Add support for stack protector for UBOOT, SPL, and TPL
as well as new pytest for stackprotector
Signed-off-by: Joel Peshkin <joel.peshkin@broadcom.com>
Adjust UEFI build flags.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Provide optimized versions of memcpy(), memmove(), memset() copied from
the Linux kernel.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
The value returned by setjmp must be nonzero. If zero is passed as
parameter it must be replaced by 1.
This patch reduces the code size a bit.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Driver model: Rename U_BOOT_DEVICE et al.
dtoc: Tidy up and add more tests
ns16550 code clean-up
x86 and sandbox minor fixes for of-platdata
dtoc prepration for adding build-time instantiation
-----BEGIN PGP SIGNATURE-----
iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAl/09LURHHNqZ0BjaHJv
bWl1bS5vcmcACgkQfxc6PpAIrebjwwf/fHRjYsAY/Yj/+y1xgo3L3sphIvQUqTDF
KkLl+kHdV5r8W/HJULxLQcF2r7pcPEI6TAQxuj3qQ5SUvm2HviS8GHGPawDEwyht
HgBp9VD56+HUadMfnbG//DVS73ycbL4XSKlYqpkINEejtnlttsCIawUXX5cTyGM/
59VkgnKrKvJQRUXvYLa8MTugTs4fkPJGDqhActBk/7SP1SImj+rfalNSqA2/dx6y
2RnPCSzB1x2231KSj+B1NgGlR3Xb8P8zgh20ijcEU/hrlXBTZyi7K7f4SJR30Efu
LYkkuj4VbxcV/25RozR0fmknqCs0QyAI+/dql6TNtbTSPC/jAfj0jQ==
=9kN3
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-5jan21' of git://git.denx.de/u-boot-dm into next
Driver model: make some udevice fields private
Driver model: Rename U_BOOT_DEVICE et al.
dtoc: Tidy up and add more tests
ns16550 code clean-up
x86 and sandbox minor fixes for of-platdata
dtoc prepration for adding build-time instantiation
In the spirit of using the same base name for all of these related macros,
rename this to have the operation at the end. This is not widely used so
the impact is fairly small.
Signed-off-by: Simon Glass <sjg@chromium.org>
RV32 should use PE32 format instead of PE32+ as the efi header format.
This requires following changes
1. A different header magic value
2. An additional parameter known as BaseOfData. Currently, it is set to
zero in absence of any usage.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
If an exception occurs on ARM or x86, we call panic() which will try to
reset the board. Do the same on RISC-V.
To avoid -Werror=format-zero-length move a '\n' to the string passed to
panic. We don't need a message here as depending on CONFIG_PANIC_HANG we
will either see
### ERROR ### Please RESET the board ###
or
resetting ...
as next message.
Reviewed-by: Rick Chen <rick@andestech.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Half of this driver is a DM-based timer driver, and half is RISC-V-specific
IPI code. Move the timer portions in with the other timer drivers. The
KConfig is not moved, since it also enables IPIs. It could also be split
into two configs, but no boards use the timer but not the IPI atm, so I
haven't split it.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Rick Chen <rick@andestech.com>
This is a regular timer driver, and should live with the other timer
drivers.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Rick Chen <rick@andestech.com>
No timer drivers return an error from get_count. Instead of possibly
returning an error, just return the count directly.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This ensures constructs like `if (gd & gd->...) { ... }` work when
accessing the global data pointer. Without this change, it was possible for
a very early trap to cause _exit_trap to directly or indirectly (through
printf) to read arbitrary memory. This could cause a second trap,
preventing show_regs from being printed.
printf (and specifically puts) uses gd to determine what function to print
with. These functions in turn use gd to find the serial device, etc.
However, before accessing gd, puts first checks to see if it is non-NULL.
This indicates an existing (perhaps undocumented) assumption that either gd
is NULL or it is completely valid.
