)
+
+#endif /* NEVIS_H */
diff --git a/lib/cpus/aarch32/cortex_a57.S b/lib/cpus/aarch32/cortex_a57.S
index 18ee1f9..1e5377b 100644
--- a/lib/cpus/aarch32/cortex_a57.S
+++ b/lib/cpus/aarch32/cortex_a57.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -86,6 +86,8 @@
b cpu_rev_var_ls
endfunc check_errata_806969
+add_erratum_entry cortex_a57, ERRATUM(806969), ERRATA_A57_806969
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #813419.
* This applies only to revision r0p0 of Cortex A57.
@@ -101,6 +103,8 @@
bx lr
endfunc check_errata_813419
+add_erratum_entry cortex_a57, ERRATUM(813419), ERRATA_A57_813419
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #813420.
* This applies only to revision r0p0 of Cortex A57.
@@ -130,6 +134,8 @@
b cpu_rev_var_ls
endfunc check_errata_813420
+add_erratum_entry cortex_a57, ERRATUM(813420), ERRATA_A57_813420
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #814670.
* This applies only to revision r0p0 of Cortex A57.
@@ -159,6 +165,8 @@
b cpu_rev_var_ls
endfunc check_errata_814670
+add_erratum_entry cortex_a57, ERRATUM(814670), ERRATA_A57_814670
+
/* ----------------------------------------------------
* Errata Workaround for Cortex A57 Errata #817169.
* This applies only to revision <= r0p1 of Cortex A57.
@@ -173,6 +181,8 @@
bx lr
endfunc check_errata_817169
+add_erratum_entry cortex_a57, ERRATUM(817169), ERRATA_A57_817169
+
/* --------------------------------------------------------------------
* Disable the over-read from the LDNP instruction.
*
@@ -205,6 +215,8 @@
b cpu_rev_var_ls
endfunc check_errata_disable_ldnp_overread
+add_erratum_entry cortex_a57, ERRATUM(1), A57_DISABLE_NON_TEMPORAL_HINT, disable_ldnp_overread
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #826974.
* This applies only to revision <= r1p1 of Cortex A57.
@@ -234,6 +246,8 @@
b cpu_rev_var_ls
endfunc check_errata_826974
+add_erratum_entry cortex_a57, ERRATUM(826974), ERRATA_A57_826974
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #826977.
* This applies only to revision <= r1p1 of Cortex A57.
@@ -263,6 +277,8 @@
b cpu_rev_var_ls
endfunc check_errata_826977
+add_erratum_entry cortex_a57, ERRATUM(826977), ERRATA_A57_826977
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #828024.
* This applies only to revision <= r1p1 of Cortex A57.
@@ -298,6 +314,8 @@
b cpu_rev_var_ls
endfunc check_errata_828024
+add_erratum_entry cortex_a57, ERRATUM(828024), ERRATA_A57_828024
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #829520.
* This applies only to revision <= r1p2 of Cortex A57.
@@ -327,6 +345,8 @@
b cpu_rev_var_ls
endfunc check_errata_829520
+add_erratum_entry cortex_a57, ERRATUM(829520), ERRATA_A57_829520
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #833471.
* This applies only to revision <= r1p2 of Cortex A57.
@@ -356,6 +376,8 @@
b cpu_rev_var_ls
endfunc check_errata_833471
+add_erratum_entry cortex_a57, ERRATUM(833471), ERRATA_A57_833471
+
/* ---------------------------------------------------
* Errata Workaround for Cortex A57 Errata #859972.
* This applies only to revision <= r1p3 of Cortex A57.
@@ -382,11 +404,15 @@
b cpu_rev_var_ls
endfunc check_errata_859972
+add_erratum_entry cortex_a57, ERRATUM(859972), ERRATA_A57_859972
+
func check_errata_cve_2017_5715
mov r0, #ERRATA_MISSING
bx lr
endfunc check_errata_cve_2017_5715
+add_erratum_entry cortex_a57, CVE(2017, 5715), WORKAROUND_CVE_2017_5715
+
func check_errata_cve_2018_3639
#if WORKAROUND_CVE_2018_3639
mov r0, #ERRATA_APPLIES
@@ -396,11 +422,15 @@
bx lr
endfunc check_errata_cve_2018_3639
+add_erratum_entry cortex_a57, CVE(2018, 3639), WORKAROUND_CVE_2018_3639
+
func check_errata_cve_2022_23960
mov r0, #ERRATA_MISSING
bx lr
endfunc check_errata_cve_2022_23960
+add_erratum_entry cortex_a57, CVE(2022, 23960), WORKAROUND_CVE_2022_23960
+
/* -------------------------------------------------
* The CPU Ops reset function for Cortex-A57.
* Shall clobber: r0-r6
@@ -576,41 +606,7 @@
b cortex_a57_disable_ext_debug
endfunc cortex_a57_cluster_pwr_dwn
-#if REPORT_ERRATA
-/*
- * Errata printing function for Cortex A57. Must follow AAPCS.
- */
-func cortex_a57_errata_report
- push {r12, lr}
-
- bl cpu_get_rev_var
- mov r4, r0
-
- /*
- * Report all errata. The revision-variant information is passed to
- * checking functions of each errata.
- */
- report_errata ERRATA_A57_806969, cortex_a57, 806969
- report_errata ERRATA_A57_813419, cortex_a57, 813419
- report_errata ERRATA_A57_813420, cortex_a57, 813420
- report_errata ERRATA_A57_814670, cortex_a57, 814670
- report_errata ERRATA_A57_817169, cortex_a57, 817169
- report_errata A57_DISABLE_NON_TEMPORAL_HINT, cortex_a57, \
- disable_ldnp_overread
- report_errata ERRATA_A57_826974, cortex_a57, 826974
- report_errata ERRATA_A57_826977, cortex_a57, 826977
- report_errata ERRATA_A57_828024, cortex_a57, 828024
- report_errata ERRATA_A57_829520, cortex_a57, 829520
- report_errata ERRATA_A57_833471, cortex_a57, 833471
- report_errata ERRATA_A57_859972, cortex_a57, 859972
- report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
- report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639
- report_errata WORKAROUND_CVE_2022_23960, cortex_a57, cve_2022_23960
-
- pop {r12, lr}
- bx lr
-endfunc cortex_a57_errata_report
-#endif
+errata_report_shim cortex_a57
declare_cpu_ops cortex_a57, CORTEX_A57_MIDR, \
cortex_a57_reset_func, \
diff --git a/lib/cpus/aarch64/cortex_a53.S b/lib/cpus/aarch64/cortex_a53.S
index ecaf422..e6fb08a 100644
--- a/lib/cpus/aarch64/cortex_a53.S
+++ b/lib/cpus/aarch64/cortex_a53.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2014-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -12,19 +12,12 @@
#include <plat_macros.S>
#include <lib/cpus/errata.h>
-#if A53_DISABLE_NON_TEMPORAL_HINT
-#undef ERRATA_A53_836870
-#define ERRATA_A53_836870 1
-#endif
-
/* ---------------------------------------------
* Disable L1 data cache and unified L2 cache
* ---------------------------------------------
*/
func cortex_a53_disable_dcache
- mrs x1, sctlr_el3
- bic x1, x1, #SCTLR_C_BIT
- msr sctlr_el3, x1
+ sysreg_bit_clear sctlr_el3, SCTLR_C_BIT
isb
ret
endfunc cortex_a53_disable_dcache
@@ -34,169 +27,38 @@
* ---------------------------------------------
*/
func cortex_a53_disable_smp
- mrs x0, CORTEX_A53_ECTLR_EL1
- bic x0, x0, #CORTEX_A53_ECTLR_SMP_BIT
- msr CORTEX_A53_ECTLR_EL1, x0
+ sysreg_bit_clear CORTEX_A53_ECTLR_EL1, CORTEX_A53_ECTLR_SMP_BIT
isb
dsb sy
ret
endfunc cortex_a53_disable_smp
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A53 Errata #819472.
