|Age||Commit message (Collapse)||Author|
Rework the "Memory layout on FVP platforms" section in the Firmware
Design document. Add information about where the TSP image fits
in the memory layout when present.
Add documentation for the base addresses of each bootloader image
in the porting guide.
The generic image loading and IO FIP code no longer forces the
platform to create BL3-2 (Secure-EL1 Payload) specific
definitions. The BL3-2 loading code in bl2/bl2main.c is wrapped
by a #ifdef BL32_BASE blocks, allowing the BL3-2 definitions to
be optional. Similarly for the name_uuid array defintion in
Also update the porting guide to reflect this change.
The BL3-2 platform definitions remain non-configurably present
in the FVP port.
This patch adds a common handler for FIQ and IRQ exceptions in the
BL3-1 runtime exception vector table. This function determines the
interrupt type and calls its handler. A crash is reported if an
inconsistency in the interrupt management framework is detected. In
the event of a spurious interrupt, execution resumes from the
instruction where the interrupt was generated.
This patch also removes 'cm_macros.S' as its contents have been moved
This patch introduces a framework for registering interrupts routed to
EL3. The interrupt routing model is governed by the SCR_EL3.IRQ and
FIQ bits and the security state an interrupt is generated in. The
framework recognizes three type of interrupts depending upon which
exception level and security state they should be handled in
i.e. Secure EL1 interrupts, Non-secure interrupts and EL3
interrupts. It provides an API and macros that allow a runtime service
to register an handler for a type of interrupt and specify the routing
model. The framework validates the routing model and uses the context
management framework to ensure that it is applied to the SCR_EL3 prior
to entry into the target security state. It saves the handler in
internal data structures. An API is provided to retrieve the handler
when an interrupt of a particular type is asserted. Registration is
expected to be done once by the primary CPU. The same handler and
routing model is used for all CPUs.
Support for EL3 interrupts will be added to the framework in the
future. A makefile flag has been added to allow the FVP port choose
between ARM GIC v2 and v3 support in EL3. The latter version is
A framework for handling interrupts in BL3-1 will be introduced in
subsequent patches. The default routing model in the absence of any
handlers expects no interrupts to be routed to EL3.
Add a section in the user guide explaining how to compile the TSP
image and include it into the FIP. This includes instructions to make
the TSP run from Trusted DRAM (rather than Trusted SRAM) on FVP.
The TSP's linker script used to assume that the TSP would
execute from secure DRAM. Although it is currently the case
on FVPs, platforms are free to use any secure memory they wish.
This patch introduces the flexibility to load the TSP into any
secure memory. The platform code gets to specify the extents of
this memory in the platform header file, as well as the BL3-2 image
limit address. The latter definition allows to check in a generic way
that the BL3-2 image fits in its bounds.
TZC-400 is configured to set the last 16MB of DRAM1 as secure memory and
the rest of DRAM as non-secure. Non-secure software must not attempt to
access the 16MB secure area.
Device tree files (sources and binaries) have been updated to match this
configuration, removing that memory from the Linux physical memory map.
To use UEFI and Linux with this patch, the latest version of UEFI and
the updated device tree files are required. Check the user guide in the
documentation for more details.
Replaced magic numbers with #define for memory region definition in the
platform security initialization function.
Improve BL3-0 documentation
Provide some information about the expected use of BL3-0.
At present, non-secure timer register contents are saved and restored as
part of world switch by BL3-1. This effectively means that the
non-secure timer stops, and non-secure timer interrupts are prevented
from asserting until BL3-1 switches back, introducing latency for
non-secure services. Often, secure world might depend on alternate
sources for secure interrupts (secure timer or platform timer) instead
of non-secure timers, in which case this save and restore is
This patch introduces a boolean build-time configuration NS_TIMER_SWITCH
to choose whether or not to save and restore non-secure timer registers
upon world switch. The default choice is made not to save and restore
This patch implements the register reporting when unhandled exceptions are
taken in BL3-1. Unhandled exceptions will result in a dump of registers
to the console, before halting execution by that CPU. The Crash Stack,
previously called the Exception Stack, is used for this activity.
