- TF-A - lists.trustedfirmware.org

New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 1 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 1 of 1 defect(s) ** CID 364146: Control flow issues (DEADCODE) /plat/mediatek/mt8195/plat_pm.c: 298 in plat_validate_power_state() ________________________________________________________________________________________________________ *** CID 364146: Control flow issues (DEADCODE) /plat/mediatek/mt8195/plat_pm.c: 298 in plat_validate_power_state() 292 { 293 unsigned int pstate = psci_get_pstate_type(power_state); 294 unsigned int aff_lvl = psci_get_pstate_pwrlvl(power_state); 295 unsigned int cpu = plat_my_core_pos(); 296 297 if (aff_lvl > PLAT_MAX_PWR_LVL) { >>> CID 364146: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return -2;". 298 return PSCI_E_INVALID_PARAMS; 299 } 300 301 if (pstate == PSTATE_TYPE_STANDBY) { 302 req_state->pwr_domain_state[0] = PLAT_MAX_RET_STATE; 303 } else { ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P…

4 years, 11 months

1
0
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Joanna Farley

+ TF-A list that got dropped (again)! Joanna From: Joanna Farley <Joanna.Farley(a)arm.com> Date: Wednesday, 2 June 2021 at 15:29 To: Madhukar Pappireddy <Madhukar.Pappireddy(a)arm.com>, Okash Khawaja <okash.khawaja(a)gmail.com>, Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>, Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>, Ed Stuber <edstuber(a)amperecomputing.com>, Arjun Khare <akhare(a)amperecomputing.com>, U-Boot Mailing List <u-boot(a)lists.denx.de>, Paul Isaac's <paul.isaacs(a)linaro.org>, Ron Minnich <rminnich(a)google.com>, Moe Ammar <moe(a)amperecomputing.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Hi Everyone, The Manish Pandy and Madhukar Pappireddy of the TF-A team are planning to host another TF-A Tech Forum this Thursday to continue the live discussion. Here is their agenda: On tech forum this week, we would like to continue discussions on HOB list design. The topics which we would like to cover is 1. Evaluate different proposals of passing information through boot phases. 2. If we don't get an agreement on one solution fit for all then we would try to get consensus for Infra segment platform(to solve original problem mentioned by Harb) 3. Try to get an agreement on size of tags and how "hybrid and tag only" HOB list can co-exist together? Details of the call are: ====================== TF-A Tech Forum When Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time Calendar tf-a(a)lists.trustedfirmware.org Who • Bill Fletcher- creator • tf-a(a)lists.trustedfirmware.org We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/ Trusted Firmware is inviting you to a scheduled Zoom meeting. Join Zoom Meeting https://zoom.us/j/9159704974 Meeting ID: 915 970 4974 One tap mobile +16465588656,,9159704974# US (New York) +16699009128,,9159704974# US (San Jose) Dial by your location +1 646 558 8656 US (New York) +1 669 900 9128 US (San Jose) 877 853 5247 US Toll-free 888 788 0099 US Toll-free Meeting ID: 915 970 4974 Find your local number: https://zoom.us/u/ad27hc6t7h ================ Joanna On 19/05/2021, 03:50, "Madhukar Pappireddy" <Madhukar.Pappireddy(a)arm.com> wrote: Attached slides presented by Manish in the TF-A tech forum. -----Original Message----- From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Madhukar Pappireddy via TF-A Sent: Tuesday, May 18, 2021 8:59 PM To: Joanna Farley <Joanna.Farley(a)arm.com>; Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; tf-a(a)lists.trustedfirmware.org; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Hi, I tried to summarize the discussions in the previous TF-A tech forum regarding the proposal to adopt Hand-off Blocks (HOBs) for passing information along the boot chain. I am certain I could not capture all suggestions/concerns brought up during the call. I apologize if I missed and/or misinterpreted any comments and would appreciate it if everyone could share their thoughts in response to this email thread. The idea is to share information to other boot phases: > Dynamic information: Created during runtime. Shared in the form of a chain of blobs(built as a linked list of C structure objects i.e., HOB list). > Static information: Known at compile time. Historically, shared through the use of Device Tree/ACPI tables Both the above requirements are common in many ecosystems and need to co-exist. There are broadly 3 problems to solve: 1. Format of HOB structures: It looks like the consensus is that we could use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in u-boot). 2. Identification of HOB list entries: There is a debate about whether tags would suffice or if the HOB list producer and consumer would depend on UUID/GUIDs for identifying a specific HOB structure. Another suggestion was to use a hybrid approach. Reserve a single tag ID for identifying/constructing a HOB structure that further leverages UUID based identifier. This way, the generic HOB list doesn't need to support UUIDs and can work with tags. 3. The design contract for the static interface between two boot phases: The problem at hand is whether to pass a pointer to a HOB list or a device tree blob through the general-purpose registers for configuration hand-off between two boot phases. Some proposals that came up: > Proposal 1: Always pass a pointer to the device tree blob through the GP register and capture the pointer to the HOB list as a property of a node that is uniquely identifiable by the downstream boot phase. This needs to define a device tree binding such that producer and consumer agree on the information passed. > Proposal 2: Pass a pointer to a generic container through the GP register that can be interpreted appropriately by both boot loaders(i.e., producer and consumer of the boot info). This container can either be a dtb or a HOB list which can be simply inferred by checking for a magic header that indicates if the buffer appears to be a flattened device tree. > One another concern that was brought up offline is to make sure we don't break current design contracts between various boot loader phases in TF-A. Many of the general-purpose registers have a designated purpose such as to share configurations between BL images( such as firmware config dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry point info, etc.). If I am not mistaken, a single design may not fit the needs of every segment(client, Infra, embedded) and the forum is open to solutions tailored for individual segments. Joanna will be sending a follow up email with more information about future TF-A tech forums that serves as a platform for further discussions. Thanks, Madhukar -----Original Message----- From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna Farley via TF-A Sent: Sunday, May 16, 2021 5:19 AM To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week. Thanks Joanna On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: Hi, Do we have slides and video from last week's discussion? Thanks, Okash On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Harb, > > Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be. > > So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use. > > This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use. > > Regards, > Simon > > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hey Folks, >> >> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow. >> >> >> >> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform). >> >> >> >> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag. >> >> >> >> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call. >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Sent: Friday, April 30, 2021 8:14 AM >> To: François Ozog <francois.ozog(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi All, >> >> >> >> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others. >> >> >> >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST). >> >> >> >> Agenda: >> >> Discussion Session: Static and Dynamic Information Handling in TF-A >> >> Lead by Manish Pandey and Madhukar Pappireddy >> >> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages. >> >> The requirement is two-fold: >> >> 1. Passing static information(config files) >> >> 2. Passing dynamic information (Hob list) >> >> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects. >> >> >> >> The two specific item which we would like to discuss are: >> >> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both? >> >> 2. Standardization on Physical register use to pass base of HoB data structure. >> >> References: >> >> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html >> >> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q% >> >> >> >> Thanks >> >> >> >> Joanna >> >> >> >> You have been invited to the following event. >> >> TF-A Tech Forum >> >> When >> >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time >> >> Calendar >> >> tf-a(a)lists.trustedfirmware.org >> >> Who >> >> • >> >> Bill Fletcher- creator >> >> • >> >> tf-a(a)lists.trustedfirmware.org >> >> more details » >> >> >> >> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. >> >> >> >> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/ >> >> >> >> Trusted Firmware is inviting you to a scheduled Zoom meeting. >> >> >> >> Join Zoom Meeting >> >> https://zoom.us/j/9159704974 >> >> >> >> Meeting ID: 915 970 4974 >> >> >> >> One tap mobile >> >> +16465588656,,9159704974# US (New York) >> >> +16699009128,,9159704974# US (San Jose) >> >> >> >> Dial by your location >> >> +1 646 558 8656 US (New York) >> >> +1 669 900 9128 US (San Jose) >> >> 877 853 5247 US Toll-free >> >> 888 788 0099 US Toll-free >> >> Meeting ID: 915 970 4974 >> >> Find your local number: https://zoom.us/u/ad27hc6t7h >> >> >> >> ________________________________ >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: 08 April 2021 16:50 >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi >> >> >> >> here is the meeting recording: >> >> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z >> >> >> >> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page). >> >> >> >> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail. >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms. >> >> >> >> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed. >> >> >> >> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations. >> >> >> >> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.) >> >> >> >> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values. >> >> >> >> Looking forward to having further discussions on zoom call today. >> >> >> >> Thanks >> >> Manish P >> >> >> >> ________________________________ >> >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org> >> Sent: 25 March 2021 02:43 >> To: Simon Glass <sjg(a)chromium.org> >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Just want to point out that TF-A currently already supports a (very simple) mechanism like this: >> >> >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> >> >> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. >> >> >> >> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. >> >> >> >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi Harb, >> >> >> >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hello Folks, >> >> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. >> >> >> >> I try to address the comments/feedback from Francois and Simon below…. >> >> >> >> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. >> >> >> >> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. >> >> >> >> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). >> >> >> >> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: >> >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances >> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. >> >> >> >> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. >> >> >> >> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. >> >> >> >> I understand the versatility of DT, but I see two major problems with DT: >> >> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. >> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) >> >> >> >> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). >> >> >> >> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. >> >> >> >> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. >> >> >> >> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. >> >> >> >> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. >> >> >> >> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. >> >> >> >> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. >> >> >> >> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: >> >> >> >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) >> >> (etc.) >> >> >> >> static struct guid_name { >> efi_guid_t guid; >> const char *name; >> } guid_name[] = { >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, >> >> (never figured out what those two are) >> >> >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, >> { {}, "zero-guid" }, >> {} >> }; >> >> static const char *guid_to_name(const efi_guid_t *guid) >> { >> struct guid_name *entry; >> >> for (entry = guid_name; entry->name; entry++) { >> if (!guidcmp(guid, &entry->guid)) >> return entry->name; >> } >> >> return NULL; >> } >> >> >> >> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. >> >> >> >> >> >> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. >> >> >> >> Indeed. There is certainly value in both approaches. >> >> >> >> Regards, >> >> Simon >> >> >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: Tuesday, March 23, 2021 10:00 AM >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> +Ron Minnich +Paul Isaac's >> >> >> >> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. >> >> >> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET. >> >> >> >> The agenda: >> >> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. >> >> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. >> >> >> >> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB >> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. >> >> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. >> >> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). >> >> >> >> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. >> >> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). >> >> >> >> Requirements (to be validated): >> >> - ACPI and DT hardware descriptions. >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) >> >> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) >> >> - support secure world device assignment >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> >> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: >> >> Hi, >> >> Can I suggest using bloblist for this instead? It is lightweight, >> easier to parse, doesn't have GUIDs and is already used within U-Boot >> for passing info between SPL/U-Boot, etc. >> >> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist >> Header file describes the format: >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h >> >> Full set of unit tests: >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c >> >> Regards, >> Simon >> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote: >> > >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> >> > >> > standardization is very much welcomed here and need to accommodate a very >> > diverse set of situations. >> > For example, TEE OS may need to pass memory reservations to BL33 or >> > "capture" a device for the secure world. >> > >> > I have observed a number of architectures: >> > 1) pass information from BLx to BLy in the form of a specific object >> > 2) BLx called by BLy by a platform specific SMC to get information >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree >> > fixups >> > >> > I also imagined a standardized "broadcast" FF-A call so that any firmware >> > element can either provide information or "do something". >> > >> > My understanding of your proposal is about standardizing on architecture 1) >> > with the HOB format. >> > >> > The advantage of the HOB is simplicity but it may be difficult to implement >> > schemes such as pruning a DT because device assignment in the secure world. >> > >> > In any case, it looks feasible to have TF-A and OP-TEE complement the list >> > of HOBs to pass information downstream (the bootflow). >> > >> > It would be good to start with building the comprehensive list of >> > information that need to be conveyed between firmware elements: >> > >> > information. | authoritative entity | reporting entity | information >> > exchanged: >> > dram | TFA | TFA | >> > <format to be detailed, NUMA topology to build the SRAT table or DT >> > equivalent?> >> > PSCI | SCP | TFA? | >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?| >> > secure SRAM | TFA. | TFA. | >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | >> > other? | | >> > | >> > >> > Cheers >> > >> > FF >> > >> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < >> > tf-a(a)lists.trustedfirmware.org> wrote: >> > >> > > Hello Folks, >> > > >> > > >> > > >> > > I'm emailing to start an open discussion about the adoption of a concept >> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware >> > > Framework Architecture (FFA). This is something that is a pretty major >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s >> > > designed to enable a broad range of highly configurable datacenter >> > > platforms. >> > > >> > > >> > > >> > > >> > > >> > > What is a HOB (Background)? >> > > >> > > --------------------------- >> > > >> > > UEFI PI spec describes a particular definition for how HOB may be used for >> > > transitioning between the PEI and DXE boot phases, which is a good >> > > reference point for this discussion, but not necessarily the exact solution >> > > appropriate for TF-A. >> > > >> > > >> > > >> > > A HOB is simply a dynamically generated data structure passed in between >> > > two boot phases. This is information that was obtained through discovery >> > > and needs to be passed forward to the next boot phase *once*, with no API >> > > needed to call back (e.g. no call back into previous firmware phase is >> > > needed to fetch this information at run-time - it is simply passed one time >> > > during boot). >> > > >> > > >> > > >> > > There may be one or more HOBs passed in between boot phases. If there are >> > > more than one HOB that needs to be passed, this can be in a form of a "HOB >> > > table", which (for example) could be a UUID indexed array of pointers to >> > > HOB structures, used to locate a HOB of interest (based on UUID). In such >> > > cases, instead of passing a single HOB, the boot phases may rely on passing >> > > the pointer to the HOB table. >> > > >> > > >> > > >> > > This has been extremely useful concept to employ on highly configurable >> > > systems that must rely on flexible discovery mechanisms to initialize and >> > > boot the system. This is especially helpful when you have multiple >> > > >> > > >> > > >> > > >> > > >> > > Why do we need HOBs in TF-A?: >> > > >> > > ----------------------------- >> > > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in >> > > a way that is SoC specific *but* platform agnostic. This means that a >> > > single ARM SoC that a SiP may deliver to customers may provide a single >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad >> > > range of platform designs and configurations in order to boot a platform >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to >> > > achieve this, the platform configuration must be *discovered* instead of >> > > statically compiled as it is today in TF-A via device tree based >> > > enumeration. The mechanisms of discovery may differ broadly depending on >> > > the relevant industry standard, or in some cases may have rely on SiP >> > > specific discovery flows. >> > > >> > > >> > > >> > > For example: On server systems that support a broad range DIMM memory >> > > population/topologies, all the necessary information required to boot is >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an >> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported >> > > with a single TF-A binary. Not only is this information required to >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot >> > > phases will also need this SPD info to construct a system physical address >> > > map and properly initialize the MMU based on the memory present, and where >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may >> > > need to generate standard firmware tables to the operating systems, such as >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, >> > > SRAT, even NFIT if NVDIMM's are present). >> > > >> > > >> > > >> > > In short, it all starts with a standardized or vendor specific discovery >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of >> > > information to the next boot stages (e.g. BL31/BL32/BL33). >> > > >> > > >> > > >> > > Today, every HOB may be a vendor specific structure, but in the future >> > > there may be benefit of defining standard HOBs. This may be useful for >> > > memory discovery, passing the system physical address map, enabling TPM >> > > measured boot, and potentially many other common HOB use-cases. >> > > >> > > >> > > >> > > It would be extremely beneficial to the datacenter market segment if the >> > > TF-A community would adopt this concept of information passing between all >> > > boot phases as opposed to rely solely on device tree enumeration. This is >> > > not intended to replace device tree, rather intended as an alternative way >> > > to describe the info that must be discovered and dynamically generated. >> > > >> > > >> > > >> > > >> > > >> > > Conclusion: >> > > >> > > ----------- >> > > >> > > We are proposing that the TF-A community begin pursuing the adoption of >> > > HOBs as a mechanism used for information exchange between each boot stage >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we >> > > want to explore standardizing some HOB structures for the BL33 phase (e.g. >> > > UEFI HOB structures), but initially would like to agree on this being a >> > > useful mechanism used to pass information between each boot stage. >> > > >> > > >> > > >> > > Thanks, >> > > >> > > --Harb >> > > >> > > >> > > >> > > >> > > >> > > >> > > -- >> > > TF-A mailing list >> > > TF-A(a)lists.trustedfirmware.org >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> > > >> > >> > >> > -- >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* >> > T: +33.67221.6485 >> > francois.ozog(a)linaro.org | Skype: ffozog >> > _______________________________________________ >> > boot-architecture mailing list >> > boot-architecture(a)lists.linaro.org >> > https://lists.linaro.org/mailman/listinfo/boot-architecture >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 11 months