- * This applies only to revision <= r0p1 of Cortex A53.
- * Due to the nature of the errata it is applied unconditionally
- * when built in, report it as applicable in this case
- * ---------------------------------------------------
- */
-func check_errata_819472
-#if ERRATA_A53_819472
- mov x0, #ERRATA_APPLIES
- ret
-#else
- mov x1, #0x01
- b cpu_rev_var_ls
-#endif
-endfunc check_errata_819472
+/* Due to the nature of the errata it is applied unconditionally when chosen */
+check_erratum_ls cortex_a53, ERRATUM(819472), CPU_REV(0, 1)
+/* erratum workaround is interleaved with generic code */
+add_erratum_entry cortex_a53, ERRATUM(819472), ERRATUM_ALWAYS_CHOSEN, NO_APPLY_AT_RESET
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A53 Errata #824069.
- * This applies only to revision <= r0p2 of Cortex A53.
- * Due to the nature of the errata it is applied unconditionally
- * when built in, report it as applicable in this case
- * ---------------------------------------------------
- */
-func check_errata_824069
-#if ERRATA_A53_824069
- mov x0, #ERRATA_APPLIES
- ret
-#else
- mov x1, #0x02
- b cpu_rev_var_ls
-#endif
-endfunc check_errata_824069
+/* Due to the nature of the errata it is applied unconditionally when chosen */
+check_erratum_ls cortex_a53, ERRATUM(824069), CPU_REV(0, 2)
+/* erratum workaround is interleaved with generic code */
+add_erratum_entry cortex_a53, ERRATUM(824069), ERRATUM_ALWAYS_CHOSEN, NO_APPLY_AT_RESET
- /* --------------------------------------------------
- * Errata Workaround for Cortex A53 Errata #826319.
- * This applies only to revision <= r0p2 of Cortex A53.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * --------------------------------------------------
- */
-func errata_a53_826319_wa
- /*
- * Compare x0 against revision r0p2
- */
- mov x17, x30
- bl check_errata_826319
- cbz x0, 1f
+workaround_reset_start cortex_a53, ERRATUM(826319), ERRATA_A53_826319
mrs x1, CORTEX_A53_L2ACTLR_EL1
bic x1, x1, #CORTEX_A53_L2ACTLR_ENABLE_UNIQUECLEAN
orr x1, x1, #CORTEX_A53_L2ACTLR_DISABLE_CLEAN_PUSH
msr CORTEX_A53_L2ACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a53_826319_wa
-
-func check_errata_826319
- mov x1, #0x02
- b cpu_rev_var_ls
-endfunc check_errata_826319
-
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A53 Errata #827319.
- * This applies only to revision <= r0p2 of Cortex A53.
- * Due to the nature of the errata it is applied unconditionally
- * when built in, report it as applicable in this case
- * ---------------------------------------------------
- */
-func check_errata_827319
-#if ERRATA_A53_827319
- mov x0, #ERRATA_APPLIES
- ret
-#else
- mov x1, #0x02
- b cpu_rev_var_ls
-#endif
-endfunc check_errata_827319
-
- /* ---------------------------------------------------------------------
- * Disable the cache non-temporal hint.
- *
- * This ignores the Transient allocation hint in the MAIR and treats
- * allocations the same as non-transient allocation types. As a result,
- * the LDNP and STNP instructions in AArch64 behave the same as the
- * equivalent LDP and STP instructions.
- *
- * This is relevant only for revisions <= r0p3 of Cortex-A53.
- * From r0p4 and onwards, the bit to disable the hint is enabled by
- * default at reset.
- *
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------------------------
- */
-func a53_disable_non_temporal_hint
- /*
- * Compare x0 against revision r0p3
- */
- mov x17, x30
- bl check_errata_disable_non_temporal_hint
- cbz x0, 1f
- mrs x1, CORTEX_A53_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A53_CPUACTLR_EL1_DTAH
- msr CORTEX_A53_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc a53_disable_non_temporal_hint
-
-func check_errata_disable_non_temporal_hint
- mov x1, #0x03
- b cpu_rev_var_ls
-endfunc check_errata_disable_non_temporal_hint
-
- /* --------------------------------------------------
- * Errata Workaround for Cortex A53 Errata #855873.
- *
- * This applies only to revisions >= r0p3 of Cortex A53.
- * Earlier revisions of the core are affected as well, but don't
- * have the chicken bit in the CPUACTLR register. It is expected that
- * the rich OS takes care of that, especially as the workaround is
- * shared with other erratas in those revisions of the CPU.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * --------------------------------------------------
- */
-func errata_a53_855873_wa
- /*
- * Compare x0 against revision r0p3 and higher
- */
- mov x17, x30
- bl check_errata_855873
- cbz x0, 1f
+workaround_reset_end cortex_a53, ERRATUM(826319)
- mrs x1, CORTEX_A53_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A53_CPUACTLR_EL1_ENDCCASCI
- msr CORTEX_A53_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a53_855873_wa
+check_erratum_ls cortex_a53, ERRATUM(826319), CPU_REV(0, 2)
-func check_errata_855873
- mov x1, #0x03
- b cpu_rev_var_hs
-endfunc check_errata_855873
+/* Due to the nature of the errata it is applied unconditionally when chosen */
+check_erratum_ls cortex_a53, ERRATUM(827319), CPU_REV(0, 2)
+/* erratum workaround is interleaved with generic code */
+add_erratum_entry cortex_a53, ERRATUM(827319), ERRATUM_ALWAYS_CHOSEN, NO_APPLY_AT_RESET
-/*
- * Errata workaround for Cortex A53 Errata #835769.
- * This applies to revisions <= r0p4 of Cortex A53.
- * This workaround is statically enabled at build time.
- */
-func check_errata_835769
- cmp x0, #0x04
+check_erratum_custom_start cortex_a53, ERRATUM(835769)
+ cmp x0, CPU_REV(0, 4)
b.hi errata_not_applies
/*
* Fix potentially available for revisions r0p2, r0p3 and r0p4.
@@ -213,17 +75,29 @@
mov x0, #ERRATA_NOT_APPLIES
exit_check_errata_835769:
ret
-endfunc check_errata_835769
+check_erratum_custom_end cortex_a53, ERRATUM(835769)
-/*
- * Errata workaround for Cortex A53 Errata #843419.
- * This applies to revisions <= r0p4 of Cortex A53.
- * This workaround is statically enabled at build time.
- */
-func check_errata_843419
+/* workaround at build time */
+add_erratum_entry cortex_a53, ERRATUM(835769), ERRATA_A53_835769, NO_APPLY_AT_RESET
+
+ /*
+ * Disable the cache non-temporal hint.
+ *
+ * This ignores the Transient allocation hint in the MAIR and treats
+ * allocations the same as non-transient allocation types. As a result,
+ * the LDNP and STNP instructions in AArch64 behave the same as the
+ * equivalent LDP and STP instructions.
+ */
+workaround_reset_start cortex_a53, ERRATUM(836870), ERRATA_A53_836870 | A53_DISABLE_NON_TEMPORAL_HINT
+ sysreg_bit_set CORTEX_A53_CPUACTLR_EL1, CORTEX_A53_CPUACTLR_EL1_DTAH
+workaround_reset_end cortex_a53, ERRATUM(836870)
+
+check_erratum_ls cortex_a53, ERRATUM(836870), CPU_REV(0, 3)
+
+check_erratum_custom_start cortex_a53, ERRATUM(843419)
mov x1, #ERRATA_APPLIES
mov x2, #ERRATA_NOT_APPLIES
- cmp x0, #0x04
+ cmp x0, CPU_REV(0, 4)
csel x0, x1, x2, ls
/*
* Fix potentially available for revision r0p4.
