- Hafnium - lists.trustedfirmware.org

Could you add a new gicd_set_ctlr() API to set GICD_CTLR to wait until RWP becomes zero?

by magicse7en＠outlook.com

Hi , Could you add below patch to gicv3_helpers.h? --- a/src/arch/aarch64/plat/interrupts/gicv3_helpers.h +++ b/src/arch/aarch64/plat/interrupts/gicv3_helpers.h @@ -203,6 +203,16 @@ static inline void gicd_wait_for_pending_write(uintptr_t gicd_base) } } +static inline void gicd_set_ctlr(uintptr_t base, + unsigned int bitmap, + unsigned int rwp) +{ + gicd_write_ctlr(base, gicd_read_ctlr(base) | bitmap); + if (rwp != 0U) { + gicd_wait_for_pending_write(base); + } +} + static inline uint32_t gicd_read_pidr2(uintptr_t base) { return io_read32(IO32_C(base + GICD_PIDR2_GICV3)); The existed gicd_write_ctlr() just write the GICD_CTLR, but from GIC spec, if write GICD_CTLR, it needs to wait the RWP bit becomes zero. Therefore, I think the gicd_set_ctlr() function of tf-a is a good choice. I tried to push this patch to https://review.trustedfirmware.org/, but I encountered below error. error: RPC failed; HTTP 403 curl 22 The requested URL returned error: 403

11 months

2
1
1 0

Trusted Firmware v2.10 Release Announcement

by Olivier Deprez

Hi All, We are pleased to announce the formal release of Trusted Firmware-A version 2.10 bundle of project deliverables. This includes Trusted Firmware-A, Trusted Firmware-A Tests, Hafnium, RMM and TF-A OpenCI Scripts/Jobs 2.10 releases involving the tagging of multiple repositories. These went live on 22nd November 2023. Please find references to tags and change logs at the end of this email. Many thanks to the community for the active engagement in delivering this release! Notable Features of the Version 2.10 Release are as follows: TF-A/EL3 Root World * New Features: * Firmware handoff library support * Improvements to BL31 runtime exception handling * Context management refactoring for RME/4 worlds * Gelas, Nevis & Travis CPUs support * V8.9 features enabled (FEAT_ HAFT, RPRFM, LRCPC3, MTE_PERM) TF-A Boot BL1/BL2 * New Features * Trusted Boot support for ECDSA (Elliptic Curve Digital Signature Algorithm) * Migrated to PSA crypto API’s * Improved the GUID Partition Table (GPT) parser. * Various security Improvements and threat Model updates for ARM CCA * Signer id extraction Implementation Hafnium/SEL2 SPM * New Features: * FF-A v1.2: FFA_YIELD with time-out; EL3 SPMDs LSPs communication; memory sharing updates. * Memory region relative base address field support in SP manifests. * Interrupt re-configuration hypervisor calls. * Memory management: S2 PT NS/S IPA split * SMCCCv1.2+ compliance fixes. * Feature parity test improvements, EL3 SPMC and Hafnium (S-EL2 SPMC) TF-RMM/REL2 * New Feature/Support * Fenimore v1.0 EAC5 aligned implementation. * TFTF Enhancements for RME testing * Initial CBMC support * NS SME support in RMM * BTI support for RMM Errata * Errata implemented (1xCortex-X2/ Matterhorn-ELP, 1xCortex-A710/Matterhorn, 1xNeoverse N2/Perseus, 2xNeoverse V2/Demeter, Makalu ELP/Cortex X3, Klein/Cortex-A510) * Fix some minor defects with version in a few errata that applies for some follow up revisions of the CPUs. (Neoverse V1, Cortex-X2, Cortex-A710) TF-A Tests * Core * Added errata management firmware interface tests. * Added firmware handoff tests. * Introduced RAS KFH support test. * SPM/FF-A * Support SMCCCv1.2 extended GP registers set. * Test SMCCC compliance at the non-secure physical instance. * Test secure eSPI interrupt handling. * Test FF-A v1.2 FFA_PARTITION_INFO_GET_REGS interface. * RMM * Added FPU/SVE/SME tests * Added multiple REC single CPU tests. * Added PAuth support in Realms tests. * Added PMU tests. Platform Support * New platforms added: * Aspeed AST2700, NXP IMX93, Intel Agilex5, Nuvoton NPCM845x, QTI MDM9607, MSM8909, MSM8939, ST STM32MP2 Release tags across repositories: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tag/?h=v2.10 https://git.trustedfirmware.org/TF-A/tf-a-tests.git/tag/?h=v2.10 https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tag/?h=v2.10 https://git.trustedfirmware.org/ci/tf-a-job-configs.git/tag/?h=v2.10 https://git.trustedfirmware.org/hafnium/hafnium.git/tag/?h=v2.10 https://git.trustedfirmware.org/ci/hafnium-ci-scripts.git/tag/?h=v2.10 https://git.trustedfirmware.org/ci/hafnium-job-configs.git/tag/?h=v2.10 https://git.trustedfirmware.org/TF-RMM/tf-rmm.git/tag/?h=tf-rmm-v0.4.0 Change logs: https://trustedfirmware-a.readthedocs.io/en/v2.10/change-log.html#id1 https://trustedfirmware-a-tests.readthedocs.io/en/v2.10/change-log.html#ver… https://hafnium.readthedocs.io/en/latest/change-log.html#v2-10 https://tf-rmm.readthedocs.io/en/tf-rmm-v0.4.0/about/change-log.html#v0-4-0 Regards, Olivier.