4
6
0 0

Re: [TF-A] Missing CPU workaround warning message

by Olivier Deprez

Hi, Is the question strictly related to this platform not implementing the mentioned errata (for which a platform change can be emitted)? Or is it more generally that those "missing errata warnings" are not printed in release mode? Assuming the latter, it looks to me it is the integrator mistake to not include the appropriate mitigations at development phase (hence while using debug mode for building TF-A). Then when the device is deployed (hence most often built for release mode), if this message is printed it is an indication for a malicious agent that such attack vector through mis-implemented errata is possible. So the consequence is possibly even worst than just "missing" to include the errata. Other TF-Aers (Bipin?) may have other opinions? Regards, Olivier. ________________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Pali Rohár via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 28 June 2021 15:36 To: tf-a(a)lists.trustedfirmware.org Cc: Konstantin Porotchkin; Marek Behún Subject: [TF-A] Missing CPU workaround warning message Hello! If TF-A for Marvell Armada 3720 platform is compiled in debug mode then at runtime it prints following warning messages: WARNING: BL1: cortex_a53: CPU workaround for 855873 was missing! WARNING: BL1: cortex_a53: CPU workaround for 1530924 was missing! These lines are not printed in non-debug mode. It is an issue? -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 11 months

2
2
0 0

v8-R64 Support Added to TF-A

by Gary Morrison

In the last Tech-Forum, Lauren Wehrmeister and I presented our work on adding Arm v8-R64 support to the TF-A codebase. Our presentation will be added to the Tech-Forum page (TF-A open Tech Forum regular call - Trusted Firmware<https://www.trustedfirmware.org/meetings/tf-a-technical-forum/>) shortly. In the meantime, however, there are more details about the patches here: https://developer.trustedfirmware.org/w/tf_a/rclasssupportdocs/