@@ -237,58 +111,32 @@
mov x0, x2
exit_check_errata_843419:
ret
-endfunc check_errata_843419
+check_erratum_custom_end cortex_a53, ERRATUM(843419)
- /* --------------------------------------------------
- * Errata workaround for Cortex A53 Errata #1530924.
- * This applies to all revisions of Cortex A53.
- * --------------------------------------------------
- */
-func check_errata_1530924
-#if ERRATA_A53_1530924
- mov x0, #ERRATA_APPLIES
-#else
- mov x0, #ERRATA_MISSING
-#endif
- ret
-endfunc check_errata_1530924
+/* workaround at build time */
+add_erratum_entry cortex_a53, ERRATUM(843419), ERRATA_A53_843419, NO_APPLY_AT_RESET
- /* -------------------------------------------------
- * The CPU Ops reset function for Cortex-A53.
- * Shall clobber: x0-x19
- * -------------------------------------------------
+ /*
+ * Earlier revisions of the core are affected as well, but don't
+ * have the chicken bit in the CPUACTLR register. It is expected that
+ * the rich OS takes care of that, especially as the workaround is
+ * shared with other erratas in those revisions of the CPU.
*/
-func cortex_a53_reset_func
- mov x19, x30
- bl cpu_get_rev_var
- mov x18, x0
+workaround_reset_start cortex_a53, ERRATUM(855873), ERRATA_A53_855873
+ sysreg_bit_set CORTEX_A53_CPUACTLR_EL1, CORTEX_A53_CPUACTLR_EL1_ENDCCASCI
+workaround_reset_end cortex_a53, ERRATUM(855873)
+check_erratum_hs cortex_a53, ERRATUM(855873), CPU_REV(0, 3)
-#if ERRATA_A53_826319
- mov x0, x18
- bl errata_a53_826319_wa
-#endif
+check_erratum_chosen cortex_a53, ERRATUM(1530924), ERRATA_A53_1530924
-#if ERRATA_A53_836870
- mov x0, x18
- bl a53_disable_non_temporal_hint
-#endif
+/* erratum has no workaround in the cpu. Generic code must take care */
+add_erratum_entry cortex_a53, ERRATUM(1530924), ERRATA_A53_1530924, NO_APPLY_AT_RESET
-#if ERRATA_A53_855873
- mov x0, x18
- bl errata_a53_855873_wa
-#endif
-
- /* ---------------------------------------------
- * Enable the SMP bit.
- * ---------------------------------------------
- */
- mrs x0, CORTEX_A53_ECTLR_EL1
- orr x0, x0, #CORTEX_A53_ECTLR_SMP_BIT
- msr CORTEX_A53_ECTLR_EL1, x0
- isb
- ret x19
-endfunc cortex_a53_reset_func
+cpu_reset_func_start cortex_a53
+ /* Enable the SMP bit. */
+ sysreg_bit_set CORTEX_A53_ECTLR_EL1, CORTEX_A53_ECTLR_SMP_BIT
+cpu_reset_func_end cortex_a53
func cortex_a53_core_pwr_dwn
mov x18, x30
@@ -351,34 +199,7 @@
b cortex_a53_disable_smp
endfunc cortex_a53_cluster_pwr_dwn
-#if REPORT_ERRATA
-/*
- * Errata printing function for Cortex A53. Must follow AAPCS.
- */
-func cortex_a53_errata_report
- stp x8, x30, [sp, #-16]!
-
- bl cpu_get_rev_var
- mov x8, x0
-
- /*
- * Report all errata. The revision-variant information is passed to
- * checking functions of each errata.
- */
- report_errata ERRATA_A53_819472, cortex_a53, 819472
- report_errata ERRATA_A53_824069, cortex_a53, 824069
- report_errata ERRATA_A53_826319, cortex_a53, 826319
- report_errata ERRATA_A53_827319, cortex_a53, 827319
- report_errata ERRATA_A53_835769, cortex_a53, 835769
- report_errata ERRATA_A53_836870, cortex_a53, disable_non_temporal_hint
- report_errata ERRATA_A53_843419, cortex_a53, 843419
- report_errata ERRATA_A53_855873, cortex_a53, 855873
- report_errata ERRATA_A53_1530924, cortex_a53, 1530924
-
- ldp x8, x30, [sp], #16
- ret
-endfunc cortex_a53_errata_report
-#endif
+errata_report_shim cortex_a53
/* ---------------------------------------------
* This function provides cortex_a53 specific
diff --git a/lib/cpus/aarch64/cortex_a57.S b/lib/cpus/aarch64/cortex_a57.S
index 3766ec7..8fafaca 100644
--- a/lib/cpus/aarch64/cortex_a57.S
+++ b/lib/cpus/aarch64/cortex_a57.S
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2014-2023, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2020, NVIDIA Corporation. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
@@ -18,9 +18,7 @@
* ---------------------------------------------
*/
func cortex_a57_disable_dcache
- mrs x1, sctlr_el3
- bic x1, x1, #SCTLR_C_BIT
- msr sctlr_el3, x1
+ sysreg_bit_clear sctlr_el3, SCTLR_C_BIT
isb
ret
endfunc cortex_a57_disable_dcache
@@ -46,9 +44,7 @@
* ---------------------------------------------
*/
func cortex_a57_disable_smp
- mrs x0, CORTEX_A57_ECTLR_EL1
- bic x0, x0, #CORTEX_A57_ECTLR_SMP_BIT
- msr CORTEX_A57_ECTLR_EL1, x0
+ sysreg_bit_clear CORTEX_A57_ECTLR_EL1, CORTEX_A57_ECTLR_SMP_BIT
ret
endfunc cortex_a57_disable_smp
@@ -60,227 +56,66 @@
mov x0, #1
msr osdlr_el1, x0
isb
-#if ERRATA_A57_817169
- /*
- * Invalidate any TLB address
- */
- mov x0, #0
- tlbi vae3, x0
-#endif
+
+ apply_erratum cortex_a57, ERRATUM(817169), ERRATA_A57_817169
+
dsb sy
ret
endfunc cortex_a57_disable_ext_debug
- /* --------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #806969.
- * This applies only to revision r0p0 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * --------------------------------------------------
- */
-func errata_a57_806969_wa
- /*
- * Compare x0 against revision r0p0
- */
- mov x17, x30
- bl check_errata_806969
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_NO_ALLOC_WBWA
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_806969_wa
+/*
+ * Disable the over-read from the LDNP/STNP instruction. The SDEN doesn't
+ * provide and erratum number, so assign it an obvious 1
+ */
+workaround_reset_start cortex_a57, ERRATUM(1), A57_DISABLE_NON_TEMPORAL_HINT
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_OVERREAD
+workaround_reset_end cortex_a57, ERRATUM(1)
-func check_errata_806969
- mov x1, #0x00
- b cpu_rev_var_ls
-endfunc check_errata_806969
+check_erratum_ls cortex_a57, ERRATUM(1), CPU_REV(1, 2)
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #813419.
- * This applies only to revision r0p0 of Cortex A57.
- * ---------------------------------------------------
- */
-func check_errata_813419
- /*
- * Even though this is only needed for revision r0p0, it
- * is always applied due to limitations of the current
- * errata framework.
- */
- mov x0, #ERRATA_APPLIES
- ret
-endfunc check_errata_813419
+workaround_reset_start cortex_a57, ERRATUM(806969), ERRATA_A57_806969
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_NO_ALLOC_WBWA
+workaround_reset_end cortex_a57, ERRATUM(806969)
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #813420.
