This reduces sec_firmware_get_data to a single call to
fit_get_data_conf_prop. I think sec_firmware_check_copy_loadable could also
be converted, but it does not map as straightforwardly, so I have left it
for a future cleanup.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The config to use for FIT images can be better specified by enabling
CONFIG_MULTI_DTB_FIT and implementing board_fit_config_name_match.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
By default the OCRAM is marked as secure. While the SPL runs in EL3 and
thus can access it, DMA devices cannot. Mark the whole OCRAM as
non-secure.
This will fix MMC and SD card boot on LS1028A when using SPL instead of
TF-A.
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The *aqds* platforms have not been migrated to be able to enable
CONFIG_DM_ETH with CONFIG_FMAN_ENET. Disable CONFIG_FMAN_ENET on these
platforms.
Cc: Mingkai Hu <mingkai.hu@nxp.com>
Cc: Rajesh Bhagat <rajesh.bhagat@nxp.com>
Cc: Pramod Kumar <pramod.kumar_1@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
The Yocto project builds their aarch64 cross-compiler with the
configure knob --enable-standard-branch-protection, which means that
their gcc behaves as if -mbranch-protection=standard is passed; the
default (lacking that configure knob) is -mbranch-protection=none.
This means that when building U-Boot using the Yocto toolchain, most
functions end up containing paciasp/autiasp/bti instructions. However,
since U-Boot is not an ordinary userspace application, there's no OS
kernel which has set up the required authentication keys, so these
instructions do nothing at all (even on arm64 hardware that does have
the pointer authentication capability). They do however make the image
larger.
It is theoretically possible for U-Boot to make use of the pointer
authentication protection - cf. the linux kernel's
CONFIG_ARM64_PTR_AUTH_KERNEL - but it is far from trivial, and it's
hard to see just what threat model it would protect against in a
bootloader context. Regardless, we certainly have none of the required
infrastructure now, so explicitly pass -mbranch-protection=none to
ensure those useless instructions do not get emitted.
For a toolchain not configured with
--enable-standard-branch-protection, this changes nothing. For the
Yocto toolchain, this reduces the size of both SPL and U-Boot proper
by about 3% for my imx8mp target.
If you don't have a Yocto toolchain, the effect can easily be
reproduced by applying this patch and changing =none to =standard.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Simon Glass <sjg@chromium.org>
This converts the following to Kconfig:
CONFIG_FSL_NGPIXIS
CONFIG_SYS_FSL_QMAN_V3
CONFIG_SYS_FSL_RAID_ENGINE
CONFIG_SYS_FSL_RMU
CONFIG_SYS_FSL_SINGLE_SOURCE_CLK
CONFIG_SYS_FSL_SRIO_LIODN
CONFIG_SYS_FSL_TBCLK_DIV
CONFIG_SYS_FSL_USB1_PHY_ENABLE
CONFIG_SYS_FSL_USB2_PHY_ENABLE
CONFIG_SYS_FSL_USB_DUAL_PHY_ENABLE
CONFIG_SYS_FSL_USB_INTERNAL_UTMI_PHY
Signed-off-by: Tom Rini <trini@konsulko.com>
This converts the following to Kconfig:
CONFIG_SYS_FSL_DDR_MAIN_NUM_CTRLS
CONFIG_SYS_FSL_OTHER_DDR_NUM_CTRLS
And we remove the entries from the README for a number of already
converted items.
Signed-off-by: Tom Rini <trini@konsulko.com>
This converts the following to Kconfig:
CONFIG_SYS_FSL_CCSR_GUR_BE
CONFIG_SYS_FSL_CCSR_SCFG_BE
CONFIG_SYS_FSL_ESDHC_BE
CONFIG_SYS_FSL_IFC_BE
CONFIG_SYS_FSL_PEX_LUT_BE
CONFIG_SYS_FSL_CCSR_GUR_LE
CONFIG_SYS_FSL_CCSR_SCFG_LE
CONFIG_SYS_FSL_ESDHC_LE
CONFIG_SYS_FSL_IFC_LE
CONFIG_SYS_FSL_PEX_LUT_LE
Signed-off-by: Tom Rini <trini@konsulko.com>
Tighten up symbol dependencies in a number of places. Ensure that a SPL
specific option has at least a direct dependency on SPL. In places
where it's clear that we depend on something more specific, use that
dependency instead. This means in a very small number of places we can
drop redundant dependencies.
Reported-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Make all of the CHAIN_OF_TRUST options be under a single menu and add a
comment for the rest, so the resulting config file reads more clearly.
Remove duplicate CHAIN_OF_TRUST options from
board/congatec/common/Kconfig. Remove duplicate NXP_ESBC config
questions and move to arch/Kconfig.nxp.