Before this patch, gd either points to unexpected data (because it retains
the value it did from the prior-stage) or points to uninitialized data
(because it has not yet been initialized by board_init_f_init_reserve)
until the hart has acquired available_harts_lock. This can cause two
problems, depending on the value of gd->flags. If GD_FLG_SERIAL_READY is
unset, then some garbage data will be printed to stdout, but there will not
be a second trap. However, if GD_FLG_SERIAL_READY is set, then puts will
try to print with serial_puts, which will likely cause a second trap.
After this patch, gd is zero up until either a hart has set it in
wait_for_gd_init, or until it is set by arch_init_gd. This prevents its
usage before its data is initialized because both handle_trap and puts
ensure that gd is nonzero before using it. After gd has been set, it is OK
to access it because its data has been cleared (and so flags is valid).
XIP cannot use locks because flash is not writable. This leaves it
vulnerable to the same class of bugs regarding already-pending IPIs as
before this series. Fixing that would require finding another method of
synchronization, which is outside the scope of this series.
Fixes: 7c6ca03eae ("riscv: additional crash information")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Some IPIs may already be pending when U-Boot is started. This could be a
problem if a secondary hart tries to handle an IPI before the boot hart has
initialized the IPI device.
To be specific, the Kendryte K210 ROM-based bootloader does not clear IPIs
before passing control to U-Boot. Without this patch, the secondary hart
jumps to address 0x0 as soon as it enters secondary_hart_loop, and then
hangs in its trap handler.
This commit introduces a valid bit so secondary harts know when and IPI
originates from U-Boot, and it is safe to use the IPI API. The valid bit is
initialized to 0 by board_init_f_init_reserve. Before this, secondary harts
wait in wait_for_gd_init.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Reviewed-by: Leo Liang <ycliang@andestech.com>
Without a matching barrier on the write side, the barrier in handle_ipi
does nothing. It was entirely possible for the boot hart to write to addr,
arg0, and arg1 *after* sending the IPI, because there was no barrier on the
sending side.
Fixes: 90ae281437 ("riscv: add option to wait for ack from secondary harts in smp functions")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Reviewed-by: Leo Liang <ycliang@andestech.com>
This converts the clint driver from the riscv-specific interface to be a
DM-based UCLASS_TIMER driver. In addition, the SiFive DDR driver previously
implicitly depended on the CLINT to select REGMAP.
Unlike Andes's PLMT/PLIC (which AFAIK never have anything pass it a dtb),
the SiFive CLINT is part of the device tree passed in by qemu. This device
tree doesn't have a clocks or clock-frequency property on clint, so we need
to fall back on the timebase-frequency property. Perhaps in the future we
can get a clock-frequency property added to the qemu dtb.
Unlike with the Andes PLMT, the Sifive CLINT is also an IPI controller.
RISCV_SYSCON_CLINT is retained for this purpose.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@openfive.com>
This merges the PLIC initialization code from two functions into one.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
This converts the PLMT driver from the riscv-specific timer interface to be
a DM-based UCLASS_TIMER driver.
The clock-frequency/clocks properties are preferred over timebase-frequency
for two reasons. First, properties which affect a device should be located
near its binding in the device tree. Using timebase-frequency only really
makes sense when the cpu itself is the timer device. This is the case when
we read the time from a CSR, but not when there is a separate device.
Second, it lets the device use the clock subsystem which adds flexibility.
If the device is configured for a different clock speed, the timer can
adjust itself.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Rick Chen <rick@andestech.com>
The riscv-timer driver currently serves as a shim for several riscv timer
drivers. This is not too desirable because it bypasses the usual timer
selection via the driver model. There is no easy way to specify an
alternate timing driver, or have the tick rate depend on the cpu's
configured frequency. The timer drivers also do not have device structs,
and so have to rely on storing parameters in gd_t. Lastly, there is no
initialization call, so driver init is done in the same function which
reads the time. This can result in confusing error messages. To a user, it
looks like the driver failed when trying to read the time, whereas it may
have failed while initializing.