- * This applies only to revision r0p0 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_813420_wa
- /*
- * Compare x0 against revision r0p0
- */
- mov x17, x30
- bl check_errata_813420
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DCC_AS_DCCI
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_813420_wa
+check_erratum_ls cortex_a57, ERRATUM(806969), CPU_REV(0, 0)
-func check_errata_813420
- mov x1, #0x00
- b cpu_rev_var_ls
-endfunc check_errata_813420
+/* erratum always worked around, but report it correctly */
+check_erratum_ls cortex_a57, ERRATUM(813419), CPU_REV(0, 0)
+add_erratum_entry cortex_a57, ERRATUM(813419), ERRATUM_ALWAYS_CHOSEN, NO_APPLY_AT_RESET
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #814670.
- * This applies only to revision r0p0 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_814670_wa
- /*
- * Compare x0 against revision r0p0
- */
- mov x17, x30
- bl check_errata_814670
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DIS_DMB_NULLIFICATION
- msr CORTEX_A57_CPUACTLR_EL1, x1
- isb
-1:
- ret x17
-endfunc errata_a57_814670_wa
+workaround_reset_start cortex_a57, ERRATUM(813420), ERRATA_A57_813420
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DCC_AS_DCCI
+workaround_reset_end cortex_a57, ERRATUM(813420)
-func check_errata_814670
- mov x1, #0x00
- b cpu_rev_var_ls
-endfunc check_errata_814670
+check_erratum_ls cortex_a57, ERRATUM(813420), CPU_REV(0, 0)
- /* ----------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #817169.
- * This applies only to revision <= r0p1 of Cortex A57.
- * ----------------------------------------------------
- */
-func check_errata_817169
- /*
- * Even though this is only needed for revision <= r0p1, it
- * is always applied because of the low cost of the workaround.
- */
- mov x0, #ERRATA_APPLIES
- ret
-endfunc check_errata_817169
+workaround_reset_start cortex_a57, ERRATUM(814670), ERRATA_A57_814670
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_DMB_NULLIFICATION
+workaround_reset_end cortex_a57, ERRATUM(814670)
- /* --------------------------------------------------------------------
- * Disable the over-read from the LDNP instruction.
- *
- * This applies to all revisions <= r1p2. The performance degradation
- * observed with LDNP/STNP has been fixed on r1p3 and onwards.
- *
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------------------------
- */
-func a57_disable_ldnp_overread
- /*
- * Compare x0 against revision r1p2
- */
- mov x17, x30
- bl check_errata_disable_ldnp_overread
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DIS_OVERREAD
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc a57_disable_ldnp_overread
+check_erratum_ls cortex_a57, ERRATUM(814670), CPU_REV(0, 0)
-func check_errata_disable_ldnp_overread
- mov x1, #0x12
- b cpu_rev_var_ls
-endfunc check_errata_disable_ldnp_overread
+workaround_runtime_start cortex_a57, ERRATUM(817169), ERRATA_A57_817169, CORTEX_A57_MIDR
+ /* Invalidate any TLB address */
+ mov x0, #0
+ tlbi vae3, x0
+workaround_runtime_end cortex_a57, ERRATUM(817169), NO_ISB
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #826974.
- * This applies only to revision <= r1p1 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_826974_wa
- /*
- * Compare x0 against revision r1p1
- */
- mov x17, x30
- bl check_errata_826974
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_DMB
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_826974_wa
+check_erratum_ls cortex_a57, ERRATUM(817169), CPU_REV(0, 1)
-func check_errata_826974
- mov x1, #0x11
- b cpu_rev_var_ls
-endfunc check_errata_826974
+workaround_reset_start cortex_a57, ERRATUM(826974), ERRATA_A57_826974
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_DMB
+workaround_reset_end cortex_a57, ERRATUM(826974)
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #826977.
- * This applies only to revision <= r1p1 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_826977_wa
- /*
- * Compare x0 against revision r1p1
- */
- mov x17, x30
- bl check_errata_826977
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_GRE_NGRE_AS_NGNRE
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_826977_wa
+check_erratum_ls cortex_a57, ERRATUM(826974), CPU_REV(1, 1)
-func check_errata_826977
- mov x1, #0x11
- b cpu_rev_var_ls
-endfunc check_errata_826977
+workaround_reset_start cortex_a57, ERRATUM(826977), ERRATA_A57_826977
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_GRE_NGRE_AS_NGNRE
+workaround_reset_end cortex_a57, ERRATUM(826977)
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #828024.
- * This applies only to revision <= r1p1 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_828024_wa
- /*
- * Compare x0 against revision r1p1
- */
- mov x17, x30
- bl check_errata_828024
- cbz x0, 1f
+check_erratum_ls cortex_a57, ERRATUM(826977), CPU_REV(1, 1)
+
+workaround_reset_start cortex_a57, ERRATUM(828024), ERRATA_A57_828024
mrs x1, CORTEX_A57_CPUACTLR_EL1
/*
* Setting the relevant bits in CPUACTLR_EL1 has to be done in 2
@@ -291,234 +126,64 @@
orr x1, x1, #(CORTEX_A57_CPUACTLR_EL1_DIS_L1_STREAMING | \
CORTEX_A57_CPUACTLR_EL1_DIS_STREAMING)
msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_828024_wa
-
-func check_errata_828024
- mov x1, #0x11
- b cpu_rev_var_ls
-endfunc check_errata_828024
-
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #829520.
- * This applies only to revision <= r1p2 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_829520_wa
- /*
- * Compare x0 against revision r1p2
- */
- mov x17, x30
- bl check_errata_829520
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DIS_INDIRECT_PREDICTOR
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_829520_wa
-
-func check_errata_829520
- mov x1, #0x12
- b cpu_rev_var_ls
-endfunc check_errata_829520
-
- /* ---------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #833471.
- * This applies only to revision <= r1p2 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber: x0-x17
- * ---------------------------------------------------
- */
-func errata_a57_833471_wa
- /*
- * Compare x0 against revision r1p2
- */
- mov x17, x30
- bl check_errata_833471
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_FORCE_FPSCR_FLUSH
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_833471_wa
-
-func check_errata_833471
- mov x1, #0x12
- b cpu_rev_var_ls
-endfunc check_errata_833471
-
- /* --------------------------------------------------
- * Errata Workaround for Cortex A57 Errata #859972.
- * This applies only to revision <= r1p3 of Cortex A57.
- * Inputs:
- * x0: variant[4:7] and revision[0:3] of current cpu.
- * Shall clobber:
- * --------------------------------------------------
- */
-func errata_a57_859972_wa
- mov x17, x30
- bl check_errata_859972
- cbz x0, 1f
- mrs x1, CORTEX_A57_CPUACTLR_EL1
- orr x1, x1, #CORTEX_A57_CPUACTLR_EL1_DIS_INSTR_PREFETCH
- msr CORTEX_A57_CPUACTLR_EL1, x1
-1:
- ret x17
-endfunc errata_a57_859972_wa
-
-func check_errata_859972
- mov x1, #0x13
- b cpu_rev_var_ls
-endfunc check_errata_859972
-
-func check_errata_cve_2017_5715
-#if WORKAROUND_CVE_2017_5715
- mov x0, #ERRATA_APPLIES
-#else
- mov x0, #ERRATA_MISSING
-#endif
- ret
-endfunc check_errata_cve_2017_5715
+workaround_reset_end cortex_a57, ERRATUM(828024)
-func check_errata_cve_2018_3639
-#if WORKAROUND_CVE_2018_3639
- mov x0, #ERRATA_APPLIES
-#else
- mov x0, #ERRATA_MISSING
-#endif
- ret
-endfunc check_errata_cve_2018_3639
+check_erratum_ls cortex_a57, ERRATUM(828024), CPU_REV(1, 1)
- /* --------------------------------------------------
- * Errata workaround for Cortex A57 Errata #1319537.