Signed-off-by: Tom Rini <trini@konsulko.com>
We want to keep all of the default values for SPL_LDSCRIPT in the same
place both for overall clarity as well as not polluting unrelated config
files.
Signed-off-by: Tom Rini <trini@konsulko.com>
In arch/arm/lib/sections.c there is below code:
char __image_copy_start[0] __section(".__image_copy_start");
But actually 'objdump -t spl/u-boot-spl' not able to find out
symbol '__image_copy_start' for binman update image-pos/size.
So update link file
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
This patch adds support for the SHA-256 Secure Hash Algorithm for CPUs
that have support for the SHA-256 part of the ARM v8 Crypto Extensions.
It greatly improves sha-256 based operations, about 17x faster on iMX8M
evk board. ~12ms vs ~208ms for a 20MiB kernel sha-256 verification.
asm implementation is a simplified version of the Linux version (from
Ard Biesheuvel).
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
This patch adds support for the SHA-1 Secure Hash Algorithm for CPUs
that have support for the SHA-1 part of the ARM v8 Crypto Extensions.
It greatly improves sha-1 based operations, about 10x faster on iMX8M
evk board. ~12ms vs ~165ms for a 20MiB kernel sha-1 verification.
asm implementation is a simplified version of the Linux version (from
Ard Biesheuvel).
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Rename the sections used to implement linker lists so they begin with
'__u_boot_list' rather than '.u_boot_list'. The double underscore at the
start is still distinct from the single underscore used by the symbol
names.
Having a '.' in the section names conflicts with clang's ASAN
instrumentation which tries to add redzones between the linker list
elements, causing expected accesses to fail. However, clang doesn't try
to add redzones to user sections, which are names with all alphanumeric
and underscore characters.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
These frequency calculations depend on the RCW format, which is not
dependent on any particular board. Switch to using ARCH symbols instead
of TARGET.
This whole function could probably use less ifdefs, but for now just do
a minimal conversion.
Fixes: 24cb6f2295 ("fsl-layerscape: Add fsl_esdhc peripheral clock support")
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Currently get_tcr() takes an "el" parameter, to select the proper
version of the TCR_ELx system register.
This is problematic in case of the Apple M1, since it runs with
HCR_EL2.E2H fixed to 1, so TCR_EL2 is actually using the TCR_EL1 layout,
and we get the wrong version.
For U-Boot's purposes the only sensible choice here is the current
exception level, and indeed most callers treat it like that, so let's
remove that parameter and read the current EL inside the function.
This allows us to check for the E2H bit, and pretend it's EL1 in this
case.
There are two callers which don't care about the EL, and they pass 0,
which looks wrong, but is irrelevant in these two cases, since we don't
use the return value there. So the change cannot affect those two.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Tested-by: Mark Kettenis <kettenis@openbsd.org>
If probing caam_jr returns failure, the variable "dev" will not be
initialized, so we can't use dev->name for the error print.
Otherwise it will cause crash.
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Gaurav Jain <gaurav.jain@nxp.com>
NXP/Freescale Layerscape CPUs support high-speed serial interfaces (SERDES)
that can be configured for the application. Interfaces not used by the
application can be set to protocol 0 to turn them off and save power, but
U-Boot would emit a warning that 0 was invalid for a SERDES protocol on
boot. Replace the warning text with a notice that the SERDES is disabled.
Signed-off-by: Stephen Carlson <stcarlso@linux.microsoft.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
There is an user-selectable SYS_HAS_ARMV8_SECURE_BASE, which has the
same meaning but is just for the ls1043ardb board. As no in-tree config
uses this, drop it and replace it with something more sophiticated:
ARMV8_PSCI_RELOCATE. This option will then enable the ARMV8_SECURE_BASE
option which is used as the base to relocate the PSCI code (or any code
in the secure region, but that is only PSCI). A SoC (or board) can now
opt-in into having such a secure region by enabling
SYS_HAS_ARMV8_SECURE_BASE. Enable it for the LS1043A SoC, where it was
possible to relocate the PSCI code before as well as on the LS1028A SoC
where there will be PSCI support soon.
Additionally, make ARMV8_PSCI and SEC_FIRMWARE_ARMV8_PSCI exclusive.
Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
If we are running in EL2 skip PSCI implementation setup. This avoids an
exception if CONFIG_ARMV8_PSCI is set, but u-boot is started by TF-A.
Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
There are two different implementations to do a secure monitor call:
smc_call() and arm_smccc_smc(). The former is defined in fwcall.c and
seems to be an ad-hoc implementation. The latter is imported from linux.
smc_call() is also only available if CONFIG_ARMV8_PSCI is not defined.
This makes it impossible to have both PSCI calls and PSCI implementation
in one u-boot build. The layerscape SoC code decide at runtime via
check_psci() if there is a PSCI support. Therefore, this is a
prerequisite patch to add PSCI implementation support for the layerscape
SoCs.