4 years, 11 months

1
0
0 0

Re: [TF-A] PL011 clock handling between TF-A and Linux

by Mayur

Hi, I tend to agree with Soby here. If the normal world and EL3 share the console, EL3 error messages/debug prints exposed to the normal world could be another potential attack vector. From a functionality perspective, will there not be contention issues on multi-core platforms and hence garbled output? I understand that using two separate UARTS may not be possible for many platforms, in which case a single UART can be shared during cold boot between EL3 and the normal world, while EL3 runtime messages can be logged to a secure memory buffer. Once boot exists EL3, UART ownership can be transferred to the normal world. Thanks, Mayur On Wed, Jun 23, 2021 at 5:00 AM Soby Mathew via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > Hi Michal, > Sure, platform can choose to share but I was bringing up the potential > attack vector of Non Secure being able to hang up EL3 if EL3 has runtime > prints and the Non secure is able to disable or control the UART used by > EL3. Typically , runtime logs are disabled on production builds so this > might not be a problem anyway. > > Regarding crash console, the plat_crash_console_init() can initialize a > stack (either the EL3 runtime stack or a dedicated crash stack) and use C > runtime to control clocks for crash logs. So the current assembly > implementation should not be a gating factor for doing clock control if > required. > > Best Regards > Soby Mathew > > > -----Original Message----- > > From: Michal Simek <michal.simek(a)xilinx.com> > > Sent: Wednesday, June 23, 2021 9:16 AM > > To: Varun Wadekar <vwadekar(a)nvidia.com>; Soby Mathew > > <Soby.Mathew(a)arm.com>; Michal Simek <michal.simek(a)xilinx.com> > > Cc: tf-a(a)lists.trustedfirmware.org > > Subject: Re: [TF-A] PL011 clock handling between TF-A and Linux > > > > Hi, > > > > I agree with Varun. TF-A can use DCC console but it is not practical. > > Using second console is definitely an option but not all platforms and > also > > monitoring two consoles is problematic. > > > > Also OP-TEE is touching this primary console. Platform which are using > DT are > > looking for chosen node (as backup) and read information about OS console > > from it. > > > > Thanks, > > Michal > > > > On 6/22/21 8:47 PM, Varun Wadekar wrote: > > > Hi Soby, > > > > > > Even though in principle I agree with you, it is not practical to add > secure > > only UART port to a platform. It is shared for multiple reasons - e.g. > lower > > board cost. That is the case on all Tegra Jetson platforms. > > > > > > This means that the secure world never owns the console - not even > during > > cold boot. The crash console code is in assembly today. This makes > > implementing code to communicate to an external clock manager is not > > straight forward and platforms might choose to keep the code to toggle > > clock/reset out of TF-A. > > > > > > -Varun > > > > > > -----Original Message----- > > > From: Soby Mathew <Soby.Mathew(a)arm.com> > > > Sent: Tuesday, June 22, 2021 4:30 PM > > > To: Michal Simek <michal.simek(a)xilinx.com>; Varun Wadekar > > > <vwadekar(a)nvidia.com> > > > Cc: tf-a(a)lists.trustedfirmware.org > > > Subject: RE: [TF-A] PL011 clock handling between TF-A and Linux > > > > > > External email: Use caution opening links or attachments > > > > > > > > > Hi Michal, > > > The general security rule of thumb is, any UART `owned` by Secure > world ( > > including EL3) should not be accessible/or controlled by Non Secure and > this > > includes control of the clocks as well. Hence sharing of UART / > management > > of Secure world UART clocks by Linux seems problematic to me. > > > > > > There are 3 types of consoles needed in TF-A. The first one is the > cold boot > > console, the second one is runtime console and the 3rd is crash console. > The > > cold boot console is initially owned by Secure world as part boot > process and > > once execution is transferred to Non Secure, the ownership of the UART > also > > is transferred. > > > Regarding clock expectations, the runtime UART is always expected to be > > ON but then this depends on the TF-A build config as it is very rare to > have any > > runtime logs from Secure world and hence this config may be restricted to > > development builds of TF-A. For the crash console, the clocks don't need > to > > enabled all the time and any init needed can be performed as part of > > plat_crash_console_init(). > > > > > > HTH, > > > Best Regards > > > Soby Mathew > > > > > >> -----Original Message----- > > >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of > > >> Michal Simek via TF-A > > >> Sent: Tuesday, June 22, 2021 2:03 PM > > >> To: Varun Wadekar <vwadekar(a)nvidia.com>; Michal Simek > > >> <michal.simek(a)xilinx.com> > > >> Cc: tf-a(a)lists.trustedfirmware.org > > >> Subject: Re: [TF-A] PL011 clock handling between TF-A and Linux > > >> > > >> Hi Varun, > > >> > > >> do you have any links to that calls in Linux clk API? I expect the > > >> same hooks should be added also to reset. > > >> > > >> And