12 months

1
1
0 0

Firmware-A v2.10 release code freeze notification

by Olivier Deprez

Hi All, The next release of the Firmware-A bundle of projects tagged v2.10 has an expected code freeze date of Nov, 7th 2023. Refer to the Release Cadence section from TF-A documentation (https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/about…). Closing out the release takes around 6-10 working days after the code freeze. Preparations tasks for v2.10 release should start in coming month. We want to ensure that planned feature patches for the release are submitted in good time for the review process to conclude. As a kind recommendation and a matter of sharing CI resources, please launch CI jobs with care e.g.: -For simple platform, docs changes, or one liners, use Allow-CI+1 label (no need for a full Allow-CI+2 run). -For large patch stacks use Allow-CI+2 at top of the patch stack (and if required few individual Allow+CI+1 in the middle of the patch stack). -Carefully analyze results and fix the change if required, before launching new jobs on the same change. -If after issuing a Allow-CI+1 or Allow-CI+2 label a Build start notice is not added as a gerrit comment on the patch right away please be patient as under heavy load CI jobs can be queued and in extreme conditions it can be over an hour before the Build start notice is issued. Issuing another Allow-CI+1 or Allow-CI+2 label will just result in an additional job being queued. Thanks & Regards, Olivier.

1 year

1
3
0 0

Hafnium - number of PEs vs number of VCPU

by Pawandeep Oza (QUIC)

Hi, I have a question about hafnium executing PSCI_CPU_ON. So what I observe is, if I define single SP with 2 Physical CPUs & 2 VCPUS defined in SPMC manifest for hypervisor and secure partition, respectively. And when I do have > 2 cpus running in non-secure world, precisely at the moment when Linux brings up 3rd CPU with PSCI_CPU_ON, EL3 PSCI calls will be forwarded to hafnium running in secure EL2. And this is where it hits. And since hafnium doesn't find 3rd CPU defined in manifest it will hit "Dead stop here if no more CPU. */ .global cpu_entry cpu_entry: #if SECURE_WORLD == 1 /* Get number of cpus gathered from DT. */ adrp x3, cpu_count add x3, x3, :lo12:cpu_count ldr w3, [x3] /* Prevent number of CPUs to be higher than supported by platform. */ cmp w3, #MAX_CPUS bhi . /* x0 points to first cpu in cpus array. */ adrp x0, cpus add x0, x0, :lo12:cpus /* Get current core affinity. */ get_core_affinity x1, x2 /* Dead stop here if no more cpu. */ 0: cbz w3, 0b sub w3, w3, #1 /* Get cpu id pointed to by x0 in cpu array. */ ldr x2, [x0, CPU_ID] If I have defined this 3rd physical CPU in hafnium manifest then hafniu proceed further from above code. But then will hit plat_psci_cpu_resume and eventually it will abort with following check CHECK(vcpu_index < vm->vcpu_count); cpu_init: /* Call into C code, x0 holds the CPU pointer. */ bl cpu_main /* Run the vCPU returned by cpu_main. */ bl vcpu_restore_all_and_run it looks like hafnium expects >= the number of physical Pes running at non-secure side to be defined in SPMC manifest file. Also it expects the same number of VCPUs to be defined in manifest file. but my understanding is, there could be number of PEs running at non-secure side could be greater than number of Pes/VCPUs at secure side. But from the code flow of hafnium, I don't think it supports that. Regards, Oza.