- * This applies to all revisions of Cortex A57.
- * --------------------------------------------------
- */
-func check_errata_1319537
-#if ERRATA_A57_1319537
- mov x0, #ERRATA_APPLIES
-#else
- mov x0, #ERRATA_MISSING
-#endif
- ret
-endfunc check_errata_1319537
+workaround_reset_start cortex_a57, ERRATUM(829520), ERRATA_A57_829520
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_INDIRECT_PREDICTOR
+workaround_reset_end cortex_a57, ERRATUM(829520)
- /* -------------------------------------------------
- * The CPU Ops reset function for Cortex-A57.
- * Shall clobber: x0-x19
- * -------------------------------------------------
- */
-func cortex_a57_reset_func
- mov x19, x30
- bl cpu_get_rev_var
- mov x18, x0
+check_erratum_ls cortex_a57, ERRATUM(829520), CPU_REV(1, 2)
-#if ERRATA_A57_806969
- mov x0, x18
- bl errata_a57_806969_wa
-#endif
+workaround_reset_start cortex_a57, ERRATUM(833471), ERRATA_A57_833471
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_FORCE_FPSCR_FLUSH
+workaround_reset_end cortex_a57, ERRATUM(833471)
-#if ERRATA_A57_813420
- mov x0, x18
- bl errata_a57_813420_wa
-#endif
+check_erratum_ls cortex_a57, ERRATUM(833471), CPU_REV(1, 2)
-#if ERRATA_A57_814670
- mov x0, x18
- bl errata_a57_814670_wa
-#endif
+workaround_reset_start cortex_a57, ERRATUM(859972), ERRATA_A57_859972
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_INSTR_PREFETCH
+workaround_reset_end cortex_a57, ERRATUM(859972)
-#if A57_DISABLE_NON_TEMPORAL_HINT
- mov x0, x18
- bl a57_disable_ldnp_overread
-#endif
+check_erratum_ls cortex_a57, ERRATUM(859972), CPU_REV(1, 3)
-#if ERRATA_A57_826974
- mov x0, x18
- bl errata_a57_826974_wa
-#endif
+check_erratum_chosen cortex_a57, ERRATUM(1319537), ERRATA_A57_1319537
+/* erratum has no workaround in the cpu. Generic code must take care */
+add_erratum_entry cortex_a57, ERRATUM(1319537), ERRATA_A57_1319537, NO_APPLY_AT_RESET
-#if ERRATA_A57_826977
- mov x0, x18
- bl errata_a57_826977_wa
+workaround_reset_start cortex_a57, CVE(2017, 5715), WORKAROUND_CVE_2017_5715
+#if IMAGE_BL31
+ override_vector_table wa_cve_2017_5715_mmu_vbar
#endif
+workaround_reset_end cortex_a57, CVE(2017, 5715)
-#if ERRATA_A57_828024
- mov x0, x18
- bl errata_a57_828024_wa
-#endif
+check_erratum_chosen cortex_a57, CVE(2017, 5715), WORKAROUND_CVE_2017_5715
-#if ERRATA_A57_829520
- mov x0, x18
- bl errata_a57_829520_wa
-#endif
-
-#if ERRATA_A57_833471
- mov x0, x18
- bl errata_a57_833471_wa
-#endif
-
-#if ERRATA_A57_859972
- mov x0, x18
- bl errata_a57_859972_wa
-#endif
-
-#if IMAGE_BL31 && ( WORKAROUND_CVE_2017_5715 || WORKAROUND_CVE_2022_23960 )
- /* ---------------------------------------------------------------
- * Override vector table & enable existing workaround if either of
- * the build flags are enabled
- * ---------------------------------------------------------------
- */
- adr x0, wa_cve_2017_5715_mmu_vbar
- msr vbar_el3, x0
- /* isb will be performed before returning from this function */
-#endif
-
-#if WORKAROUND_CVE_2018_3639
- mrs x0, CORTEX_A57_CPUACTLR_EL1
- orr x0, x0, #CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_STORE
- msr CORTEX_A57_CPUACTLR_EL1, x0
+workaround_reset_start cortex_a57, CVE(2018, 3639), WORKAROUND_CVE_2018_3639
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_DIS_LOAD_PASS_STORE
isb
dsb sy
-#endif
+workaround_reset_end cortex_a57, CVE(2018, 3639)
-#if A57_ENABLE_NONCACHEABLE_LOAD_FWD
- /* ---------------------------------------------
- * Enable higher performance non-cacheable load
- * forwarding
- * ---------------------------------------------
- */
- mrs x0, CORTEX_A57_CPUACTLR_EL1
- orr x0, x0, #CORTEX_A57_CPUACTLR_EL1_EN_NC_LOAD_FWD
- msr CORTEX_A57_CPUACTLR_EL1, x0
+check_erratum_chosen cortex_a57, CVE(2018, 3639), WORKAROUND_CVE_2018_3639
+
+workaround_reset_start cortex_a57, CVE(2022, 23960), WORKAROUND_CVE_2022_23960
+#if IMAGE_BL31
+ override_vector_table wa_cve_2017_5715_mmu_vbar
#endif
+workaround_reset_end cortex_a57, CVE(2022, 23960)
- /* ---------------------------------------------
- * Enable the SMP bit.
- * ---------------------------------------------
- */
- mrs x0, CORTEX_A57_ECTLR_EL1
- orr x0, x0, #CORTEX_A57_ECTLR_SMP_BIT
- msr CORTEX_A57_ECTLR_EL1, x0
- isb
- ret x19
-endfunc cortex_a57_reset_func
+check_erratum_chosen cortex_a57, CVE(2022, 23960), WORKAROUND_CVE_2022_23960
-func check_errata_cve_2022_23960
-#if WORKAROUND_CVE_2022_23960
- mov x0, #ERRATA_APPLIES
-#else
- mov x0, #ERRATA_MISSING
+cpu_reset_func_start cortex_a57
+#if A57_ENABLE_NONCACHEABLE_LOAD_FWD
+ /* Enable higher performance non-cacheable load forwarding */
+ sysreg_bit_set CORTEX_A57_CPUACTLR_EL1, CORTEX_A57_CPUACTLR_EL1_EN_NC_LOAD_FWD
#endif
- ret
-endfunc check_errata_cve_2022_23960
+ /* Enable the SMP bit. */
+ sysreg_bit_set CORTEX_A57_ECTLR_EL1, CORTEX_A57_ECTLR_SMP_BIT
+cpu_reset_func_end cortex_a57
func check_smccc_arch_workaround_3
mov x0, #ERRATA_APPLIES
@@ -619,42 +284,7 @@
b cortex_a57_disable_ext_debug
endfunc cortex_a57_cluster_pwr_dwn
-#if REPORT_ERRATA
-/*
- * Errata printing function for Cortex A57. Must follow AAPCS.
- */
-func cortex_a57_errata_report
- stp x8, x30, [sp, #-16]!
-
- bl cpu_get_rev_var
- mov x8, x0
-
- /*
- * Report all errata. The revision-variant information is passed to
- * checking functions of each errata.
