Currently get_tcr() takes an "el" parameter, to select the proper
version of the TCR_ELx system register.
This is problematic in case of the Apple M1, since it runs with
HCR_EL2.E2H fixed to 1, so TCR_EL2 is actually using the TCR_EL1 layout,
and we get the wrong version.
For U-Boot's purposes the only sensible choice here is the current
exception level, and indeed most callers treat it like that, so let's
remove that parameter and read the current EL inside the function.
This allows us to check for the E2H bit, and pretend it's EL1 in this
case.
There are two callers which don't care about the EL, and they pass 0,
which looks wrong, but is irrelevant in these two cases, since we don't
use the return value there. So the change cannot affect those two.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Tested-by: Mark Kettenis <kettenis@openbsd.org>
The AArch64 TCR_ELx register is a 64-bit register, and many newer
architecture features use bits in the upper half. So far U-Boot was
igorant of those bits, trying to leave them alone.
However, in an effort to set bit 31 to 1, it failed doing so, because
the compiler sign-extended "1 << 31", so that all bits[63:31] got set.
Older ARMv8.0 cores don't define anything dangerous up there, but newer
architecture revisions do, and setting all those bits will end badly:
=================
$ qemu-system-aarch64 -cpu max ....
U-Boot 2022.07-rc1 (May 09 2022 - 15:21:00 +0100)
DRAM: 1.5 GiB
================= (hangs here)
Defining TCR_ELx_RSVD to "1U << 31" avoids the sign-extension, so all
upper bits stay at a safe 0 value. This means no more surprises when
U-Boot runs on a more capable CPU core.
Reported-by: Balaji Anandapadmanaban <Balaji.Anandapadmanaban@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Tested-by: Peter Collingbourne <pcc@google.com>
Reviewed-by: Peter Collingbourne <pcc@google.com>
At present panic() is in the vsprintf.h header file. That does not seem
like an obvious choice for hang(), even though it relates to panic(). So
let's put hang() in its own header.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Migrate a few more files]
Signed-off-by: Tom Rini <trini@konsulko.com>
Drop the _AC and UL macros from common.h. Linux headers is the original
source of this macro, so keep its definition in the same header.
Update existing users of these macros to include const.h directly.
Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Cc: Rick Chen <rick@andestech.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Signed-off-by: Stefan Roese <sr@denx.de>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
To page mapping the lowest 2 bits needs to be 0x3.
If not fix this, the final lowest 3 bits for page mapping is 0x1
which is marked as reserved.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Enable support for loadables in SEC firmware FIT image. Currently
support is added for single loadable image.
Brief description of implementation:
Add two more address pointers (loadable_h, loadable_l) as arguments to
sec_firmware_init() api.
Create new api: sec_firmware_checks_copy_loadable() to check if loadables
node is present in SEC firmware FIT image. If present, verify loadable
image and copies it to secure DDR memory.
Populate address pointers with secure DDR memory addresses where loadable
is copied.
Example use-case could be trusted OS (tee.bin) as loadables node in SEC
firmware FIT image.
Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Add space around operator "+", make it
match the coding style.
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Macro VA_BITS and PTE_BLOCK_BITS are not used
in the code, so remove them.
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: York Sun <york.sun@nxp.com>
kASLR support in kernel requires a random number to be passed via
chosen/kaslr-seed propert. sec_firmware generates this random seed
which can then be passed in the device tree node.
sec_firmware reserves JR3 for it's own usage. Node for JR3 is
removed from device-tree.
Signed-off-by: Ruchika Gupta <ruchika.gupta@nxp.com>
PSCI can be used on both multiple and single core socs. Current
implementation only allows PSCI to work on multiple core socs.
This patch removes this restriction so that PSCI can work on
single core socs as well.
Signed-off-by: Chenhui Zhao <chenhui.zhao@nxp.com>
Signed-off-by: Tang Yuantian <andy.tang@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Moved the ifdef into ppa.h and removed the duplicated macros.
Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Function mmu_change_region_attr() is added to change existing mapping
with updated PXN, UXN and memory type. This is a break-before-make
process during which the mapping becomes fault (invalid) before final
attributres are set.
Signed-off-by: York Sun <york.sun@nxp.com>
Moved the config FSL_PPA_ARMV8_PSCI from fsl-layerscape's Kconfig to
Kconfig under armv8 and renamed it to SEC_FIRMWARE_ARMV8_PSCI.
Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
The UL() macro is pretty useful in sharing constants between assembly
and C files while still being able to specify a type for C.
Move the macro from an armv8 specific header into a common header file
to be able to use it by arm code (for instance) as well.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Jagan Teki <jagan@openedev.com>
NXP/Freescale uses macro CONFIG_ARMV8_PSCI to enable their private PSCI
implementation in PPA firmware, but this macro naming too generic, so this
patch replaces it with a specic one CONFIG_FSL_PPA_ARMV8_PSCI.
And this macro CONFIG_ARMV8_PSCI will be used for a generic PSCI for ARMv8
which will be added in following patchs.
Signed-off-by: Hongbo Zhang <hongbo.zhang@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: York Sun <york.sun@nxp.com>
The FSL Primary Protected Application (PPA) is a software component
loaded during boot which runs in TrustZone and remains resident
after boot.
