diff options
Diffstat (limited to 'include/common')
-rw-r--r-- | include/common/aarch32/asm_macros.S | 159 | ||||
-rw-r--r-- | include/common/aarch32/assert_macros.S | 26 | ||||
-rw-r--r-- | include/common/aarch32/el3_common_macros.S | 314 | ||||
-rw-r--r-- | include/common/aarch64/asm_macros.S | 195 | ||||
-rw-r--r-- | include/common/aarch64/assert_macros.S | 29 | ||||
-rw-r--r-- | include/common/aarch64/el3_common_macros.S | 344 | ||||
-rw-r--r-- | include/common/asm_macros.S | 197 | ||||
-rw-r--r-- | include/common/asm_macros_common.S | 109 | ||||
-rw-r--r-- | include/common/assert_macros.S | 49 | ||||
-rw-r--r-- | include/common/auth.h | 88 | ||||
-rw-r--r-- | include/common/bl_common.h | 307 | ||||
-rw-r--r-- | include/common/debug.h | 66 | ||||
-rw-r--r-- | include/common/desc_image_load.h | 39 | ||||
-rw-r--r-- | include/common/ep_info.h | 123 | ||||
-rw-r--r-- | include/common/firmware_image_package.h | 92 | ||||
-rw-r--r-- | include/common/interrupt_props.h | 29 | ||||
-rw-r--r-- | include/common/param_header.h | 54 | ||||
-rw-r--r-- | include/common/runtime_svc.h | 130 | ||||
-rw-r--r-- | include/common/tbbr/cot_def.h | 14 | ||||
-rw-r--r-- | include/common/tbbr/tbbr_img_def.h | 63 |
20 files changed, 1814 insertions, 613 deletions
diff --git a/include/common/aarch32/asm_macros.S b/include/common/aarch32/asm_macros.S new file mode 100644 index 00000000..f5737449 --- /dev/null +++ b/include/common/aarch32/asm_macros.S @@ -0,0 +1,159 @@ +/* + * Copyright (c) 2016-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __ASM_MACROS_S__ +#define __ASM_MACROS_S__ + +#include <arch.h> +#include <asm_macros_common.S> +#include <spinlock.h> + +#define WORD_SIZE 4 + + /* + * Co processor register accessors + */ + .macro ldcopr reg, coproc, opc1, CRn, CRm, opc2 + mrc \coproc, \opc1, \reg, \CRn, \CRm, \opc2 + .endm + + .macro ldcopr16 reg1, reg2, coproc, opc1, CRm + mrrc \coproc, \opc1, \reg1, \reg2, \CRm + .endm + + .macro stcopr reg, coproc, opc1, CRn, CRm, opc2 + mcr \coproc, \opc1, \reg, \CRn, \CRm, \opc2 + .endm + + .macro stcopr16 reg1, reg2, coproc, opc1, CRm + mcrr \coproc, \opc1, \reg1, \reg2, \CRm + .endm + + /* Cache line size helpers */ + .macro dcache_line_size reg, tmp + ldcopr \tmp, CTR + ubfx \tmp, \tmp, #CTR_DMINLINE_SHIFT, #CTR_DMINLINE_WIDTH + mov \reg, #WORD_SIZE + lsl \reg, \reg, \tmp + .endm + + .macro icache_line_size reg, tmp + ldcopr \tmp, CTR + and \tmp, \tmp, #CTR_IMINLINE_MASK + mov \reg, #WORD_SIZE + lsl \reg, \reg, \tmp + .endm + + /* + * Declare the exception vector table, enforcing it is aligned on a + * 32 byte boundary. + */ + .macro vector_base label + .section .vectors, "ax" + .align 5 + \label: + .endm + + /* + * This macro calculates the base address of the current CPU's multi + * processor(MP) stack using the plat_my_core_pos() index, the name of + * the stack storage and the size of each stack. + * Out: r0 = physical address of stack base + * Clobber: r14, r1, r2 + */ + .macro get_my_mp_stack _name, _size + bl plat_my_core_pos + ldr r2, =(\_name + \_size) + mov r1, #\_size + mla r0, r0, r1, r2 + .endm + + /* + * This macro calculates the base address of a uniprocessor(UP) stack + * using the name of the stack storage and the size of the stack + * Out: r0 = physical address of stack base + */ + .macro get_up_stack _name, _size + ldr r0, =(\_name + \_size) + .endm + + /* + * Helper macro to generate the best mov/movw/movt combinations + * according to the value to be moved. + */ + .macro mov_imm _reg, _val + .if ((\_val) & 0xffff0000) == 0 + mov \_reg, #(\_val) + .else + movw \_reg, #((\_val) & 0xffff) + movt \_reg, #((\_val) >> 16) + .endif + .endm + + /* + * Macro to mark instances where we're jumping to a function and don't + * expect a return. To provide the function being jumped to with + * additional information, we use 'bl' instruction to jump rather than + * 'b'. + * + * Debuggers infer the location of a call from where LR points to, which + * is usually the instruction after 'bl'. If this macro expansion + * happens to be the last location in a function, that'll cause the LR + * to point a location beyond the function, thereby misleading debugger + * back trace. We therefore insert a 'nop' after the function call for + * debug builds, unless 'skip_nop' parameter is non-zero. + */ + .macro no_ret _func:req, skip_nop=0 + bl \_func +#if DEBUG + .ifeq \skip_nop + nop + .endif +#endif + .endm + + /* + * Reserve space for a spin lock in assembly file. + */ + .macro define_asm_spinlock _name:req + .align SPINLOCK_ASM_ALIGN + \_name: + .space SPINLOCK_ASM_SIZE + .endm + + /* + * Helper macro to OR the bottom 32 bits of `_val` into `_reg_l` + * and the top 32 bits of `_val` into `_reg_h`. If either the bottom + * or top word of `_val` is zero, the corresponding OR operation + * is skipped. + */ + .macro orr64_imm _reg_l, _reg_h, _val + .if (\_val >> 32) + orr \_reg_h, \_reg_h, #(\_val >> 32) + .endif + .if (\_val & 0xffffffff) + orr \_reg_l, \_reg_l, #(\_val & 0xffffffff) + .endif + .endm + + /* + * Helper macro to bitwise-clear bits in `_reg_l` and + * `_reg_h` given a 64 bit immediate `_val`. The set bits + * in the bottom word of `_val` dictate which bits from + * `_reg_l` should be cleared. Similarly, the set bits in + * the top word of `_val` dictate which bits from `_reg_h` + * should be cleared. If either the bottom or top word of + * `_val` is zero, the corresponding BIC operation is skipped. + */ + .macro bic64_imm _reg_l, _reg_h, _val + .if (\_val >> 32) + bic \_reg_h, \_reg_h, #(\_val >> 32) + .endif + .if (\_val & 0xffffffff) + bic \_reg_l, \_reg_l, #(\_val & 0xffffffff) + .endif + .endm + +#endif /* __ASM_MACROS_S__ */ diff --git a/include/common/aarch32/assert_macros.S b/include/common/aarch32/assert_macros.S new file mode 100644 index 00000000..c9588106 --- /dev/null +++ b/include/common/aarch32/assert_macros.S @@ -0,0 +1,26 @@ +/* + * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __ASSERT_MACROS_S__ +#define __ASSERT_MACROS_S__ + + /* + * Assembler macro to enable asm_assert. We assume that the stack is + * initialized prior to invoking this macro. + */ +#define ASM_ASSERT(_cc) \ +.ifndef .L_assert_filename ;\ + .pushsection .rodata.str1.1, "aS" ;\ + .L_assert_filename: ;\ + .string __FILE__ ;\ + .popsection ;\ +.endif ;\ + b##_cc 300f ;\ + ldr r0, =.L_assert_filename ;\ + ldr r1, =__LINE__ ;\ + b asm_assert;\ +300: + +#endif /* __ASSERT_MACROS_S__ */ diff --git a/include/common/aarch32/el3_common_macros.S b/include/common/aarch32/el3_common_macros.S new file mode 100644 index 00000000..6fc00dd2 --- /dev/null +++ b/include/common/aarch32/el3_common_macros.S @@ -0,0 +1,314 @@ +/* + * Copyright (c) 2016-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __EL3_COMMON_MACROS_S__ +#define __EL3_COMMON_MACROS_S__ + +#include <arch.h> +#include <asm_macros.S> +#include <assert_macros.S> + + /* + * Helper macro to initialise EL3 registers we care about. + */ + .macro el3_arch_init_common _exception_vectors + /* --------------------------------------------------------------------- + * SCTLR has already been initialised - read current value before + * modifying. + * + * SCTLR.I: Enable the instruction cache. + * + * SCTLR.A: Enable Alignment fault checking. All instructions that load + * or store one or more registers have an alignment check that the + * address being accessed is aligned to the size of the data element(s) + * being accessed. + * --------------------------------------------------------------------- + */ + ldr r1, =(SCTLR_I_BIT | SCTLR_A_BIT) + ldcopr r0, SCTLR + orr r0, r0, r1 + stcopr r0, SCTLR + isb + + /* --------------------------------------------------------------------- + * Set the exception vectors (VBAR/MVBAR). + * --------------------------------------------------------------------- + */ + ldr r0, =\_exception_vectors + stcopr r0, VBAR + stcopr r0, MVBAR + isb + + /* --------------------------------------------------------------------- + * Initialise SCR, setting all fields rather than relying on the hw. + * + * SCR.SIF: Enabled so that Secure state instruction fetches from + * Non-secure memory are not permitted. + * --------------------------------------------------------------------- + */ + ldr r0, =(SCR_RESET_VAL | SCR_SIF_BIT) + stcopr r0, SCR + + /* ----------------------------------------------------- + * Enable the Asynchronous data abort now that the + * exception vectors have been setup. + * ----------------------------------------------------- + */ + cpsie a + isb + + /* --------------------------------------------------------------------- + * Initialise NSACR, setting all the fields, except for the + * IMPLEMENTATION DEFINED field, rather than relying on the hw. Some + * fields are architecturally UNKNOWN on reset. + * + * NSACR_ENABLE_FP_ACCESS: Represents NSACR.cp11 and NSACR.cp10. The + * cp11 field is ignored, but is set to same value as cp10. The cp10 + * field is set to allow access to Advanced SIMD and floating point + * features from both Security states. + * --------------------------------------------------------------------- + */ + ldcopr r0, NSACR + and r0, r0, #NSACR_IMP_DEF_MASK + orr r0, r0, #(NSACR_RESET_VAL | NSACR_ENABLE_FP_ACCESS) + stcopr r0, NSACR + isb + + /* --------------------------------------------------------------------- + * Initialise CPACR, setting all fields rather than relying on hw. Some + * fields are architecturally UNKNOWN on reset. + * + * CPACR.TRCDIS: Trap control for PL0 and PL1 System register accesses + * to trace registers. Set to zero to allow access. + * + * CPACR_ENABLE_FP_ACCESS: Represents CPACR.cp11 and CPACR.cp10. The + * cp11 field is ignored, but is set to same value as cp10. The cp10 + * field is set to allow full access from PL0 and PL1 to floating-point + * and Advanced SIMD features. + * --------------------------------------------------------------------- + */ + ldr r0, =((CPACR_RESET_VAL | CPACR_ENABLE_FP_ACCESS) & ~(TRCDIS_BIT)) + stcopr r0, CPACR + isb + + /* --------------------------------------------------------------------- + * Initialise FPEXC, setting all fields rather than relying on hw. Some + * fields are architecturally UNKNOWN on reset and are set to zero + * except for field(s) listed below. + * + * FPEXC.EN: Enable access to Advanced SIMD and floating point features + * from all exception levels. + * --------------------------------------------------------------------- + */ + ldr r0, =(FPEXC_RESET_VAL | FPEXC_EN_BIT) + vmsr FPEXC, r0 + isb + + /* --------------------------------------------------------------------- + * Initialise SDCR, setting all the fields rather than relying on hw. + * + * SDCR.SPD: Disable AArch32 privileged debug. Debug exceptions from + * Secure EL1 are disabled. + * --------------------------------------------------------------------- + */ + ldr r0, =(SDCR_RESET_VAL | SDCR_SPD(SDCR_SPD_DISABLE)) + stcopr r0, SDCR + + .endm + +/* ----------------------------------------------------------------------------- + * This is the super set of actions that need to be performed during a cold boot + * or a warm boot in EL3. This code is shared by BL1 and BL32 (SP_MIN). + * + * This macro will always perform reset handling, architectural initialisations + * and stack setup. The rest of the actions are optional because they might not + * be needed, depending on the context in which this macro is called. This is + * why this macro is parameterised ; each parameter allows to enable/disable + * some actions. + * + * _init_sctlr: + * Whether the macro needs to initialise the SCTLR register including + * configuring the endianness of data accesses. + * + * _warm_boot_mailbox: + * Whether the macro needs to detect the type of boot (cold/warm). The + * detection is based on the platform entrypoint address : if it is zero + * then it is a cold boot, otherwise it is a warm boot. In the latter case, + * this macro jumps on the platform entrypoint address. + * + * _secondary_cold_boot: + * Whether the macro needs to identify the CPU that is calling it: primary + * CPU or secondary CPU. The primary CPU will be allowed to carry on with + * the platform initialisations, while the secondaries will be put in a + * platform-specific state in the meantime. + * + * If the caller knows this macro will only be called by the primary CPU + * then this parameter can be defined to 0 to skip this step. + * + * _init_memory: + * Whether the macro needs to initialise the memory. + * + * _init_c_runtime: + * Whether the macro needs to initialise the C runtime environment. + * + * _exception_vectors: + * Address of the exception vectors to program in the VBAR_EL3 register. + * ----------------------------------------------------------------------------- + */ + .macro el3_entrypoint_common \ + _init_sctlr, _warm_boot_mailbox, _secondary_cold_boot, \ + _init_memory, _init_c_runtime, _exception_vectors + + /* Make sure we are in Secure Mode */ +#if ENABLE_ASSERTIONS + ldcopr r0, SCR + tst r0, #SCR_NS_BIT + ASM_ASSERT(eq) +#endif + + .if \_init_sctlr + /* ------------------------------------------------------------- + * This is the initialisation of SCTLR and so must ensure that + * all fields are explicitly set rather than relying on hw. Some + * fields reset to an IMPLEMENTATION DEFINED value. + * + * SCTLR.TE: Set to zero so that exceptions to an Exception + * Level executing at PL1 are taken to A32 state. + * + * SCTLR.EE: Set the CPU endianness before doing anything that + * might involve memory reads or writes. Set to zero to select + * Little Endian. + * + * SCTLR.V: Set to zero to select the normal exception vectors + * with base address held in VBAR. + * ------------------------------------------------------------- + */ + ldr r0, =(SCTLR_RESET_VAL & ~(SCTLR_TE_BIT | SCTLR_EE_BIT | SCTLR_V_BIT)) + stcopr r0, SCTLR + isb + .endif /* _init_sctlr */ + + /* Switch to monitor mode */ + cps #MODE32_mon + isb + + .if \_warm_boot_mailbox + /* ------------------------------------------------------------- + * This code will be executed for both warm and cold resets. + * Now is the time to distinguish between the two. + * Query the platform entrypoint address and if it is not zero + * then it means it is a warm boot so jump to this address. + * ------------------------------------------------------------- + */ + bl plat_get_my_entrypoint + cmp r0, #0 + bxne r0 + .endif /* _warm_boot_mailbox */ + + /* --------------------------------------------------------------------- + * It is a cold boot. + * Perform any processor specific actions upon reset e.g. cache, TLB + * invalidations etc. + * --------------------------------------------------------------------- + */ + bl reset_handler + + el3_arch_init_common \_exception_vectors + + .if \_secondary_cold_boot + /* ------------------------------------------------------------- + * Check if this is a primary or secondary CPU cold boot. + * The primary CPU will set up the platform while the + * secondaries are placed in a platform-specific state until the + * primary CPU performs the necessary actions to bring them out + * of that state and allows entry into the OS. + * ------------------------------------------------------------- + */ + bl plat_is_my_cpu_primary + cmp r0, #0 + bne do_primary_cold_boot + + /* This is a cold boot on a secondary CPU */ + bl plat_secondary_cold_boot_setup + /* plat_secondary_cold_boot_setup() is not supposed to return */ + no_ret plat_panic_handler + + do_primary_cold_boot: + .endif /* _secondary_cold_boot */ + + /* --------------------------------------------------------------------- + * Initialize memory now. Secondary CPU initialization won't get to this + * point. + * --------------------------------------------------------------------- + */ + + .if \_init_memory + bl platform_mem_init + .endif /* _init_memory */ + + /* --------------------------------------------------------------------- + * Init C runtime environment: + * - Zero-initialise the NOBITS sections. There are 2 of them: + * - the .bss section; + * - the coherent memory section (if any). + * - Relocate the data section from ROM to RAM, if required. + * --------------------------------------------------------------------- + */ + .if \_init_c_runtime +#ifdef IMAGE_BL32 + /* ----------------------------------------------------------------- + * Invalidate the RW memory used by the BL32 (SP_MIN) image. This + * includes the data and NOBITS sections. This is done to + * safeguard against possible corruption of this memory by + * dirty cache lines in a system cache as a result of use by + * an earlier boot loader stage. + * ----------------------------------------------------------------- + */ + ldr r0, =__RW_START__ + ldr r1, =__RW_END__ + sub r1, r1, r0 + bl inv_dcache_range +#endif /* IMAGE_BL32 */ + + ldr r0, =__BSS_START__ + ldr r1, =__BSS_SIZE__ + bl zeromem + +#if USE_COHERENT_MEM + ldr r0, =__COHERENT_RAM_START__ + ldr r1, =__COHERENT_RAM_UNALIGNED_SIZE__ + bl zeromem +#endif + +#ifdef IMAGE_BL1 + /* ----------------------------------------------------- + * Copy data from ROM to RAM. + * ----------------------------------------------------- + */ + ldr r0, =__DATA_RAM_START__ + ldr r1, =__DATA_ROM_START__ + ldr r2, =__DATA_SIZE__ + bl memcpy4 +#endif + .endif /* _init_c_runtime */ + + /* --------------------------------------------------------------------- + * Allocate a stack whose memory will be marked as Normal-IS-WBWA when + * the MMU is enabled. There is no risk of reading stale stack memory + * after enabling the MMU as only the primary CPU is running at the + * moment. + * --------------------------------------------------------------------- + */ + bl plat_set_my_stack + +#if STACK_PROTECTOR_ENABLED + .if \_init_c_runtime + bl update_stack_protector_canary + .endif /* _init_c_runtime */ +#endif + .endm + +#endif /* __EL3_COMMON_MACROS_S__ */ diff --git a/include/common/aarch64/asm_macros.S b/include/common/aarch64/asm_macros.S new file mode 100644 index 00000000..6d6989c2 --- /dev/null +++ b/include/common/aarch64/asm_macros.S @@ -0,0 +1,195 @@ +/* + * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __ASM_MACROS_S__ +#define __ASM_MACROS_S__ + +#include <arch.h> +#include <asm_macros_common.S> +#include <spinlock.h> + + + .macro func_prologue + stp x29, x30, [sp, #-0x10]! + mov x29,sp + .endm + + .macro func_epilogue + ldp x29, x30, [sp], #0x10 + .endm + + + .macro dcache_line_size reg, tmp + mrs \tmp, ctr_el0 + ubfx \tmp, \tmp, #16, #4 + mov \reg, #4 + lsl \reg, \reg, \tmp + .endm + + + .macro icache_line_size reg, tmp + mrs \tmp, ctr_el0 + and \tmp, \tmp, #0xf + mov \reg, #4 + lsl \reg, \reg, \tmp + .endm + + + .macro smc_check label + mrs x0, esr_el3 + ubfx x0, x0, #ESR_EC_SHIFT, #ESR_EC_LENGTH + cmp x0, #EC_AARCH64_SMC + b.ne $label + .endm + + /* + * Declare the exception vector table, enforcing it is aligned on a + * 2KB boundary, as required by the ARMv8 architecture. + * Use zero bytes as the fill value to be stored in the padding bytes + * so that it inserts illegal AArch64 instructions. This increases + * security, robustness and potentially facilitates debugging. + */ + .macro vector_base label + .section .vectors, "ax" + .align 11, 0 + \label: + .endm + + /* + * Create an entry in the exception vector table, enforcing it is + * aligned on a 128-byte boundary, as required by the ARMv8 architecture. + * Use zero bytes as the fill value to be stored in the padding bytes + * so that it inserts illegal AArch64 instructions. This increases + * security, robustness and potentially facilitates debugging. + */ + .macro vector_entry label + .cfi_sections .debug_frame + .section .vectors, "ax" + .align 7, 0 + .type \label, %function + .func \label + .cfi_startproc + \label: + .endm + + /* + * This macro verifies that the given vector doesn't exceed the + * architectural limit of 32 instructions. This is meant to be