1 year, 1 month

2
1
0 0

Reminder: TrustedFirmware Discord Channel

by don.harbin＠linaro.org

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

1 year, 1 month

1
0
0 0

FFA_CONSOLE_LOG control characters filtering

by Olivier Deprez

Hi, I noticed Hafnium's FFA_CONSOLE_LOG implementation permits writing any ascii character to the UART. In particular the StMM/EDKII print library explicitly adds <CR> characters on any output string, however those are not interpreted by the implementation and directly sent to the UART driver (as opposed to <LF> https://review.trustedfirmware.org/plugins/gitiles/hafnium/hafnium/+/refs/h… ) . Is it fair adding filtering to omit control characters https://review.trustedfirmware.org/c/hafnium/hafnium/+/27265/2/src/api.c#44… ? Regards, Olivier.

1 year, 2 months

1
0
0 0

Secure interrupt while sending direct response

by Jens Wiklander

Hi all, I'm testing FF-A notifications with OP-TEE and Hafnium. I'm using interrupts from the secure uart as a trigger to set a notification for the normal world. Sometimes when testing I run into: VERBOSE: Secure virtual interrupt not yet serviced by SP 8001. FFA_MSG_SEND_DIRECT_RESP interrupted Hafnium then returns an FFA_ERROR (code -5) as a response to the FFA_MSG_SEND_DIRECT_RESP OP-TEE was just exiting with. After some digging in the code I find a comment at the top of plat_ffa_is_direct_response_interrupted() https://git.trustedfirmware.org/hafnium/hafnium.git/tree/src/arch/aarch64/p… /* * A secure interrupt might trigger while the target SP is currently * running to send a direct response. SPMC would then inject virtual * interrupt to vCPU of target SP and resume it. * However, it is possible that the S-EL1 SP could have its interrupts * masked and hence might not handle the virtual interrupt before * sending direct response message. In such a scenario, SPMC must * return an error with code FFA_INTERRUPTED to inform the S-EL1 SP of * a pending interrupt and allow it to be handled before sending the * direct response. */ The specification doesn't mention this as a valid error code for FFA_MSG_SEND_DIRECT_RESP. Is this something we can expect to be added to the specification or at least something OP-TEE has to be prepared to handle regardless? As far as I can tell there's no way of guaranteeing that Hafnium will not return this error for FFA_MSG_SEND_DIRECT_RESP. Even if we were able to execute the smc instruction with secure interrupts unmasked, what if the interrupt is raised just after the smc instruction has been trapped in Hafnium? It is a bit inconvenient as it means saving the registers passed to the smc instruction to be able to restart the smc instruction with the same arguments. It seems we may need to redesign the exit procedure. It would be nice with an example of how an S-EL1 SP is supposed to exit with FFA_MSG_SEND_DIRECT_RESP. Thoughts? Thanks, Jens

1 year, 5 months

3
7
0 0

scaling platform's spmc build

by Olivier Deprez

Hi, As of today, the way to build Hafnium is a single make command to build Hafnium binaries (e.g. SPMC) and tests for all platforms at once. This is an overhead for deployments or integrations downstream that are only interested in building a single platform SPMC image, and are not interested in running Hafnium tests. We have a proposal to help scaling to those deployments where only an SPMC binary for a given platform is required. On the benefits side, this greatly decreases the build time for said deployments and limits build dependencies (e.g. ones within the test framework). There are certainly more complex solutions that we thought about (like segregating individual project git trees beyond 'reference') . However, the proposed change remains simple and keeps the build system backwards compatible with existing deployments. Essentially this introduces a PLATFORM command line build option for the sake of building the SPMC for one given platform (omitting tests). If required it can be combined with the existing PROJECT variable. Example usages: * make [PROJECT=reference] : builds all platforms from 'reference' project including tests (same as today) * make PLATFORM=secure_aem_v8a_fvp_vhe : builds the SPMC targeting FVP from the 'reference' project (omitting tests) * Similarly for Arm solutions, make PLATFORM=secure_tc, make PLATFORM=secure_rd_fremont * make PROJECT=project1 : make all platforms from alternate project 'project1' * make PROJECT=project2 PLATFORM=platform1 : make a single 'platform1' hafnium binary from project 'project2' See the changes: https://review.trustedfirmware.org/c/hafnium/hafnium/+/24822 https://review.trustedfirmware.org/c/hafnium/project/reference/+/24821/ Let us know if the approach sounds reasonable. Regards, Olivier.