Note, for the TFA part, this is only compile time tested with
(ls1028ardb_tfa_defconfig).
Signed-off-by: Michael Walle <michael@walle.cc>
[Rebased]
Signed-off-by: Priyanka Jain <priyanka.jain@nxp.com>
psci_update_dt() is also required if CONFIG_ARMV8_PSCI is set, that is,
if u-boot is the PSCI provider.
Guard the check which is intended to call into the PSCI implementation
in the secure firmware, by the proper macro SEC_FIRMWARE_ARMV8_PSCI.
Mark the function as weak because - unfortunately - there is already
a stub of the same function in arch/arm/mach-rmobile/psci-r8a779a0.c
which does not the same as the common one.
Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
There is a Kconfig for this erratum, but it is ignored for armv8.
Respect it.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
Since COUNTER_FREQUENCY is obselete, so set cntfrq_el0 if
CONFIG_COUNTER_FREQUENCY is valid
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Implement arch_env_get_location() instead of env_get_location(), so that
the env_get_location() can be implemented on board level and override the
arch_env_get_location() architecture defaults.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Adam Ford <aford173@gmail.com>
Cc: Fabio Estevam <festevam@denx.de>
Cc: Marek Behún <marek.behun@nic.cz>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Tim Harvey <tharvey@gateworks.com>
Cc: Tom Rini <trini@konsulko.com>
Cc: Tommaso Merciai <tomm.merciai@gmail.com>
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
LS(1021/1012/1028/1043/1046/1088/2088), LX2160, LX2162
platforms are enabled with JR driver model.
removed sec_init() call from board files.
sec is initialized based on job ring information processed
from device tree.
Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
Reviewed-by: Michael Walle <michael@walle.cc>
Based on current usage, migrate a number of DP-DDR related options to
Kconfig.
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Cc: Rajesh Bhagat <rajesh.bhagat@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Use the semihosting_enabled function to determine whether or not to
enable semihosting devices. This allows for graceful fallback in the
event a debugger is not attached.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
This register holds "pstate" which includes (among other things) the
instruction mode the CPU was in when the exception was taken. This is
necessary to correctly interpret instructions at elr.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
To avoid passing around an extra register everywhere, save esr in
pt_regs like the rest. For proper alignment we need to have a second
(unused) register. All the printfs have to be adjusted, since
it's now an unsigned long and not an int.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
This adds support for booting entirely from JTAG while using a
hard-coded RCW. With these steps, it is not necessary to program a
"good" RCW using CodeWarrior. The method here can be performed with any
JTAG adapter supported by OpenOCD, including the on-board CMSIS-DAP
(albeit very slowly).
These steps require LS1046A support in OpenOCD, which was added in [1].
[1] 5b70c1f679/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
[trini: Add reference to doc/board/nxp/ls1046ardb.rst]
This converts the following to Kconfig:
CONFIG_ARMV8_SWITCH_TO_EL1
Cc: Alex Nemirovsky <alex.nemirovsky@cortina-access.com>
Cc: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Cc: Tien Fong Chee <tien.fong.chee@intel.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
This converts the following to Kconfig:
CONFIG_CHIP_SELECTS_PER_CTRL
Cc: Alison Wang <alison.wang@nxp.com>
Cc: Pramod Kumar <pramod.kumar_1@nxp.com>
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Cc: Rajesh Bhagat <rajesh.bhagat@nxp.com>
Cc: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
The branch_if_master macro jumps to a label if the CPU is the "master"
core, which we define as having all affinity levels set to 0. To check
for this condition, we need to mask off some bits from the MPIDR
register, then compare the remaining register value against zero.
The implementation of this was slighly broken (it preserved the upper
RES0 bits), overly complicated and hard to understand, especially since
it lacked comments. The same was true for the very similar
branch_if_slave macro.
Use a much shorter assembly sequence for those checks, use the same
masking for both macros (just negate the final branch), and put some
comments on them, to make it clear what the code does.
This allows to drop the second temporary register for branch_if_master,
so we adjust all call sites as well.
Also use the opportunity to remove a misleading comment: the macro
works fine on SoCs with multiple clusters. Judging by the commit
message, the original problem with the Juno SoC stems from the fact that
the master CPU *can* be configured to be from cluster 1, so the
assumption that the master CPU has all affinity values set to 0 does not
hold there. But this is already mentioned above in a comment, so remove
the extra comment.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
In ARMv8 we have the choice between two stack pointers to use: SP_EL0 or
SP_ELx, which is banked per exception level. This choice is stored in
the SP field of PState, and can be read and set via the SPSel special
register. When the CPU takes an exception, it automatically switches to
the SP_ELx stack pointer.