This stack is used to preserve the CPU context and runtime stack
contents for debugging and analysis.
This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3,
to provide easy access to some of BL3-1 per-cpu data structures.
Initially, this is used to provide a pointer to the Crash stack.
panic() now prints the the error file and line number in Debug mode
and prints the PC value in release mode.
The Exception Stack is renamed to Crash Stack with this patch.
The original intention of exception stack is no longer valid
since we intend to support several valid exceptions like IRQ
and FIQ in the trusted firmware context. This stack is now
utilized for dumping and reporting the system state when a
crash happens and hence the rename.
Fixes ARM-software/tf-issues#79 Improve reporting of unhandled exception
The TZC configuration on FVP was incorrectly allowing both secure
and non-secure accesses to the DRAM, which can cause aliasing
problems for software. It was also not enabling virtio access on
This patch fixes both of those issues. The patch also enabless
non-secure access to the DDR RAM for all devices with defined IDs.
The third region of DDR RAM has been removed from the configuration
as this is not used in any of the FVP models.
The BL images share common stack management code which provides
one coherent and one cacheable stack for every CPU. BL1 and BL2
just execute on the primary CPU during boot and do not require
the additional CPU stacks. This patch provides separate stack
support code for UP and MP images, substantially reducing the
RAM usage for BL1 and BL2 for the FVP platform.
This patch also provides macros for declaring stacks and
calculating stack base addresses to improve consistency where
this has to be done in the firmware.
The stack allocation source files are now included via
platform.mk rather than the common BLx makefiles. This allows
each platform to select the appropriate MP/UP stack support
for each BL image.
Each platform makefile must be updated when including this
BL3-1 architecture setup code programs the system counter frequency
into the CNTFRQ_EL0 register. This frequency is defined by the
platform, though. This patch introduces a new platform hook that
the architecture setup code can call to retrieve this information.
In the ARM FVP port, this returns the first entry of the frequency
modes table from the memory mapped generic timer.
All system counter setup code has been removed from BL1 as some
platforms may not have initialized the system counters at this stage.
The platform specific settings done exclusively in BL1 have been moved
to BL3-1. In the ARM FVP port, this consists in enabling and
initializing the System level generic timer. Also, the frequency change
request in the counter control register has been set to 0 to make it
explicit it's using the base frequency. The CNTCR_FCREQ() macro has been
fixed in this context to give an entry number rather than a bitmask.
In future, when support for firmware update is implemented, there
is a case where BL1 platform specific code will need to program
the counter frequency. This should be implemented at that time.
This patch also updates the relevant documentation.
It properly fixes ARM-software/tf-issues#24
This reverts commit 1c297bf015226c182b66498d5a64b8b51c7624f5
because it introduced a bug: the CNTFRQ_EL0 register was no
longer programmed by all CPUs. bl31_platform_setup() function
is invoked only in the cold boot path and consequently only
on the primary cpu.
A subsequent commit will correctly implement the necessary changes
to the counter frequency setup code.
This patch reworks the console driver to ensure that each bootloader stage
initializes it independently. As a result, both BL3-1 and BL2 platform code
now calls console_init() instead of relying on BL1 to perform console setup
This patch implements ARM Standard Service as a runtime service and adds
support for call count, UID and revision information SMCs. The existing
PSCI implementation is subsumed by the Standard Service calls and all
PSCI calls are therefore dispatched by the Standard Service to the PSCI
At present, PSCI is the only specification under Standard Service. Thus
call count returns the number of PSCI calls implemented. As this is the
initial implementation, a revision number of 0.1 is returned for call
At present, bl1_arch_setup() and bl31_arch_setup() program the counter
frequency using a value from the memory mapped generic timer. The
generic timer however is not necessarily present on all ARM systems
(although it is architected to be present on all server systems).
This patch moves the timer setup to platform-specific code and updates
the relevant documentation. Also, CNTR.FCREQ is set as the specification
requires the bit corresponding to the counter's frequency to be set when
enabling. Since we intend to use the base frequency, set bit 8.
If a platform doesn't specify a BLx_SOURCE variable, then building
of the corresponding bootloader isn't attempted. Also allow BL3-3 to
be omitted from the FIP.