This patch removes the shim functionality from the riscv-timer driver, and
has it instead implement the former rdtime.c timer driver. This is because
existing u-boot users who pass in a device tree (e.g. qemu) do not create a
timer device for S-mode u-boot. The existing behavior of creating the
riscv-timer device in the riscv cpu driver must be kept. The actual reading
of the CSRs has been redone in the style of Linux's get_cycles64.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
The gp register is used to store U-Boot's global data pointer. We should
not assume that an UEFI application leaves the gp register unchanged as
the UEFI specifications does not define who is the owner of the gp and tp
registers.
So the following sequence should be followed in the trap handler:
* save the caller's gp register
* restore the global data pointer
* serve interrupts or print crash dump and reset
* restore the caller's gp register
Cc: Abner Chang <abner.chang@hpe.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Add boolean input argument @no_map to helper function
fdtdec_add_reserved_memory() to add or not "no-map" property
for an added reserved memory node.
Property no-map is used by the Linux kernel to not not map memory
in its static memory mapping. It is needed for example for the|
consistency of system non-cached memory and to prevent speculative
accesses to some firewalled memory.
No functional change. A later change will update to OPTEE library to
add no-map property to OP-TEE reserved memory nodes.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Provide a command to display information about the SBI implementation.
The output might look like:
=> sbi
SBI 0.2
OpenSBI
Extensions:
sbi_set_timer
sbi_console_putchar
sbi_console_getchar
sbi_clear_ipi
sbi_send_ipi
sbi_remote_fence_i
sbi_remote_sfence_vma
sbi_remote_sfence_vma_asid
sbi_shutdown
SBI Base Functionality
Timer Extension
IPI Extension
RFENCE Extension
Hart State Management Extension
The command can be used to construct a unit test checking that the
communication with the SEE is working.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@openfive.com>
Tested-by: Pragnesh Patel <pragnesh.patel@openfive.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Tested-by: Rick Chen <rick@andestech.com>
Building with CONFIG_SPL_SMP=n results in:
arch/riscv/lib/spl.c: In function ‘jump_to_image_no_args’:
arch/riscv/lib/spl.c:33:6:
error: unused variable ‘ret’ [-Werror=unused-variable]
33 | int ret;
| ^~~
Define the variable ret as __maybe_unused.
Fixes: 191636e448 ("riscv: Introduce SPL_SMP Kconfig option for U-Boot SPL")
Fixes: 8c59f2023c ("riscv: add SPL support")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Rick Chen <rick@andestech.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@openfive.com>
If an exception occurs, the relocated program counter and return address
are required for an analysis.
With this patch you get:
=> exception undefined
Unhandled exception: Illegal instruction
EPC: 0000000080595908 RA: 000000008059c0c6 TVAL: 000000008030c01e
EPC: 0000000080007908 RA: 000000008000e0c6 reloc adjusted
We can use the relocated addresses to find the involved functions in
u.boot.map:
.text.do_undefined
0x0000000080007908 0x8 cmd/built-in.o
.text.cmd_process
0x000000008000dfcc 0x11a common/built-in.o
0x000000008000dfcc cmd_process
If an exception occurs in an UEFI binary additionally the load addresses of
the UEFI binaries are needed. With this patch:
=> setenv efi_selftest exception
=> bootefi selftest
Unhandled exception: Illegal instruction
EPC: 000000008042e18a RA: 000000008042e18a TVAL: 000000008030c01e
EPC: 000000007fea018a RA: 000000007fea018a reloc adjusted
UEFI image [0x0000000000000000:0xffffffffffffffff] '/\selftest'
UEFI image [0x000000008042e000:0x000000008042e43f] pc=0x18a '/bug.efi'
The value pc=0x18a matches the position of the illegal instruction in
efi_selftest_miniapp_exception.efi (loaded as /bug.efi);
asm volatile (".word 0xffffffff\n");
00000180 93 85 C5 11 1C 64 22 85 82 97 FF FF FF FF 1C 64
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Tested-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
After
if (ret) return ret;
we know that ret is zero. Don't check it again.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
The generic SPL version of board_init_f() should give a call to
board specific codes to initialize board in the SPL phase.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Tested-by: Pragnesh Patel <pragnesh.patel@sifive.com>
This reverts commit 958a3f464c.
A more appropriate change below is already in mainline.