- */
- report_errata ERRATA_A57_806969, cortex_a57, 806969
- report_errata ERRATA_A57_813419, cortex_a57, 813419
- report_errata ERRATA_A57_813420, cortex_a57, 813420
- report_errata ERRATA_A57_814670, cortex_a57, 814670
- report_errata ERRATA_A57_817169, cortex_a57, 817169
- report_errata A57_DISABLE_NON_TEMPORAL_HINT, cortex_a57, \
- disable_ldnp_overread
- report_errata ERRATA_A57_826974, cortex_a57, 826974
- report_errata ERRATA_A57_826977, cortex_a57, 826977
- report_errata ERRATA_A57_828024, cortex_a57, 828024
- report_errata ERRATA_A57_829520, cortex_a57, 829520
- report_errata ERRATA_A57_833471, cortex_a57, 833471
- report_errata ERRATA_A57_859972, cortex_a57, 859972
- report_errata ERRATA_A57_1319537, cortex_a57, 1319537
- report_errata WORKAROUND_CVE_2017_5715, cortex_a57, cve_2017_5715
- report_errata WORKAROUND_CVE_2018_3639, cortex_a57, cve_2018_3639
- report_errata WORKAROUND_CVE_2022_23960, cortex_a57, cve_2022_23960
-
- ldp x8, x30, [sp], #16
- ret
-endfunc cortex_a57_errata_report
-#endif
+errata_report_shim cortex_a57
/* ---------------------------------------------
* This function provides cortex_a57 specific
@@ -679,7 +309,7 @@
declare_cpu_ops_wa cortex_a57, CORTEX_A57_MIDR, \
cortex_a57_reset_func, \
- check_errata_cve_2017_5715, \
+ check_erratum_cortex_a57_5715, \
CPU_NO_EXTRA2_FUNC, \
check_smccc_arch_workaround_3, \
cortex_a57_core_pwr_dwn, \
diff --git a/lib/cpus/aarch64/nevis.S b/lib/cpus/aarch64/nevis.S
new file mode 100644
index 0000000..36830a9
--- /dev/null
+++ b/lib/cpus/aarch64/nevis.S
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <arch.h>
+#include <asm_macros.S>
+#include <common/bl_common.h>
+#include <nevis.h>
+#include <cpu_macros.S>
+#include <plat_macros.S>
+
+/* Hardware handled coherency */
+#if HW_ASSISTED_COHERENCY == 0
+#error "Nevis must be compiled with HW_ASSISTED_COHERENCY enabled"
+#endif
+
+/* 64-bit only core */
+#if CTX_INCLUDE_AARCH32_REGS == 1
+#error "Nevis supports only AArch64. Compile with CTX_INCLUDE_AARCH32_REGS=0"
+#endif
+
+cpu_reset_func_start nevis
+ /* ----------------------------------------------------
+ * Disable speculative loads
+ * ----------------------------------------------------
+ */
+ msr SSBS, xzr
+cpu_reset_func_end nevis
+
+func nevis_core_pwr_dwn
+ /* ---------------------------------------------------
+ * Enable CPU power down bit in power control register
+ * ---------------------------------------------------
+ */
+ sysreg_bit_set NEVIS_IMP_CPUPWRCTLR_EL1, \
+ NEVIS_IMP_CPUPWRCTLR_EL1_CORE_PWRDN_EN_BIT
+ isb
+ ret
+endfunc nevis_core_pwr_dwn
+
+errata_report_shim nevis
+
+.section .rodata.nevis_regs, "aS"
+nevis_regs: /* The ASCII list of register names to be reported */
+ .asciz "cpuectlr_el1", ""
+
+func nevis_cpu_reg_dump
+ adr x6, nevis_regs
+ mrs x8, NEVIS_CPUECTLR_EL1
+ ret
+endfunc nevis_cpu_reg_dump
+
+declare_cpu_ops nevis, NEVIS_MIDR, \
+ nevis_reset_func, \
+ nevis_core_pwr_dwn
diff --git a/lib/el3_runtime/aarch64/context_mgmt.c b/lib/el3_runtime/aarch64/context_mgmt.c
index 0ac2d6e..b16c113 100644
--- a/lib/el3_runtime/aarch64/context_mgmt.c
+++ b/lib/el3_runtime/aarch64/context_mgmt.c
@@ -279,6 +279,20 @@
write_ctx_reg(get_el2_sysregs_ctx(ctx), CTX_HCRX_EL2,
HCRX_EL2_INIT_VAL);
}
+
+ if (is_feat_fgt_supported()) {
+ /*
+ * Initialize HFG*_EL2 registers with a default value so legacy
+ * systems unaware of FEAT_FGT do not get trapped due to their lack
+ * of initialization for this feature.
+ */
+ write_ctx_reg(get_el2_sysregs_ctx(ctx), CTX_HFGITR_EL2,
+ HFGITR_EL2_INIT_VAL);
+ write_ctx_reg(get_el2_sysregs_ctx(ctx), CTX_HFGRTR_EL2,
+ HFGRTR_EL2_INIT_VAL);
+ write_ctx_reg(get_el2_sysregs_ctx(ctx), CTX_HFGWTR_EL2,
+ HFGWTR_EL2_INIT_VAL);
+ }
#endif /* CTX_INCLUDE_EL2_REGS */
manage_extensions_nonsecure(ctx);
@@ -829,8 +843,27 @@
if (is_feat_hcx_supported()) {
write_hcrx_el2(HCRX_EL2_INIT_VAL);
}
+
+ /*
+ * Initialize Fine-grained trap registers introduced
+ * by FEAT_FGT so all traps are initially disabled when
+ * switching to EL2 or a lower EL, preventing undesired
+ * behavior.
+ */
+ if (is_feat_fgt_supported()) {
+ /*
+ * Initialize HFG*_EL2 registers with a default
+ * value so legacy systems unaware of FEAT_FGT
+ * do not get trapped due to their lack of
+ * initialization for this feature.
+ */
+ write_hfgitr_el2(HFGITR_EL2_INIT_VAL);
+ write_hfgrtr_el2(HFGRTR_EL2_INIT_VAL);
+ write_hfgwtr_el2(HFGWTR_EL2_INIT_VAL);
+ }
}
+
if ((scr_el3 & SCR_HCE_BIT) != 0U) {
/* Use SCTLR_EL1.EE value to initialise sctlr_el2 */
sctlr_elx = read_ctx_reg(get_el1_sysregs_ctx(ctx),
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk
index 3bce3a5..a5c93a6 100644
--- a/make_helpers/build_macros.mk
+++ b/make_helpers/build_macros.mk
@@ -334,10 +334,10 @@
$(eval OBJ := $(1)/$(patsubst %.c,%.o,$(notdir $(2))))
$(eval DEP := $(patsubst %.o,%.d,$(OBJ)))
-$(eval BL_DEFINES := $($(call uppercase,$(3))_DEFINES))
-$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS))
-$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) -DIMAGE_$(call uppercase,$(3)) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)))
-$(eval BL_CFLAGS := $($(call uppercase,$(3))_CFLAGS))
+$(eval BL_DEFINES := IMAGE_$(call uppercase,$(3)) $($(call uppercase,$(3))_DEFINES) $(PLAT_BL_COMMON_DEFINES))
+$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS) $(PLAT_BL_COMMON_INCLUDE_DIRS))
+$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)) $(PLAT_BL_COMMON_CPPFLAGS))
+$(eval BL_CFLAGS := $($(call uppercase,$(3))_CFLAGS) $(PLAT_BL_COMMON_CFLAGS))
$(OBJ): $(2) $(filter-out %.d,$(MAKEFILE_LIST)) | $(3)_dirs
$$(ECHO) " CC $$<"