placed + * immediately after the last instruction in the vector. It takes the + * vector entry as the parameter + */ + .macro check_vector_size since + .endfunc + .cfi_endproc + .if (. - \since) > (32 * 4) + .error "Vector exceeds 32 instructions" + .endif + .endm + +#if ENABLE_PLAT_COMPAT + /* + * This macro calculates the base address of an MP stack using the + * platform_get_core_pos() index, the name of the stack storage and + * the size of each stack + * In: X0 = MPIDR of CPU whose stack is wanted + * Out: X0 = physical address of stack base + * Clobber: X30, X1, X2 + */ + .macro get_mp_stack _name, _size + bl platform_get_core_pos + ldr x2, =(\_name + \_size) + mov x1, #\_size + madd x0, x0, x1, x2 + .endm +#endif + + /* + * This macro calculates the base address of the current CPU's MP stack + * using the plat_my_core_pos() index, the name of the stack storage + * and the size of each stack + * Out: X0 = physical address of stack base + * Clobber: X30, X1, X2 + */ + .macro get_my_mp_stack _name, _size + bl plat_my_core_pos + ldr x2, =(\_name + \_size) + mov x1, #\_size + madd x0, x0, x1, x2 + .endm + + /* + * This macro calculates the base address of a UP stack using the + * name of the stack storage and the size of the stack + * Out: X0 = physical address of stack base + */ + .macro get_up_stack _name, _size + ldr x0, =(\_name + \_size) + .endm + + /* + * Helper macro to generate the best mov/movk combinations according + * the value to be moved. The 16 bits from '_shift' are tested and + * if not zero, they are moved into '_reg' without affecting + * other bits. + */ + .macro _mov_imm16 _reg, _val, _shift + .if (\_val >> \_shift) & 0xffff + .if (\_val & (1 << \_shift - 1)) + movk \_reg, (\_val >> \_shift) & 0xffff, LSL \_shift + .else + mov \_reg, \_val & (0xffff << \_shift) + .endif + .endif + .endm + + /* + * Helper macro to load arbitrary values into 32 or 64-bit registers + * which generates the best mov/movk combinations. Many base addresses + * are 64KB aligned the macro will eliminate updating bits 15:0 in + * that case + */ + .macro mov_imm _reg, _val + .if (\_val) == 0 + mov \_reg, #0 + .else + _mov_imm16 \_reg, (\_val), 0 + _mov_imm16 \_reg, (\_val), 16 + _mov_imm16 \_reg, (\_val), 32 + _mov_imm16 \_reg, (\_val), 48 + .endif + .endm + + /* + * Macro to mark instances where we're jumping to a function and don't + * expect a return. To provide the function being jumped to with + * additional information, we use 'bl' instruction to jump rather than + * 'b'. + * + * Debuggers infer the location of a call from where LR points to, which + * is usually the instruction after 'bl'. If this macro expansion + * happens to be the last location in a function, that'll cause the LR + * to point a location beyond the function, thereby misleading debugger + * back trace. We therefore insert a 'nop' after the function call for + * debug builds, unless 'skip_nop' parameter is non-zero. + */ + .macro no_ret _func:req, skip_nop=0 + bl \_func +#if DEBUG + .ifeq \skip_nop + nop + .endif +#endif + .endm + + /* + * Reserve space for a spin lock in assembly file. + */ + .macro define_asm_spinlock _name:req + .align SPINLOCK_ASM_ALIGN + \_name: + .space SPINLOCK_ASM_SIZE + .endm + +#endif /* __ASM_MACROS_S__ */ diff --git a/include/common/aarch64/assert_macros.S b/include/common/aarch64/assert_macros.S new file mode 100644 index 00000000..4567c69b --- /dev/null +++ b/include/common/aarch64/assert_macros.S @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2014-2016, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __ASSERT_MACROS_S__ +#define __ASSERT_MACROS_S__ + + /* + * Assembler macro to enable asm_assert. Use this macro wherever + * assert is required in assembly. Please note that the macro makes + * use of label '300' to provide the logic and the caller + * should make sure that this label is not used to branch prior + * to calling this macro. + */ +#define ASM_ASSERT(_cc) \ +.ifndef .L_assert_filename ;\ + .pushsection .rodata.str1.1, "aS" ;\ + .L_assert_filename: ;\ + .string __FILE__ ;\ + .popsection ;\ +.endif ;\ + b._cc 300f ;\ + adr x0, .L_assert_filename ;\ + mov x1, __LINE__ ;\ + b asm_assert ;\ +300: + +#endif /* __ASSERT_MACROS_S__ */ diff --git a/include/common/aarch64/el3_common_macros.S b/include/common/aarch64/el3_common_macros.S new file mode 100644 index 00000000..34fdaee9 --- /dev/null +++ b/include/common/aarch64/el3_common_macros.S @@ -0,0 +1,344 @@ +/* + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __EL3_COMMON_MACROS_S__ +#define __EL3_COMMON_MACROS_S__ + +#include <arch.h> +#include <asm_macros.S> + + /* + * Helper macro to initialise EL3 registers we care about. + */ + .macro el3_arch_init_common _exception_vectors + /* --------------------------------------------------------------------- + * SCTLR_EL3 has already been initialised - read current value before + * modifying. + * + * SCTLR_EL3.I: Enable the instruction cache. + * + * SCTLR_EL3.SA: Enable Stack Aligment check. A SP alignment fault + * exception is generated if a load or store instruction executed at + * EL3 uses the SP as the base address and the SP is not aligned to a + * 16-byte boundary. + * + * SCTLR_EL3.A: Enable Alignment fault checking. All instructions that + * load or store one or more registers have an alignment check that the + * address being accessed is aligned to the size of the data element(s) + * being accessed. + * --------------------------------------------------------------------- + */ + mov x1, #(SCTLR_I_BIT | SCTLR_A_BIT | SCTLR_SA_BIT) + mrs x0, sctlr_el3 + orr x0, x0, x1 + msr sctlr_el3, x0 + isb + +#ifdef IMAGE_BL31 + /* --------------------------------------------------------------------- + * Initialise the per-cpu cache pointer to the CPU. + * This is done early to enable crash reporting to have access to crash + * stack. Since crash reporting depends on cpu_data to report the + * unhandled exception, not doing so can lead to recursive exceptions + * due to a NULL TPIDR_EL3. + * --------------------------------------------------------------------- + */ + bl init_cpu_data_ptr +#endif /* IMAGE_BL31 */ + + /* --------------------------------------------------------------------- + * Set the exception vectors. + * --------------------------------------------------------------------- + */ + adr x0, \_exception_vectors + msr vbar_el3, x0 + isb + + /* --------------------------------------------------------------------- + * Initialise SCR_EL3, setting all fields rather than relying on hw. + * All fields are architecturally UNKNOWN on reset. The following fields + * do not change during the TF lifetime. The remaining fields are set to + * zero here but are updated ahead of transitioning to a lower EL in the + * function cm_init_context_common(). + * + * SCR_EL3.TWE: Set to zero so that execution of WFE instructions at + * EL2, EL1 and EL0 are not trapped to EL3. + * + * SCR_EL3.TWI: Set to zero so that execution of WFI instructions at + * EL2, EL1 and EL0 are not trapped to EL3. + * + * SCR_EL3.SIF: Set to one to disable instruction fetches from + * Non-secure memory. + * + * SCR_EL3.SMD: Set to zero to enable SMC calls at EL1 and above, from + * both Security states and both Execution states. + * + * SCR_EL3.EA: Set to one to route External Aborts and SError Interrupts + * to EL3 when executing at any EL. + * --------------------------------------------------------------------- + */ + mov x0, #((SCR_RESET_VAL | SCR_EA_BIT | SCR_SIF_BIT) \ + & ~(SCR_TWE_BIT | SCR_TWI_BIT | SCR_SMD_BIT)) + msr scr_el3, x0 + + /* --------------------------------------------------------------------- + * Initialise MDCR_EL3, setting all fields rather than relying on hw. + * Some fields are architecturally UNKNOWN on reset. + * + * MDCR_EL3.SDD: Set to one to disable AArch64 Secure self-hosted debug. + * Debug exceptions, other than Breakpoint Instruction exceptions, are + * disabled from all ELs in Secure state. + * + * MDCR_EL3.SPD32: Set to 0b10 to disable AArch32 Secure self-hosted + * privileged debug from S-EL1. + * + * MDCR_EL3.NSPB (ARM v8.2): SPE enabled in non-secure state and + * disabled in secure state. Accesses to SPE registers at SEL1 generate + * trap exceptions to EL3. + * + * MDCR_EL3.TDOSA: Set to zero so that EL2 and EL2 System register + * access to the powerdown debug registers do not trap to EL3. + * + * MDCR_EL3.TDA: Set to zero to allow EL0, EL1 and EL2 access to the + * debug registers, other than those registers that are controlled by + * MDCR_EL3.TDOSA. + * + * MDCR_EL3.TPM: Set to zero so that EL0, EL1, and EL2 System register + * accesses to all Performance Monitors registers do not trap to EL3. + * --------------------------------------------------------------------- + */ + mov_imm x0, ((MDCR_EL3_RESET_VAL | MDCR_SDD_BIT | MDCR_SPD32(MDCR_SPD32_DISABLE)) \ + & ~(MDCR_TDOSA_BIT | MDCR_TDA_BIT | MDCR_TPM_BIT)) + +#if ENABLE_SPE_FOR_LOWER_ELS + /* Detect if SPE is implemented */ + mrs x1, id_aa64dfr0_el1 + ubfx x1, x1, #ID_AA64DFR0_PMS_SHIFT, #ID_AA64DFR0_PMS_LENGTH + cmp x1, #0x1 + b.ne 1f + + /* Enable SPE for use by normal world */ + orr x0, x0, #MDCR_NSPB(MDCR_NSPB_EL1) +1: +#endif + + msr mdcr_el3, x0 + + /* --------------------------------------------------------------------- + * Enable External Aborts and SError Interrupts now that the exception + * vectors have been setup. + * --------------------------------------------------------------------- + */ + msr daifclr, #DAIF_ABT_BIT + + /* --------------------------------------------------------------------- + * Initialise CPTR_EL3, setting all fields rather than relying on hw. + * All fields are architecturally UNKNOWN on reset. + * + * CPTR_EL3.TCPAC: Set to zero so that any accesses to CPACR_EL1, + * CPTR_EL2, CPACR, or HCPTR do not trap to EL3. + * + * CPTR_EL3.TTA: Set to zero so that System register accesses to the + * trace registers do not trap to EL3. + * + * CPTR_EL3.TFP: Set to zero so that accesses to Advanced SIMD and + * floating-point functionality do not trap to EL3. + * --------------------------------------------------------------------- + */ + mov_imm x0, (CPTR_EL3_RESET_VAL & ~(TCPAC_BIT | TTA_BIT | TFP_BIT)) + msr cptr_el3, x0 + .endm + +/* ----------------------------------------------------------------------------- + * This is the super set of actions that need to be performed during a cold boot + * or a warm boot in EL3. This code is shared by BL1 and BL31. + * + * This macro will always perform reset handling, architectural initialisations + * and stack setup. The rest of the actions are optional because they might not + * be needed, depending on the context in which this macro is called. This is + * why this macro is parameterised ; each parameter allows to enable/disable + * some actions. + * + * _init_sctlr: + * Whether the macro needs to initialise SCTLR_EL3, including configuring + * the endianness of data accesses. + * + * _warm_boot_mailbox: + * Whether the macro needs to detect the type of boot (cold/warm). The + * detection is based on the platform entrypoint address : if it is zero + * then it is a cold boot, otherwise it is a warm boot. In the latter case, + * this macro jumps on the platform entrypoint address. + * + * _secondary_cold_boot: + * Whether the macro needs to identify the CPU that is calling it: primary + * CPU or secondary CPU. The primary CPU will be allowed to carry on with + * the platform initialisations, while the secondaries will be put in a + * platform-specific state in the meantime. + * + * If the caller knows this macro will only be called by the primary CPU + * then this parameter can be defined to 0 to skip this step. + * + * _init_memory: + * Whether the macro needs to initialise the memory. + * + * _init_c_runtime: + * Whether the macro needs to initialise the C runtime environment. + * + * _exception_vectors: + * Address of the exception vectors to program in the VBAR_EL3 register. + * ----------------------------------------------------------------------------- + */ + .macro el3_entrypoint_common \ + _init_sctlr, _warm_boot_mailbox, _secondary_cold_boot, \ + _init_memory, _init_c_runtime, _exception_vectors + + .if \_init_sctlr + /* ------------------------------------------------------------- + * This is the initialisation of SCTLR_EL3 and so must ensure + * that all fields are explicitly set rather than relying on hw. + * Some fields reset to an IMPLEMENTATION DEFINED value and + * others are architecturally UNKNOWN on reset. + * + * SCTLR.EE: Set the CPU endianness before doing anything that + * might involve memory reads or writes. Set to zero to select + * Little Endian. + * + * SCTLR_EL3.WXN: For the EL3 translation regime, this field can + * force all memory regions that are writeable to be treated as + * XN (Execute-never). Set to zero so that this control has no + * effect on memory access permissions. + * + * SCTLR_EL3.SA: Set to zero to disable Stack Aligment check. + * + * SCTLR_EL3.A: Set to zero to disable Alignment fault checking. + * ------------------------------------------------------------- + */ + mov_imm x0, (SCTLR_RESET_VAL & ~(SCTLR_EE_BIT | SCTLR_WXN_BIT \ + | SCTLR_SA_BIT | SCTLR_A_BIT)) + msr sctlr_el3, x0 + isb + .endif /* _init_sctlr */ + + .if \_warm_boot_mailbox + /* ------------------------------------------------------------- + * This code will be executed for both warm and cold resets. + * Now is the time to distinguish between the two. + * Query the platform entrypoint address and if it is not zero + * then it means it is a warm boot so jump to this address. + * ------------------------------------------------------------- + */ + bl plat_get_my_entrypoint + cbz x0, do_cold_boot + br x0 + + do_cold_boot: + .endif /* _warm_boot_mailbox */ + + /* --------------------------------------------------------------------- + * It is a cold boot. + * Perform any processor specific actions upon reset e.g. cache, TLB + * invalidations etc. + * --------------------------------------------------------------------- + */ + bl reset_handler + + el3_arch_init_common \_exception_vectors + + .if \_secondary_cold_boot + /* ------------------------------------------------------------- + * Check if this is a primary or secondary CPU cold boot. + * The primary CPU will set up the platform while the + * secondaries are placed in a platform-specific state until the + * primary CPU performs the necessary actions to bring them out + * of that state and allows entry into the OS. + * ------------------------------------------------------------- + */ + bl plat_is_my_cpu_primary + cbnz w0, do_primary_cold_boot + + /* This is a cold boot on a secondary CPU */ + bl plat_secondary_cold_boot_setup + /* plat_secondary_cold_boot_setup() is not supposed to return */ + bl el3_panic + + do_primary_cold_boot: + .endif /* _secondary_cold_boot */ + + /* --------------------------------------------------------------------- + * Initialize memory now. Secondary CPU initialization won't get to this + * point. + * --------------------------------------------------------------------- + */ + + .if \_init_memory + bl platform_mem_init + .endif /* _init_memory */ + + /* --------------------------------------------------------------------- + * Init C runtime environment: + * - Zero-initialise the NOBITS sections. There are 2 of them: + * - the .bss section; + * - the coherent memory section (if any). + * - Relocate the data section from ROM to RAM, if required. + * --------------------------------------------------------------------- + */ + .if \_init_c_runtime +#ifdef IMAGE_BL31 + /* ------------------------------------------------------------- + * Invalidate the RW memory used by the BL31 image. This + * includes the data and NOBITS sections. This is done to + * safeguard against possible corruption of this memory by + * dirty cache lines in a system cache as a result of use by + * an earlier boot loader stage. + * ------------------------------------------------------------- + */ + adr x0, __RW_START__ + adr x1, __RW_END__ + sub x1, x1, x0 + bl inv_dcache_range +#endif /* IMAGE_BL31 */ + + ldr x0, =__BSS_START__ + ldr x1, =__BSS_SIZE__ + bl zeromem + +#if USE_COHERENT_MEM + ldr x0, =__COHERENT_RAM_START__ + ldr x1, =__COHERENT_RAM_UNALIGNED_SIZE__ + bl zeromem +#endif + +#ifdef IMAGE_BL1 + ldr x0, =__DATA_RAM_START__ + ldr x1, =__DATA_ROM_START__ + ldr x2, =__DATA_SIZE__ + bl memcpy16 +#endif + .endif /* _init_c_runtime */ + + /* --------------------------------------------------------------------- + * Use SP_EL0 for the C runtime stack. + * --------------------------------------------------------------------- + */ + msr spsel, #0 + + /* --------------------------------------------------------------------- + * Allocate a stack whose memory will be marked as Normal-IS-WBWA when + * the MMU is enabled. There is no risk of reading stale stack memory + * after enabling the MMU as only the primary CPU is running at the + * moment. + * --------------------------------------------------------------------- + */ + bl plat_set_my_stack + +#if STACK_PROTECTOR_ENABLED + .if \_init_c_runtime + bl update_stack_protector_canary + .endif /* _init_c_runtime */ +#endif + .endm + +#endif /* __EL3_COMMON_MACROS_S__ */ diff --git a/include/common/asm_macros.S b/include/common/asm_macros.S deleted file mode 100644 index 238fa82a..00000000 --- a/include/common/asm_macros.S +++ /dev/null @@ -1,197 +0,0 @@ -/* - * Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include <arch.h> - - - .macro func_prologue - stp x29, x30, [sp, #-0x10]! - mov x29,sp - .endm - - .macro func_epilogue - ldp x29, x30, [sp], #0x10 - .endm - - - .macro dcache_line_size reg, tmp - mrs \tmp, ctr_el0 - ubfx \tmp, \tmp, #16, #4 - mov \reg, #4 - lsl \reg, \reg, \tmp - .endm - - - .macro icache_line_size reg, tmp - mrs \tmp, ctr_el0 - and \tmp, \tmp, #0xf - mov \reg, #4 - lsl \reg, \reg, \tmp - .endm - - - .macro smc_check label - mrs x0, esr_el3 - ubfx x0, x0, #ESR_EC_SHIFT, #ESR_EC_LENGTH - cmp x0, #EC_AARCH64_SMC - b.ne $label - .endm - - - /* - * This macro verifies that the a given vector doesn't exceed the - * architectural limit of 32 instructions. This is meant to be placed - * immedately after the last instruction in the vector. It takes the - * vector entry as the parameter - */ - .macro check_vector_size since - .if (. - \since) > (32 * 4) - .error "Vector exceeds 32 instructions" - .endif - .endm - - /* - * This macro is used to create a function label and place the - * code into a separate text section based on the function name - * to enable elimination of unused code during linking - */ - .macro func _name - .section .text.