|Age||Commit message (Collapse)||Author|
This patch adds the functionality needed for platforms to provide
Branch Target Identification (BTI) extension, introduced to AArch64
in Armv8.5-A by adding BTI instruction used to mark valid targets
for indirect branches. The patch sets new GP bit  to the stage 1
Translation Table Block and Page entries to denote guarded EL3 code
pages which will cause processor to trap instructions in protected
pages trying to perform an indirect branch to any instruction other
BTI feature is selected by BRANCH_PROTECTION option which supersedes
the previous ENABLE_PAUTH used for Armv8.3-A Pointer Authentication
and is disabled by default. Enabling BTI requires compiler support
and was tested with GCC versions 9.0.0, 9.0.1 and 10.0.0.
The assembly macros and helpers are modified to accommodate the BTI
This is an experimental feature.
Note. The previous ENABLE_PAUTH build option to enable PAuth in EL3
is now made as an internal flag and BRANCH_PROTECTION flag should be
used instead to enable Pointer Authentication.
Note. USE_LIBROM=1 option is currently not supported.
Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
The size increase after enabling options related to ARMv8.3-PAuth is:
| | text | bss | data | rodata |
| CTX_INCLUDE_PAUTH_REGS = 1 | +40 | +0 | +0 | +0 |
| | 0.4% | | | |
| ENABLE_PAUTH = 1 | +352 | +0 | +16 | +0 |
| | 3.1% | | 15.8% | |
Results calculated with the following build configuration:
make PLAT=fvp SPD=tspd DEBUG=1 \
Signed-off-by: Antonio Nino Diaz <email@example.com>
To make software license auditing simpler, use SPDX license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
Signed-off-by: dp-arm <firstname.lastname@example.org>
This patch moves the assembly exclusive lock library code
`spinlock.S` into architecture specific folder `aarch64`.
A stub file which includes the file from new location is
retained at the original location for compatibility. The BL
makefiles are also modified to include the file from the new
As an initial stage of making Trusted Firmware build environment more
portable, we remove most uses of the $(shell ) function and replace them
with more portable make function based solutions.
Note that the setting of BUILD_STRING still uses $(shell ) since it's
not possible to reimplement this as a make function. Avoiding invocation
of this on incompatible host platforms will be implemented separately.
This patch removes the dash character from the image name, to
follow the image terminology in the Trusted Firmware Wiki page:
Changes apply to output messages, comments and documentation.
non-ARM platform files have been left unmodified.
Update the top level makefile to allow platform ports to exist in
subdirectories at any level instead of one level under `plat/`. The
makefile recursively searches for all files called `platform.mk` in
all subdirectories of `plat/`. The directory containing
`platform.mk` is the platform name. Platform names must be unique
across the codebase.
Replace usage of HELP_PLATFORMS in the Makefile with PLATFORMS since
these are both used to report the same information back to the user.
Update the TSP and cert_create tool makefiles in a similar way
to support a deeper platform port directory structure.
Also add PLAT_<plat_name> as a define passed through the top level
makefile to the source files, to allow build time variation in common
* Move TSP platform porting functions to new file:
* Create new TSP_IRQ_SEC_PHY_TIMER definition for use by the generic
TSP interrupt handling code, instead of depending on the FVP
specific definition IRQ_SEC_PHY_TIMER.
* Rename TSP platform porting functions from bl32_* to tsp_*, and
definitions from BL32_* to TSP_*.
* Update generic TSP code to use new platform porting function names
* Update FVP port accordingly and move all TSP source files to:
* Update porting guide with above changes.
Note: THIS CHANGE REQUIRES ALL PLATFORM PORTS OF THE TSP TO
This patch adds support for BL3-2 initialization by asynchronous
method where BL3-1 transfers control to BL3-2 using world switch.
After BL3-2 initialization, it transfers control to BL3-3 via SPD
service handler. The SPD service handler initializes the CPU context
to BL3-3 entrypoint depending on the return function indentifier from
This patch adds support in the TSP to handle FIQ interrupts that are
generated when execution is in the TSP. S-EL1 interrupt are handled
normally and execution resumes at the instruction where the exception
was originally taken. S-EL3 interrupts i.e. any interrupt not
recognized by the TSP are handed to the TSPD. Execution resumes
normally once such an interrupt has been handled at EL3.
This patch adds support in the TSP for handling S-EL1 interrupts
handed over by the TSPD. It includes GIC support in its platform port,
updates various statistics related to FIQ handling, exports an entry
point that the TSPD can use to hand over interrupts and defines the
handover protocol w.r.t what context is the TSP expected to preserve
and the state in which the entry point is invoked by the TSPD.