@@ -357,10 +357,10 @@
$(eval OBJ := $(1)/$(patsubst %.S,%.o,$(notdir $(2))))
$(eval DEP := $(patsubst %.o,%.d,$(OBJ)))
-$(eval BL_DEFINES := $($(call uppercase,$(3))_DEFINES))
-$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS))
-$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) -DIMAGE_$(call uppercase,$(3)) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)))
-$(eval BL_ASFLAGS := $($(call uppercase,$(3))_ASFLAGS))
+$(eval BL_DEFINES := IMAGE_$(call uppercase,$(3)) $($(call uppercase,$(3))_DEFINES) $(PLAT_BL_COMMON_DEFINES))
+$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS) $(PLAT_BL_COMMON_INCLUDE_DIRS))
+$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)) $(PLAT_BL_COMMON_CPPFLAGS))
+$(eval BL_ASFLAGS := $($(call uppercase,$(3))_ASFLAGS) $(PLAT_BL_COMMON_ASFLAGS))
$(OBJ): $(2) $(filter-out %.d,$(MAKEFILE_LIST)) | $(3)_dirs
$$(ECHO) " AS $$<"
@@ -379,9 +379,9 @@
$(eval DEP := $(1).d)
-$(eval BL_DEFINES := $($(call uppercase,$(3))_DEFINES))
-$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS))
-$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) -DIMAGE_$(call uppercase,$(3)) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)))
+$(eval BL_DEFINES := IMAGE_$(call uppercase,$(3)) $($(call uppercase,$(3))_DEFINES) $(PLAT_BL_COMMON_DEFINES))
+$(eval BL_INCLUDE_DIRS := $($(call uppercase,$(3))_INCLUDE_DIRS) $(PLAT_BL_COMMON_INCLUDE_DIRS))
+$(eval BL_CPPFLAGS := $($(call uppercase,$(3))_CPPFLAGS) $(addprefix -D,$(BL_DEFINES)) $(addprefix -I,$(BL_INCLUDE_DIRS)) $(PLAT_BL_COMMON_CPPFLAGS))
$(1): $(2) $(filter-out %.d,$(MAKEFILE_LIST)) | $(3)_dirs
$$(ECHO) " PP $$<"
@@ -504,7 +504,7 @@
define MAKE_BL
$(eval BUILD_DIR := ${BUILD_PLAT}/$(1))
$(eval BL_SOURCES := $($(call uppercase,$(1))_SOURCES))
- $(eval SOURCES := $(BL_SOURCES) $(BL_COMMON_SOURCES) $(PLAT_BL_COMMON_SOURCES))
+ $(eval SOURCES := $(sort $(BL_SOURCES) $(BL_COMMON_SOURCES) $(PLAT_BL_COMMON_SOURCES)))
$(eval OBJS := $(addprefix $(BUILD_DIR)/,$(call SOURCES_TO_OBJS,$(SOURCES))))
$(eval MAPFILE := $(call IMG_MAPFILE,$(1)))
$(eval ELF := $(call IMG_ELF,$(1)))
diff --git a/plat/arm/board/arm_fpga/platform.mk b/plat/arm/board/arm_fpga/platform.mk
index c31697e..bd56f30 100644
--- a/plat/arm/board/arm_fpga/platform.mk
+++ b/plat/arm/board/arm_fpga/platform.mk
@@ -33,7 +33,17 @@
FPGA_PRELOADED_CMD_LINE := 0x1000
$(eval $(call add_define,FPGA_PRELOADED_CMD_LINE))
-ENABLE_FEAT_AMU := 2
+ENABLE_BRBE_FOR_NS := 2
+ENABLE_TRBE_FOR_NS := 2
+ENABLE_FEAT_AMU := 2
+ENABLE_FEAT_AMUv1p1 := 2
+ENABLE_FEAT_CSV2_2 := 2
+ENABLE_FEAT_ECV := 2
+ENABLE_FEAT_FGT := 2
+ENABLE_FEAT_HCX := 2
+ENABLE_MPAM_FOR_LOWER_ELS := 2
+ENABLE_SYS_REG_TRACE_FOR_NS := 2
+ENABLE_TRF_FOR_NS := 2
# Treating this as a memory-constrained port for now
USE_COHERENT_MEM := 0
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 9104838..4803f35 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@@ -214,7 +214,8 @@
lib/cpus/aarch64/neoverse_v1.S \
lib/cpus/aarch64/neoverse_e1.S \
lib/cpus/aarch64/cortex_x2.S \
- lib/cpus/aarch64/cortex_gelas.S
+ lib/cpus/aarch64/cortex_gelas.S \
+ lib/cpus/aarch64/nevis.S
endif
# AArch64/AArch32 cores
FVP_CPU_LIBS += lib/cpus/aarch64/cortex_a55.S \
diff --git a/plat/aspeed/ast2700/include/platform_def.h b/plat/aspeed/ast2700/include/platform_def.h
index 3f2468f..8be26c3 100644
--- a/plat/aspeed/ast2700/include/platform_def.h
+++ b/plat/aspeed/ast2700/include/platform_def.h
@@ -41,13 +41,13 @@
#define MAX_MMAP_REGIONS U(32)
/* BL31 region */
-#define BL31_BASE ULL(0x400000000)
-#define BL31_SIZE ULL(0x400000)
+#define BL31_BASE ULL(0x430000000)
+#define BL31_SIZE SZ_512K
#define BL31_LIMIT (BL31_BASE + BL31_SIZE)
/* BL32 region */
#define BL32_BASE BL31_LIMIT
-#define BL32_SIZE ULL(0x400000)
+#define BL32_SIZE SZ_16M
#define BL32_LIMIT (BL32_BASE + BL32_SIZE)
/* console */
diff --git a/plat/imx/imx8m/ddr/clock.c b/plat/imx/imx8m/ddr/clock.c
index 8b132d2..31f2f56 100644
--- a/plat/imx/imx8m/ddr/clock.c
+++ b/plat/imx/imx8m/ddr/clock.c
@@ -91,6 +91,10 @@
case 4000:
mmio_write_32(DRAM_PLL_CTRL + 0x4, (250 << 12) | (3 << 4) | 1);
break;
+ case 3733:
+ case 3732:
+ mmio_write_32(DRAM_PLL_CTRL + 0x4, (311 << 12) | (4 << 4) | 1);
+ break;
case 3200:
mmio_write_32(DRAM_PLL_CTRL + 0x4, (200 << 12) | (3 << 4) | 1);
break;
diff --git a/plat/nuvoton/npcm845x/npcm845x_bl31_setup.c b/plat/nuvoton/npcm845x/npcm845x_bl31_setup.c
index 26ddb4b..08448db 100644
--- a/plat/nuvoton/npcm845x/npcm845x_bl31_setup.c
+++ b/plat/nuvoton/npcm845x/npcm845x_bl31_setup.c
@@ -47,27 +47,12 @@
BL31_END - BL31_START, \
MT_MEMORY | MT_RW | EL3_PAS)
-#if RECLAIM_INIT_CODE
-IMPORT_SYM(unsigned long, __INIT_CODE_START__, BL_INIT_CODE_BASE);
-IMPORT_SYM(unsigned long, __INIT_CODE_END__, BL_CODE_END_UNALIGNED);
-
-#define BL_INIT_CODE_END ((BL_CODE_END_UNALIGNED + PAGE_SIZE - 1) & \
- ~(PAGE_SIZE - 1))
-
-#define MAP_BL_INIT_CODE MAP_REGION_FLAT( \
- BL_INIT_CODE_BASE, \
- BL_INIT_CODE_END - \
- BL_INIT_CODE_BASE, \
- MT_CODE | MT_SECURE)
-#endif /* RECLAIM_INIT_CODE */
-
#if SEPARATE_NOBITS_REGION
#define MAP_BL31_NOBITS MAP_REGION_FLAT( \
BL31_NOBITS_BASE, \
BL31_NOBITS_LIMIT - \
BL31_NOBITS_BASE, \
MT_MEMORY | MT_RW | EL3_PAS)
-
#endif /* SEPARATE_NOBITS_REGION */
/******************************************************************************
@@ -324,9 +309,6 @@
{
const mmap_region_t bl_regions[] = {
MAP_BL31_TOTAL,
-#if RECLAIM_INIT_CODE
- MAP_BL_INIT_CODE,
-#endif /* RECLAIM_INIT_CODE */
#if SEPARATE_NOBITS_REGION
MAP_BL31_NOBITS,
#endif /* SEPARATE_NOBITS_REGION */
diff --git a/plat/nuvoton/npcm845x/platform.mk b/plat/nuvoton/npcm845x/platform.mk
