|Age||Commit message (Collapse)||Author|
bl2_main() was overwriting any platform set X1 parameter for BL3-1
with the value zero.
This patch ensure that any platform set value is correctly passed
to BL3-1. The FVP port adds a check to verify this parameter is
being passed correctly.
At present the arguments for BL3-3 in the entry_point_info
structure are not being transferred to X0-X7 before starting
execution of this image
This patch saves the args for BL3-3 into cpu context used
for its entry
Rename the ic_* platform porting functions to plat_ic_* to be
consistent with the other functions in platform.h. Also rename
bl31_get_next_image_info() to bl31_plat_get_next_image_ep_info()
and remove the duplicate declaration in bl31.h.
Remove the FVP specific comments in platform.h since this file
is re-usable across all platforms.
This patch fixes a missed return and code alignment issues
in TSP_FID_RESUME handling.
Previously, the enable_mmu_elX() functions were implicitly part of
the platform porting layer since they were included by generic
code. These functions have been placed behind 2 new platform
functions, bl31_plat_enable_mmu() and bl32_plat_enable_mmu().
These are weakly defined so that they can be optionally overridden
by platform ports.
Also, the enable_mmu_elX() functions have been moved to
lib/aarch64/xlat_tables.c for optional re-use by platform ports.
These functions are tightly coupled with the translation table
FVP specific files and functions containing the word "plat" have been
renamed to use the word "fvp" to distinguish them from the common
platform functionality and porting functions.
Some platform porting functions were in BL specific header files.
These have been moved to platform.h so that all porting functions
are in the same place. The functions are now grouped by BL.
Obsolete BL headers files have been removed.
Also, the weak declaration of the init_bl2_mem_layout() function
has been moved out the header file and into the source file
(bl_common.c) using the more succinct #pragma syntax. This
mitigates the risk of 2 weak definitions being created and the
wrong one being picked up by the compiler.
Previously, platform.h contained many declarations and definitions
used for different purposes. This file has been split so that:
* Platform definitions used by common code that must be defined
by the platform are now in platform_def.h. The exact include
path is exported through $PLAT_INCLUDES in the platform makefile.
* Platform definitions specific to the FVP platform are now in
* Platform API declarations specific to the FVP platform are now
* The remaining platform API declarations that must be ported by
each platform are still in platform.h but this file has been
moved to /include/plat/common since this can be shared by all
Some data variables were declared but not used. These have been
Function declarations implicitly have external linkage so do not
need the extern keyword.
Rework the "Memory layout on FVP platforms" section in the Firmware
Design document. Add information about where the TSP image fits
in the memory layout when present.
Add documentation for the base addresses of each bootloader image
in the porting guide.
Currently the platform code gets to define the base address of each
boot loader image. However, the linker scripts couteract this
flexibility by enforcing a fixed overall layout of the different
images. For example, they require that the BL3-1 image sits below
the BL2 image. Choosing BL3-1 and BL2 base addresses in such a way
that it violates this constraint makes the build fail at link-time.
This patch requires the platform code to now define a limit address
for each image. The linker scripts check that the image fits within
these bounds so they don't rely anymore on the position of a given
image in regard to the others.
BL1 RO and RW base address used to be fixed, respectively to the first
address of the Trusted ROM and the first address of the Trusted RAM.
Introduce new platform defines to configure the BL1 RO and RW base
At present BL3-1 has access to all of the SRAM, including
regions that are mapped as read-only and non-cacheable by other
This patch restricts BL3-1 to only be able to read/write from
memory used for its own data sections
The TSP has a number of entrypoints used by the TSP on different
occasions. These were provided to the TSPD as a table of function
pointers, and required the TSPD to read the entry in the table,
which is in TSP memory, in order to program the exception return
Ideally, the TSPD has no access to the TSP memory.
This patch changes the table of function pointers into a vector
table of single instruction entrypoints. This allows the TSPD to
calculate the entrypoint address instead of read it.
Implements support for Non Secure Interrupts preempting the
Standard SMC call in EL1. Whenever an IRQ is trapped in the
Secure world we securely handover to the Normal world
to process the interrupt. The normal world then issues
"resume" smc call to resume the previous interrupted SMC call.
The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE blocks, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array defintion in
Also update the porting guide to reflect this change.
The BL3-2 platform definitions remain non-configurably present
in the FVP port.
This patch enables secure physical timer during TSP initialisation and
maintains it across power management operations so that a timer
interrupt is generated every half second.
This patch adds support in the TSPD for registering a handler for
S-EL1 interrupts. This handler ferries the interrupts generated in the
non-secure state to the TSP at 'tsp_fiq_entry'. Support has been added
to the smc handler to resume execution in the non-secure state once
interrupt handling has been completed by the TSP.
There is also support for resuming execution in the normal world if
the TSP receives a EL3 interrupt. This code is currently unused.
This patch adds support in the TSP to handle FIQ interrupts that are
generated when execution is in the TSP. S-EL1 interrupt are handled
normally and execution resumes at the instruction where the exception
was originally taken. S-EL3 interrupts i.e. any interrupt not
recognized by the TSP are handed to the TSPD. Execution resumes
normally once such an interrupt has been handled at EL3.
This patch adds support in the TSP for handling S-EL1 interrupts
handed over by the TSPD. It includes GIC support in its platform port,
updates various statistics related to FIQ handling, exports an entry
point that the TSPD can use to hand over interrupts and defines the
handover protocol w.r.t what context is the TSP expected to preserve
and the state in which the entry point is invoked by the TSPD.