This patch adds support in the TSP to program the secure physical
generic timer to generate a EL-1 interrupt every half second. It also
adds support for maintaining the timer state across power management
operations. The TSPD ensures that S-EL1 can access the timer by
programming the SCR_EL3.ST bit.
This patch does not actually enable the timer. This will be done in a
subsequent patch once the complete framework for handling S-EL1
interrupts is in place.
Remove all usage of the vpath keyword in makefiles as it was prone
to mistakes. Specify the relative paths to source files instead.
Also reorder source files in makefiles alphabetically.
Move almost all system include files to a logical sub-directory
under ./include. The only remaining system include directories
not under ./include are specific to the platform. Move the
corresponding source files to match the include directory
Also remove pm.h as it is no longer used.
bl1/aarch64/early_exceptions.S used to be re-used by BL2, BL3-1 and
BL3-2. There was some early SMC handling code in there that was not
required by the other bootloader stages. Therefore this patch
introduces an even simpler exception vector source file for BL2,
BL3-1 and BL3-2.
The Test Secure-EL1 Payload implementation should always have a
platform-specific component. Therefore, there should always
be a platform-specific sub-makefile for the TSP. If there is
none then assume TSP is not supported on this specific platform
and throw an error at build time if the user tries to compile it.
At present, the entry point for each BL image is specified via the
Makefiles and provided on the command line to the linker. When using a
link script the entry point should rather be specified via the ENTRY()
directive in the link script.
This patch updates linker scripts of all BL images to specify the entry
point using the ENTRY() directive. It also removes the --entry flag
passed to the linker through Makefile.
Fixes issue ARM-software/tf-issues#66
This change requires all platforms to now specify a list of source files
rather than object files.
New source files should preferably be specified by using the path as
well and we should add this in the future for all files so we can remove
use of vpath. This is desirable because vpath hides issues like the fact
that BL2 currently pulls in a BL1 file bl1/aarch64/early_exceptions.S
and if in the future we added bl2/aarch64/early_exceptions.S then it's
likely only one of the two version would be used for both bootloaders.
This change also removes the 'dump' build target and simply gets
bootloaders to always generate a dump file. At the same time the -x
option is added so the section headers and symbols table are listed.
Signed-off-by: Jon Medhurst <email@example.com>
This patch adds the TSPD service which is responsible for managing
communication between the non-secure state and the Test Secure Payload
(TSP) executing in S-EL1.
The TSPD does the following:
1. Determines the location of the TSP (BL3-2) image and passes control
to it for initialization. This is done by exporting the 'bl32_init()'
2. Receives a structure containing the various entry points into the TSP
image as a response to being initialized. The TSPD uses this
information to determine how the TSP should be entered depending on
the type of operation.
3. Implements a synchronous mechanism for entering into and returning
from the TSP image. This mechanism saves the current C runtime
context on top of the current stack and jumps to the TSP through an
ERET instruction. The TSP issues an SMC to indicate completion of the
previous request. The TSPD restores the saved C runtime context and
resumes TSP execution.
This patch also introduces a Make variable 'SPD' to choose the specific
SPD to include in the build. By default, no SPDs are included in the
Co-authored-by: Jeenu Viswambharan <firstname.lastname@example.org>
This patch adds a simple TSP as the BL3-2 image. The secure payload
executes in S-EL1. It paves the way for the addition of the TSP
dispatcher runtime service to BL3-1. The TSP and the dispatcher service
will serve as an example of the runtime firmware's ability to toggle
execution between the non-secure and secure states in response to SMC
request from the non-secure state. The TSP will be replaced by a
Trusted OS in a real system.
The TSP also exports a set of handlers which should be called in
response to a PSCI power management event e.g a cpu being suspended or
turned off. For now it runs out of Secure DRAM on the ARM FVP port and
will be moved to Secure SRAM later. The default translation table setup
code assumes that the caller is executing out of secure SRAM. Hence the
TSP exports its own translation table setup function.
The TSP only services Fast SMCs, is non-reentrant and non-interruptible.
It does arithmetic operations on two sets of four operands, one set
supplied by the non-secure client, and the other supplied by the TSP
dispatcher in EL3. It returns the result according to the Secure Monitor
Calling convention standard.
This TSP has two functional entry points:
- An initial, one-time entry point through which the TSP is initialized
and prepares for receiving further requests from secure
- A fast SMC service entry point through which the TSP dispatcher
requests secure services on behalf of the non-secure client
Co-authored-by: Jeenu Viswambharan <email@example.com>