Note, this change also removes support for PLAT=all and the 'fip' target
from the 'all' recipe.
Signed-off-by: Jon Medhurst <firstname.lastname@example.org>
Update the readme.md and change-log.md with release information.
Also, remove the "Detailed changes since last release" section of
the change-log.md since the same information can be found in the
GIT commit messages. Fixes ARM-software/tf-issues#22.
Consolidate firmware-design.md and porting-guide.pm so
that recently added sections fit better with
pre-existing sections. Make the documentation more
consistent in use of terminology.
1. Add design information on EL3 runtime services and
Secure-EL1 Payload Dispatchers (SPD) to
2. Create new EL3 runtime service writer's guide
(rt-svc-writers-guide.md) to ease creation of new
Move the firmware design documentation out of user-guide.md
and into a new file - firmware-design.md. Reformat the
1. Update user-guide.md with the latest versions of dependent
components required by the tested configurations of ARM Trusted
Firmware. This includes the tested versions of Fixed Virtual
Platforms (FVPs), toolchain, EFI Development Kit 2(EDK2),
Linux kernel and Linux file system.
2. Remove the instructions to configure the Cortex Base FVP
with the legacy GICv2 memory map as this is no longer supported
since version 5.3 of the Base FVPs.
3. General tidyup of "Using the software" section.
The UART used to be initialised in bl1_platform_setup(). This is too
late because there are some calls to the assert() macro, which needs
to print some messages on the console, before that.
This patch moves the UART initialisation code to
This patch adds the following support to the BL3-1 stage:
1. BL3-1 allows runtime services to specify and determine the security
state of the next image after BL3-1. This has been done by adding
the `bl31_set_next_image_type()` & `bl31_get_next_image_type()`
apis. The default security state is non-secure. The platform api
`bl31_get_next_image_info()` has been modified to let the platform
decide which is the next image in the desired security state.
2. BL3-1 exports the `bl31_prepare_next_image_entry()` function to
program entry into the target security state. It uses the apis
introduced in 1. to do so.
3. BL3-1 reads the information populated by BL2 about the BL3-2 image
into its internal data structures.
4. BL3-1 introduces a weakly defined reference `bl32_init()` to allow
initialisation of a BL3-2 image. A runtime service like the Secure
payload dispatcher will define this function if present.
This patch adds support for loading a BL3-2 image in BL2. In case a
BL3-2 image is found, it also passes information to BL3-1 about where it
is located and the extents of memory available to it. Information about
memory extents is populated by platform specific code.
The documentation has also been updated to reflect the above changes.
Co-authored-by: Jeenu Viswambharan <email@example.com>
This patch reworks BL2 to BL3-1 hand over interface by introducing a
composite structure (bl31_args) that holds the superset of information
that needs to be passed from BL2 to BL3-1.
- The extents of secure memory available to BL3-1
- The extents of memory available to BL3-2 (not yet implemented) and
- Information to execute BL3-2 (not yet implemented) and BL3-3 images
This patch also introduces a new platform API (bl2_get_bl31_args_ptr)
that needs to be implemented by the platform code to export reference to
bl31_args structure which has been allocated in platform-defined memory.
The platform will initialize the extents of memory available to BL3-3
during early platform setup in bl31_args structure. This obviates the
need for bl2_get_ns_mem_layout platform API.
BL2 calls the bl2_get_bl31_args_ptr function to get a reference to
bl31_args structure. It uses the 'bl33_meminfo' field of this structure
to load the BL3-3 image. It sets the entry point information for the
BL3-3 image in the 'bl33_image_info' field of this structure. The
reference to this structure is passed to the BL3-1 image.
Also fixes issue ARM-software/tf-issues#25
This fixes ARM-software/tf-issues#9
New phony Makefile targets have been added:
The checkcodebase target will run a Linux style compliance check over the
entire codebase, and honours the V=1 Makefile verbose setting and so will
show more information when this is enabled.
If the local directory is a git checkout then the output of git ls-files is
used to decide which files to test for compliance. If the local directory
is not under git control then a 'best attempt' is made, but in this case it
should be noted that it is possible for additional non-codebase files to be
tested, so care should be taken when parsing the output.
