Hi,
I would like to restart a discussion that we already had a few years
ago on a thread called "SMC to intentionally trigger a panic in TF-A"
(https://lists.trustedfirmware.org/archives/search?mlist=tf-a%40lists.truste…)
but that petered out without any real resolution (and resulted in me
ultimately not implementing the feature I was hoping to add).
Basically, we are repeatedly stumbling over the problem that we have a
use case for some platform-independent SMC API that we want to
implement in TF-A, but don't have an appropriate SMC FID range to put
it. My request from a few years ago was about implementing a call to
intentionally trigger a panic in TF-A for test-automation purposes.
Today we came up with a use case where a Trusted OS wants to query
BL31 about the location of a shared log buffer:
https://review.trustedfirmware.org/20478 .
Currently, the available SMC ranges are Arm, CPU, SiP, OEM, Standard,
Hypervisor, TA and TOS. The SiP, OEM and TOS ranges are all specific
to a single silicon vendor, OEM or trusted OS implementation, so they
are not good targets to implement APIs that would make sense to be
shared among multiple of these. In theory, the Standard range would
probably be the right target to implement calls that are independently
useful for multiple platforms / OSes... but as far as I understand,
adding a new call to that range requires petitioning Arm to update the
SMC calling convention itself, which is a ridiculously high bar to
implement a small utility API. In practice, the only choice we have
for implementing these kinds of calls is to let every OEM, SiP or TOS
assign its own (different) FID for it and then write separate SMC
handlers for each in TF-A that all end up calling the same underlying
function... which creates a lot of unnecessary code duplication and
identifier soup (especially in the case of SMCs for the non-secure OS
which would then be implemented by a platform-independent Linux driver
that needs a big mapping table to decide which FID to use on which
platform for the same API).
I think it would be very useful if there was another range of easily
allocatable FIDs that developers could just add to with a simple TF-A
CL without having to go through a huge specification update process.
There are still 41 OENs unused in the Arm SMCCC, and I don't think any
new ones were added in the 10 years that the specification existed...
so we are really not going to run out of them any time soon. If we
could get even one of those OENs for this purpose, we would have 64K
FIDs to use up for our small, simple platform-independent API needs,
which should last us a long while. We could maybe call it the "Secure
Monitor range" and say the FIDs are specific to a certain
implementation of Secure Monitor (e.g. TF-A). Then there could just be
a header file in the TF-A sources that serves as the authoritative FID
assignment table for TF-A, and anyone with a sufficiently useful idea
(subject to TF-A maintainer review) for a platform-independent API
like this could add it there by just uploading a patch.
I recently argued for a similar "simple tag allocation" concept on
https://github.com/FirmwareHandoff/firmware_handoff and it found
support there, so I hope I'll be able to convince you that it would be
useful for SMC FIDs as well?
Hi All,
The next release of the Firmware-A bundle of projects tagged v2.10 has an expected code freeze date of Nov, 7th 2023.
Refer to the Release Cadence section from TF-A documentation (https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/about…).
Closing out the release takes around 6-10 working days after the code freeze.
Preparations tasks for v2.10 release should start in coming month.
We want to ensure that planned feature patches for the release are submitted in good time for the review process to conclude. As a kind recommendation and a matter of sharing CI resources, please launch CI jobs with care e.g.:
-For simple platform, docs changes, or one liners, use Allow-CI+1 label (no need for a full Allow-CI+2 run).
-For large patch stacks use Allow-CI+2 at top of the patch stack (and if required few individual Allow+CI+1 in the middle of the patch stack).
-Carefully analyze results and fix the change if required, before launching new jobs on the same change.
-If after issuing a Allow-CI+1 or Allow-CI+2 label a Build start notice is not added as a gerrit comment on the patch right away please be patient as under heavy load CI jobs can be queued and in extreme conditions it can be over an hour before the Build start notice is issued. Issuing another Allow-CI+1 or Allow-CI+2 label will just result in an additional job being queued.
Thanks & Regards,
Olivier.
Hello,
In the file lib/xlat_tables/xlat_tables_common.c and other associated files, there are instances where if...else if constructs lack an else statement, resulting in violations during the Coverity MISRA-C analysis for the ZynqMP platform.
Addressing this issue added empty else statement to resolve the issue but it is related to core translational table logic function. Is it possible to address this issue? Please provide your suggestions.
Regards,
Nithin G
Hello,
In the file /plat/xilinx/zynqmp/aarch64/zynqmp_common.c, there is a function named plat_get_syscnt_freq2 with its definition. Simultaneously, the declaration of this function is included in include/plat/common/platform.h with the name plat_get_syscnt_freq2 and a different parameter type, leading to a violation when running the Coverity MISRA-C analysis for the Zynqmp platform. Declaration uses a different parameter type than the function Definition.
Addressing this issue by introducing a typedef for plat_get_syscnt_freq2 in platform.h and specifying its type as uint32_t resolves the violation. However, it introduces a challenge for other platforms, as this modification necessitates similar changes across various platforms, causing violations in those areas due to the adjusted typedef.
Is it possible to fix with the typedef? Please suggest.
Regards,
Nithin
Hi,
I was looking at imx_hab_handler, which forwards calls into the BootROM on i.MX SoCs
in response to secure monitor calls. The BootROM call (and thus the SiP call) accepts
two pointers as arguments, where it writes data.