\_name, "ax" - .type \_name, %function - \_name: - .endm - - /* --------------------------------------------- - * Find the type of reset and jump to handler - * if present. If the handler is null then it is - * a cold boot. The primary cpu will set up the - * platform while the secondaries wait for - * their turn to be woken up - * --------------------------------------------- - */ - .macro wait_for_entrypoint -wait_for_entrypoint: - mrs x0, mpidr_el1 - bl platform_get_entrypoint - cbnz x0, do_warm_boot - mrs x0, mpidr_el1 - bl platform_is_primary_cpu - cbnz x0, do_cold_boot - - /* --------------------------------------------- - * Perform any platform specific secondary cpu - * actions - * --------------------------------------------- - */ - bl plat_secondary_cold_boot_setup - b wait_for_entrypoint - - do_warm_boot: - /* --------------------------------------------- - * Jump to BL31 for all warm boot init. - * --------------------------------------------- - */ - blr x0 - - do_cold_boot: - .endm - - /* - * This macro declares an array of 1 or more stacks, properly - * aligned and in the requested section - */ -#define STACK_ALIGN 6 - - .macro declare_stack _name, _section, _size, _count - .if ((\_size & ((1 << STACK_ALIGN) - 1)) <> 0) - .error "Stack size not correctly aligned" - .endif - .section \_section, "aw", %nobits - .align STACK_ALIGN - \_name: - .space ((\_count) * (\_size)), 0 - .endm - - /* - * This macro calculates the base address of an MP stack using the - * platform_get_core_pos() index, the name of the stack storage and - * the size of each stack - * In: X0 = MPIDR of CPU whose stack is wanted - * Out: X0 = physical address of stack base - * Clobber: X30, X1, X2 - */ - .macro get_mp_stack _name, _size - bl platform_get_core_pos - ldr x2, =(\_name + \_size) - mov x1, #\_size - madd x0, x0, x1, x2 - .endm - - /* - * This macro calculates the base address of a UP stack using the - * name of the stack storage and the size of the stack - * Out: X0 = physical address of stack base - */ - .macro get_up_stack _name, _size - ldr x0, =(\_name + \_size) - .endm - - /* - * Helper macro to generate the best mov/movk combinations according - * the value to be moved. The 16 bits from '_shift' are tested and - * if not zero, they are moved into '_reg' without affecting - * other bits. - */ - .macro _mov_imm16 _reg, _val, _shift - .if (\_val >> \_shift) & 0xffff - .if (\_val & (1 << \_shift - 1)) - movk \_reg, (\_val >> \_shift) & 0xffff, LSL \_shift - .else - mov \_reg, \_val & (0xffff << \_shift) - .endif - .endif - .endm - - /* - * Helper macro to load arbitrary values into 32 or 64-bit registers - * which generates the best mov/movk combinations. Many base addresses - * are 64KB aligned the macro will eliminate updating bits 15:0 in - * that case - */ - .macro mov_imm _reg, _val - .if (\_val) == 0 - mov \_reg, #0 - .else - _mov_imm16 \_reg, (\_val), 0 - _mov_imm16 \_reg, (\_val), 16 - _mov_imm16 \_reg, (\_val), 32 - _mov_imm16 \_reg, (\_val), 48 - .endif - .endm diff --git a/include/common/asm_macros_common.S b/include/common/asm_macros_common.S new file mode 100644 index 00000000..6a02e18e --- /dev/null +++ b/include/common/asm_macros_common.S @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __ASM_MACROS_COMMON_S__ +#define __ASM_MACROS_COMMON_S__ + + /* + * This macro is used to create a function label and place the + * code into a separate text section based on the function name + * to enable elimination of unused code during linking. It also adds + * basic debug information to enable call stack printing most of the + * time. The optional _align parameter can be used to force a + * non-standard alignment (indicated in powers of 2). The default is + * _align=2 because both Aarch32 and Aarch64 instructions must be + * word aligned. Do *not* try to use a raw .align directive. Since func + * switches to a new section, this would not have the desired effect. + */ + .macro func _name, _align=2 + /* + * Add Call Frame Information entry in the .debug_frame section for + * debugger consumption. This enables callstack printing in debuggers. + * This does not use any space in the final loaded binary, only in the + * ELF file. + * Note that a function manipulating the CFA pointer location (i.e. the + * x29 frame pointer on AArch64) should declare it using the + * appropriate .cfi* directives, or be prepared to have a degraded + * debugging experience. + */ + .cfi_sections .debug_frame + .section .text.\_name, "ax" + .type \_name, %function + .func \_name + /* + * .cfi_startproc and .cfi_endproc are needed to output entries in + * .debug_frame + */ + .cfi_startproc + .align \_align + \_name: + .endm + + /* + * This macro is used to mark the end of a function. + */ + .macro endfunc _name + .endfunc + .cfi_endproc + .size \_name, . - \_name + .endm + + /* + * Theses macros are used to create function labels for deprecated + * APIs. If ERROR_DEPRECATED is non zero, the callers of these APIs + * will fail to link and cause build failure. + */ +#if ERROR_DEPRECATED + .macro func_deprecated _name + func deprecated\_name + .endm + + .macro endfunc_deprecated _name + endfunc deprecated\_name + .endm +#else + .macro func_deprecated _name + func \_name + .endm + + .macro endfunc_deprecated _name + endfunc \_name + .endm +#endif + + /* + * Helper assembler macro to count trailing zeros. The output is + * populated in the `TZ_COUNT` symbol. + */ + .macro count_tz _value, _tz_count + .if \_value + count_tz "(\_value >> 1)", "(\_tz_count + 1)" + .else + .equ TZ_COUNT, (\_tz_count - 1) + .endif + .endm + + /* + * This macro declares an array of 1 or more stacks, properly + * aligned and in the requested section + */ +#define DEFAULT_STACK_ALIGN (1 << 6) /* In case the caller doesnt provide alignment */ + + .macro declare_stack _name, _section, _size, _count, _align=DEFAULT_STACK_ALIGN + count_tz \_align, 0 + .if (\_align - (1 << TZ_COUNT)) + .error "Incorrect stack alignment specified (Must be a power of 2)." + .endif + .if ((\_size & ((1 << TZ_COUNT) - 1)) <> 0) + .error "Stack size not correctly aligned" + .endif + .section \_section, "aw", %nobits + .align TZ_COUNT + \_name: + .space ((\_count) * (\_size)), 0 + .endm + + +#endif /* __ASM_MACROS_COMMON_S__ */ diff --git a/include/common/assert_macros.S b/include/common/assert_macros.S deleted file mode 100644 index 807972f3..00000000 --- a/include/common/assert_macros.S +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 2014, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - - /* - * Assembler macro to enable asm_assert. Use this macro wherever - * assert is required in assembly. Please note that the macro makes - * use of label '300' to provide the logic and the caller - * should make sure that this label is not used to branch prior - * to calling this macro. - */ -#define ASM_ASSERT(_cc) \ -.ifndef .L_assert_filename ;\ - .pushsection .rodata.str1.1, "aS" ;\ - .L_assert_filename: ;\ - .string __FILE__ ;\ - .popsection ;\ -.endif ;\ - b._cc 300f ;\ - adr x0, .L_assert_filename ;\ - mov x1, __LINE__ ;\ - b asm_assert ;\ -300: diff --git a/include/common/auth.h b/include/common/auth.h deleted file mode 100644 index 3c3a6bd0..00000000 --- a/include/common/auth.h +++ /dev/null @@ -1,88 +0,0 @@ -/* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef AUTH_H_ -#define AUTH_H_ - -#include <stddef.h> -#include <stdint.h> - -/* - * Authentication infrastructure for Trusted Boot - * - * This infrastructure provides an API to access the authentication module. This - * module will implement the required operations for Trusted Boot by creating an - * instance of the structure 'auth_mod_t'. This instance must be called - * 'auth_mod' and must provide the functions to initialize the module and - * verify the authenticity of the images. - */ - -/* Objects (images and certificates) involved in the TBB process */ -enum { - AUTH_BL2_IMG_CERT, - AUTH_BL2_IMG, - AUTH_TRUSTED_KEY_CERT, - AUTH_BL30_KEY_CERT, - AUTH_BL30_IMG_CERT, - AUTH_BL30_IMG, - AUTH_BL31_KEY_CERT, - AUTH_BL31_IMG_CERT, - AUTH_BL31_IMG, - AUTH_BL32_KEY_CERT, - AUTH_BL32_IMG_CERT, - AUTH_BL32_IMG, - AUTH_BL33_KEY_CERT, - AUTH_BL33_IMG_CERT, - AUTH_BL33_IMG, - AUTH_NUM_OBJ -}; - -/* Authentication module structure */ -typedef struct auth_mod_s { - /* [mandatory] Module name. Printed to the log during initialization */ - const char *name; - - /* [mandatory] Initialize the authentication module */ - int (*init)(void); - - /* [mandatory] This function will be called to authenticate a new - * object loaded into memory. The obj_id corresponds to one of the - * values in the enumeration above */ - int (*verify)(unsigned int obj_id, uintptr_t obj_buf, size_t len); -} auth_mod_t; - -/* This variable must be instantiated by the authentication module */ -extern const auth_mod_t auth_mod; - -/* Public functions */ -void auth_init(void); -int auth_verify_obj(unsigned int obj_id, uintptr_t obj_buf, size_t len); - -#endif /* AUTH_H_ */ diff --git a/include/common/bl_common.h b/include/common/bl_common.h index 0959c893..15ffc578 100644 --- a/include/common/bl_common.h +++ b/include/common/bl_common.h @@ -1,39 +1,14 @@ /* - * Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef __BL_COMMON_H__ #define __BL_COMMON_H__ -#define SECURE 0x0 -#define NON_SECURE 0x1 -#define sec_state_is_valid(s) (((s) == SECURE) || ((s) == NON_SECURE)) +#include <ep_info.h> +#include <param_header.h> #define UP 1 #define DOWN 0 @@ -45,117 +20,91 @@ #define TOP 0x1 #define BOTTOM !TOP -/****************************************************************************** - * Opcode passed in x0 to tell next EL that we want to run an image. - * Corresponds to the function ID of the only SMC that the BL1 exception - * handlers service. That's why the chosen value is the first function ID of - * the ARM SMC64 range. - *****************************************************************************/ -#define RUN_IMAGE 0xC0000000 +/* + * The following are used for image state attributes. + * Image can only be in one of the following state. + */ +#define IMAGE_STATE_RESET 0 +#define IMAGE_STATE_COPIED 1 +#define IMAGE_STATE_COPYING 2 +#define IMAGE_STATE_AUTHENTICATED 3 +#define IMAGE_STATE_EXECUTED 4 +#define IMAGE_STATE_INTERRUPTED 5 -/******************************************************************************* - * Constants that allow assembler code to access members of and the - * 'entry_point_info' structure at their correct offsets. - ******************************************************************************/ -#define ENTRY_POINT_INFO_PC_OFFSET 0x08 -#define ENTRY_POINT_INFO_ARGS_OFFSET 0x18 - -#define PARAM_EP_SECURITY_MASK 0x1 -#define GET_SECURITY_STATE(x) (x & PARAM_EP_SECURITY_MASK) -#define SET_SECURITY_STATE(x, security) \ - ((x) = ((x) & ~PARAM_EP_SECURITY_MASK) | (security)) - -#define EP_EE_MASK 0x2 -#define EP_EE_LITTLE 0x0 -#define EP_EE_BIG 0x2 -#define EP_GET_EE(x) (x & EP_EE_MASK) -#define EP_SET_EE(x, ee) ((x) = ((x) & ~EP_EE_MASK) | (ee)) - -#define EP_ST_MASK 0x4 -#define EP_ST_DISABLE 0x0 -#define EP_ST_ENABLE 0x4 -#define EP_GET_ST(x) (x & EP_ST_MASK) -#define