Commit fd31e4fd18 ("riscv: Do not build reset.c if SYSRESET is on")
Revert this patch, so that U-Boot can be built successfully for
SiFive Fu540 board.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Leo Liang <ycliang@andestech.com>
Commit 40686c394e ("riscv: Clean up IPI initialization code")
caused U-Boot failed to boot on SiFive HiFive Unleashed board.
The codes inside arch_cpu_init_dm() may call U-Boot timer APIs
before the call to riscv_init_ipi(). At that time the timer register
base (e.g.: the SiFive CLINT device in this case) is unknown yet.
It might be the name riscv_init_ipi() that misleads people to only
consider it is related to IPI, but in fact the timer capability is
provided by the same SiFive CLINT device that provides the IPI.
Timer capability is needed for both UP and SMP.
Considering that the original refactor does have benefits, that it
makes the IPI code more similar to U-Boot initialization idioms.
It also removes some quite ugly macros. Let's do the minimal revert
instead of a complete revert, plus a fixes to arch_cpu_init_dm() to
consider the SPL case.
Fixes: 40686c394e ("riscv: Clean up IPI initialization code")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Tested-by: Leo Liang <ycliang@andestech.com>
Replace printf() and debug() by log_err() and log_debug().
"No reserved memory region found in source FDT\n" is not an error but a
debug information.
%s/can not/cannot/ - use the more common spelling.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Atish Patra <atish.patra@wdc.com>
fdtdec_get_addr_size_no_parent is not an optimized version if parent
node is already available with the caller.
Use fdtdec_get_addr_size_auto_parent to read the "reg" property
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Not all errors are fatal. If a reserved memory node already exists in the
destination device tree, we can continue to boot without failing.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
The FDT blob might not have sufficient space to hold a copy of
reserved memory node. Expand it before the copy.
Reported-by: Rick Chen <rick@andestech.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Rick Chen <rick@andestech.com>
The copy of reserved memory node from source dtb to destination dtb
can be avoided if they point to the same place. This is useful when
OF_PRIOR_STAGE is used.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Reviewed-by: Atish Patra <atish.patra@wdc.com>
Currently, one cannot use a reset driver on RISC-V. Follow the MIPS
example, and disable the default reset handler when the sysreset driver is
enabled.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The previous IPI code initialized the device whenever the first call was
made to a riscv_*_ipi function. This made it difficult to determine when
the IPI device was initialized. This patch introduces a new function
riscv_init_ipi. It is called once during arch_cpu_init_dm. In SPL, it is
called in spl_invoke_opensbi. Before this point, no riscv_*_ipi functions
should be called.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Rick Chen <rick@andestech.com>
sbi_probe_extension() is an API defined in SBI v0.2, not v0.1.
Fixes 7e249bc13a: ("riscv: Move all SMP related SBI calls to SBI_v01")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
U-Boot defaults to use SBI v0.2. Howerver there is a global variable
sbi_spec_version that stills refers to v0.1. Since it is not used
anywhere, let's remove it.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Rick Chen <rick@andestech.com>
SMP support for S-mode U-Boot is enabled only if SBI_V01 is enabled.
There is no point in supporting SMP related (IPI and fences) SBI calls
when SBI_V02 is enabled.
Modify all the SMP related SBI calls to be defined only for SBI_V01.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
We should not use typedefs in U-Boot. They cannot be used as forward
declarations which means that header files must include the full header to
access them.
Drop the typedef and rename the struct to remove the _s suffix which is
now not useful.
This requires quite a few header-file additions.
Signed-off-by: Simon Glass <sjg@chromium.org>
Keep all the fdt fixups together for better code management.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The DT used by U-Boot may be different from the DT being passed to
the OS if the DT is loaded from external media such as network or
mmc. In that case, the reserved-memory node needs to be copied to
the DT passed to the OS.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
FU540 uses OF_SEPARATE instead of OF_PRIOR_STAGE.
Enable OF_BOARD_FIXUP to update the DT with reserved-memory node.
Signed-off-by: Atish Patra <atish.patra@wdc.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>