-rw-r--r-- | Makefile | 8 | ||||
-rw-r--r-- | bl31/aarch64/bl31_entrypoint.S | 25 | ||||
-rw-r--r-- | bl31/aarch64/runtime_exceptions.S | 3 | ||||
-rw-r--r-- | docs/change-log.rst | 446 | ||||
-rw-r--r-- | docs/contents.rst | 165 | ||||
-rw-r--r-- | docs/firmware-design.rst | 7 | ||||
-rw-r--r-- | docs/romlib-design.rst | 16 | ||||
-rw-r--r-- | docs/user-guide.rst | 102 | ||||
-rw-r--r-- | drivers/synopsys/emmc/dw_mmc.c | 3 | ||||
-rw-r--r-- | include/lib/cpus/aarch64/neoverse_e1.h | 2 | ||||
-rw-r--r-- | lib/cpus/aarch64/cortex_a76.S | 29 | ||||
-rw-r--r-- | lib/el3_runtime/aarch64/context.S | 2 | ||||
-rw-r--r-- | lib/romlib/Makefile | 15 | ||||
-rwxr-xr-x | lib/romlib/genwrappers.sh | 6 | ||||
-rw-r--r-- | lib/xlat_tables_v2/xlat_tables_core.c | 328 | ||||
-rw-r--r-- | lib/xlat_tables_v2/xlat_tables_utils.c | 166 | ||||
-rw-r--r-- | plat/arm/board/fvp/jmptbl.i | 32 | ||||
-rw-r--r-- | plat/arm/board/juno/jmptbl.i | 32 | ||||
-rw-r--r-- | plat/arm/common/aarch64/arm_pauth.c | 6 | ||||
-rw-r--r-- | readme.rst | 100 |
20 files changed, 1022 insertions, 471 deletions
@@ -8,7 +8,7 @@ # Trusted Firmware Version # VERSION_MAJOR := 2 -VERSION_MINOR := 0 +VERSION_MINOR := 1 # Default goal is build all images .DEFAULT_GOAL := all @@ -478,6 +478,12 @@ endif ifeq ($(ENABLE_PAUTH),1) ifeq ($(CTX_INCLUDE_PAUTH_REGS),0) $(error ENABLE_PAUTH=1 requires CTX_INCLUDE_PAUTH_REGS=1) + else + $(info ENABLE_PAUTH and CTX_INCLUDE_PAUTH_REGS are experimental features) + endif +else + ifeq ($(CTX_INCLUDE_PAUTH_REGS),1) + $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature) endif endif diff --git a/bl31/aarch64/bl31_entrypoint.S b/bl31/aarch64/bl31_entrypoint.S index 065edffc..f24458c1 100644 --- a/bl31/aarch64/bl31_entrypoint.S +++ b/bl31/aarch64/bl31_entrypoint.S @@ -23,7 +23,6 @@ */ func bl31_entrypoint -#if !RESET_TO_BL31 /* --------------------------------------------------------------- * Stash the previous bootloader arguments x0 - x3 for later use. * --------------------------------------------------------------- @@ -33,6 +32,18 @@ func bl31_entrypoint mov x22, x2 mov x23, x3 + /* -------------------------------------------------------------------- + * If PIE is enabled, fixup the Global descriptor Table and dynamic + * relocations + * -------------------------------------------------------------------- + */ +#if ENABLE_PIE + mov_imm x0, BL31_BASE + mov_imm x1, BL31_LIMIT + bl fixup_gdt_reloc +#endif /* ENABLE_PIE */ + +#if !RESET_TO_BL31 /* --------------------------------------------------------------------- * For !RESET_TO_BL31 systems, only the primary CPU ever reaches * bl31_entrypoint() during the cold boot flow, so the cold/warm boot @@ -50,6 +61,7 @@ func bl31_entrypoint _init_c_runtime=1 \ _exception_vectors=runtime_exceptions #else + /* --------------------------------------------------------------------- * For RESET_TO_BL31 systems which have a programmable reset address, * bl31_entrypoint() is executed only on the cold boot path so we can 
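Review bot: The new nested conditional emits a notice only when at least one of `ENABLE_PAUTH` or `CTX_INCLUDE_PAUTH_REGS` is 1, so the default combination (both 0) stays silent, even though the user-guide sentence this same commit deletes stated that with `CTX_INCLUDE_PAUTH_REGS=0` the PAuth registers are not context-switched between Secure and Non-secure worlds on hardware that implements the extension. If that caveat is meant to survive the documentation rewrite, the inner `ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)` could gain an else-branch such as `$(warning CTX_INCLUDE_PAUTH_REGS=0: PAuth registers are not saved/restored across world switches)`. Independently, `$(warning ...)` rather than `$(info ...)` is the conventional channel for the two experimental-feature notices, since it goes to stderr together with the makefile location instead of being interleaved with build output on stdout. Whether other parts of the Makefile already validate these flags as booleans is not visible in this hunk.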
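Review bot: The relocated `bl fixup_gdt_reloc` in the `@@ -33,6 +32,18 @@` hunk now runs before `el3_entrypoint_common` (seen with `_init_c_runtime=1` in the following hunk) instead of after it as in the block removed at `@@ -77,17 +89,6 @@`, so no stack and no initialised C runtime exist at the call site; the comment above the call should record that precondition, e.g. `* Runs before the C runtime is set up: the helper must not use the stack or any data that _init_c_runtime re-initialises.`, and whether `fixup_gdt_reloc` actually meets it is not visible here and should be confirmed. Clobbering x0/x1 with `mov_imm x0, BL31_BASE` / `mov_imm x1, BL31_LIMIT` is safe with respect to the previous bootloader arguments only because they were stashed in x20-x23 immediately above; a short comment noting that dependency would keep a future reordering from breaking it. The enclosing `func bl31_entrypoint` continues outside the hunk.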
@@ -77,17 +89,6 @@ func bl31_entrypoint #endif /* RESET_TO_BL31 */ /* -------------------------------------------------------------------- - * If PIE is enabled, fixup the Global descriptor Table and dynamic - * relocations - * -------------------------------------------------------------------- - */ -#if ENABLE_PIE - mov_imm x0, BL31_BASE - mov_imm x1, BL31_LIMIT - bl fixup_gdt_reloc -#endif /* ENABLE_PIE */ - - /* -------------------------------------------------------------------- * Perform BL31 setup * -------------------------------------------------------------------- */ diff --git a/bl31/aarch64/runtime_exceptions.S b/bl31/aarch64/runtime_exceptions.S index aa9d0079..c2951768 100644 --- a/bl31/aarch64/runtime_exceptions.S +++ b/bl31/aarch64/runtime_exceptions.S @@ -419,6 +419,9 @@ smc_unknown: */ mov x0, #SMC_UNK str x0, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0] +#if CTX_INCLUDE_PAUTH_REGS + bl pauth_context_save +#endif b restore_gp_registers_eret smc_prohibited: diff --git a/docs/change-log.rst b/docs/change-log.rst index b0ef4221..d652ff65 100644 --- a/docs/change-log.rst +++ b/docs/change-log.rst 
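Review bot: The new `bl pauth_context_save` on the `smc_unknown` path carries no comment stating which context base the helper reads or why a save (rather than a restore) is needed on a path that returns to the issuing world without a world switch; a one-line comment along the lines of `/* Save the lower-EL PAuth registers into the current context before returning */`, adjusted to what the helper really does, would make the intent reviewable. The `bl` clobbers x30 and whatever caller-saved registers the helper uses after the `str x0` of `SMC_UNK`, which is only safe if `restore_gp_registers_eret` reloads every GPR including x30 from the context, as its name suggests but the hunk does not show — confirm rather than assume. The helper's definition and the handler that `smc_unknown` belongs to are outside the hunk.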
@@ -4,6 +4,450 @@ .. contents:: +Trusted Firmware-A - version 2.1 +================================ + +New Features +------------ + +- Architecture + - Support for ARMv8.3 pointer authentication in the normal and secure worlds + + The use of pointer authentication in the normal world is enabled whenever + architectural support is available, without the need for additional build + flags. + + Use of pointer authentication in the secure world remains an + experimental configuration at this time. Using both the ``ENABLE_PAUTH`` + and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be + enabled in EL3 and S-EL1/0. + + See the `Firmware Design`_ document for additional details on the use of + pointer authentication. + + - Enable Data Independent Timing (DIT) in EL3, where supported + +- Build System + - Support for BL-specific build flags + + - Support setting compiler target architecture based on ``ARM_ARCH_MINOR`` + build option. + + - New ``RECLAIM_INIT_CODE`` build flag: + + A significant amount of the code used for the initialization of BL31 is + not needed again after boot time. In order to reduce the runtime memory + footprint, the memory used for this code can be reclaimed after + initialization. + + Certain boot-time functions were marked with the ``__init`` attribute to + enable this reclamation. 
+ +- CPU Support + - cortex-a76: Workaround for erratum 1073348 + - cortex-a76: Workaround for erratum 1220197 + - cortex-a76: Workaround for erratum 1130799 + + - cortex-a75: Workaround for erratum 790748 + - cortex-a75: Workaround for erratum 764081 + + - cortex-a73: Workaround for erratum 852427 + - cortex-a73: Workaround for erratum 855423 + + - cortex-a57: Workaround for erratum 817169 + - cortex-a57: Workaround for erratum 814670 + + - cortex-a55: Workaround for erratum 903758 + - cortex-a55: Workaround for erratum 846532 + - cortex-a55: Workaround for erratum 798797 + - cortex-a55: Workaround for erratum 778703 + - cortex-a55: Workaround for erratum 768277 + + - cortex-a53: Workaround for erratum 819472 + - cortex-a53: Workaround for erratum 824069 + - cortex-a53: Workaround for erratum 827319 + + - cortex-a17: Workaround for erratum 852423 + - cortex-a17: Workaround for erratum 852421 + + - cortex-a15: Workaround for erratum 816470 + - cortex-a15: Workaround for erratum 827671 + +- Documentation + - Exception Handling Framework documentation + + - Library at ROM (romlib) documentation + + - RAS framework documentation + + - Coding Guidelines document + +- Drivers + - ccn: Add API for setting and reading node registers + - Adds ``ccn_read_node_reg`` function + - Adds ``ccn_write_node_reg`` function + + - partition: Support MBR partition entries + + - scmi: Add ``plat_css_get_scmi_info`` function + + Adds a new API ``plat_css_get_scmi_info`` which lets the platform + register a platform-specific instance of ``scmi_channel_plat_info_t`` and + remove the default values + + - tzc380: Add TZC-380 TrustZone Controller driver + + - tzc-dmc620: Add driver to manage the TrustZone Controller within the + DMC-620 Dynamic Memory Controller + +- Library at ROM (romlib) + - Add platform-specific jump table list + + - Allow patching of romlib functions + + This change allows patching of functions in the romlib. 
This can be done by + adding "patch" at the end of the jump table entry for the function that + needs to be patched in the file jmptbl.i. + +- Library Code + - Support non-LPAE-enabled MMU tables in AArch32 + + - mmio: Add ``mmio_clrsetbits_16`` function + - 16-bit variant of ``mmio_clrsetbits`` + + - object_pool: Add Object Pool Allocator + - Manages object allocation using a fixed-size static array + - Adds ``pool_alloc`` and ``pool_alloc_n`` functions + - Does not provide any functions to free allocated objects (by design) + + - libc: Added ``strlcpy`` function + + - libc: Import ``strrchr`` function from FreeBSD + + - xlat_tables: Add support for ARMv8.4-TTST + + - xlat_tables: Support mapping regions without an explicitly specified VA + +- Math + - Added softudiv macro to support software division + +- Memory Partitioning And Monitoring (MPAM) + - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``) + +- Platforms + - amlogic: Add support for Meson S905 (GXBB) + + - arm/fvp_ve: Add support for FVP Versatile Express platform + + - arm/n1sdp: Add support for Neoverse N1 System Development platform + + - arm/rde1edge: Add support for Neoverse E1 platform + + - arm/rdn1edge: Add support for Neoverse N1 platform + + - arm: Add support for booting directly to Linux without an intermediate + loader (AArch32) + + - arm/juno: Enable new CPU errata workarounds for A53 and A57 + + - arm/juno: Add romlib support + + Building a combined BL1 and ROMLIB binary file with the correct page + alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set + for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to + be used instead of bl1.bin. 
+ + - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform + + - marvell: Add support for Armada-37xx SoC platform + + - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms + + - renesas: Add support for R-Car Gen3 platform + + - xilinx: Add support for Versal ACAP platforms + +- Position-Independent Executable (PIE) + + PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is + used to enable or disable this functionality as required. + +- Secure Partition Manager + - New SPM implementation based on SPCI Alpha 1 draft specification + + A new version of SPM has been implemented, based on the SPCI (Secure + Partition Client Interface) and SPRT (Secure Partition Runtime) draft + specifications. + + The new implementation is a prototype that is expected to undergo intensive + rework as the specifications change. It has basic support for multiple + Secure Partitions and Resource Descriptions. + + The older version of SPM, based on MM (ARM Management Mode Interface + Specification), is still present in the codebase. A new build flag, + ``SPM_MM`` has been added to allow selection of the desired implementation. + This flag defaults to 1, selecting the MM-based implementation. 
+ +- Security + - Spectre Variant-1 mitigations (``CVE-2017-5753``) + + - Use Speculation Store Bypass Safe (SSBS) functionality where available + + Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3 + registers can leak information from one Normal World SMC client to another) + + +Changed +------- + +- Build System + - Warning levels are now selectable with ``W=<1,2,3>`` + + - Removed unneeded include paths in PLAT_INCLUDES + + - "Warnings as errors" (Werror) can be disabled using ``E=0`` + + - Support totally quiet output with ``-s`` flag + + - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>`` + + - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS`` + + - Make device tree pre-processing similar to U-boot/Linux by: + - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler + options specific to it can be accommodated. + - Replacing ``CPP`` with ``PP`` for DT pre-processing + +- CPU Support + - Errata report function definition is now mandatory for CPU support files + + CPU operation files must now define a ``<name>_errata_report`` function to + print errata status. This is no longer a weak reference. + +- Documentation + - Migrated some content from GitHub wiki to ``docs/`` directory + + - Security advisories now have CVE links + + - Updated copyright guidelines + +- Drivers + - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C + + - console: Ported multi-console driver to AArch32 + + - gic: Remove 'lowest priority' constants + + Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``. + Platforms should define these if required, or instead determine the correct + priority values at runtime. 
+ + - delay_timer: Check that the Generic Timer extension is present + + - mmc: Increase command reply timeout to 10 milliseconds + + - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion + + - mmc: Correctly check return code from ``mmc_fill_device_info`` + +- External Libraries + + - libfdt: Upgraded from 1.4.2 to 1.4.6-9 + + - mbed TLS: Upgraded from 2.12 to 2.16 + + This change incorporates fixes for security issues that should be reviewed + to determine if they are relevant for software implementations using + Trusted Firmware-A. See the `mbed TLS releases`_ page for details on + changes from the 2.12 to the 2.16 release. + +- Library Code + - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from + LLVM master branch (r345645) + + - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation + + - libc: Made setjmp and longjmp C standard compliant + + - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``) + + - libc: Moved setjmp and longjmp to the ``libc/`` directory + +- Platforms + - Removed Mbed TLS dependency from plat_bl_common.c + + - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro + + - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag + + - arm: Moved several components into ``drivers/`` directory + + This affects the SDS, SCP, SCPI, MHU and SCMI components + + - arm/juno: Increased maximum BL2 image size to ``0xF000`` + + This change was required to accommodate a larger ``libfdt`` library + +- SCMI + - Optimized bakery locks when hardware-assisted coherency is enabled using the + ``HW_ASSISTED_COHERENCY`` build flag + +- SDEI + - Added support for unconditionally resuming secure world execution after + SDEI event processing completes + + SDEI interrupts, although targeting EL3, occur on behalf of the non-secure + world, and may have higher priority than secure world + interrupts. Therefore they might preempt secure execution and yield + execution to the non-secure SDEI handler. 
Upon completion of SDEI event + handling, resume secure execution if it was preempted. + +- Translation Tables (XLAT) + - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit + + Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU + that does not implement all mandatory v8.2 features (and so must claim to + implement a lower architecture version). + + +Resolved Issues +--------------- + +- Architecture + - Incorrect check for SSBS feature detection + + - Unintentional register clobber in AArch32 reset_handler function + +- Build System + - Dependency issue during DTB image build + + - Incorrect variable expansion in Arm platform makefiles + + - Building on Windows with verbose mode (``V=1``) enabled is broken + + - AArch32 compilation flags is missing ``$(march32-directive)`` + +- BL-Specific Issues + - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined + + - bl2: Missing prototype warning in ``bl2_arch_setup`` + + - bl31: Omission of Global Offset Table (GOT) section + +- Code Quality Issues + - Multiple MISRA compliance issues + + - Potential NULL pointer dereference (Coverity-detected) + +- Drivers + - mmc: Local declaration of ``scr`` variable causes a cache issue when + invalidating after the read DMA transfer completes + + - mmc: ``ACMD41`` does not send voltage information during initialization, + resulting in the command being treated as a query. This prevents the + command from initializing the controller. 
+ + - mmc: When checking device state using ``mmc_device_state()`` there are no + retries attempted in the event of an error + + - ccn: Incorrect Region ID calculation for RN-I nodes + + - console: ``Fix MULTI_CONSOLE_API`` when used as a crash console + + - partition: Improper NULL checking in gpt.c + + - partition: Compilation failure in ``VERBOSE`` mode (``V=1``) + +- Library Code + - common: Incorrect check for Address Authentication support + + - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility + + The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h`` + and has been moved to a common folder. This header can be used to guarantee + compatibility, as it includes the correct header based on + ``XLAT_TABLES_LIB_V2``. + + - xlat: armclang unused-function warning on ``xlat_clean_dcache_range`` + + - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx`` + + - sdei: Missing ``context.h`` header + +- Platforms + - common: Missing prototype warning for ``plat_log_get_prefix`` + + - arm: Insufficient maximum BL33 image size + + - arm: Potential memory corruption during BL2-BL31 transition + + On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory + descriptors describing the list of executable images are created in BL2 + R/W memory, which could be possibly corrupted later on by BL31/BL32 due + to overlay. This patch creates a reserved location in SRAM for these + descriptors and are copied over by BL2 before handing over to next BL + image. + + - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set + + In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used + regardless of whether the build flag was set. The original behaviour has + been restored in the case where the build flag is not set. 
+ +- Tools + - fiptool: Incorrect UUID parsing of blob parameters + + - doimage: Incorrect object rules in Makefile + + +Deprecations +------------ + +- Common Code + - ``plat_crash_console_init`` function + + - ``plat_crash_console_putc`` function + + - ``plat_crash_console_flush`` function + + - ``finish_console_register`` macro + +- AArch64-specific Code + - helpers: ``get_afflvl_shift`` + + - helpers: ``mpidr_mask_lower_afflvls`` + + - helpers: ``eret`` + +- Secure Partition Manager (SPM) + - Boot-info structure + + +Known Issues +------------ + +- Build System Issues + - dtb: DTB creation not supported when building on a Windows host. + + This step in the build process is skipped when running on a Windows host. A + known issue from the 1.6 release. + +- Platform Issues + - arm/juno: System suspend from Linux does not function as documented in the + user guide + + Following the instructions provided in the user guide document does not + result in the platform entering system suspend state as expected. A message + relating to the hdlcd driver failing to suspend will be emitted on the + Linux terminal. + + - arm/juno: The firmware update use-cases do not work with motherboard + firmware version < v1.5.0 (the reset reason is not preserved). The Linaro + 18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10 + release. + + - mediatek/mt6795: This platform does not build in this release + Trusted Firmware-A - version 2.0 ================================ @@ -1983,3 +2427,5 @@ releases of TF-A. .. _OP-TEE Dispatcher: optee-dispatcher.rst .. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501 .. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193 +.. _mbed TLS releases: https://tls.mbed.org/tech-updates/releases +.. _Firmware Design: firmware-design.rst diff --git a/docs/contents.rst b/docs/contents.rst new file mode 100644 index 00000000..4b3f74fd --- /dev/null +++ b/docs/contents.rst 
@@ -0,0 +1,165 @@ +Trusted Firmware-A Documentation Contents +========================================= + +This document serves as a list of the documentation that is included with the +Trusted Firmware-A source. + +Introduction +------------ + +`About Trusted Firmware-A`_ + +Getting Started +--------------- + +`Frequently-Asked Questions (FAQ)`_ + +`Image Terminology`_ + +`Porting Guide`_ + +`User Guide`_ + +Contributing +------------ + +`Coding Style and Guidelines`_ + +`Contributor Acknowledgements`_ + +`Contributor's Guide`_ + +`License`_ + +`Maintainers`_ + +Processes and Policies +---------------------- + +`Platform Compatibility Policy`_ + +`Release Processes`_ + +Secure Payload Dispatch +----------------------- + +`OP-TEE Dispatcher`_ + +`Trusted Little Kernel (TLK) Dispatcher`_ + +`Trusty Dispatcher`_ + +System Design and Components +---------------------------- + +`Arm CPU Specific Build Macros`_ + +`Arm SiP Services`_ + +`Authentication Framework & Chain of Trust`_ + +`CPU Reset`_ + +`EL3 Runtime Service Writer’s Guide`_ + +`Exception Handling Framework`_ + +`Firmware Design Overview`_ + +`Firmware Update (FWU)`_ + +`Interrupt Management Framework`_ + +`Library at ROM`_ + +`Platform Interrupt Controller API`_ + +`PSCI Library Integration Guide for Armv8-A AArch32 systems`_ + +`PSCI Power Domain Tree design`_ + +`Reliability, Availability, and Serviceability (RAS) Extensions`_ + +`Secure Partition Manager`_ + +`Software Delegated Exception Interface`_ + +`Translation (XLAT) Tables Library`_ + +`Trusted Board Boot Design Guide`_ + +Performance and Testing +----------------------- + +`PSCI Performance Measurements on Arm Juno Development Platform`_ + +Security and Advisories +----------------------- + +`Security Processes`_ + +`TFV-1`_ + +`TFV-2`_ + +`TFV-3`_ + +`TFV-4`_ + +`TFV-5`_ + +`TFV-6`_ + +`TFV-7`_ + +`TFV-8`_ + +Other Documents +--------------- + +`Change Log`_ + +.. _About Trusted Firmware-A: ../readme.rst +.. 
_Frequently-Asked Questions (FAQ): ./frequently-asked-questions.rst +.. _Image Terminology: ./image-terminology.rst +.. _Porting Guide: ./porting-guide.rst +.. _User Guide: ./user-guide.rst +.. _Coding Style and Guidelines: ./coding-guidelines.rst +.. _Contributor Acknowledgements: ../acknowledgements.rst +.. _`Contributor's Guide`: ../contributing.rst +.. _License: ../license.rst +.. _Maintainers: ../maintainers.rst +.. _Platform Compatibility Policy: ./platform-compatibility-policy.rst +.. _Release Processes: ./release-information.rst +.. _Arm SiP Services: ./arm-sip-service.rst +.. _Exception Handling Framework: ./exception-handling.rst +.. _Firmware Update (FWU): ./firmware-update.rst +.. _Interrupt Management Framework: ./interrupt-framework-design.rst +.. _Library at ROM: ./romlib-design.rst +.. _Platform Interrupt Controller API: ./platform-interrupt-controller-API.rst +.. _`Reliability, Availability, and Serviceability (RAS) Extensions`: ./ras.rst +.. _Secure Partition Manager: ./secure-partition-manager-design.rst +.. _Software Delegated Exception Interface: ./sdei.rst +.. _Translation (XLAT) Tables Library: ./xlat-tables-lib-v2-design.rst +.. _OP-TEE Dispatcher: ./spd/optee-dispatcher.rst +.. _Trusted Little Kernel (TLK) Dispatcher: ./spd/tlk-dispatcher.rst +.. _Trusty Dispatcher: ./spd/trusty-dispatcher.rst +.. _Arm CPU Specific Build Macros: ./cpu-specific-build-macros.rst +.. _`Authentication Framework & Chain of Trust`: ./auth-framework.rst +.. _CPU Reset: ./reset-design.rst +.. _`EL3 Runtime Service Writer’s Guide`: ./rt-svc-writers-guide.rst +.. _Firmware Design Overview: ./firmware-design.rst +.. _PSCI Library Integration Guide for Armv8-A AArch32 systems: ./psci-lib-integration-guide.rst +.. _PSCI Power Domain Tree design: ./psci-pd-tree.rst +.. _Trusted Board Boot Design Guide: ./trusted-board-boot.rst +.. _PSCI Performance Measurements on Arm Juno Development Platform: ./psci-performance-juno.rst +.. 
_Security Processes: ./security-center.rst +.. _Change Log: ./change-log.rst +.. _TFV-1: ./security_advisories/security-advisory-tfv-1.rst +.. _TFV-2: ./security_advisories/security-advisory-tfv-2.rst +.. _TFV-3: ./security_advisories/security-advisory-tfv-3.rst +.. _TFV-4: ./security_advisories/security-advisory-tfv-4.rst +.. _TFV-5: ./security_advisories/security-advisory-tfv-5.rst +.. _TFV-6: ./security_advisories/security-advisory-tfv-6.rst +.. _TFV-7: ./security_advisories/security-advisory-tfv-7.rst +.. _TFV-8: ./security_advisories/security-advisory-tfv-8.rst diff --git a/docs/firmware-design.rst b/docs/firmware-design.rst index 52520ea1..66b16fa2 100644 --- a/docs/firmware-design.rst +++ b/docs/firmware-design.rst @@ -2565,11 +2565,16 @@ Armv8.3-A must be set to 1. This will add all pointer authentication system registers to the context that is saved when doing a world switch. - The Trusted Firmware itself has support for pointer authentication at runtime + The TF-A itself has support for pointer authentication at runtime that can be enabled by setting both options ``ENABLE_PAUTH`` and ``CTX_INCLUDE_PAUTH_REGS`` to 1. This enables pointer authentication in BL1, BL2, BL31, and the TSP if it is used. + These options are experimental features. + + Note that Pointer Authentication is enabled for Non-secure world irrespective + of the value of these build flags if the CPU supports it. + If ``ARM_ARCH_MAJOR == 8`` and ``ARM_ARCH_MINOR >= 3`` the code footprint of enabling PAuth is lower because the compiler will use the optimized PAuth instructions rather than the backwards-compatible ones. diff --git a/docs/romlib-design.rst b/docs/romlib-design.rst index 34a7980b..41957214 100644 --- a/docs/romlib-design.rst +++ b/docs/romlib-design.rst 
@@ -85,12 +85,12 @@ ROM" to work: 1. ``gentbl.sh`` - Generates the jump table by parsing the index file. 2. ``genvar.sh`` - Generates the jump table global variable (**not** the jump -table itself) with the absolute address in ROM. This global variable is, -basically, a pointer to the jump table. + table itself) with the absolute address in ROM. This global variable is, + basically, a pointer to the jump table. 3. ``genwrappers.sh`` - Generates a wrapper function for each entry in the index -file except for the ones that contain the keyword ``patch``. The generated -wrapper file is called ``<lib>_<fn_name>.S``. + file except for the ones that contain the keyword ``patch``. The generated + wrapper file is called ``<lib>_<fn_name>.S``. Patching of functions in library at ROM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -108,6 +108,8 @@ Build library at ROM ~~~~~~~~~~~~~~~~~~~~~ The environment variable ``CROSS_COMPILE`` must be set as per the user guide. +In the below example the usage of ROMLIB together with mbed TLS is demonstrated +to showcase the benefits of library at ROM - it's not mandatory. :: @@ -120,6 +122,12 @@ The environment variable ``CROSS_COMPILE`` must be set as per the user guide. USE_ROMLIB=1 \ all fip +Known issue +----------- +When building library at ROM, a clean build is always required. This is +necessary when changes are made to the index files, e.g. adding new functions, +patching existing ones etc. + -------------- *Copyright (c) 2019, Arm Limited. All rights reserved.* diff --git a/docs/user-guide.rst b/docs/user-guide.rst index de4611cc..0848769b 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst 
@@ -56,11 +56,12 @@ Install the required packages to build TF-A with the following command: TF-A has been tested with Linaro Release 18.04. -Download and install the AArch32 or AArch64 little-endian GCC cross compiler. -The `Linaro Release Notes`_ documents which version of the compiler to use for a -given Linaro Release. Also, these `Linaro instructions`_ provide further -guidance and a script, which can be used to download Linaro deliverables -automatically. +Download and install the AArch32 or AArch64 little-endian GCC cross compiler. If +you would like to use the latest features available, download GCC 8.2-2019.01 +compiler from `arm Developer page`_. Otherwise, the `Linaro Release Notes`_ +documents which version of the compiler to use for a given Linaro Release. Also, +these `Linaro instructions`_ provide further guidance and a script, which can be +used to download Linaro deliverables automatically. Optionally, TF-A can be built using clang version 4.0 or newer or Arm Compiler 6. See instructions below on how to switch the default compiler. 
@@ -358,11 +359,12 @@ Common build options registers to be included when saving and restoring the CPU context. Default is 0. -- ``CTX_INCLUDE_PAUTH_REGS``: Boolean option that, when set to 1, will cause - the ARMv8.3-PAuth registers to be included when saving and restoring the CPU - context. Note that if the hardware supports this extension and this option is - set to 0 the value of the registers will be leaked between Secure and - Non-secure worlds if PAuth is used on both sides. The default is 0. +- ``CTX_INCLUDE_PAUTH_REGS``: Boolean option that, when set to 1, enables + Pointer Authentication for Secure world. This will cause the ARMv8.3-PAuth + registers to be included when saving and restoring the CPU context as + part of world switch. Default value is 0 and this is an experimental feature. + Note that Pointer Authentication is enabled for Non-secure world irrespective + of the value of this flag if the CPU supports it. - ``DEBUG``: Chooses between a debug and release build. It can take either 0 (release) or 1 (debug) as values. 0 is the default. 
@@ -412,11 +414,11 @@ Common build options and use partitions in EL3 as required. This option defaults to ``0``. - ``ENABLE_PAUTH``: Boolean option to enable ARMv8.3 Pointer Authentication - (``ARMv8.3-PAuth``) support in the Trusted Firmware itself. Note that this - option doesn't affect the saving of the registers introduced with this - extension, they are always saved if they are detected regardless of the value - of this option. If enabled, it is needed to use a compiler that supports the - option ``-msign-return-address``. It defaults to 0. + support for TF-A BL images itself. If enabled, it is needed to use a compiler + that supports the option ``-msign-return-address``. This flag defaults to 0 + and this is an experimental feature. + Note that Pointer Authentication is enabled for Non-secure world irrespective + of the value of this flag if the CPU supports it. - ``ENABLE_PIE``: Boolean option to enable Position Independent Executable(PIE) support within generic code in TF-A. This option is currently only supported @@ -741,6 +743,11 @@ Common build options (Coherent memory region is included) or 0 (Coherent memory region is excluded). Default is 1. +- ``USE_ROMLIB``: This flag determines whether library at ROM will be used. + This feature creates a library of functions to be placed in ROM and thus + reduces SRAM usage. Refer to `Library at ROM`_ for further details. Default + is 0. + - ``V``: Verbose build. If assigned anything other than 0, the build commands are printed. Default is 0. 
@@ -1008,18 +1015,13 @@ For AArch64: :: - make PLAT=fvp BL33=<path/to/bl33.bin> fip + make PLAT=fvp BL33=<path-to>/bl33.bin fip For AArch32: :: - make PLAT=fvp ARCH=aarch32 AARCH32_SP=sp_min BL33=<path/to/bl33.bin> fip - -Note that AArch32 support for Normal world boot loader (BL33), like U-boot or -UEFI, on FVP is not available upstream. Hence custom solutions are required to -allow Linux boot on FVP. These instructions assume such a custom boot loader -(BL33) is available. + make PLAT=fvp ARCH=aarch32 AARCH32_SP=sp_min BL33=<path-to>/bl33.bin fip The resulting FIP may be found in: @@ -1049,7 +1051,7 @@ The tool binary can be located in: ./tools/fiptool/fiptool -Invoking the tool with ``--help`` will print a help message with all available +Invoking the tool with ``help`` will print a help message with all available options. Example 1: create a new Firmware package ``fip.bin`` that contains BL2 and BL31: @@ -1270,8 +1272,7 @@ section for more info on selecting the right FDT to use. make [DEBUG=1] [V=1] fiptool # Unpack firmware images from Linaro FIP - ./tools/fiptool/fiptool unpack \ - <path/to/linaro/release>/fip.bin + ./tools/fiptool/fiptool unpack <path-to-linaro-release>/fip.bin The unpack operation will result in a set of binary images extracted to the current working directory. The SCP_BL2 image corresponds to @@ -1281,8 +1282,8 @@ section for more info on selecting the right FDT to use. exist in the current directory. If that is the case, either delete those files or use the ``--force`` option to overwrite. - Note: For AArch32, the instructions below assume that nt-fw.bin is a custom - Normal world boot loader that supports AArch32. + Note: For AArch32, the instructions below assume that nt-fw.bin is a normal + world boot loader that supports AArch32. #. Build TF-A images and create a new FIP for FVP 
@@ -1303,9 +1304,7 @@ section for more info on selecting the right FDT to use. :: - make PLAT=juno all fip \ - BL33=<path-to-juno-oe-uboot>/SOFTWARE/bl33-uboot.bin \ - SCP_BL2=<path-to-juno-busybox-uboot>/SOFTWARE/scp_bl2.bin + make PLAT=juno BL33=nt-fw.bin SCP_BL2=scp-fw.bin all fip For AArch32: @@ -1327,6 +1326,13 @@ section for more info on selecting the right FDT to use. make ARCH=aarch32 PLAT=juno AARCH32_SP=sp_min \ RESET_TO_SP_MIN=1 JUNO_AARCH32_EL3_RUNTIME=1 bl32 + - Save ``bl32.bin`` to a temporary location and clean the build products. + + :: + + cp <path-to-build>/bl32.bin <path-to-temporary> + make realclean + - Before building BL1 and BL2, the environment variable ``CROSS_COMPILE`` must point to the AArch64 Linaro cross compiler. @@ -1340,9 +1346,8 @@ section for more info on selecting the right FDT to use. :: make ARCH=aarch64 PLAT=juno JUNO_AARCH32_EL3_RUNTIME=1 \ - BL33=<path-to-juno32-oe-uboot>/SOFTWARE/bl33-uboot.bin \ - SCP_BL2=<path-to-juno32-oe-uboot>/SOFTWARE/scp_bl2.bin \ - BL32=<path-to-bl32>/bl32.bin all fip + BL33=nt-fw.bin SCP_BL2=scp-fw.bin \ + BL32=<path-to-temporary>/bl32.bin all fip The resulting BL1 and FIP images may be found in: @@ -1498,7 +1503,7 @@ used: :: - -C bp.flashloader1.fname="/path/to/el3-payload" + -C bp.flashloader1.fname="<path-to>/<el3-payload>" On Foundation FVP, there is no flash loader component and the EL3 payload may be programmed anywhere in flash using method 3 below. @@ -1508,15 +1513,15 @@ used: :: - load /path/to/el3-payload.elf + load <path-to>/el3-payload.elf #. The EL3 payload may be pre-loaded in volatile memory using the following model parameters: :: - --data cluster0.cpu0="/path/to/el3-payload"@address [Base FVPs] - --data="/path/to/el3-payload"@address [Foundation FVP] + --data cluster0.cpu0="<path-to>/el3-payload>"@address [Base FVPs] + --data="<path-to>/<el3-payload>"@address [Foundation FVP] The address provided to the FVP must match the ``EL3_PAYLOAD_BASE`` address used when building TF-A. 
@@ -1644,18 +1649,18 @@ The latest version of the AArch64 build of TF-A has been tested on the following Arm FVPs without shifted affinities, and that do not support threaded CPU cores (64-bit host machine only). -NOTE: Unless otherwise stated, the model version is Version 11.4 Build 37. +The FVP models used are Version 11.5 Build 33, unless otherwise stated. -- ``FVP_Base_Aresx4`` - ``FVP_Base_AEMv8A-AEMv8A`` - ``FVP_Base_AEMv8A-AEMv8A-AEMv8A-AEMv8A-CCN502`` -- ``FVP_Base_AEMv8A-AEMv8A`` - ``FVP_Base_RevC-2xAEMv8A`` - ``FVP_Base_Cortex-A32x4`` - ``FVP_Base_Cortex-A35x4`` - ``FVP_Base_Cortex-A53x4`` - ``FVP_Base_Cortex-A55x4+Cortex-A75x4`` - ``FVP_Base_Cortex-A55x4`` +- ``FVP_Base_Cortex-A57x1-A53x1`` +- ``FVP_Base_Cortex-A57x2-A53x4`` - ``FVP_Base_Cortex-A57x4-A53x4`` - ``FVP_Base_Cortex-A57x4`` - ``FVP_Base_Cortex-A72x4-A53x4`` @@ -1664,7 +1669,12 @@ NOTE: Unless otherwise stated, the model version is Version 11.4 Build 37. - ``FVP_Base_Cortex-A73x4`` - ``FVP_Base_Cortex-A75x4`` - ``FVP_Base_Cortex-A76x4`` -- ``FVP_CSS_SGI-575`` (Version 11.3 build 40) +- ``FVP_Base_Neoverse-N1x4`` (Tested with internal model) +- ``FVP_Base_Deimos`` +- ``FVP_CSS_SGI-575`` (Version 11.3 build 42) +- ``FVP_CSS_SGM-775`` (Version 11.3 build 42) +- ``FVP_RD_E1Edge`` (Version 11.3 build 42) +- ``FVP_RD_N1Edge`` (Version 11.3 build 42) - ``Foundation_Platform`` The latest version of the AArch32 build of TF-A has been tested on the following @@ -1826,6 +1836,9 @@ with 8 CPUs using the AArch64 build of TF-A. --data cluster0.cpu0="<path-to>/<kernel-binary>"@0x80080000 \ --data cluster0.cpu0="<path-to>/<ramdisk>"@0x84000000 +Note: The ``FVP_Base_RevC-2xAEMv8A`` has shifted affinities and requires a +specific DTS for all the CPUs to be loaded. + Running on the AEMv8 Base FVP (AArch32) with reset to BL1 entrypoint ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1922,7 +1935,7 @@ with 8 CPUs using the AArch64 build of TF-A. Notes: -- Since Position Independent Executable (PIE) support is enabled for BL31 +- If Position Independent Executable (PIE) support is enabled for BL31 in this config, it can be loaded at any valid address for execution. - Since a FIP is not loaded when using BL31 as reset entrypoint, the @@ -1933,6 +1946,9 @@ Notes: and loaded via the ``--data cluster0.cpu0="<path-to>/<fdt>"@0x82000000`` parameter. +- The ``FVP_Base_RevC-2xAEMv8A`` has shifted affinities and requires a + specific DTS for all the CPUs to be loaded. + - The ``-C cluster<X>.cpu<Y>.RVBAR=@<base-address-of-bl31>`` parameter, where X and Y are the cluster and CPU numbers respectively, is used to set the reset vector for each core. @@ -2077,6 +2093,7 @@ wakeup interrupt from RTC. *Copyright (c) 2013-2019, Arm Limited and Contributors. All rights reserved.* +.. _arm Developer page: https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads .. _Linaro: `Linaro Release Notes`_ .. _Linaro Release: `Linaro Release Notes`_ .. _Linaro Release Notes: https://community.arm.com/dev-platforms/w/docs/226/old-release-notes @@ -2101,3 +2118,4 @@ wakeup interrupt from RTC. .. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022d/Power_State_Coordination_Interface_PDD_v1_1_DEN0022D.pdf .. _Secure Partition Manager Design guide: secure-partition-manager-design.rst .. _`Trusted Firmware-A Coding Guidelines`: coding-guidelines.rst + _`Library at ROM`: romlib-design.rst diff --git a/drivers/synopsys/emmc/dw_mmc.c b/drivers/synopsys/emmc/dw_mmc.c index 4cd1226a..b0dcaa73 100644 --- a/drivers/synopsys/emmc/dw_mmc.c +++ b/drivers/synopsys/emmc/dw_mmc.c 
@@ -426,8 +426,7 @@ void dw_mmc_init(dw_mmc_params_t *params, struct mmc_device_info *info) memcpy(&dw_params, params, sizeof(dw_mmc_params_t)); mmio_write_32(dw_params.reg_base + DWMMC_FIFOTH, 0x103ff); + dw_params.mmc_dev_type = info->mmc_dev_type; mmc_init(&dw_mmc_ops, params->clk_rate, params->bus_width, params->flags, info); - - dw_params.mmc_dev_type = info->mmc_dev_type; } diff --git a/include/lib/cpus/aarch64/neoverse_e1.h b/include/lib/cpus/aarch64/neoverse_e1.h index 70846048..96b4661d 100644 --- a/include/lib/cpus/aarch64/neoverse_e1.h +++ b/include/lib/cpus/aarch64/neoverse_e1.h @@ -9,7 +9,7 @@ #include <lib/utils_def.h> -#define NEOVERSE_E1_MIDR U(0x410FD060) +#define NEOVERSE_E1_MIDR U(0x410FD4A0) /******************************************************************************* * CPU Extended Control register specific definitions. diff --git a/lib/cpus/aarch64/cortex_a76.S b/lib/cpus/aarch64/cortex_a76.S index ac513432..e544018c 100644 --- a/lib/cpus/aarch64/cortex_a76.S +++ b/lib/cpus/aarch64/cortex_a76.S @@ -13,20 +13,17 @@ #include <plat_macros.S> #include <services/arm_arch_svc.h> -#if !DYNAMIC_WORKAROUND_CVE_2018_3639 -#error Cortex A76 requires DYNAMIC_WORKAROUND_CVE_2018_3639=1 -#endif - #define ESR_EL3_A64_SMC0 0x5e000000 #define ESR_EL3_A32_SMC0 0x4e000000 +#if DYNAMIC_WORKAROUND_CVE_2018_3639 /* * This macro applies the mitigation for CVE-2018-3639. - * It implements a fash path where `SMCCC_ARCH_WORKAROUND_2` + * It implements a fast path where `SMCCC_ARCH_WORKAROUND_2` * SMC calls from a lower EL running in AArch32 or AArch64 * will go through the fast and return early. * - * The macro saves x2-x3 to the context. In the fast path + * The macro saves x2-x3 to the context. In the fast path * x0-x3 registers do not need to be restored as the calling * context will have saved them. */ 
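Review bot: Moving the `dw_params.mmc_dev_type = info->mmc_dev_type;` assignment ahead of `mmc_init()` only matters if `mmc_init()` or the `dw_mmc_ops` callbacks it drives read `dw_params.mmc_dev_type`, and that dependency is not visible in the hunk, so a comment should pin the ordering before someone "tidies" it back, e.g. `/* Must precede mmc_init(): the ops callbacks read dw_params.mmc_dev_type */`. `info` is dereferenced without any check here; if callers may legitimately pass NULL, an `assert(info != NULL);` before the assignment fails earlier and more clearly than a fault inside the driver. dw_mmc_init begins before this hunk.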
@@ -63,7 +60,7 @@ * When the calling context wants mitigation disabled, * we program the mitigation disable function in the * CPU context, which gets invoked on subsequent exits from - * EL3 via the `el3_exit` function. Otherwise NULL is + * EL3 via the `el3_exit` function. Otherwise NULL is * programmed in the CPU context, which results in caller's * inheriting the EL3 mitigation state (enabled) on subsequent * `el3_exit`. @@ -82,7 +79,7 @@ .endif 1: /* - * Always enable v4 mitigation during EL3 execution. This is not + * Always enable v4 mitigation during EL3 execution. This is not * required for the fast path above because it does not perform any * memory loads. */ @@ -188,6 +185,7 @@ vector_entry cortex_a76_serror_aarch32 apply_cve_2018_3639_wa _is_sync_exception=0 _esr_el3_val=ESR_EL3_A32_SMC0 b serror_aarch32 end_vector_entry cortex_a76_serror_aarch32 +#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */ /* -------------------------------------------------- * Errata Workaround for Cortex A76 Errata #1073348. @@ -319,9 +317,13 @@ func cortex_a76_reset_func /* If the PE implements SSBS, we don't need the dynamic workaround */ mrs x0, id_aa64pfr1_el1 lsr x0, x0, #ID_AA64PFR1_EL1_SSBS_SHIFT - and x0, x0, #ID_AA64PFR1_EL1_SSBS_MASK + and x0, x0, #ID_AA64PFR1_EL1_SSBS_MASK +#if !DYNAMIC_WORKAROUND_CVE_2018_3639 && ENABLE_ASSERTIONS + cmp x0, 0 + ASM_ASSERT(ne) +#endif +#if DYNAMIC_WORKAROUND_CVE_2018_3639 cbnz x0, 1f - mrs x0, CORTEX_A76_CPUACTLR2_EL1 orr x0, x0, #CORTEX_A76_CPUACTLR2_EL1_DISABLE_LOAD_PASS_STORE msr CORTEX_A76_CPUACTLR2_EL1, x0 
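Review bot: The SSBS check added in the `@@ -319,9 +317,13 @@` hunk is compiled only when ENABLE_ASSERTIONS is set, so a release build with DYNAMIC_WORKAROUND_CVE_2018_3639=0 running on a Cortex-A76 revision without SSBS boots with neither the dynamic mitigation nor any diagnostic, whereas the `#error` removed in the `@@ -13,20 +13,17 @@` hunk rejected that configuration at build time. A comment above the guarded block should record the trade-off, e.g. `/* Without the dynamic workaround SSBS is the only CVE-2018-3639 mitigation; a PE lacking it is a misconfigured build, caught here only when assertions are enabled */`. Consider whether this mismatch deserves an unconditional failure path rather than an assertion that vanishes in release builds. cortex_a76_reset_func starts before this hunk and continues after it.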
@@ -330,16 +332,17 @@ func cortex_a76_reset_func #ifdef IMAGE_BL31 /* * The Cortex-A76 generic vectors are overwritten to use the vectors - * defined above. This is required in order to apply mitigation + * defined above. This is required in order to apply mitigation * against CVE-2018-3639 on exception entry from lower ELs. */ adr x0, cortex_a76_wa_cve_2018_3639_a76_vbar msr vbar_el3, x0 isb -#endif +#endif /* IMAGE_BL31 */ 1: -#endif +#endif /* DYNAMIC_WORKAROUND_CVE_2018_3639 */ +#endif /* WORKAROUND_CVE_2018_3639 */ #if ERRATA_DSU_936184 bl errata_dsu_936184_wa diff --git a/lib/el3_runtime/aarch64/context.S b/lib/el3_runtime/aarch64/context.S index 4371cb2b..e6ab19bc 100644 --- a/lib/el3_runtime/aarch64/context.S +++ b/lib/el3_runtime/aarch64/context.S @@ -356,7 +356,7 @@ func pauth_context_restore msr APIAKeyLo_EL1, x9 msr APIAKeyHi_EL1, x10 - ldp x9, x10, [x11, #CTX_PACIAKEY_LO] + ldp x9, x10, [x11, #CTX_PACIBKEY_LO] msr APIBKeyLo_EL1, x9 msr APIBKeyHi_EL1, x10 diff --git a/lib/romlib/Makefile b/lib/romlib/Makefile index 0e5d4475..12fdfa8e 100644 --- a/lib/romlib/Makefile +++ b/lib/romlib/Makefile @@ -1,5 +1,5 @@ # -# Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # 
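Review bot: The corrected offset in `pauth_context_restore` means the B instruction key was previously reloaded from the A key slot, so a restored context silently ran with the wrong APIB key; the paired save routine is outside this diff and should be checked for the mirrored offset. A short comment keeps the pairing visible to the next editor, e.g. `/* Key B: keep CTX_PACIBKEY_* offsets in sync with pauth_context_save */`. The function body starts before this hunk and continues after it.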
@@ -58,18 +58,15 @@ $(WRAPPER_DIR)/jmpvar.s: $(BUILD_DIR)/romlib.elf @echo " VAR $@" $(Q)./genvar.sh -o $@ $(BUILD_DIR)/romlib.elf -$(LIB_DIR)/libwrappers.a: jmptbl.i $(WRAPPER_DIR)/jmpvar.o +$(LIB_DIR)/libwrappers.a: $(BUILD_DIR)/jmptbl.i $(WRAPPER_DIR)/jmpvar.o @echo " AR $@" $(Q)./genwrappers.sh -b $(WRAPPER_DIR) -o $@ $(BUILD_DIR)/jmptbl.i -$(BUILD_DIR)/jmptbl.s: jmptbl.i +$(BUILD_DIR)/jmptbl.i: $(BUILD_DIR)/jmptbl.s + +$(BUILD_DIR)/jmptbl.s: ../../$(PLAT_DIR)/jmptbl.i @echo " TBL $@" - if [ -e "../../$(PLAT_DIR)/jmptbl.i" ] ; \ - then \ - $(Q)./gentbl.sh -o $@ -b $(BUILD_DIR) ../../$(PLAT_DIR)/jmptbl.i; \ - else \ - @echo "USE_ROMLIB=1 requires jump table list file: jmptbl.i in platform directory"; \ - fi + $(Q)./gentbl.sh -o $@ -b $(BUILD_DIR) ../../$(PLAT_DIR)/jmptbl.i clean: @rm -f $(BUILD_DIR)/* diff --git a/lib/romlib/genwrappers.sh b/lib/romlib/genwrappers.sh index 746e4ba9..07d59ac4 100755 --- a/lib/romlib/genwrappers.sh +++ b/lib/romlib/genwrappers.sh @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause @@ -31,7 +31,7 @@ do done awk '{sub(/[:blank:]*#.*/,"")} -!/^$/ && !/\\tpatch$/ !/\\treserved$/ {print $1*4, $2, $3}' "$@" | +!/^$/ && $NF != "patch" && $NF != "reserved" {print $1*4, $2, $3}' "$@" | while read idx lib sym do file=$build/${lib}_$sym @@ -41,7 +41,7 @@ do $sym: ldr x17, =jmptbl ldr x17, [x17] - mov x16, $idx + mov x16, #$idx add x16, x16, x17 br x16 EOF diff --git a/lib/xlat_tables_v2/xlat_tables_core.c b/lib/xlat_tables_v2/xlat_tables_core.c index 7957b61a..0e6a6fa8 100644 --- a/lib/xlat_tables_v2/xlat_tables_core.c +++ b/lib/xlat_tables_v2/xlat_tables_core.c 
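Review bot: The new rule `$(BUILD_DIR)/jmptbl.i: $(BUILD_DIR)/jmptbl.s` has no recipe, so `jmptbl.i` is presumably produced only as a side effect of the `jmptbl.s` recipe through `gentbl.sh -b $(BUILD_DIR)`; if `jmptbl.i` is deleted while `jmptbl.s` is up to date, make treats it as current and `genwrappers.sh` fails on a missing input. A comment should record the coupling, e.g. `# gentbl.sh writes both jmptbl.s and jmptbl.i into $(BUILD_DIR); the empty rule only orders the dependency`, or the two outputs could hang off a single stamp target. The unchanged `clean` recipe `@rm -f $(BUILD_DIR)/*` is still unguarded against an empty BUILD_DIR.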
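Review bot: The awk line kept as context directly above the changed filter, `sub(/[:blank:]*#.*/,"")`, uses `[:blank:]` outside an enclosing bracket expression, so it matches the literal characters `:`, `b`, `l`, `a`, `n`, `k` rather than whitespace; comments are still stripped because `#.*` matches on its own, but the intended expression is `sub(/[[:blank:]]*#.*/,"")`. The new `$NF != "patch" && $NF != "reserved"` test is a sound replacement for the former concatenated patterns and needs no change.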
@@ -325,9 +325,8 @@ static action_t xlat_tables_unmap_region_action(const mmap_region_t *mm, return action; } - /* - * Function that writes to the translation tables and unmaps the + * Recursive function that writes to the translation tables and unmaps the * specified region. */ static void xlat_tables_unmap_region(xlat_ctx_t *ctx, mmap_region_t *mm, 
@@ -338,137 +337,70 @@ static void xlat_tables_unmap_region(xlat_ctx_t *ctx, mmap_region_t *mm, { assert((level >= ctx->base_level) && (level <= XLAT_TABLE_LEVEL_MAX)); - /* - * data structure to track DESC_TABLE entry before iterate into subtable - * of next translation level. it will be used to restore previous level - * after finish subtable iteration. - */ - struct desc_table_unmap { - uint64_t *table_base; - uintptr_t table_idx_va; - unsigned int idx; - } desc_tables[XLAT_TABLE_LEVEL_MAX + 1] = { - {NULL, 0U, XLAT_TABLE_ENTRIES}, }; - - unsigned int this_level = level; - uint64_t *this_base = table_base; - unsigned int max_entries = table_entries; - size_t level_size = XLAT_BLOCK_SIZE(this_level); - unsigned int table_idx; + uint64_t *subtable; + uint64_t desc; + uintptr_t table_idx_va; + uintptr_t table_idx_end_va; /* End VA of this entry */ uintptr_t region_end_va = mm->base_va + mm->size - 1U; + unsigned int table_idx; + table_idx_va = xlat_tables_find_start_va(mm, table_base_va, level); table_idx = xlat_tables_va_to_index(table_base_va, table_idx_va, level); - while (this_base != NULL) { - - uint64_t desc; - uint64_t desc_type; - uintptr_t table_idx_end_va; /* End VA of this entry */ - action_t action; - - /* finish current xlat level iteration. */ - if (table_idx >= max_entries) { - if (this_level > ctx->base_level) { - xlat_table_dec_regions_count(ctx, this_base); - } - - if (this_level > level) { - uint64_t *subtable; - - /* back from subtable iteration, restore - * previous DESC_TABLE entry. 
- */ - this_level--; - this_base = desc_tables[this_level].table_base; - table_idx = desc_tables[this_level].idx; - table_idx_va = - desc_tables[this_level].table_idx_va; - level_size = XLAT_BLOCK_SIZE(this_level); - - if (this_level == level) { - max_entries = table_entries; - } else { - max_entries = XLAT_TABLE_ENTRIES; - } - - desc = this_base[table_idx]; - subtable = (uint64_t *)(uintptr_t)(desc & TABLE_ADDR_MASK); - /* - * If the subtable is now empty, remove its reference. - */ - if (xlat_table_is_empty(ctx, subtable)) { - this_base[table_idx] = INVALID_DESC; - xlat_arch_tlbi_va(table_idx_va, - ctx->xlat_regime); - } - table_idx++; - table_idx_va += level_size; - - } else { - /* reached end of top level, exit.*/ - this_base = NULL; - break; - } - - } - - /* If reached the end of the region, stop iterating entries in - * current xlat level. - */ - if (region_end_va <= table_idx_va) { - table_idx = max_entries; - continue; - } + while (table_idx < table_entries) { + table_idx_end_va = table_idx_va + XLAT_BLOCK_SIZE(level) - 1U; - table_idx_end_va = table_idx_va + XLAT_BLOCK_SIZE(this_level) - 1U; + desc = table_base[table_idx]; + uint64_t desc_type = desc & DESC_MASK; - desc = this_base[table_idx]; - desc_type = desc & DESC_MASK; - - action = xlat_tables_unmap_region_action(mm, table_idx_va, - table_idx_end_va, - this_level, - desc_type); + action_t action = xlat_tables_unmap_region_action(mm, + table_idx_va, table_idx_end_va, level, + desc_type); if (action == ACTION_WRITE_BLOCK_ENTRY) { - this_base[table_idx] = INVALID_DESC; + + table_base[table_idx] = INVALID_DESC; xlat_arch_tlbi_va(table_idx_va, ctx->xlat_regime); - table_idx++; - table_idx_va += level_size; } else if (action == ACTION_RECURSE_INTO_TABLE) { - uint64_t *subtable; - uintptr_t base_va; - subtable = (uint64_t *)(uintptr_t)(desc & TABLE_ADDR_MASK); - desc_tables[this_level].table_base = this_base; - desc_tables[this_level].table_idx_va = table_idx_va; - base_va = table_idx_va; - 
desc_tables[this_level].idx = table_idx; - - this_base = subtable; - this_level++; - - max_entries = XLAT_TABLE_ENTRIES; - level_size = XLAT_BLOCK_SIZE(this_level); + /* Recurse to write into subtable */ + xlat_tables_unmap_region(ctx, mm, table_idx_va, + subtable, XLAT_TABLE_ENTRIES, + level + 1U); +#if !(HW_ASSISTED_COHERENCY || WARMBOOT_ENABLE_DCACHE_EARLY) + xlat_clean_dcache_range((uintptr_t)subtable, + XLAT_TABLE_ENTRIES * sizeof(uint64_t)); +#endif + /* + * If the subtable is now empty, remove its reference. + */ + if (xlat_table_is_empty(ctx, subtable)) { + table_base[table_idx] = INVALID_DESC; + xlat_arch_tlbi_va(table_idx_va, + ctx->xlat_regime); + } - table_idx_va = xlat_tables_find_start_va(mm, - base_va, this_level); - table_idx = xlat_tables_va_to_index(base_va, - table_idx_va, this_level); } else { assert(action == ACTION_NONE); - - table_idx++; - table_idx_va += level_size; } + + table_idx++; + table_idx_va += XLAT_BLOCK_SIZE(level); + + /* If reached the end of the region, exit */ + if (region_end_va <= table_idx_va) + break; } + + if (level > ctx->base_level) + xlat_table_dec_regions_count(ctx, table_base); } #endif /* PLAT_XLAT_TABLES_DYNAMIC */ 
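Review bot: The recursive form cleans and, when empty, unlinks each subtable after returning from it, but the table passed in as `table_base` is only cleaned by the caller one level up, so for the outermost call nothing in this function cleans the base table; the function comment should state that contract, e.g. `/* The caller is responsible for cleaning table_base to the point of coherency after return */`. The recursion depth is bounded by XLAT_TABLE_LEVEL_MAX minus `level`, which a one-line comment at the recursive call would make explicit for readers concerned about EL3 stack use. The function signature sits between this hunk and the previous one.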
@@ -605,169 +537,105 @@ static action_t xlat_tables_map_region_action(const mmap_region_t *mm, } /* - * Function that writes to the translation tables and maps the + * Recursive function that writes to the translation tables and maps the * specified region. On success, it returns the VA of the last byte that was * successfully mapped. On error, it returns the VA of the next entry that * should have been mapped. */ static uintptr_t xlat_tables_map_region(xlat_ctx_t *ctx, mmap_region_t *mm, - const uintptr_t table_base_va, + uintptr_t table_base_va, uint64_t *const table_base, unsigned int table_entries, unsigned int level) { - assert((level >= ctx->base_level) && (level <= XLAT_TABLE_LEVEL_MAX)); - /* - * data structure to track DESC_TABLE entry before iterate into subtable - * of next translation level. it will be used to restore previous level - * after finish subtable iteration. - */ - struct desc_table_map { - uint64_t *table_base; - uintptr_t table_idx_va; - unsigned int idx; - } desc_tables[XLAT_TABLE_LEVEL_MAX + 1] = { - {NULL, 0U, XLAT_TABLE_ENTRIES}, }; - - unsigned int this_level = level; - uint64_t *this_base = table_base; - unsigned int max_entries = table_entries; - size_t level_size = XLAT_BLOCK_SIZE(this_level); uintptr_t mm_end_va = mm->base_va + mm->size - 1U; uintptr_t table_idx_va; + unsigned long long table_idx_pa; + + uint64_t *subtable; + uint64_t desc; + unsigned int table_idx; table_idx_va = xlat_tables_find_start_va(mm, table_base_va, level); table_idx = xlat_tables_va_to_index(table_base_va, table_idx_va, level); - while (this_base != NULL) { - - uint64_t desc; - uint64_t desc_type; - unsigned long long table_idx_pa; - action_t action; - - /* finish current xlat level iteration. */ - if (table_idx >= max_entries) { - if (this_level <= level) { - this_base = NULL; - break; - } else { - - /* back from subtable iteration, restore - * previous DESC_TABLE entry. 
- */ - this_level--; - level_size = XLAT_BLOCK_SIZE(this_level); - this_base = desc_tables[this_level].table_base; - table_idx = desc_tables[this_level].idx; - if (this_level == level) { - max_entries = table_entries; - } else { - max_entries = XLAT_TABLE_ENTRIES; - } -#if !(HW_ASSISTED_COHERENCY || WARMBOOT_ENABLE_DCACHE_EARLY) - uintptr_t subtable; - desc = this_base[table_idx]; - subtable = (uintptr_t)(desc & TABLE_ADDR_MASK); - xlat_clean_dcache_range(subtable, - XLAT_TABLE_ENTRIES * sizeof(uint64_t)); +#if PLAT_XLAT_TABLES_DYNAMIC + if (level > ctx->base_level) + xlat_table_inc_regions_count(ctx, table_base); #endif - table_idx++; - table_idx_va = - desc_tables[this_level].table_idx_va + - level_size; - } - } + while (table_idx < table_entries) { - desc = this_base[table_idx]; - desc_type = desc & DESC_MASK; + desc = table_base[table_idx]; table_idx_pa = mm->base_pa + table_idx_va - mm->base_va; - /* If reached the end of the region, simply exit since we - * already write all BLOCK entries and create all required - * subtables. - */ - if (mm_end_va <= table_idx_va) { - this_base = NULL; - break; - } - - action = xlat_tables_map_region_action(mm, desc_type, - table_idx_pa, table_idx_va, this_level); + action_t action = xlat_tables_map_region_action(mm, + (uint32_t)(desc & DESC_MASK), table_idx_pa, + table_idx_va, level); if (action == ACTION_WRITE_BLOCK_ENTRY) { - this_base[table_idx] = xlat_desc(ctx, mm->attr, - table_idx_pa, this_level); - table_idx++; - table_idx_va += level_size; - } else if (action == ACTION_CREATE_NEW_TABLE) { - uintptr_t base_va; + table_base[table_idx] = + xlat_desc(ctx, (uint32_t)mm->attr, table_idx_pa, + level); + + } else if (action == ACTION_CREATE_NEW_TABLE) { + uintptr_t end_va; - uint64_t *subtable = xlat_table_get_empty(ctx); + subtable = xlat_table_get_empty(ctx); if (subtable == NULL) { - /* Not enough free tables to map this region. 
*/ + /* Not enough free tables to map this region */ return table_idx_va; } /* Point to new subtable from this one. */ - this_base[table_idx] = TABLE_DESC | (unsigned long)subtable; - - desc_tables[this_level].table_base = this_base; - desc_tables[this_level].table_idx_va = table_idx_va; - desc_tables[this_level].idx = table_idx; - base_va = table_idx_va; - - this_level++; - this_base = subtable; - level_size = XLAT_BLOCK_SIZE(this_level); - table_idx_va = xlat_tables_find_start_va(mm, base_va, - this_level); - table_idx = xlat_tables_va_to_index(base_va, - table_idx_va, this_level); - max_entries = XLAT_TABLE_ENTRIES; + table_base[table_idx] = TABLE_DESC | (unsigned long)subtable; -#if PLAT_XLAT_TABLES_DYNAMIC - if (this_level > ctx->base_level) { - xlat_table_inc_regions_count(ctx, subtable); - } + /* Recurse to write into subtable */ + end_va = xlat_tables_map_region(ctx, mm, table_idx_va, + subtable, XLAT_TABLE_ENTRIES, + level + 1U); +#if !(HW_ASSISTED_COHERENCY || WARMBOOT_ENABLE_DCACHE_EARLY) + xlat_clean_dcache_range((uintptr_t)subtable, + XLAT_TABLE_ENTRIES * sizeof(uint64_t)); #endif + if (end_va != + (table_idx_va + XLAT_BLOCK_SIZE(level) - 1U)) + return end_va; } else if (action == ACTION_RECURSE_INTO_TABLE) { + uintptr_t end_va; - uintptr_t base_va; - uint64_t *subtable = (uint64_t *)(uintptr_t)(desc & TABLE_ADDR_MASK); - - desc_tables[this_level].table_base = this_base; - desc_tables[this_level].table_idx_va = table_idx_va; - desc_tables[this_level].idx = table_idx; - base_va = table_idx_va; - - this_level++; - level_size = XLAT_BLOCK_SIZE(this_level); - table_idx_va = xlat_tables_find_start_va(mm, base_va, - this_level); - table_idx = xlat_tables_va_to_index(base_va, - table_idx_va, this_level); - this_base = subtable; - max_entries = XLAT_TABLE_ENTRIES; - -#if PLAT_XLAT_TABLES_DYNAMIC - if (this_level > ctx->base_level) { - xlat_table_inc_regions_count(ctx, subtable); - } + subtable = (uint64_t *)(uintptr_t)(desc & TABLE_ADDR_MASK); + /* Recurse to 
write into subtable */ + end_va = xlat_tables_map_region(ctx, mm, table_idx_va, + subtable, XLAT_TABLE_ENTRIES, + level + 1U); +#if !(HW_ASSISTED_COHERENCY || WARMBOOT_ENABLE_DCACHE_EARLY) + xlat_clean_dcache_range((uintptr_t)subtable, + XLAT_TABLE_ENTRIES * sizeof(uint64_t)); #endif + if (end_va != + (table_idx_va + XLAT_BLOCK_SIZE(level) - 1U)) + return end_va; + } else { + assert(action == ACTION_NONE); - table_idx++; - table_idx_va += level_size; + } + + table_idx++; + table_idx_va += XLAT_BLOCK_SIZE(level); + + /* If reached the end of the region, exit */ + if (mm_end_va <= table_idx_va) + break; } return table_idx_va - 1U; diff --git a/lib/xlat_tables_v2/xlat_tables_utils.c b/lib/xlat_tables_v2/xlat_tables_utils.c index 7d0449af..f5848a25 100644 --- a/lib/xlat_tables_v2/xlat_tables_utils.c +++ b/lib/xlat_tables_v2/xlat_tables_utils.c @@ -109,7 +109,7 @@ static const char *invalid_descriptors_ommited = "%s(%d invalid descriptors omitted)\n"; /* - * Function that reads the translation tables passed as an argument + * Recursive function that reads the translation tables passed as an argument * and prints their status. */ static void xlat_tables_print_internal(xlat_ctx_t *ctx, uintptr_t table_base_va, 
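Review bot: In the `ACTION_CREATE_NEW_TABLE` branch the fresh table is linked into `table_base` before the recursive call, so when the recursion returns early because a deeper `xlat_table_get_empty()` failed, the parent keeps a descriptor pointing at a partially filled subtable; presumably the caller rolls this back by unmapping the region, and a comment at the `return end_va;` saying so would make that contract explicit. The recurse/clean/propagate sequence is duplicated verbatim between the `ACTION_CREATE_NEW_TABLE` and `ACTION_RECURSE_INTO_TABLE` branches; a small static helper taking `subtable` and `table_idx_va` would keep the `HW_ASSISTED_COHERENCY` clean guard in one place. The function's closing brace is outside this hunk.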
@@ -118,23 +118,10 @@ static void xlat_tables_print_internal(xlat_ctx_t *ctx, uintptr_t table_base_va, { assert(level <= XLAT_TABLE_LEVEL_MAX); - /* - * data structure to track DESC_TABLE entry before iterate into subtable - * of next translation level. it will be restored after return from - * subtable iteration. - */ - struct desc_table { - const uint64_t *table_base; - uintptr_t table_idx_va; - unsigned int idx; - } desc_tables[XLAT_TABLE_LEVEL_MAX + 1] = { - {NULL, 0U, XLAT_TABLE_ENTRIES}, }; - unsigned int this_level = level; - const uint64_t *this_base = table_base; - unsigned int max_entries = table_entries; - size_t level_size = XLAT_BLOCK_SIZE(this_level); - unsigned int table_idx = 0U; + uint64_t desc; uintptr_t table_idx_va = table_base_va; + unsigned int table_idx = 0U; + size_t level_size = XLAT_BLOCK_SIZE(level); /* * Keep track of how many invalid descriptors are counted in a row. 
@@ -144,110 +131,67 @@ static void xlat_tables_print_internal(xlat_ctx_t *ctx, uintptr_t table_base_va, */ int invalid_row_count = 0; - while (this_base != NULL) { - /* finish current xlat level */ - if (table_idx >= max_entries) { + while (table_idx < table_entries) { + + desc = table_base[table_idx]; + + if ((desc & DESC_MASK) == INVALID_DESC) { + + if (invalid_row_count == 0) { + printf("%sVA:0x%lx size:0x%zx\n", + level_spacers[level], + table_idx_va, level_size); + } + invalid_row_count++; + + } else { + if (invalid_row_count > 1) { printf(invalid_descriptors_ommited, - level_spacers[this_level], - invalid_row_count - 1); + level_spacers[level], + invalid_row_count - 1); } invalid_row_count = 0; - /* no parent level to iterate. */ - if (this_level <= level) { - this_base = NULL; - table_idx = max_entries + 1; - } else { - /* retore previous DESC_TABLE entry and start - * to iterate. - */ - this_level--; - level_size = XLAT_BLOCK_SIZE(this_level); - this_base = desc_tables[this_level].table_base; - table_idx = desc_tables[this_level].idx; - table_idx_va = - desc_tables[this_level].table_idx_va; - if (this_level == level) { - max_entries = table_entries; - } else { - max_entries = XLAT_TABLE_ENTRIES; - } - - assert(this_base != NULL); - } - } else { - uint64_t desc = this_base[table_idx]; - - if ((desc & DESC_MASK) == INVALID_DESC) { - if (invalid_row_count == 0) { - printf("%sVA:0x%lx size:0x%zx\n", - level_spacers[this_level], - table_idx_va, level_size); - } - invalid_row_count++; - table_idx++; - table_idx_va += level_size; - } else { - if (invalid_row_count > 1) { - printf(invalid_descriptors_ommited, - level_spacers[this_level], - invalid_row_count - 1); - } - invalid_row_count = 0; + /* + * Check if this is a table or a block. Tables are only + * allowed in levels other than 3, but DESC_PAGE has the + * same value as DESC_TABLE, so we need to check. 
+ */ + if (((desc & DESC_MASK) == TABLE_DESC) && + (level < XLAT_TABLE_LEVEL_MAX)) { /* - * Check if this is a table or a block. Tables - * are only allowed in levels other than 3, but - * DESC_PAGE has the same value as DESC_TABLE, - * so we need to check. + * Do not print any PA for a table descriptor, + * as it doesn't directly map physical memory + * but instead points to the next translation + * table in the translation table walk. */ + printf("%sVA:0x%lx size:0x%zx\n", + level_spacers[level], + table_idx_va, level_size); + + uintptr_t addr_inner = desc & TABLE_ADDR_MASK; - if (((desc & DESC_MASK) == TABLE_DESC) && - (this_level < XLAT_TABLE_LEVEL_MAX)) { - uintptr_t addr_inner; - - /* - * Do not print any PA for a table - * descriptor, as it doesn't directly - * map physical memory but instead - * points to the next translation - * table in the translation table walk. - */ - printf("%sVA:0x%lx size:0x%zx\n", - level_spacers[this_level], - table_idx_va, level_size); - - addr_inner = desc & TABLE_ADDR_MASK; - /* save current xlat level */ - desc_tables[this_level].table_base = - this_base; - desc_tables[this_level].idx = - table_idx + 1; - desc_tables[this_level].table_idx_va = - table_idx_va + level_size; - - /* start iterating next level entries */ - this_base = (uint64_t *)addr_inner; - max_entries = XLAT_TABLE_ENTRIES; - this_level++; - level_size = - XLAT_BLOCK_SIZE(this_level); - table_idx = 0U; - } else { - printf("%sVA:0x%lx PA:0x%llx size:0x%zx ", - level_spacers[this_level], - table_idx_va, - (uint64_t)(desc & TABLE_ADDR_MASK), - level_size); - xlat_desc_print(ctx, desc); - printf("\n"); - - table_idx++; - table_idx_va += level_size; - - } + xlat_tables_print_internal(ctx, table_idx_va, + (uint64_t *)addr_inner, + XLAT_TABLE_ENTRIES, level + 1U); + } else { + printf("%sVA:0x%lx PA:0x%llx size:0x%zx ", + level_spacers[level], table_idx_va, + (uint64_t)(desc & TABLE_ADDR_MASK), + level_size); + xlat_desc_print(ctx, desc); + printf("\n"); } } + + 
table_idx++; + table_idx_va += level_size; + } + + if (invalid_row_count > 1) { + printf(invalid_descriptors_ommited, + level_spacers[level], invalid_row_count - 1); } } diff --git a/plat/arm/board/fvp/jmptbl.i b/plat/arm/board/fvp/jmptbl.i index 8d232d58..bfa9b561 100644 --- a/plat/arm/board/fvp/jmptbl.i +++ b/plat/arm/board/fvp/jmptbl.i @@ -1,5 +1,5 @@ # -# Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -14,4 +14,32 @@ # rom rom_lib_init # fdt fdt_getprop_namelen patch -include ../../lib/romlib/jmptbl.i +rom rom_lib_init +fdt fdt_getprop_namelen +fdt fdt_setprop_inplace +fdt fdt_check_header +fdt fdt_node_offset_by_compatible +mbedtls mbedtls_asn1_get_alg +mbedtls mbedtls_asn1_get_alg_null +mbedtls mbedtls_asn1_get_bitstring_null +mbedtls mbedtls_asn1_get_bool +mbedtls mbedtls_asn1_get_int +mbedtls mbedtls_asn1_get_tag +mbedtls mbedtls_free +mbedtls mbedtls_md +mbedtls mbedtls_md_get_size +mbedtls mbedtls_memory_buffer_alloc_init +mbedtls mbedtls_oid_get_md_alg +mbedtls mbedtls_oid_get_numeric_string +mbedtls mbedtls_oid_get_pk_alg +mbedtls mbedtls_oid_get_sig_alg +mbedtls mbedtls_pk_free +mbedtls mbedtls_pk_init +mbedtls mbedtls_pk_parse_subpubkey +mbedtls mbedtls_pk_verify_ext +mbedtls mbedtls_platform_set_snprintf +mbedtls mbedtls_x509_get_rsassa_pss_params +mbedtls mbedtls_x509_get_sig_alg +mbedtls mbedtls_md_info_from_type +c exit +c atexit diff --git a/plat/arm/board/juno/jmptbl.i b/plat/arm/board/juno/jmptbl.i index 8d232d58..bfa9b561 100644 --- a/plat/arm/board/juno/jmptbl.i +++ b/plat/arm/board/juno/jmptbl.i @@ -1,5 +1,5 @@ # -# Copyright (c) 2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2018-2019, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # 
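Review bot: The recursive call passes `(uint64_t *)addr_inner` although the callee only reads the table; if the `table_base` parameter is declared `const uint64_t *` (its declaration is outside this hunk, but the removed `const uint64_t *this_base = table_base;` suggests it is) the cast should be `(const uint64_t *)addr_inner` so const-correctness is not silently dropped. The `invalid_row_count > 1` report added after the loop correctly replaces the per-level flush the iterative version performed when popping a level, and the `level < XLAT_TABLE_LEVEL_MAX` check bounds the recursion. The function starts in the previous hunk.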
@@ -14,4 +14,32 @@ # rom rom_lib_init # fdt fdt_getprop_namelen patch -include ../../lib/romlib/jmptbl.i +rom rom_lib_init +fdt fdt_getprop_namelen +fdt fdt_setprop_inplace +fdt fdt_check_header +fdt fdt_node_offset_by_compatible +mbedtls mbedtls_asn1_get_alg +mbedtls mbedtls_asn1_get_alg_null +mbedtls mbedtls_asn1_get_bitstring_null +mbedtls mbedtls_asn1_get_bool +mbedtls mbedtls_asn1_get_int +mbedtls mbedtls_asn1_get_tag +mbedtls mbedtls_free +mbedtls mbedtls_md +mbedtls mbedtls_md_get_size +mbedtls mbedtls_memory_buffer_alloc_init +mbedtls mbedtls_oid_get_md_alg +mbedtls mbedtls_oid_get_numeric_string +mbedtls mbedtls_oid_get_pk_alg +mbedtls mbedtls_oid_get_sig_alg +mbedtls mbedtls_pk_free +mbedtls mbedtls_pk_init +mbedtls mbedtls_pk_parse_subpubkey +mbedtls mbedtls_pk_verify_ext +mbedtls mbedtls_platform_set_snprintf +mbedtls mbedtls_x509_get_rsassa_pss_params +mbedtls mbedtls_x509_get_sig_alg +mbedtls mbedtls_md_info_from_type +c exit +c atexit diff --git a/plat/arm/common/aarch64/arm_pauth.c b/plat/arm/common/aarch64/arm_pauth.c index c8471190..a685c319 100644 --- a/plat/arm/common/aarch64/arm_pauth.c +++ b/plat/arm/common/aarch64/arm_pauth.c @@ -9,11 +9,9 @@ /* * Instruction pointer authentication key A. The low 64-bit are at [0], and the - * high bits at [1]. They are run-time constants so they are placed in the - * rodata section. They are written before MMU is turned on and the permissions - * are effective. + * high bits at [1]. */ -uint64_t plat_apiakey[2] __section("rodata.apiakey"); +uint64_t plat_apiakey[2]; /* * This is only a toy implementation to generate a seemingly random 128-bit key @@ -1,4 +1,4 @@ -Trusted Firmware-A - version 2.0 +Trusted Firmware-A - version 2.1 ================================ Trusted Firmware-A (TF-A) provides a reference implementation of secure world 
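Review bot: The fvp `jmptbl.i` now carries a hand-maintained list in place of the shared `include ../../lib/romlib/jmptbl.i`, and the `plat/arm/board/juno/jmptbl.i` hunk introduces an identical copy, so the two files will drift unless kept in sync manually. If gentbl.sh assigns jump-table slots in file order, as the `$1*4` arithmetic in genwrappers.sh suggests, the entry order is part of the ABI between a ROM-resident library and the patched wrappers, and a header comment such as `# Entry order defines the jump table index; append new entries, never reorder` would protect it.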
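Review bot: Dropping `__section("rodata.apiakey")` moves `plat_apiakey` from read-only data into ordinary writable storage, and the removed comment was the only record of why it lived in rodata (written before the MMU made permissions effective); the new comment should state why writable placement is now required and what, if anything, replaces that protection, e.g. `/* Kept in writable memory because <reason>; the key is therefore not guarded by page permissions once the MMU is on */` with the real reason filled in. Since the variable now stays writable for the lifetime of BL31, the PAuth design notes should mention that any later write to it changes the key used for subsequently signed return addresses.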
@@ -15,6 +15,13 @@ such as: Where possible, the code is designed for reuse or porting to other Armv7-A and Armv8-A model and hardware platforms. +This release provides a suitable starting point for productization of secure +world boot and runtime firmware, in either the AArch32 or AArch64 execution +states. + +Users are encouraged to do their own security validation, including penetration +testing, on any secure world code derived from TF-A. + Arm will continue development in collaboration with interested parties to provide a full reference implementation of Secure Monitor code and Arm standards to the benefit of all developers working with Armv7-A and Armv8-A TrustZone @@ -53,18 +60,8 @@ license text is included in those source files. BSD-3-Clause license. Any contributions to this code must be made under the terms of both licenses. -This release ------------- - -This release provides a suitable starting point for productization of secure -world boot and runtime firmware, in either the AArch32 or AArch64 execution -states. - -Users are encouraged to do their own security validation, including penetration -testing, on any secure world code derived from TF-A. - Functionality -~~~~~~~~~~~~~ +------------- - Initialization of the secure world, for example exception vectors, control registers and interrupts for the platform. 
@@ -136,37 +133,50 @@ Functionality - Support for the GCC, LLVM and Arm Compiler 6 toolchains. -- Support for combining several libraries into a self-called "romlib" image - that may be shared across images to reduce memory footprint. The romlib image - is stored in ROM but is accessed through a jump-table that may be stored +- Support for combining several libraries into a "romlib" image that may be + shared across images to reduce memory footprint. The romlib image is stored + in ROM but is accessed through a jump-table that may be stored in read-write memory, allowing for the library code to be patched. +- A prototype implementation of a Secure Partition Manager (SPM) that is based + on the SPCI Alpha 1 and SPRT draft specifications. + +- Support for ARMv8.3 pointer authentication in the normal and secure worlds. + The use of pointer authentication in the normal world is enabled whenever + architectural support is available, without the need for additional build + flags. Use of pointer authentication in the secure world remains an + experimental configuration at this time and requires the ``ENABLE_PAUTH`` + build flag to be set. + +- Position-Independent Executable (PIE) support. Initially for BL31 only, with + further support to be added in a future release. + For a full description of functionality and implementation details, please see the `Firmware Design`_ and supporting documentation. The `Change Log`_ provides details of changes made since the last release. Platforms -~~~~~~~~~ +--------- Various AArch32 and AArch64 builds of this release have been tested on r0, r1 and r2 variants of the `Juno Arm Development Platform`_. 
-Various AArch64 builds of this release have been tested on the following Arm -Fixed Virtual Platforms (`FVP`_) without shifted affinities that do not -support threaded CPU cores (64-bit host machine only): +The latest version of the AArch64 build of TF-A has been tested on the following +Arm FVPs without shifted affinities, and that do not support threaded CPU cores +(64-bit host machine only). -NOTE: Unless otherwise stated, the model version is Version 11.4 Build 37. +The FVP models used are Version 11.5 Build 33, unless otherwise stated. -- ``FVP_Base_Aresx4`` - ``FVP_Base_AEMv8A-AEMv8A`` - ``FVP_Base_AEMv8A-AEMv8A-AEMv8A-AEMv8A-CCN502`` -- ``FVP_Base_AEMv8A-AEMv8A`` - ``FVP_Base_RevC-2xAEMv8A`` - ``FVP_Base_Cortex-A32x4`` - ``FVP_Base_Cortex-A35x4`` - ``FVP_Base_Cortex-A53x4`` - ``FVP_Base_Cortex-A55x4+Cortex-A75x4`` - ``FVP_Base_Cortex-A55x4`` +- ``FVP_Base_Cortex-A57x1-A53x1`` +- ``FVP_Base_Cortex-A57x2-A53x4`` - ``FVP_Base_Cortex-A57x4-A53x4`` - ``FVP_Base_Cortex-A57x4`` - ``FVP_Base_Cortex-A72x4-A53x4`` 
@@ -175,16 +185,23 @@ NOTE: Unless otherwise stated, the model version is Version 11.4 Build 37. - ``FVP_Base_Cortex-A73x4`` - ``FVP_Base_Cortex-A75x4`` - ``FVP_Base_Cortex-A76x4`` -- ``FVP_CSS_SGI-575`` (Version 11.3 build 40) +- ``FVP_Base_Neoverse-N1x4`` (Tested with internal model) +- ``FVP_Base_Deimos`` +- ``FVP_CSS_SGI-575`` (Version 11.3 build 42) +- ``FVP_CSS_SGM-775`` (Version 11.3 build 42) +- ``FVP_RD_E1Edge`` (Version 11.3 build 42) +- ``FVP_RD_N1Edge`` (Version 11.3 build 42) - ``Foundation_Platform`` The latest version of the AArch32 build of TF-A has been tested on the following -Arm FVPs without shifted affinities that do not support threaded CPU cores +Arm FVPs without shifted affinities, and that do not support threaded CPU cores (64-bit host machine only). - ``FVP_Base_AEMv8A-AEMv8A`` - ``FVP_Base_Cortex-A32x4`` +NOTE: The ``FVP_Base_RevC-2xAEMv8A`` FVP only supports shifted affinities. + The Foundation FVP can be downloaded free of charge. The Base FVPs can be licensed from Arm. See the `Arm FVP website`_. 
@@ -192,18 +209,23 @@ All the above platforms have been tested with `Linaro Release 18.04`_. This release also contains the following platform support: -- Allwinner sun50i_64 and sun50i_h6 +- Allwinner sun50i_a64 and sun50i_h6 - Amlogic Meson S905 (GXBB) -- Arm SGI-575, RDN1Edge, RDE1Edge and SGM-775 -- Arm Neoverse N1 System Development Platform +- Arm Juno Software Development Platform +- Arm Neoverse N1 System Development Platform (N1SDP) +- Arm Neoverse Reference Design N1 Edge (RD-N1-Edge) FVP +- Arm Neoverse Reference Design E1 Edge (RD-E1-Edge) FVP +- Arm SGI-575 and SGM-775 +- Arm Versatile Express FVP - HiKey, HiKey960 and Poplar boards +- Intel Stratix 10 SoC FPGA - Marvell Armada 3700 and 8K - MediaTek MT6795 and MT8173 SoCs - NVIDIA T132, T186 and T210 SoCs -- NXP QorIQ LS1043A, i.MX8MQ, i.MX8QX, i.MX8QM and i.MX7Solo WaRP7 +- NXP QorIQ LS1043A, i.MX8MM, i.MX8MQ, i.MX8QX, i.MX8QM and i.MX7Solo WaRP7 - QEMU - Raspberry Pi 3 -- R-Car Generation 3 +- Renesas R-Car Generation 3 - RockChip RK3328, RK3368 and RK3399 SoCs - Socionext UniPhier SoC family and SynQuacer SC2A11 SoCs - STMicroelectronics STM32MP1 @@ -211,11 +233,16 @@ This release also contains the following platform support: - Xilinx Versal and Zynq UltraScale + MPSoC Still to come -~~~~~~~~~~~~~ +------------- + +- Support for additional platforms. -- More platform support. +- Refinements to Position Independent Executable (PIE) support. -- Position independent executable (PIE) support. +- Refinements to the SPCI-based SPM implementation as the draft SPCI and SPRT + specifications continue to evolve. + +- Documentation enhancements. - Ongoing support for new architectural features, CPUs and System IP. 
@@ -243,6 +270,12 @@ See the `Contributing Guidelines`_ for information on how to contribute to this project and the `Acknowledgments`_ file for a list of contributors to the project. +Documentation contents +~~~~~~~~~~~~~~~~~~~~~~ + +The `Trusted Firmware-A Documentation Contents`_ page contains an overview of +the documentation that is available, with links to facilitate easier browsing. + IRC channel ~~~~~~~~~~~ @@ -261,7 +294,7 @@ vulnerability, please report this using the process defined in the TF-A Arm licensees may contact Arm directly via their partner managers. Security advisories -~~~~~~~~~~~~~~~~~~~ +------------------- - `Security Advisory TFV-1`_ - `Security Advisory TFV-2`_ @@ -313,3 +346,4 @@ Security advisories .. _Security Advisory TFV-6: ./docs/security_advisories/security-advisory-tfv-6.rst .. _Security Advisory TFV-7: ./docs/security_advisories/security-advisory-tfv-7.rst .. _Security Advisory TFV-8: ./docs/security_advisories/security-advisory-tfv-8.rst +.. _Trusted Firmware-A Documentation Contents: ./docs/contents.rst |