EP_SET_ST(x, ee) ((x) = ((x) & ~EP_ST_MASK) | (ee)) - -#define PARAM_EP 0x01 -#define PARAM_IMAGE_BINARY 0x02 -#define PARAM_BL31 0x03 - -#define VERSION_1 0x01 - -#define SET_PARAM_HEAD(_p, _type, _ver, _attr) do { \ - (_p)->h.type = (uint8_t)(_type); \ - (_p)->h.version = (uint8_t)(_ver); \ - (_p)->h.size = (uint16_t)sizeof(*_p); \ - (_p)->h.attr = (uint32_t)(_attr) ; \ - } while (0) +#define IMAGE_ATTRIB_SKIP_LOADING 0x02 +#define IMAGE_ATTRIB_PLAT_SETUP 0x04 + +#define INVALID_IMAGE_ID (0xFFFFFFFF) /******************************************************************************* - * Constant that indicates if this is the first version of the reset handler - * contained in an image. This will be the case when the image is BL1 or when - * its BL3-1 and RESET_TO_BL31 is true. This constant enables a subsequent - * version of the reset handler to perform actions that override the ones - * performed in the first version of the code. This will be required when the - * first version exists in an un-modifiable image e.g. a BootROM image. + * Constants to indicate type of exception to the common exception handler. ******************************************************************************/ -#if IMAGE_BL1 || (IMAGE_BL31 && RESET_TO_BL31) -#define FIRST_RESET_HANDLER_CALL -#endif +#define SYNC_EXCEPTION_SP_EL0 0x0 +#define IRQ_SP_EL0 0x1 +#define FIQ_SP_EL0 0x2 +#define SERROR_SP_EL0 0x3 +#define SYNC_EXCEPTION_SP_ELX 0x4 +#define IRQ_SP_ELX 0x5 +#define FIQ_SP_ELX 0x6 +#define SERROR_SP_ELX 0x7 +#define SYNC_EXCEPTION_AARCH64 0x8 +#define IRQ_AARCH64 0x9 +#define FIQ_AARCH64 0xa +#define SERROR_AARCH64 0xb +#define SYNC_EXCEPTION_AARCH32 0xc +#define IRQ_AARCH32 0xd +#define FIQ_AARCH32 0xe +#define SERROR_AARCH32 0xf #ifndef __ASSEMBLY__ -#include <cdefs.h> /* For __dead2 */ #include <cassert.h> -#include <stdint.h> #include <stddef.h> +#include <stdint.h> +#include <types.h> +#include <utils_def.h> /* To retain compatibility */ + +/* + * Declarations of linker defined symbols to help determine memory layout of + * BL images + */ +#if SEPARATE_CODE_AND_RODATA +extern uintptr_t __TEXT_START__; +extern uintptr_t __TEXT_END__; +extern uintptr_t __RODATA_START__; +extern uintptr_t __RODATA_END__; +#else +extern uintptr_t __RO_START__; +extern uintptr_t __RO_END__; +#endif + +#if defined(IMAGE_BL2) +extern uintptr_t __BL2_END__; +#elif defined(IMAGE_BL2U) +extern uintptr_t __BL2U_END__; +#elif defined(IMAGE_BL31) +extern uintptr_t __BL31_END__; +#elif defined(IMAGE_BL32) +extern uintptr_t __BL32_END__; +#endif /* IMAGE_BLX */ + +#if USE_COHERENT_MEM +extern uintptr_t __COHERENT_RAM_START__; +extern uintptr_t __COHERENT_RAM_END__; +#endif /******************************************************************************* * Structure used for telling the next BL how much of a particular type of * memory is available for its use and how much is already used. ******************************************************************************/ typedef struct meminfo { - uint64_t total_base; + uintptr_t total_base; size_t total_size; - uint64_t free_base; +#if !LOAD_IMAGE_V2 + uintptr_t free_base; size_t free_size; +#endif } meminfo_t; -typedef struct aapcs64_params { - unsigned long arg0; - unsigned long arg1; - unsigned long arg2; - unsigned long arg3; - unsigned long arg4; - unsigned long arg5; - unsigned long arg6; - unsigned long arg7; -} aapcs64_params_t; - -/*************************************************************************** - * This structure provides version information and the size of the - * structure, attributes for the structure it represents - ***************************************************************************/ -typedef struct param_header { - uint8_t type; /* type of the structure */ - uint8_t version; /* version of this structure */ - uint16_t size; /* size of this structure in bytes */ - uint32_t attr; /* attributes: unused bits SBZ */ -} param_header_t; - -/***************************************************************************** - * This structure represents the superset of information needed while - * switching exception levels. The only two mechanisms to do so are - * ERET & SMC. Security state is indicated using bit zero of header - * attribute - * NOTE: BL1 expects entrypoint followed by spsr while processing - * SMC to jump to BL31 from the start of entry_point_info - *****************************************************************************/ -typedef struct entry_point_info { - param_header_t h; - uintptr_t pc; - uint32_t spsr; - aapcs64_params_t args; -} entry_point_info_t; - /***************************************************************************** * Image info binary provides information from the image loader that * can be used by the firmware to manage available trusted RAM. @@ -167,20 +116,72 @@ typedef struct image_info { param_header_t h; uintptr_t image_base; /* physical address of base of image */ uint32_t image_size; /* bytes read from image file */ +#if LOAD_IMAGE_V2 + uint32_t image_max_size; +#endif } image_info_t; +/***************************************************************************** + * The image descriptor struct definition. + *****************************************************************************/ +typedef struct image_desc { + /* Contains unique image id for the image. */ + unsigned int image_id; + /* + * This member contains Image state information. + * Refer IMAGE_STATE_XXX defined above. + */ + unsigned int state; + uint32_t copied_size; /* image size copied in blocks */ + image_info_t image_info; + entry_point_info_t ep_info; +} image_desc_t; + +#if LOAD_IMAGE_V2 +/* BL image node in the BL image loading sequence */ +typedef struct bl_load_info_node { + unsigned int image_id; + image_info_t *image_info; + struct bl_load_info_node *next_load_info; +} bl_load_info_node_t; + +/* BL image head node in the BL image loading sequence */ +typedef struct bl_load_info { + param_header_t h; + bl_load_info_node_t *head; +} bl_load_info_t; + +/* BL image node in the BL image execution sequence */ +typedef struct bl_params_node { + unsigned int image_id; + image_info_t *image_info; + entry_point_info_t *ep_info; + struct bl_params_node *next_params_info; +} bl_params_node_t; + +/* + * BL image head node in the BL image execution sequence + * It is also used to pass information to next BL image. + */ +typedef struct bl_params { + param_header_t h; + bl_params_node_t *head; +} bl_params_t; + +#else /* LOAD_IMAGE_V2 */ + /******************************************************************************* * This structure represents the superset of information that can be passed to * BL31 e.g. while passing control to it from BL2. The BL32 parameters will be * populated only if BL2 detects its presence. A pointer to a structure of this - * type should be passed in X3 to BL31's cold boot entrypoint + * type should be passed in X0 to BL31's cold boot entrypoint. * - * Use of this structure and the X3 parameter is not mandatory: the BL3-1 + * Use of this structure and the X0 parameter is not mandatory: the BL31 * platform code can use other mechanisms to provide the necessary information - * about BL3-2 and BL3-3 to the common and SPD code. + * about BL32 and BL33 to the common and SPD code. * - * BL3-1 image information is mandatory if this structure is used. If either of - * the optional BL3-2 and BL3-3 image information is not provided, this is + * BL31 image information is mandatory if this structure is used. If either of + * the optional BL32 and BL33 image information is not provided, this is * indicated by the respective image_info pointers being zero. ******************************************************************************/ typedef struct bl31_params { @@ -192,41 +193,43 @@ typedef struct bl31_params { image_info_t *bl33_image_info; } bl31_params_t; - -/* - * Compile time assertions related to the 'entry_point_info' structure to - * ensure that the assembler and the compiler view of the offsets of - * the structure members is the same. - */ -CASSERT(ENTRY_POINT_INFO_PC_OFFSET == - __builtin_offsetof(entry_point_info_t, pc), \ - assert_BL31_pc_offset_mismatch); - -CASSERT(ENTRY_POINT_INFO_ARGS_OFFSET == \ - __builtin_offsetof(entry_point_info_t, args), \ - assert_BL31_args_offset_mismatch); - -CASSERT(sizeof(unsigned long) == - __builtin_offsetof(entry_point_info_t, spsr) - \ - __builtin_offsetof(entry_point_info_t, pc), \ - assert_entrypoint_and_spsr_should_be_adjacent); +#endif /* LOAD_IMAGE_V2 */ /******************************************************************************* * Function & variable prototypes ******************************************************************************/ -unsigned long page_align(unsigned long, unsigned); -void change_security_state(unsigned int); -unsigned long image_size(const char *); +size_t image_size(unsigned int image_id); + +int is_mem_free(uintptr_t free_base, size_t free_size, + uintptr_t addr, size_t size); + +#if LOAD_IMAGE_V2 + +int load_image(unsigned int image_id, image_info_t *image_data); +int load_auth_image(unsigned int image_id, image_info_t *image_data); + +#else + +uintptr_t page_align(uintptr_t, unsigned); int load_image(meminfo_t *mem_layout, - const char *image_name, - uint64_t image_base, + unsigned int image_id, + uintptr_t image_base, image_info_t *image_data, entry_point_info_t *entry_point_info); +int load_auth_image(meminfo_t *mem_layout, + unsigned int image_id, + uintptr_t image_base, + image_info_t *image_data, + entry_point_info_t *entry_point_info); +void reserve_mem(uintptr_t *free_base, size_t *free_size, + uintptr_t addr, size_t size); + +#endif /* LOAD_IMAGE_V2 */ + extern const char build_message[]; extern const char version_string[]; -void reserve_mem(uint64_t *free_base, size_t *free_size, - uint64_t addr, size_t size); +void print_entry_point_info(const entry_point_info_t *ep_info); #endif /*__ASSEMBLY__*/ diff --git