Trusted Firmware enters U-Boot typically with SPSel set to 1, so we use
SP_ELx all along as our sole stack pointer, both for normal operation and
for exceptions.
But if we now for some reason enter U-Boot with SPSel cleared, we will
setup and use SP_EL0, which is fine, but leaves SP_ELx uninitialised.
When we now take an exception, we try to save the GPRs to some undefined
location, which will usually end badly.
To make sure we always have SP_ELx pointing to some memory, set SPSel
to 1 in the early boot code, to ensure safe operation at all times.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The ARMv8 architecture describes the "SError interrupt" as the fourth
kind of exception, next to synchronous exceptions, IRQs, and FIQs.
Those SErrors signal exceptional conditions from which the system might
not easily recover, and are normally generated by the interconnect as a
response to some bus error. A typical situation is access to a
non-existing memory address or device, but it might be deliberately
triggered by a device as well.
The SError interrupt replaces the Armv7 asynchronous abort.
Trusted Firmware enters U-Boot (BL33) typically with SErrors masked,
and we never enable them. However any SError condition still triggers
the SError interrupt, and this condition stays pending, it just won't be
handled. If now later on the Linux kernel unmasks the "A" bit in PState,
it will immediately take the exception, leading to a kernel crash.
This leaves many people scratching their head about the reason for
this, and leads to long debug sessions, possibly looking at the wrong
places (the kernel, but not U-Boot).
To avoid the situation, just unmask SErrors early in the ARMv8 boot
process, so that the U-Boot exception handlers reports them in a timely
manner. As SErrors are typically asynchronous, the register dump does
not need to point at the actual culprit, but it should happen very
shortly after the condition.
For those exceptions to be taken, we also need to route them to EL2,
if U-Boot is running in this exception level.
This removes the respective code snippet from the Freescale lowlevel
routine, as this is now handled in generic ARMv8 code.
Reported-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
This is the promised second part of the sunxi PR for 2022.04, albeit
technially outside of the merge window. We were working on this full
steam since the beginning of the year, and it deserves to be merged,
I think.
The main attraction is support for the F1C100s SoC, which sports a
venerable ARM926 core. Support for this SoC and the LicheePi Nano board
has been in Linux for years, and U-Boot patches were posted mid last
year already.
The new SoC using ARMv5 also means that the bulk of the new code should
not touch any existing boards, although we did some refactorings first,
of course, which actually cleans up some existing sunxi code.
Compile tested for all 160 sunxi boards, and briefly tested on BananaPi M1,
OrangePi Zero, Pine64 and Pine-H64. Tested by others on their boards,
including F1C100s and F1C200s devices.
When we added Allwinner SoC support to ARMv8, we needed to pull in an
implementation of lowlevel_init() calling the C function s_init(), as
sunxi required it as this time.
The last few patches got rid of this bogus requirement, and as sunxi was
still the only user, we can now remove this lowlevel_init.S from ARMv8
altogether.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
There is some code that tries to "reset" the SCTLR_ELx register early in
the boot process. The idea seems to be to guarantee some sane settings
that U-Boot actually relies on, for instance running in little-endian
mode, with the MMU off initially.
However the current code has multiple problems:
- For a start, no platform or config defines the symbol that would
enable that code.
- The code itself really only works if the bits that it tries to clear
are already cleared:
- If we run in big-endian mode initially, any previous loads would have
been wrong already. That applies to the (optional) relocation code,
but more prominently to the mask that it uses to clear those bits:
"ldr x1, =0xfdfffffa" looks innocent, but actually involves a memory
access to the literal pool, using the current endianness.
- If we run with the MMU enabled, we are probably doomed already. We
*could* hope that we are running with an identity mapping, but would
need to do some cache maintenance to avoid losing dirty cache lines.
- The idea of doing a read-modify-write of SCTLR is somewhat
questionable to begin with, because as the owner of the current
exception level we should initialise all bits of this register with a
certain fixed value.
- The code is unnecessarily complicated, and the function name is
misspelled.
While those problems *could* admittedly be fixed, the point that is does
not seem to be used at all at the moment tells me we should just remove
this code, and be it to not give a bad example.
If people care, I could introduce some proper SCTLR initialisation code.
We are about to work this out for the boot-wrapper[1] as we speak, but
apparently we got away without doing this in U-Boot ever since, so it
might not be worth the potential trouble.
[1] https://lore.kernel.org/linux-arm-kernel/20220114105653.3003399-7-mark.rutland@arm.com/
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Setting LINUX_KERNEL_IMAGE_HEADER=y attempts to include an ARM64 Linux
kernel image header at the start of both U-Boot proper and SPL binaries.
However, some definitions that the image header uses are not included by
the SPL linker script, resulting in a build error. Include them the way
they are included in U-Boot proper's linker script to fix the error.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>