is TF-A informs your special firmware that for example serial > > >> driver is used by TF-A to increate refcount? > > >> > > >> Thanks, > > >> Michal > > >> > > >> On 6/22/21 2:03 PM, Varun Wadekar wrote: > > >>> Hi Michal, > > >>> > > >>> Tegra platforms manage clocks/resets by special firmware. The > > >>> firmware > > >> internally manages refcount of users as you described. > > >>> > > >>> AFAIR, we placed calls to the firmware in the linux clk APIs to > achieve this. > > >> There was an effort to leverage runtime_pm for this too. > > >>> > > >>> I think we wont be able to add guidance to TF-A for clock management > > >>> as > > >> most of it is platform dependent. We can add a generic guideline > > >> saying that a certain driver expects the platform to manage the > clock/reset > > for the IP. > > >>> > > >>> -Varun > > >>> > > >>> -----Original Message----- > > >>> From: Michal Simek <michal.simek(a)xilinx.com> > > >>> Sent: Tuesday, June 22, 2021 7:24 AM > > >>> To: Varun Wadekar <vwadekar(a)nvidia.com>; Michal Simek > > >>> <michal.simek(a)xilinx.com> > > >>> Cc: tf-a(a)lists.trustedfirmware.org > > >>> Subject: Re: [TF-A] PL011 clock handling between TF-A and Linux > > >>> > > >>> External email: Use caution opening links or attachments > > >>> > > >>> > > >>> Hi Varun, > > >>> > > >>> Xilinx is also managing it by special firmware. There is a concept > > >>> of > > >> protected-clocks documented via DT binding which is used by Qualcomm. > > >>> > > >>> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ > > >>> tr > > >>> ee/Documentation/devicetree/bindings/clock/clock-bindings.txt?h=next > > >>> -2 > > >>> 0210621#n172 > > >>> > > >>> Are you also using this feature or simply don't let Linux know about > > >>> these > > >> clocks at all or simulate it via fixed-clock or so? > > >>> Or any registration is in place that firmware keep refcount of users > > >>> and > > >> don't let it change unless there is only one user of that clock? > > >>> > > >>> Thanks, > > >>> Michal > > >>> > > >>> On 6/21/21 6:41 PM, Varun Wadekar wrote: > > >>>> Hi Michal, > > >>>> > > >>>> AFAIK, TF-A does not publish guidelines for clocks/resets for > > >>>> shared IP. It > > >> is left to the platforms. > > >>>> > > >>>> For Tegra platforms, the clocks/reset are managed by a central > > >>>> entity. TF- > > >> A is expected to co-ordinate with this entity. Unfortunately, PL011 > > >> does not fall in this category and is expected to be kept on by the > previous > > bootloader. > > >>>> > > >>>> -Varun > > >>>> > > >>>> -----Original Message----- > > >>>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of > > >>>> Michal Simek via TF-A > > >>>> Sent: Monday, June 21, 2021 2:24 PM > > >>>> To: tf-a(a)lists.trustedfirmware.org > > >>>> Subject: [TF-A] PL011 clock handling between TF-A and Linux > > >>>> > > >>>> External email: Use caution opening links or attachments > > >>>> > > >>>> > > >>>> Hi, > > >>>> > > >>>> recently we have hit the case where Linux has pl011 driver and > > >>>> using it as > > >> a console. The same console is also used by TF-A. If you look at > > >> implementation details Linux pl011 driver has in > > >> pl011_console_write() clk_enable/clk_disable calls. > > >>>> I can't see any clock handling for PL011 in TF-A that's why I guess > > >>>> that TF-A > > >> expectation is that clocks are enabled and must be enabled all the > > >> time because pl011 is also used as crashed console. > > >>>> That's why I would like to check with you what's the clock > > >>>> expectation in > > >> these shared IP cases. > > >>>> Do you have a requirement that firmware should keep refcount of IP > > >> users and never disable clock when only one requires it? > > >>>> > > >>>> Thanks, > > >>>> Michal > > >>>> -- > > >>>> TF-A mailing list > > >>>> TF-A(a)lists.trustedfirmware.org > > >>>> > > >> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis > > >>>> t > > >>>> s.trustedfirmware.org%2Fmailman%2Flistinfo%2Ftf- > > >> a&data=04%7C01%7C > > >>>> > > >> > > vwadekar%40nvidia.com%7C9d5af04d3aba49b18cc808d935465267%7C4308 > > 3 > > >> d1572 > > >>>> > > >> > > 7340c1b7db39efd9ccc17a%7C0%7C0%7C637599398425726681%7CUnknow > > n% > > >> 7CTWFpb > > >>>> > > >> > > GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI > > >> 6Mn > > >>>> > > >> > > 0%3D%7C1000&sdata=%2BXFRPZTttom4rvT%2FmEcQnbgSa276PYuKbvo > > >> H4VujRk8 > > >>>> %3D&reserved=0 > > >>>> > > >> -- > > >> TF-A mailing list > > >> TF-A(a)lists.trustedfirmware.org > > >> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis > > >> t > > >> s.trustedfirmware.org%2Fmailman%2Flistinfo%2Ftf- > > a&data=04%7C01%7C > > >> v > > >> > > wadekar%40nvidia.com%7C957021cd030643da94bc08d935928f6b%7C4308 > > 3d15727 > > >> 3 > > >> > > 40c1b7db39efd9ccc17a%7C0%7C0%7C637599725858916982%7CUnknown% > > 7CTWFpbGZ > > >> s > > >> > > b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn > > 0%3 > > >> D > > >> > > %7C2000&sdata=S0D%2FZ5rk6Wr3xyIdCmol0eigIo%2FlGn%2B2WJODig > > %2FeDqU > > >> % > > >> 3D&reserved=0 > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >

4 years, 11 months

4
9
0 0

FF-A watchdog service

by François Ozog

Hi Following a discussion with Civil Infrastructure Project TSC, there is a watchdog protection issue with EFI: the time between the call to ExitBootService and Linux kernel takes over watchdog service is not covered by any watchdog protection. The EFI specification for BS.SetWatchdogTimer is very flexible as it states "perform a platform specific action that must eventually cause the platform to be reset.". So we could naively implement a solution that would arm platform hardware watchdog in addition to EFI timer. Assuming watchdog period is long enough that it cover the time for Linux to take over the hardware watchdog, there is nothing to be done in EFI Stub to benefit from the new protection. But this scheme fails to handle FF-A update capsules which can take a long time. So either the period is long enough to support that or we need a FF-A watchdog service. Based on Siemens feedback, time to update can last 20 minutes. StandAloneMM may also need such a protection so FF-A watchdog service seems desired. I'd be happy to receive feedback on the problem itself (watchdog in EFI) and on the possible solution (FF-A based). Cheers FF

4 years, 11 months

4
5
0 0

Tech Forum, Thursday 2021/07/01, 16:00-17:00 GMT: New FVP_R Platform

by Gary Morrison

Hello TF-A partners! As you may know, Arm recently announced the v8-R64 Architecture (AArch64 R-class cores), notably the Cortex R-82. v8-R64 has generated a lot of interest in the R-cores community, in part because of its vastly-increased address space and performance, and also because of its ability to run rich operating systems like Linux alongside more traditional RTOSes. Of course, great hardware requires great firmware to succeed! So, we are upstreaming a new platform into TF-A to support v8-R64, called "fvp_r." It's certainly reasonable to ask, "why support v8-R64 as a platform under the A-cores' trusted firmware?" The answer is simply that v8-R64 cores are far more similar with v8-A cores than different. Therefore, most of the trusted firmware code for v8-R64 cores is in-common with v8-A cores. If a separate trusted-firmware project were created for them, we would have a huge parallel-maintenance headache! Also, SystemReady IR certification for v8-R64 cores requires compliance with EBBR, and building from a TF-A framework puts us on the path toward that goal. The immediate firmware requirement for v8-R64, however, is not the entirety of TF-A. The immediate requirement for the fvp_r platform is to let the partner/customer dictate the nature of the run-time environment, and for TF to "trusted-boot" their environment. Therefore, the patch that we're upstreaming boots up only through BL1, and BL1 is adapted to load the customer/partner custom-defined run-time system. On 1 July, the Arm team who are upstreaming the fvp_r platform, will host a Tech Forum session wherein we'll provide an overview, and medium level of detail on: * The differences between v8-A and v8-R64 (again, more similar than different!), * The impacts of these differences upon BL1, and * Changes to BL1 to boot a partner/customer run-time system. * We'll then detail the nature of the patches involved - which patches provide what functionality. * Provide some suggestions for making the review of these patches easier. ________________________________ You have been invited to the following event. TF-A Tech Forum When Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time Calendar tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> Who * Bill Fletcher- creator * tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> more details ><https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/<https://www.google.com/url?q=https%3A%2F%2Fwww.trustedfirmware.org%2Fmeetin…> Trusted Firmware is inviting you to a scheduled Zoom meeting. Join Zoom Meeting https://zoom.us/j/9159704974<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fj%2F9159704974&sa=D&us…> Meeting ID: 915 970 4974

4 years, 11 months

1
0
0 0

Missing CPU workaround warning message

by Pali Rohár

Hello! If TF-A for Marvell Armada 3720 platform is compiled in debug mode then at runtime it prints following warning messages: WARNING: BL1: cortex_a53: CPU workaround for 855873 was missing! WARNING: BL1: cortex_a53: CPU workaround for 1530924 was missing! These lines are not printed in non-debug mode. It is an issue?