The plat/imx/imx8m/imx8m*/imx8m*_bl31_setup.c files map the RAM as MT_MEMORY | MT_RW,
which would mean that not only is it writable from TF-A side, but it's also mapped
cacheable.
I see no explicit cache maintenance in the i.MX SiP code for these two pointer
arguments and haven't been successful to find where in TF-A core code if at all,
complete D-Cache is flushed on SMC exit. Therefore I ask:
- Don't shared non-secure memory buffers between EL3 and lower EL require
explicit cache maintenance?
- Did I miss the place where this cache maintenance is done?
- How did it work so far? barebox does explicit flushing before HAB SiP,
invalidation after. U-Boot doesn't do cache maintenance.
Both apparently work...
Thanks,
Ahmad
---
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
1. misra_c_2012_rule_15_1_violation: Using "goto" statement.
In the file common/bl_common.c and other related files, getting misra_c_2012_rule_15_1_violation: Using "goto" statement. during the Coverity MISRA-C analysis.
if (...) {
goto exit;
}
exit:
some operation
Resolution: goto statement is replaced with exit_func() and new variable is introduced to store the return value of exit_func().
exit_func()
some operation
int ret;
if (...) {
ret = return value of exit func()
}
return ret;
Is it possible to fix MISRA 15.1 like this in open source? Please suggest.
2. misra_c_2012_rule_15_5_violation: This return statement is not the final statement in the compound statement that forms the body of the function.
In the file common/bl_common.c, lib/xlat_tables/aarch64/xlat_tables.c and other related files, getting misra_c_2012_rule_15_5_violation: This return statement is not the final statement in the compound statement that forms the body of the function. during the Coverity MISRA-C analysis.
if (...) {
return <something>
}
if (...) {
return <something>
}
return;
Resolution: Taken new variable and assign the return result to new variable and calling only one return statement in end of the function.
int result;
if (...) {
result = <something>
} else {
if (...) {
result = <something>
}
}
return result;
Is it possible to fix MISRA 15.5 like this in open source? Please suggest.
Thanks & Regards,
Nithin G
Hello TF-A and TF-M communities,
I've done 2 minor updates to the generic tf.org project maintenance
process, which TF-A and TF-M both use. Please see the pull request here:
https://github.com/TrustedFirmware/tf_docs/pull/1
Please provide your feedback on the pull request, if any.
Happy end-of-year celebrations to all!
Best regards,
Sandrine
Dear all,
we want analyze stack usage details when we build TF-A for armclang compiler but we are not able generate stack usage details.
sorry for long thread and question please go through and suggest way forward to perform stack analysis with TF-A armclang build.
as per https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/initial-… (section 2.3)
when CC is set to armclang, GCC linker is used default (since the TF-A build system doesn’t currently support Arm Scatter files)
So when we try to generate stack usage details we will not be able to use GCC -fstack-usage and -fdump-ipa-calgraph since CC is set to armclang and these flags will be un-recognized.
Since we are building this for armclang we attempted to use following armlinker flags along with -g compiler flag (refer link:https://developer.arm.com/documentation/100748/0607/writing-optimized-…).
--info=stack, --calgrapth, --calgraph_output=text
But we end up with unrecognized options error for --info=stack, --calgrapth, --calgraph_output=text
This error occurs because GCC linker is used default as per above link section 2.3 (since the TF-A build system doesn’t currently support Arm Scatter files)
So we end up with not having stack usage details generated.
Q1: Any suggestion to generate stack usage when CC=armclang and GCC linker is used by default.
Q2: if we attempt to change LD with armlink we will end up with "Fatal error: L6031U: Could not open scatter description file."
https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/initial-… section 2.3 suggest that "that the default linker may be manually overridden using the LD variable" can you please let us know how to override LD with armlinker without getting scatter issue.
Using: armclang 6.6.2 version.
Thank you
Shivakumar Diggi
This event has been canceled with a note:
"Hi, Cancelling the TF-A Tech Forum as no topic planned. Thanks & Regards,
Olivier. "
TF-A Tech Forum
Thursday Dec 14, 2023 ⋅ 5pm – 6pm
Central European Time - Paris
We run an open technical forum call for anyone to participate and it is not
restricted to Trusted Firmware project members. It will operate under the
guidance of the TF TSC. Feel free to forward this invite to
colleagues. Invites are via the TF-A mailing list and also published on the
Trusted Firmware website. Details are
here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/Tr…
Firmware is inviting you to a scheduled Zoom meeting.Join Zoom
Meetinghttps://zoom.us/j/9159704974Meeting ID: 915 970 4974One tap
mobile+16465588656,,9159704974# US (New York)+16699009128,,9159704974# US
(San Jose)Dial by your location +1 646 558
8656 US (New York) +1 669 900
9128 US (San Jose) 877 853 5247 US
Toll-free 888 788 0099 US Toll-freeMeeting ID:
915 970 4974Find your local
number: https://zoom.us/u/ad27hc6t7h
Guests
marek.bykowski(a)gmail.com
okash.khawaja(a)gmail.com
tf-a(a)lists.trustedfirmware.org
~~//~~
Invitation from Google Calendar: https://calendar.google.com/calendar/
You are receiving this email because you are an attendee on the event. To
stop receiving future updates for this event, decline this event.
Forwarding this invitation could allow any recipient to send a response to
the organizer, be added to the guest list, invite others regardless of
their own invitation status, or modify your RSVP.
Learn more https://support.google.com/calendar/answer/37135#forwarding