index f38ae29..5120cc6 100644
--- a/plat/nuvoton/npcm845x/platform.mk
+++ b/plat/nuvoton/npcm845x/platform.mk
@@ -9,7 +9,7 @@
# This is a debug flag for bring-up. It allows reducing CPU numbers
# SECONDARY_BRINGUP := 1
RESET_TO_BL31 := 1
-PMD_SPM_AT_SEL2 := 0
+SPMD_SPM_AT_SEL2 := 0
#temporary until the RAM size is reduced
USE_COHERENT_MEM := 1
@@ -21,29 +21,12 @@
# Trusted DRAM (if available) or the TZC secured area of DRAM.
# TZC secured DRAM is the default.
-ARM_TSP_RAM_LOCATION ?= dram
-
-ifeq (${ARM_TSP_RAM_LOCATION}, tsram)
-ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_SRAM_ID
-else ifeq (${ARM_TSP_RAM_LOCATION}, tdram)
-ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_DRAM_ID
-else ifeq (${ARM_TSP_RAM_LOCATION}, dram)
-ARM_TSP_RAM_LOCATION_ID = ARM_DRAM_ID
-else
-$(error "Unsupported ARM_TSP_RAM_LOCATION value")
-endif
-
-# Process flags
# Process ARM_BL31_IN_DRAM flag
ARM_BL31_IN_DRAM := 0
$(eval $(call assert_boolean,ARM_BL31_IN_DRAM))
$(eval $(call add_define,ARM_BL31_IN_DRAM))
-else
-ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_SRAM_ID
endif
-$(eval $(call add_define,ARM_TSP_RAM_LOCATION_ID))
-
# For the original power-state parameter format, the State-ID can be encoded
# according to the recommended encoding or zero. This flag determines which
# State-ID encoding to be parsed.
@@ -316,8 +299,7 @@
# Pointer Authentication sources
ifeq (${ENABLE_PAUTH}, 1)
-PLAT_BL_COMMON_SOURCES += plat/arm/common/aarch64/arm_pauth.c \
- lib/extensions/pauth/pauth_helpers.S
+PLAT_BL_COMMON_SOURCES += plat/arm/common/aarch64/arm_pauth.c
endif
ifeq (${SPD},spmd)
@@ -370,12 +352,6 @@
include ${IMG_PARSER_LIB_MK}
endif
-ifeq (${RECLAIM_INIT_CODE}, 1)
-ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1)
-$(error "To reclaim init code xlat tables v2 must be used")
-endif
-endif
-
ifeq (${MEASURED_BOOT},1)
MEASURED_BOOT_MK := drivers/measured_boot/measured_boot.mk
$(info Including ${MEASURED_BOOT_MK})
@@ -392,6 +368,3 @@
DEBUG_CONSOLE ?= 0
$(eval $(call add_define,DEBUG_CONSOLE))
-
-$(eval $(call add_define,ARM_TSP_RAM_LOCATION_ID))
-
diff --git a/plat/ti/k3/common/drivers/ti_sci/ti_sci.c b/plat/ti/k3/common/drivers/ti_sci/ti_sci.c
index dacef74..495f0c7 100644
--- a/plat/ti/k3/common/drivers/ti_sci/ti_sci.c
+++ b/plat/ti/k3/common/drivers/ti_sci/ti_sci.c
@@ -413,7 +413,7 @@
struct ti_sci_xfer xfer;
int ret;
- ret = ti_sci_setup_one_xfer(TI_SCI_MSG_GET_DEVICE_STATE, 0,
+ ret = ti_sci_setup_one_xfer(TI_SCI_MSG_SET_DEVICE_STATE, 0,
&req, sizeof(req),
NULL, 0,
&xfer);
@@ -1389,7 +1389,7 @@
struct ti_sci_xfer xfer;
int ret;
- ret = ti_sci_setup_one_xfer(TI_SCI_MSG_GET_DEVICE_STATE, 0,
+ ret = ti_sci_setup_one_xfer(TISCI_MSG_SET_PROC_BOOT_CTRL, 0,
&req, sizeof(req),
NULL, 0,
&xfer);
@@ -1623,7 +1623,7 @@
struct ti_sci_xfer xfer;
int ret;
- ret = ti_sci_setup_one_xfer(TI_SCI_MSG_GET_DEVICE_STATE, 0,
+ ret = ti_sci_setup_one_xfer(TISCI_MSG_WAIT_PROC_BOOT_STATUS, 0,
&req, sizeof(req),
NULL, 0,
&xfer);
@@ -1669,7 +1669,7 @@
struct ti_sci_xfer xfer;
int ret;
- ret = ti_sci_setup_one_xfer(TI_SCI_MSG_GET_DEVICE_STATE, 0,
+ ret = ti_sci_setup_one_xfer(TI_SCI_MSG_ENTER_SLEEP, 0,
&req, sizeof(req),
NULL, 0,
&xfer);
diff --git a/plat/xilinx/common/plat_fdt.c b/plat/xilinx/common/plat_fdt.c
index dc3e893..7f93340 100644
--- a/plat/xilinx/common/plat_fdt.c
+++ b/plat/xilinx/common/plat_fdt.c
@@ -12,11 +12,17 @@
#include <plat_fdt.h>
#include <platform_def.h>
-#if (defined(XILINX_OF_BOARD_DTB_ADDR) && !IS_TFA_IN_OCM(BL31_BASE))
void prepare_dtb(void)
{
- void *dtb = (void *)XILINX_OF_BOARD_DTB_ADDR;
+ void *dtb;
int ret;
+#if !defined(XILINX_OF_BOARD_DTB_ADDR)
+ return;
+#else
+ dtb = (void *)XILINX_OF_BOARD_DTB_ADDR;
+#endif
+ if (IS_TFA_IN_OCM(BL31_BASE))
+ return;
/* Return if no device tree is detected */
if (fdt_check_header(dtb) != 0) {
@@ -45,8 +51,3 @@
clean_dcache_range((uintptr_t)dtb, fdt_blob_size(dtb));
INFO("Changed device tree to advertise PSCI and reserved memories.\n");
}
-#else
-void prepare_dtb(void)
-{
-}
-#endif
diff --git a/plat/xilinx/versal/include/platform_def.h b/plat/xilinx/versal/include/platform_def.h
index 4c0df4f..4c02402 100644
--- a/plat/xilinx/versal/include/platform_def.h
+++ b/plat/xilinx/versal/include/platform_def.h
@@ -79,7 +79,7 @@
#define XILINX_OF_BOARD_DTB_MAX_SIZE U(0x200000)
-#define PLAT_OCM_BSE U(0xFFFE0000)
+#define PLAT_OCM_BASE U(0xFFFE0000)
#define PLAT_OCM_LIMIT U(0xFFFFFFFF)
#define IS_TFA_IN_OCM(x) ((x >= PLAT_OCM_BASE) && (x < PLAT_OCM_LIMIT))
diff --git a/poetry.lock b/poetry.lock
index 07cd572..12d546a 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -68,13 +68,13 @@
[[package]]
name = "certifi"
-version = "2022.12.7"
+version = "2023.7.22"
description = "Python package for providing Mozilla's CA Bundle."
optional = false
python-versions = ">=3.6"
files = [
- {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
- {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
+ {file = "certifi-2023.7.22-py3-none-any.whl", hash = "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"},
+ {file = "certifi-2023.7.22.tar.gz", hash = "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"},
]
[[package]]