4 years, 11 months

1
0
0 0

Re: [TF-A] PL011 clock handling between TF-A and Linux

by Soby Mathew

Hi Michal, The general security rule of thumb is, any UART `owned` by Secure world ( including EL3) should not be accessible/or controlled by Non Secure and this includes control of the clocks as well. Hence sharing of UART / management of Secure world UART clocks by Linux seems problematic to me. There are 3 types of consoles needed in TF-A. The first one is the cold boot console, the second one is runtime console and the 3rd is crash console. The cold boot console is initially owned by Secure world as part boot process and once execution is transferred to Non Secure, the ownership of the UART also is transferred. Regarding clock expectations, the runtime UART is always expected to be ON but then this depends on the TF-A build config as it is very rare to have any runtime logs from Secure world and hence this config may be restricted to development builds of TF-A. For the crash console, the clocks don’t need to enabled all the time and any init needed can be performed as part of plat_crash_console_init(). HTH, Best Regards Soby Mathew > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Michal > Simek via TF-A > Sent: Tuesday, June 22, 2021 2:03 PM > To: Varun Wadekar <vwadekar(a)nvidia.com>; Michal Simek > <michal.simek(a)xilinx.com> > Cc: tf-a(a)lists.trustedfirmware.org > Subject: Re: [TF-A] PL011 clock handling between TF-A and Linux > > Hi Varun, > > do you have any links to that calls in Linux clk API? I expect the same hooks > should be added also to reset. > > And is TF-A informs your special firmware that for example serial driver is > used by TF-A to increate refcount? > > Thanks, > Michal > > On 6/22/21 2:03 PM, Varun Wadekar wrote: > > Hi Michal, > > > > Tegra platforms manage clocks/resets by special firmware. The firmware > internally manages refcount of users as you described. > > > > AFAIR, we placed calls to the firmware in the linux clk APIs to achieve this. > There was an effort to leverage runtime_pm for this too. > > > > I think we wont be able to add guidance to TF-A for clock management as > most of it is platform dependent. We can add a generic guideline saying that > a certain driver expects the platform to manage the clock/reset for the IP. > > > > -Varun > > > > -----Original Message----- > > From: Michal Simek <michal.simek(a)xilinx.com> > > Sent: Tuesday, June 22, 2021 7:24 AM > > To: Varun Wadekar <vwadekar(a)nvidia.com>; Michal Simek > > <michal.simek(a)xilinx.com> > > Cc: tf-a(a)lists.trustedfirmware.org > > Subject: Re: [TF-A] PL011 clock handling between TF-A and Linux > > > > External email: Use caution opening links or attachments > > > > > > Hi Varun, > > > > Xilinx is also managing it by special firmware. There is a concept of > protected-clocks documented via DT binding which is used by Qualcomm. > > > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tr > > ee/Documentation/devicetree/bindings/clock/clock-bindings.txt?h=next-2 > > 0210621#n172 > > > > Are you also using this feature or simply don't let Linux know about these > clocks at all or simulate it via fixed-clock or so? > > Or any registration is in place that firmware keep refcount of users and > don't let it change unless there is only one user of that clock? > > > > Thanks, > > Michal > > > > On 6/21/21 6:41 PM, Varun Wadekar wrote: > >> Hi Michal, > >> > >> AFAIK, TF-A does not publish guidelines for clocks/resets for shared IP. It > is left to the platforms. > >> > >> For Tegra platforms, the clocks/reset are managed by a central entity. TF- > A is expected to co-ordinate with this entity. Unfortunately, PL011 does not > fall in this category and is expected to be kept on by the previous bootloader. > >> > >> -Varun > >> > >> -----Original Message----- > >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of > >> Michal Simek via TF-A > >> Sent: Monday, June 21, 2021 2:24 PM > >> To: tf-a(a)lists.trustedfirmware.org > >> Subject: [TF-A] PL011 clock handling between TF-A and Linux > >> > >> External email: Use caution opening links or attachments > >> > >> > >> Hi, > >> > >> recently we have hit the case where Linux has pl011 driver and using it as > a console. The same console is also used by TF-A. If you look at > implementation details Linux pl011 driver has in pl011_console_write() > clk_enable/clk_disable calls. > >> I can't see any clock handling for PL011 in TF-A that's why I guess that TF-A > expectation is that clocks are enabled and must be enabled all the time > because pl011 is also used as crashed console. > >> That's why I would like to check with you what's the clock expectation in > these shared IP cases. > >> Do you have a requirement that firmware should keep refcount of IP > users and never disable clock when only one requires it? > >> > >> Thanks, > >> Michal > >> -- > >> TF-A mailing list > >> TF-A(a)lists.trustedfirmware.org > >> > https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis > >> t > >> s.trustedfirmware.org%2Fmailman%2Flistinfo%2Ftf- > a&data=04%7C01%7C > >> > vwadekar%40nvidia.com%7C9d5af04d3aba49b18cc808d935465267%7C43083 > d1572 > >> > 7340c1b7db39efd9ccc17a%7C0%7C0%7C637599398425726681%7CUnknown% > 7CTWFpb > >> > GZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI > 6Mn > >> > 0%3D%7C1000&sdata=%2BXFRPZTttom4rvT%2FmEcQnbgSa276PYuKbvo > H4VujRk8 > >> %3D&reserved=0 > >> > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 12 months

3
3
0 0

Re: [TF-A] SP manifest: avoid manual updates to "entrypoint-offset"

by Olivier Deprez

Hi, See few comments inline [OD] Regards, Olivier. ________________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Varun Wadekar via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 16 June 2021 11:41 To: tf-a(a)lists.trustedfirmware.org Cc: Raghupathy Krishnamurthy; Nicolas Benech Subject: [TF-A] SP manifest: avoid manual updates to "entrypoint-offset" Hello, We (Nico/Raghu) have been implementing SEL0 partitions for Tegra platforms [OD] Just to be clear, is this about SEL0 partitions using an SEL1 shim (as per https://review.trustedfirmware.org/q/topic:%22db%252Fsel0%22+(status:open%2… )? and recently hit an issue, where the “entrypoint-offset” field of the SP manifest [1] cannot cope with increasing manifest blobs. The way the SP manifest is created today, the “entrypoint-offset” field is set to a value *statically* by the implementer. Down the line if the manifest grows past the value written in the “entrypoint-offset”, we must manually update it. This needs to be fixed. We believe there is an opportunity to upgrade the sptool to handle this situation during SP package creation, where sptool calculates the manifest size and bumps the “entrypoint-offset” past the end of the manifest. There are other ways of patching the SP manifest at runtime, but they seem sub-optimal. Please let me know if there are other ideas to solve this problem. I will post a patch to update the sptool shortly but wanted to get the ball rolling. [OD] We had an attempt (https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/8536) to move the entry point farther in the image such that we can support 64KB granules in the Stage-1 translation regime. This does not relate exactly to your problem but the effect is the "same" (aka there is more room for the manifest dtb). Agree this still requires hard-coding the entry point. At this stage I had thought of pushing the entry point even farther at a reasonably large 64KB aligned offset such that it helps with both problems. Cheers. [1] 14. FF-A manifest binding to device tree — Trusted Firmware-A documentation<https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-…>

4 years, 12 months

2
8
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

TF-A