The checkpatch target will compare local changes against the git origin/master
to allow issues with the last set of changes to be identified. To override
the change comparision location, set the BASE_COMMIT variable to your
desired git branch.
Both targets rely on the Linux source tree script checkpatch.pl to do the
syntax checking, and expects that the CHECKPATCH environment variable points
to the location of this file.
Notes on the usage of these targets have been added to the contributing.md
and docs/user-guide.md text files.
The psci implementation does not track target affinity level requests
specified during cpu_suspend calls correctly as per the following
1. cpu0.cluster0 calls cpu_suspend with the target affinity level as 0
2. Only the cpu0.cluster0 is powered down while cluster0 remains
3. cpu1.cluster0 calls cpu_off to power itself down to highest
possible affinity level
4. cluster0 will be powered off even though cpu0.cluster0 does not
allow cluster shutdown
This patch introduces reference counts at affinity levels > 0 to track
the number of cpus which want an affinity instance at level X to
remain powered up. This instance can be turned off only if its
reference count is 0. Cpus still undergo the normal state transitions
(ON, OFF, ON_PENDING, SUSPEND) but the higher levels can only be
either ON or OFF depending upon their reference count.
The above issue is thus fixed as follows:
1. cluster0's reference count is incremented by two when cpu0 and cpu1
are initially powered on.
2. cpu0.cluster0 calls cpu_suspend with the target affinity level as
0. This does not affect the cluster0 reference count.
3. Only the cpu0.cluster0 is powered down while cluster0 remains
powered up as it has a non-zero reference count.
4. cpu1.cluster0 call cpu_off to power itself down to highest possible
affinity level. This decrements the cluster0 reference count.
5. cluster0 is still not powered off since its reference count will at
least be 1 due to the restriction placed by cpu0.
The FVP platform has a few filenames that begin with fvp_. These are
renamed to plat_ to make it easier to use the FVP port as a template.
Signed-off-by: Ryan Harkin <firstname.lastname@example.org>
Move all explicit platform or architecture specific references
into a new platform.mk file that is defined for each platform.
Signed-off-by: Ryan Harkin <email@example.com>
The GICv3 distributor can have more ports than CPUs are available in
the system. Probe all re-distributors and use the matching affinity
levels as specified by each core and re-distributor to decide which
re-distributor to use with which CPU core.
If a core cannot be matched with a re-distributor, the core panics and
is placed in an endless loop.
Traps when accessing architectural features are disabled by clearing bits
in CPTR_EL3 during early boot, including accesses to floating point
registers. The value of this register was previously undetermined, causing
unwanted traps to EL3. Future EL3 code (for example, context save/restore
code) may use floating point registers, although they are not used by current
Also, the '-mgeneral-regs-only' flag is enabled in the GCC settings to
prevent generation of code that uses floating point registers.
Update documentation to refer to separate issue tracking
In order to reduce the software dependency on the compiler, the project
is now compiled with the '-ffreestanding' flag. This is to prevent GCC
from replacing functions with more optimised versions. An example is
where GCC replaces a simple printf() with a puts().
- Update porting guide to describe where files live and how to get
FreeBSD source code.
- Update change-log to describe relocation and new functions.
Platform setup code has to reserve some memory for storing the
memory layout information. It is populated in early platform setup
blx_get_sec_mem_layout() functions used to return a copy of this
structure. This patch modifies blx_get_sec_mem_layout() functions
so that they now directly return a pointer to their memory layout
structure. It ensures that the memory layout returned by
blx_get_sec_mem_layout() is always up-to-date and also avoids a
useless copy of the meminfo structure.
Also rename blx_get_sec_mem_layout() to blx_plat_sec_mem_layout()
to make it clear those functions are platform specific.
This patch makes changes to the documents to reflect the current
state of play of the psci cpu_suspend function.
In fvp_affinst_on/suspend, the non-secure entrypoint is always
expected to lie in the DRAM. This check will not be valid if
non-secure code executes directly out of flash e.g. a baremetal
test. This patch removes this check.