1 year, 6 months

2
2
0 0

Manifest bindings

by Jens Wiklander

Hi, https://hafnium.readthedocs.io/en/latest/design/ffa-manifest-binding.html has a nice description of the manifest bindings. The intention is obviously to match the fields in the FF-A specification. However, the "pages-count" field in the bindings is called "page count" in the specification. Any chance of fixing this so the two fields have the same name? Thanks, Jens

1 year, 8 months

2
2
0 0

Compile errors when building Hafnium on Arm devices

by Chenxu Wang

Hi All, I try to build Hafnium v2.8 on Armv8-A device, but I got some compile errors. Here are my building scripts: ``` cd hafnium PATH=$PWD/prebuilts/linux-x64/clang/bin:$PWD/prebuilts/linux-x64/dtc:$PATH make PROJECT=reference ``` Here are some compile errors (The remainings are similar.) ``` [66/3042] CC aem_v8a_fvp_clang/obj/test/arch/arch_test.elf.dlog_test.o FAILED: aem_v8a_fvp_clang/obj/test/arch/arch_test.elf.dlog_test.o clang -MMD -MF aem_v8a_fvp_clang/obj/test/arch/arch_test.elf.dlog_test.o.d -DVM_TOOLCHAIN=0 -DGIC_VERSION=3 -DGICD_BASE=0x2f000000 -DGICR_BASE=0x2f100000 -DGICR_FRAMES=8 -DHEAP_PAGES=180 -DMAX_CPUS=8 -DMAX_VMS=16 -DLOG_LEVEL=LOG_LEVEL_INFO -DENABLE_ASSERTIONS=1 -DPARTITION_MAX_MEMORY_REGIONS=8 -DPARTITION_MAX_DEVICE_REGIONS=8 -DPARTITION_MAX_INTERRUPTS_PER_DEVICE=4 -DPARTITION_MAX_STREAMS_PER_DEVICE=4 -DHF_NUM_INTIDS=64 -DSECURE_WORLD=0 -DENABLE_VHE=0 -I../../inc -I../../inc/vmapi -I../../src/arch/aarch64/inc -Iaem_v8a_fvp_clang/gen/offset_size_header -I../../test/inc -ffunction-sections -fdata-sections -flto -fno-builtin -ffreestanding -fpic -mcpu=cortex-a57+nofp -mstrict-align -mgeneral-regs-only -target aarch64-none-eabi -fcolor-diagnostics -nostdinc -isystem /include -isystem hafnium/inc/system -g -Wall -O2 -Wpedantic -Werror -fstack-protector-all -std=c11 -c ../../test/arch/dlog_test.c -o aem_v8a_fvp_clang/obj/test/arch/arch_test.elf.dlog_test.o In file included from ../../test/arch/dlog_test.c:9: ../../inc/hf/dlog.h:11:10: fatal error: 'stdarg.h' file not found #include <stdarg.h> ^~~~~~~~~~ 1 error generated. [67/3042] CC aem_v8a_fvp_clang/obj/src/vm.vm.o FAILED: aem_v8a_fvp_clang/obj/src/vm.vm.o clang -MMD -MF aem_v8a_fvp_clang/obj/src/vm.vm.o.d -DVM_TOOLCHAIN=0 -DGIC_VERSION=3 -DGICD_BASE=0x2f000000 -DGICR_BASE=0x2f100000 -DGICR_FRAMES=8 -DHEAP_PAGES=180 -DMAX_CPUS=8 -DMAX_VMS=16 -DLOG_LEVEL=LOG_LEVEL_INFO -DENABLE_ASSERTIONS=1 -DPARTITION_MAX_MEMORY_REGIONS=8 -DPARTITION_MAX_DEVICE_REGIONS=8 -DPARTITION_MAX_INTERRUPTS_PER_DEVICE=4 -DPARTITION_MAX_STREAMS_PER_DEVICE=4 -DHF_NUM_INTIDS=64 -DSECURE_WORLD=0 -DENABLE_VHE=0 -I../../inc -I../../inc/vmapi -I../../src/arch/aarch64/inc -Iaem_v8a_fvp_clang/gen/offset_size_header -ffunction-sections -fdata-sections -flto -fno-builtin -ffreestanding -fpic -mcpu=cortex-a57+nofp -mstrict-align -mgeneral-regs-only -target aarch64-none-eabi -fcolor-diagnostics -nostdinc -isystem /include -isystem hafnium/inc/system -g -Wall -O2 -Wpedantic -Werror -fstack-protector-all -std=c11 -c ../../src/vm.c -o aem_v8a_fvp_clang/obj/src/vm.vm.o In file included from ../../src/vm.c:9: ../../inc/hf/vm.h:11:10: fatal error: 'stdatomic.h' file not found #include <stdatomic.h> ^~~~~~~~~~~~~ 1 error generated. ``` Can someone help me? Sincerely, WANG Chenxu

1 year, 8 months

2
2
0 0

2025

2024

2023

2022

2021

2020

Hafnium