a/include/common/debug.h b/include/common/debug.h index a8dcb8da..3f0f84a1 100644 --- a/include/common/debug.h +++ b/include/common/debug.h @@ -1,38 +1,12 @@ /* - * Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. + * SPDX-License-Identifier: BSD-3-Clause */ #ifndef __DEBUG_H__ #define __DEBUG_H__ -#include <stdio.h> - /* The log output macros print output to the console. These macros produce * compiled log output only if the LOG_LEVEL defined in the makefile (or the * make command line) is greater or equal than the level required for that @@ -49,41 +23,63 @@ #define LOG_LEVEL_INFO 40 #define LOG_LEVEL_VERBOSE 50 +#ifndef __ASSEMBLY__ +#include <stdarg.h> +#include <stdio.h> + +/* + * Define Log Markers corresponding to each log level which will + * be embedded in the format string and is expected by tf_log() to determine + * the log level. + */ +#define LOG_MARKER_ERROR "\xa" /* 10 */ +#define LOG_MARKER_NOTICE "\x14" /* 20 */ +#define LOG_MARKER_WARNING "\x1e" /* 30 */ +#define LOG_MARKER_INFO "\x28" /* 40 */ +#define LOG_MARKER_VERBOSE "\x32" /* 50 */ #if LOG_LEVEL >= LOG_LEVEL_NOTICE -# define NOTICE(...) tf_printf("NOTICE: " __VA_ARGS__) +# define NOTICE(...) tf_log(LOG_MARKER_NOTICE __VA_ARGS__) #else # define NOTICE(...) #endif #if LOG_LEVEL >= LOG_LEVEL_ERROR -# define ERROR(...) tf_printf("ERROR: " __VA_ARGS__) +# define ERROR(...) tf_log(LOG_MARKER_ERROR __VA_ARGS__) #else # define ERROR(...) #endif #if LOG_LEVEL >= LOG_LEVEL_WARNING -# define WARN(...) tf_printf("WARNING: " __VA_ARGS__) +# define WARN(...) tf_log(LOG_MARKER_WARNING __VA_ARGS__) #else # define WARN(...) #endif #if LOG_LEVEL >= LOG_LEVEL_INFO -# define INFO(...) tf_printf("INFO: " __VA_ARGS__) +# define INFO(...) tf_log(LOG_MARKER_INFO __VA_ARGS__) #else # define INFO(...) #endif #if LOG_LEVEL >= LOG_LEVEL_VERBOSE -# define VERBOSE(...) tf_printf("VERBOSE: " __VA_ARGS__) +# define VERBOSE(...) tf_log(LOG_MARKER_VERBOSE __VA_ARGS__) #else # define VERBOSE(...) #endif - void __dead2 do_panic(void); #define panic() do_panic() -void tf_printf(const char *fmt, ...); +/* Function called when stack protection check code detects a corrupted stack */ +void __dead2 __stack_chk_fail(void); + +void tf_log(const char *fmt, ...) __printflike(1, 2); +void tf_printf(const char *fmt, ...) __printflike(1, 2); +int tf_snprintf(char *s, size_t n, const char *fmt, ...) __printflike(3, 4); +void tf_vprintf(const char *fmt, va_list args); +void tf_string_print(const char *str); +void tf_log_set_max_level(unsigned int log_level); +#endif /* __ASSEMBLY__ */ #endif /* __DEBUG_H__ */ diff --git a/include/common/desc_image_load.h b/include/common/desc_image_load.h new file mode 100644 index 00000000..79f2bd7b --- /dev/null +++ b/include/common/desc_image_load.h @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +#ifndef __DESC_IMAGE_LOAD_H__ +#define __DESC_IMAGE_LOAD_H__ + +#include <bl_common.h> + +#if LOAD_IMAGE_V2 +/* Following structure is used to store BL ep/image info. */ +typedef struct bl_mem_params_node { + unsigned int image_id; + image_info_t image_info; + entry_point_info_t ep_info; + unsigned int next_handoff_image_id; + bl_load_info_node_t load_node_mem; + bl_params_node_t params_node_mem; +} bl_mem_params_node_t; + +/* + * Macro to register list of BL image descriptors, + * defined as an array of bl_mem_params_node_t. + */ +#define REGISTER_BL_IMAGE_DESCS(_img_desc) \ + bl_mem_params_node_t *bl_mem_params_desc_ptr = &_img_desc[0]; \ + unsigned int bl_mem_params_desc_num = ARRAY_SIZE(_img_desc); + +/* BL image loading utility functions */ +void flush_bl_params_desc(void); +int get_bl_params_node_index(unsigned int image_id); +bl_mem_params_node_t *get_bl_mem_params_node(unsigned int image_id); +bl_load_info_t *get_bl_load_info_from_mem_params_desc(void); +bl_params_t *get_next_bl_params_from_mem_params_desc(void); + + +#endif /* LOAD_IMAGE_V2 */ +#endif /* __DESC_IMAGE_LOAD_H__ */ diff --git a/include/common/ep_info.h b/include/common/ep_info.h new file mode 100644 index 00000000..3f6213f0 --- /dev/null +++ b/include/common/ep_info.h @@ -0,0 +1,123 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __EP_INFO_H__ +#define __EP_INFO_H__ + +#include <param_header.h> +#include <utils_def.h> + +#define SECURE U(0x0) +#define NON_SECURE U(0x1) +#define sec_state_is_valid(s) (((s) == SECURE) || ((s) == NON_SECURE)) + +/******************************************************************************* + * Constants that allow assembler code to access members of and the + * 'entry_point_info' structure at their correct offsets. + ******************************************************************************/ +#define ENTRY_POINT_INFO_PC_OFFSET U(0x08) +#ifdef AARCH32 +#define ENTRY_POINT_INFO_ARGS_OFFSET U(0x10) +#else +#define ENTRY_POINT_INFO_ARGS_OFFSET U(0x18) +#endif + +/* The following are used to set/get image attributes. */ +#define PARAM_EP_SECURITY_MASK U(0x1) + +#define GET_SECURITY_STATE(x) (x & PARAM_EP_SECURITY_MASK) +#define SET_SECURITY_STATE(x, security) \ + ((x) = ((x) & ~PARAM_EP_SECURITY_MASK) | (security)) + +#define EP_EE_MASK U(0x2) +#define EP_EE_SHIFT 1 +#define EP_EE_LITTLE U(0x0) +#define EP_EE_BIG U(0x2) +#define EP_GET_EE(x) (x & EP_EE_MASK) +#define EP_SET_EE(x, ee) ((x) = ((x) & ~EP_EE_MASK) | (ee)) + +#define EP_ST_MASK U(0x4) +#define EP_ST_DISABLE U(0x0) +#define EP_ST_ENABLE U(0x4) +#define EP_GET_ST(x) (x & EP_ST_MASK) +#define EP_SET_ST(x, ee) ((x) = ((x) & ~EP_ST_MASK) | (ee)) + +#define EP_EXE_MASK U(0x8) +#define NON_EXECUTABLE U(0x0) +#define EXECUTABLE U(0x8) +#define EP_GET_EXE(x) (x & EP_EXE_MASK) +#define EP_SET_EXE(x, ee) ((x) = ((x) & ~EP_EXE_MASK) | (ee)) + +#define EP_FIRST_EXE_MASK U(0x10) +#define EP_FIRST_EXE U(0x10) +#define EP_GET_FIRST_EXE(x) ((x) & EP_FIRST_EXE_MASK) +#define EP_SET_FIRST_EXE(x, ee) ((x) = ((x) & ~EP_FIRST_EXE_MASK) | (ee)) + +#ifndef __ASSEMBLY__ + +#include <cassert.h> +#include <types.h> + +typedef struct aapcs64_params { + u_register_t arg0; + u_register_t arg1; + u_register_t arg2; + u_register_t arg3; + u_register_t arg4; + u_register_t arg5; + u_register_t arg6; + u_register_t arg7; +} aapcs64_params_t; + +typedef struct aapcs32_params { + u_register_t arg0; + u_register_t arg1; + u_register_t arg2; + u_register_t arg3; +} aapcs32_params_t; + +/***************************************************************************** + * This structure represents the superset of information needed while + * switching exception levels. The only two mechanisms to do so are + * ERET & SMC. Security state is indicated using bit zero of header + * attribute + * NOTE: BL1 expects entrypoint followed by spsr at an offset from the start + * of this structure defined by the macro `ENTRY_POINT_INFO_PC_OFFSET` while + * processing SMC to jump to BL31. + *****************************************************************************/ +typedef struct entry_point_info { + param_header_t h; + uintptr_t pc; + uint32_t spsr; +#ifdef AARCH32 + aapcs32_params_t args; +#else + aapcs64_params_t args; +#endif +} entry_point_info_t; + +/* + * Compile time assertions related to the 'entry_point_info' structure to + * ensure that the assembler and the compiler view of the offsets of + * the structure members is the same. + */ +CASSERT(ENTRY_POINT_INFO_PC_OFFSET == + __builtin_offsetof(entry_point_info_t, pc), \ + assert_BL31_pc_offset_mismatch); + +CASSERT(ENTRY_POINT_INFO_ARGS_OFFSET == \ + __builtin_offsetof(entry_point_info_t, args), \ + assert_BL31_args_offset_mismatch); + +CASSERT(sizeof(uintptr_t) == + __builtin_offsetof(entry_point_info_t, spsr) - \ + __builtin_offsetof(entry_point_info_t, pc), \ + assert_entrypoint_and_spsr_should_be_adjacent); + +#endif /*__ASSEMBLY__*/ + +#endif /* __EP_INFO_H__ */ + diff --git a/include/common/firmware_image_package.h b/include/common/firmware_image_package.h deleted file mode 100644 index 8fb669e3..00000000 --- a/include/common/firmware_image_package.h +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright (c) 2014, ARM Limited and Contributors. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of ARM nor the names of its contributors may be used - * to endorse or promote products derived from this software without specific - * prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef __FIRMWARE_IMAGE_PACKAGE_H__ -#define __FIRMWARE_IMAGE_PACKAGE_H__ - -#include <stdint.h> -#include <uuid.h> - -/* This is used as a signature to validate the blob header */ -#define TOC_HEADER_NAME 0xAA640001 - - -/* ToC Entry UUIDs */ -#define UUID_TRUSTED_BOOT_FIRMWARE_BL2 \ - {0x0becf95f, 0x224d, 0x4d3e, 0xa5, 0x44, {0xc3, 0x9d, 0x81, 0xc7, 0x3f, 0x0a} } -#define UUID_SCP_FIRMWARE_BL30 \ - {0x3dfd6697, 0xbe89, 0x49e8, 0xae, 0x5d, {0x78, 0xa1, 0x40, 0x60, 0x82, 0x13} } -#define UUID_EL3_RUNTIME_FIRMWARE_BL31 \ - {0x6d08d447, 0xfe4c, 0x4698, 0x9b, 0x95, {0x29, 0x50, 0xcb, 0xbd, 0x5a, 0x00} } -#define UUID_SECURE_PAYLOAD_BL32 \ - {0x89e1d005, 0xdc53, 0x4713, 0x8d, 0x2b, {0x50, 0x0a, 0x4b, 0x7a, 0x3e, 0x38} } -#define UUID_NON_TRUSTED_FIRMWARE_BL33 \ - {0xa7eed0d6, 0xeafc, 0x4bd5, 0x97, 0x82, {0x99, 0x34, 0xf2, 0x34, 0xb6, 0xe4} } -/* Key certificates */ -#define UUID_ROT_KEY_CERT \ - {0x721d2d86, 0x60f8, 0x11e4, 0x92, 0x0b, {0x8b, 0xe7, 0x62, 0x16, 0x0f, 0x24} } -#define UUID_TRUSTED_KEY_CERT \ - {0x90e87e82, 0x60f8, 0x11e4, 0xa1, 0xb4, {0x77, 0x7a, 0x21, 0xb4, 0xf9, 0x4c} } -#define UUID_NON_TRUSTED_WORLD_KEY_CERT \ - {0x3d87671c, 0x635f, 0x11e4, 0x97, 0x8d, {0x27, 0xc0, 0xc7, 0x14, 0x8a, 0xbd} } -#define UUID_SCP_FIRMWARE_BL30_KEY_CERT \ - {0xa1214202, 0x60f8, 0x11e4, 0x8d, 0x9b, {0xf3, 0x3c, 0x0e, 0x15, 0xa0, 0x14} } -#define UUID_EL3_RUNTIME_FIRMWARE_BL31_KEY_CERT \ - {0xccbeb88a, 0x60f9, 0x11e4, 0x9a, 0xd0, {0xeb, 0x48, 0x22, 0xd8, 0xdc, 0xf8} } -#define UUID_SECURE_PAYLOAD_BL32_KEY_CERT \ - {0x03d67794, 0x60fb, 0x11e4, 0x85, 0xdd, {0xb7, 0x10, 0x5b, 0x8c, 0xee, 0x04} } -#define UUID_NON_TRUSTED_FIRMWARE_BL33_KEY_CERT \ - {0x2a83d58a, 0x60fb, 0x11e4, 0x8a, 0xaf, {0xdf, 0x30, 0xbb, 0xc4, 0x98, 0x59} } -/* Content certificates */ -#define UUID_TRUSTED_BOOT_FIRMWARE_BL2_CERT \ - {0xea69e2d6, 0x635d, 0x11e4, 0x8d, 0x8c, {0x9f, 0xba, 0xbe, 0x99, 0x56, 0xa5} } -#define UUID_SCP_FIRMWARE_BL30_CERT \ - {0x046fbe44, 0x635e, 0x11e4, 0xb2, 0x8b, {0x73, 0xd8, 0xea, 0xae, 0x96, 0x56} } -#define UUID_EL3_RUNTIME_FIRMWARE_BL31_CERT \ - {0x200cb2e2, 0x635e, 0x11e4, 0x9c, 0xe8, {0xab, 0xcc, 0xf9, 0x2b, 0xb6, 0x66} } -#define UUID_SECURE_PAYLOAD_BL32_CERT \ - {0x11449fa4, 0x635e, 0x11e4, 0x87, 0x28, {0x3f, 0x05, 0x72, 0x2a, 0xf3, 0x3d} } -#define UUID_NON_TRUSTED_FIRMWARE_BL33_CERT \ - {0xf3c1c48e, 0x635d, 0x11e4, 0xa7, 0xa9, {0x87, 0xee, 0x40, 0xb2, 0x3f, 0xa7} } - -typedef struct fip_toc_header { - uint32_t name; - uint32_t serial_number; - uint64_t flags; -} fip_toc_header_t; - -typedef struct fip_toc_entry { - uuid_t uuid; - uint64_t offset_address; - uint64_t size; - uint64_t flags; -} fip_toc_entry_t; - -#endif /* __FIRMWARE_IMAGE_PACKAGE_H__ */ diff --git a/include/common/interrupt_props.h b/include/common/interrupt_props.h new file mode 100644 index 00000000..9786b40c --- /dev/null +++ b/include/common/interrupt_props.h @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __INTERRUPT_PROPS_H__ +#define __INTERRUPT_PROPS_H__ + +#ifndef __ASSEMBLY__ + +/* Create an interrupt property descriptor from various interrupt properties */ +#define INTR_PROP_DESC(num, pri, grp, cfg) \ + { \ + .intr_num = num, \ + .intr_pri = pri, \ + .intr_grp = grp, \ + .intr_cfg = cfg, \ + } + +typedef struct interrupt_prop { + unsigned int intr_num:10; + unsigned int intr_pri:8; + unsigned int intr_grp:2; + unsigned int intr_cfg:2; +} interrupt_prop_t; + +#endif /* __ASSEMBLY__ */ +#endif /* __INTERRUPT_PROPS_H__ */ diff --git a/include/common/param_header.h b/include/common/param_header.h new file mode 100644 index 00000000..90d59b3a --- /dev/null +++ b/include/common/param_header.h @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __PARAM_HEADER_H__ +#define __PARAM_HEADER_H__ + +/* Param header types */ +#define PARAM_EP 0x01 +#define PARAM_IMAGE_BINARY 0x02 +#define PARAM_BL31 0x03 +#define PARAM_BL_LOAD_INFO 0x04 +#define PARAM_BL_PARAMS 0x05 +#define PARAM_PSCI_LIB_ARGS 0x06 + +/* Param header version */ +#define VERSION_1 0x01 +#define VERSION_2 0x02 + +#define SET_PARAM_HEAD(_p, _type, _ver, _attr) do { \ + (_p)->h.type = (uint8_t)(_type); \ + (_p)->h.version = (uint8_t)(_ver); \ + (_p)->h.size = (uint16_t)sizeof(*_p); \ + (_p)->h.attr = (uint32_t)(_attr) ; \ + } while (0) + +/* Following is used for populating structure members statically. */ +#define SET_STATIC_PARAM_HEAD(_p, _type, _ver, _p_type, _attr) \ + ._p.h.type = (uint8_t)(_type), \ + ._p.h.version = (uint8_t)(_ver), \ + ._p.h.size = (uint16_t)sizeof(_p_type), \ + ._p.h.attr = (uint32_t)(_attr) + +#ifndef __ASSEMBLY__ + +#include <types.h> + +/*************************************************************************** + * This structure provides version information and the size of the + * structure, attributes for the structure it represents + ***************************************************************************/ +typedef struct param_header { + uint8_t type; /* type of the structure */ + uint8_t version; /* version of this structure */ + uint16_t size; /* size of this structure in bytes */ + uint32_t attr; /* attributes: unused bits SBZ */ +} param_header_t; + +#endif /*__ASSEMBLY__*/ + +#endif /* __PARAM_HEADER_H__ */ + diff --git a/include/common/runtime_svc.h b/include/common/runtime_svc.h new file mode 100644 index 00000000..e179e4ba --- /dev/null +++ b/include/common/runtime_svc.h @@ -0,0 +1,130 @@ +/* + * Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __RUNTIME_SVC_H__ +#define __RUNTIME_SVC_H__ + +#include <bl_common.h> /* to include exception types */ +#include <smcc_helpers.h> /* to include SMCC definitions */ + + +/******************************************************************************* + * Structure definition, typedefs & constants for the runtime service framework + ******************************************************************************/ + +/* + * Constants to allow the assembler access a runtime service + * descriptor + */ +#ifdef AARCH32 +#define RT_SVC_SIZE_LOG2 4 +#define RT_SVC_DESC_INIT 8 +#define RT_SVC_DESC_HANDLE 12 +#else +#define RT_SVC_SIZE_LOG2 5 +#define RT_SVC_DESC_INIT 16 +#define RT_SVC_DESC_HANDLE 24 +#endif /* AARCH32 */ +#define SIZEOF_RT_SVC_DESC (1 << RT_SVC_SIZE_LOG2) + + +/* + * The function identifier has 6 bits for the owning entity number and + * single bit for the type of smc call. When taken together these + * values limit the maximum number of runtime services to 128. + */ +#define MAX_RT_SVCS 128 + +#ifndef __ASSEMBLY__ + +/* Prototype for runtime service initializing function */ +typedef int32_t (*rt_svc_init_t)(void); + +/* + * Prototype for runtime service SMC handler function. x0 (SMC Function ID) to + * x4 are as passed by the caller. Rest of the arguments to SMC and the context + * can be accessed using the handle pointer. The cookie parameter is reserved + * for future use + */ +typedef uintptr_t (*rt_svc_handle_t)(uint32_t smc_fid, + u_register_t x1, + u_register_t x2, + u_register_t x3, + u_register_t x4, + void *cookie, + void *handle, + u_register_t flags); +typedef struct rt_svc_desc { + uint8_t start_oen; + uint8_t end_oen; + uint8_t call_type; + const char *name; + rt_svc_init_t init; + rt_svc_handle_t handle; +} rt_svc_desc_t; + +/* + * Convenience macro to declare a service descriptor + */ +#define DECLARE_RT_SVC(_name, _start, _end, _type, _setup, _smch) \ + static const rt_svc_desc_t __svc_desc_ ## _name \ + __section("rt_svc_descs") __used = { \ + .start_oen = _start, \ + .end_oen = _end, \ + .call_type = _type, \ + .name = #_name, \ + .init = _setup, \ + .handle = _smch } + +/* + * Compile time assertions related to the 'rt_svc_desc' structure to: + * 1. ensure that the assembler and the compiler view of the size + * of the structure are the same. + * 2. ensure that the assembler and the compiler see the initialisation + * routine at the same offset. + * 3. ensure that the assembler and the compiler see the handler + * routine at the same offset. + */ +CASSERT((sizeof(rt_svc_desc_t) == SIZEOF_RT_SVC_DESC), \ + assert_sizeof_rt_svc_desc_mismatch); +CASSERT(RT_SVC_DESC_INIT == __builtin_offsetof(rt_svc_desc_t, init), \ + assert_rt_svc_desc_init_offset_mismatch); +CASSERT(RT_SVC_DESC_HANDLE == __builtin_offsetof(rt_svc_desc_t, handle), \ + assert_rt_svc_desc_handle_offset_mismatch); + + +/* + * This macro combines the call type and the owning entity number corresponding + * to a runtime service to generate a unique owning entity number. This unique + * oen is used to access an entry in the 'rt_svc_descs_indices' array. The entry + * contains the index of the service descriptor in the 'rt_svc_descs' array. + */ +#define get_unique_oen(oen, call_type) ((oen & FUNCID_OEN_MASK) | \ + ((call_type & FUNCID_TYPE_MASK) \ + << FUNCID_OEN_WIDTH)) + +/* + * This macro generates the unique owning entity number from the SMC Function + * ID. This unique oen is used to access an entry in the + * 'rt_svc_descs_indices' array to invoke the corresponding runtime service + * handler during SMC handling. + */ +#define get_unique_oen_from_smc_fid(fid) \ + get_unique_oen(((fid) >> FUNCID_OEN_SHIFT), \ + ((fid) >> FUNCID_TYPE_SHIFT)) + +/******************************************************************************* + * Function & variable prototypes + ******************************************************************************/ +void runtime_svc_init(void); +uintptr_t handle_runtime_svc(uint32_t smc_fid, void *cookie, void *handle, + unsigned int flags); +extern uintptr_t __RT_SVC_DESCS_START__; +extern uintptr_t __RT_SVC_DESCS_END__; +void init_crash_reporting(void); + +#endif /*__ASSEMBLY__*/ +#endif /* __RUNTIME_SVC_H__ */ diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h new file mode 100644 index 00000000..4a2a8ef5 --- /dev/null +++ b/include/common/tbbr/cot_def.h @@ -0,0 +1,14 @@ +/* + * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __COT_DEF_H__ +#define __COT_DEF_H__ + +/* TBBR CoT definitions */ + +#define COT_MAX_VERIFIED_PARAMS 4 + +#endif /* __COT_DEF_H__ */ diff --git a/include/common/tbbr/tbbr_img_def.h b/include/common/tbbr/tbbr_img_def.h new file mode 100644 index 00000000..3e68b648 --- /dev/null +++ b/include/common/tbbr/tbbr_img_def.h @@ -0,0 +1,63 @@ +/* + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef __TBBR_IMG_DEF_H__ +#define __TBBR_IMG_DEF_H__ + +/* Firmware Image Package */ +#define FIP_IMAGE_ID 0 + +/* Trusted Boot Firmware BL2 */ +#define BL2_IMAGE_ID 1 + +/* SCP Firmware SCP_BL2 */ +#define SCP_BL2_IMAGE_ID 2 + +/* EL3 Runtime Firmware BL31 */ +#define BL31_IMAGE_ID 3 + +/* Secure Payload BL32 (Trusted OS) */ +#define BL32_IMAGE_ID 4 + +/* Non-Trusted Firmware BL33 */ +#define BL33_IMAGE_ID 5 + +/* Certificates */ +#define TRUSTED_BOOT_FW_CERT_ID 6 +#define TRUSTED_KEY_CERT_ID 7 + +#define SCP_FW_KEY_CERT_ID 8 +#define SOC_FW_KEY_CERT_ID 9 +#define TRUSTED_OS_FW_KEY_CERT_ID 10 +#define NON_TRUSTED_FW_KEY_CERT_ID 11 + +#define SCP_FW_CONTENT_CERT_ID 12 +#define SOC_FW_CONTENT_CERT_ID 13 +#define TRUSTED_OS_FW_CONTENT_CERT_ID 14 +#define NON_TRUSTED_FW_CONTENT_CERT_ID 15 + +/* Non-Trusted ROM Firmware NS_BL1U */ +#define NS_BL1U_IMAGE_ID 16 + +/* Trusted FWU Certificate */ +#define FWU_CERT_ID 17 + +/* Trusted FWU SCP Firmware SCP_BL2U */ +#define SCP_BL2U_IMAGE_ID 18 + +/* Trusted FWU Boot Firmware BL2U */ +#define BL2U_IMAGE_ID 19 + +/* Non-Trusted FWU Firmware NS_BL2U */ +#define NS_BL2U_IMAGE_ID 20 + +/* Secure Payload BL32_EXTRA1 (Trusted OS Extra1) */ +#define BL32_EXTRA1_IMAGE_ID 21 + +/* Secure Payload BL32_EXTRA2 (Trusted OS Extra2) */ +#define BL32_EXTRA2_IMAGE_ID 22 + +#endif /* __TBBR_IMG_DEF_H__ */ |