Use the secure firmware framework to integrate FSL PPA into U-Boot.
Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
This framework is introduced for ARMv8 secure monitor mode firmware.
The main functions of the framework are, on EL3, verify the firmware,
load it to the secure memory and jump into it, and while it returned
to U-Boot, do some necessary setups at the 'target exception level'
that is determined by the respective secure firmware.
So far, the framework support only FIT format image, and need to define
the name of which config node should be used in 'configurations' and
the name of property for the raw secure firmware image in that config.
The FIT image should be stored in Byte accessing memory, such as NOR
Flash, or else it should be copied to main memory to use this framework.
Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Introduce virtual and physical addresses in the mapping table. This change
have no impact on existing boards because they all use idential mapping.
Signed-off-by: York Sun <york.sun@nxp.com>
Make setup_pgtages() and get_tcr() available for platform code to
customize MMU tables.
Remove unintentional call of create_table().
Signed-off-by: York Sun <york.sun@nxp.com>
By now the code to only have a single page table level with 64k page
size and 42 bit address space is no longer used by any board in tree,
so we can safely remove it.
To clean up code, move the layerscape mmu code to the new defines,
removing redundant field definitions.
Signed-off-by: Alexander Graf <agraf@suse.de>
The MMU range table can vary depending on things we may only find
out at runtime. While the very simple ThunderX variant does not
change, other boards will, so move the definition from a static
entry in a header file to the board file.
Signed-off-by: Alexander Graf <agraf@suse.de>
The idea to generate our pages tables from an array of memory ranges
is very sound. However, instead of hard coding the code to create up
to 2 levels of 64k granule page tables, we really should just create
normal 4k page tables that allow us to set caching attributes on 2M
or 4k level later on.
So this patch moves the full_va mapping code to 4k page size and
makes it fully flexible to dynamically create as many levels as
necessary for a map (including dynamic 1G/2M pages). It also adds
support to dynamically split a large map into smaller ones when
some code wants to set dcache attributes.
With all this in place, there is very little reason to create your
own page tables in board specific files.
Signed-off-by: Alexander Graf <agraf@suse.de>
When running in EL1, AArch64 knows two page table maps. One with addresses
that start with all zeros (TTBR0) and one with addresses that start with all
ones (TTBR1).
In U-Boot we don't care about the high up maps, so just disable them to ensure
we don't walk an invalid page table by accident.
Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Based on the memory map we can determine a lot of hard coded fields of
TCR, like the maximum VA and max PA we want to support. Calculate those
dynamically to reduce the chance for pit falls.
Signed-off-by: Alexander Graf <agraf@suse.de>
This patch adds code which sets up 2-level page tables on ARM64 thus
extending available VA space. CPUs implementing 64k translation
granule are able to use direct PA-VA mapping of the whole 48 bit
address space.
It also adds the ability to reset the SCTRL register at the very beginning
of execution to avoid interference from stale mappings set up by early
firmware/loaders/etc.
Signed-off-by: Sergey Temerkhanov <s.temerkhanov@gmail.com>
Signed-off-by: Radha Mohan Chintakuntla <rchintakuntla@cavium.com>
For most device addresses excution shouldn't be allowed. Revise
the MMU table to enforce execute-never bits. OCRAM, DDR and IFC
are allowed for excution.
Signed-off-by: York Sun <yorksun@freescale.com>
Signed-off-by: Alison Wang <alison.wang@freescale.com>
Reported-by: Zhichun Hua <zhichun.hua@freescale.com>
Freescale LayerScape with Chassis Generation 2 is a set of SoCs with
ARMv8 cores and 2rd generation of Chassis.
Signed-off-by: Li Yang <leoli@freescale.com>
Signed-off-by: Hou Zhiqiang <B48286@freescale.com>
Signed-off-by: Mingkai Hu <Mingkai.Hu@freescale.com>
Signed-off-by: Gong Qianyu <Qianyu.Gong@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
For EL3 and EL2, the documentation says that bits 31 and 23 are reserved
but should be written as 1.
For EL1, only bit 23 is not reserved, so only write bit 31 as 1.
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Use the inner shareable attribute for memory, which makes more sense
considering that this code is called when caches are being enabled.
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
This patch rewrites MMU translation table entries. To start, all table
entries are written as "invalid", then "device-ngnrnr" and "normal" are
written to the entries to enable access to specific addresses.
Signed-off-by: Alison Wang <alison.wang@freescale.com>
Signed-off-by: York Sun <yorksun@freescale.com>
For ARMv8, outer shareable is 0b10, inner shareable is 0b11 at bit
position [13:12] of TCR_ELx register.
Signed-off-by: Zhichun Hua <zhichun.hua@freescale.com>
Signed-off-by: York Sun <yorksun@freescale.com>
According to hardware implementation, a single outer shareable global
coherence group is defined. Inner shareable has not bee enabled.
Signed-off-by: York Sun <yorksun@freescale.com>
Make MMU function reusable. Platform code can setup its own MMU tables.
Signed-off-by: York Sun <yorksun@freescale.com>
CC: David Feng <fenghua@phytium.com.cn>
Relocation code based on a patch by Scott Wood, which is:
Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: David Feng <fenghua@phytium.com.cn>