This patch adds support in the TSP to program the secure physical
generic timer to generate a EL-1 interrupt every half second. It also
adds support for maintaining the timer state across power management
operations. The TSPD ensures that S-EL1 can access the timer by
programming the SCR_EL3.ST bit.
This patch does not actually enable the timer. This will be done in a
subsequent patch once the complete framework for handling S-EL1
interrupts is in place.
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.
This patch also removes 'cm_macros.S' as its contents have been moved
This patch introduces a set of functions which allow generic firmware
code e.g. the interrupt management framework to access the platform
interrupt controller. APIs for finding the type and id of the highest
pending interrupt, acknowledging and EOIing an interrupt and finding
the security state of an interrupt have been added. It is assumed that
the platform interrupt controller implements the v2.0 of the ARM GIC
architecture specification. Support for v3.0 of the specification for
managing interrupts in EL3 and the platform port will be added in the
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
This patch adds an API to write to any bit in the SCR_EL3 member of
the 'cpu_context' structure of the current CPU for a specified
security state. This API will be used in subsequent patches which
introduce interrupt management in EL3 to specify the interrupt routing
model when execution is not in EL3.
It also renames the cm_set_el3_elr() function to cm_set_elr_el3()
which is more in line with the system register name being targeted by
This patch lays the foundation for using the per-cpu 'state' field in
the 'tsp_context' structure for other flags apart from the power state
of the TSP.
It allocates 2 bits for the power state, introduces the necessary
macros to manipulate the power state in the 'state' field and
accordingly reworks all use of the TSP_STATE_* states.
It also allocates a flag bit to determine if the TSP is handling a
standard SMC. If this flag is set then the TSP was interrupted due to
non-secure or EL3 interupt depending upon the chosen routing
model. Macros to get, set and clear this flag have been added as
well. This flag will be used by subsequent patches.
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.
The TSP used to execute from secure DRAM on the FVPs because there was
not enough space in Trusted SRAM to fit it in. Thanks to recent RAM
usage enhancements being implemented, we have made enough savings for
the TSP to execute in SRAM.
However, there is no contiguous free chunk of SRAM big enough to hold
the TSP. Therefore, the different bootloader images need to be moved
around to reduce memory fragmentation. This patch keeps the overall
memory layout (i.e. keeping BL1 R/W at the bottom, BL2 at the top and
BL3-1 in between) but moves the base addresses of all the bootloader
images in such a way that:
- memory fragmentation is reduced enough to fit BL3-2 in;
- new base addresses are suitable for release builds as well as debug
- each image has a few extra kilobytes for future growth.
BL3-1 and BL3-2 are the images which received the biggest slice
of the cake since they will most probably grow the most.
A few useful numbers for reference (valid at the time of this patch):
| image size (debug) | extra space for the future
BL1 R/W | 20 KB | 4 KB
BL2 | 44 KB | 4 KB
BL3-1 | 108 KB | 12 KB
BL3-2 | 56 KB | 8 KB
Total | 228 KB | 28 KB = 256 KB
Although on FVPs the TSP now executes from Trusted SRAM by default,
this patch keeps the option to execute it from Trusted DRAM. This is
controlled by the build configuration 'TSP_RAM_LOCATION'.
The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.
This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
This change adds optional reset vector support to BL3-1
which means BL3-1 entry point can detect cold/warm boot,
initialise primary cpu, set up cci and mail box.
When using BL3-1 as a reset vector it is assumed that
the BL3-1 platform code can determine the location of
the BL3-2 images, or load them as there are no parameters
that can be passed to BL3-1 at reset.
It also fixes the incorrect initialisation of mailbox
registers on the FVP platform
This feature can be enabled by building the code with
make variable RESET_TO_BL31 set as 1
The issues addressed in this patch are:
1. Remove meminfo_t from the common interfaces in BL3-x,
expecting that platform code will find a suitable mechanism
to determine the memory extents in these images and provide
it to the BL3-x images.
2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x
code as the images use link-time information to determine
meminfo_t is still used by common interface in BL1/BL2 for
This patch is based on spec published at
It rearranges the bl31_args struct into
bl31_params and bl31_plat_params which provide the
information needed for Trusted firmware and platform
specific data via x0 and x1
On the FVP platform BL3-1 params and BL3-1 plat params
and its constituents are stored at the start of TZDRAM.
The information about memory availability and size for
BL3-1, BL3-2 and BL3-3 is moved into platform specific data.
This patch reworks the handover interface from: BL1 to BL2 and
BL2 to BL3-1. It removes the raise_el(), change_el(), drop_el()
and run_image() functions as they catered for code paths that were
BL1 calls bl1_run_bl2() to jump into BL2 instead of doing the same
by calling run_image(). Similarly, BL2 issues the SMC to transfer
execution to BL3-1 through BL1 directly. Only x0 and x1 are used
to pass arguments to BL31. These arguments and parameters for
running BL3-1 are passed through a reference to a
'el_change_info_t' structure. They were being passed value in
general purpose registers earlier.
This patch introduces macros (SPSR_64 and SPSR_32) to
create a SPSR for both aarch32 and aarch64 execution
states. These macros allow the user to set fields
in the SPSR depending upon its format.
The make_spsr() function which did not allow
manipulation of all the fields in the aarch32 SPSR
has been replaced by these new macros.