u-boot.git/arch/arm/cpu/u-boot.lds, branch u-boot-2016.09.y Unnamed repository; edit this file 'description' to name the repository. ARM: armv7: guard memory reserve for PSCI with #ifdef CONFIG_ARMV7_PSCI 2016-09-07T12:48:46+00:00 Masahiro Yamada yamada.masahiro@socionext.com 2016-08-30T07:22:21+00:00 5a3aae68c74e029ed29d22999ab6f22687382f2d If CONFIG_ARMV7_NONSEC is enabled, the linker script requires CONFIG_ARMV7_PSCI_NR_CPUS regardless of CONFIG_ARMV7_PSCI. Reviewed-by: Alexander Graf <agraf@suse.de> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> 
If CONFIG_ARMV7_NONSEC is enabled, the linker script requires
CONFIG_ARMV7_PSCI_NR_CPUS regardless of CONFIG_ARMV7_PSCI.

Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
ARM: Add secure section for initialized data 2016-07-15T13:54:58+00:00 Chen-Yu Tsai wens@csie.org 2016-07-05T13:45:06+00:00 a5aa7ff33a942ce8ea38006fd5225a800827bb2c The secure monitor may need to store global or static values within the secure section of memory, such as target PC or CPU power status. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Signed-off-by: Hans de Goede <hdegoede@redhat.com> 
The secure monitor may need to store global or static values within the
secure section of memory, such as target PC or CPU power status.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
ARM: Add CONFIG_ARMV7_SECURE_MAX_SIZE and check size of secure section 2016-07-15T13:54:57+00:00 Chen-Yu Tsai wens@csie.org 2016-06-19T04:38:39+00:00 3eff681818e2c858175a7cc4e766f75e95827920 As the PSCI implementation grows, we might exceed the size of the secure memory that holds the firmware. Add a configurable CONFIG_ARMV7_SECURE_MAX_SIZE so platforms can define how much secure memory is available. The linker then checks the size of the whole secure section against this. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Signed-off-by: Hans de Goede <hdegoede@redhat.com> 
As the PSCI implementation grows, we might exceed the size of the secure
memory that holds the firmware.

Add a configurable CONFIG_ARMV7_SECURE_MAX_SIZE so platforms can define
how much secure memory is available. The linker then checks the size of
the whole secure section against this.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
ARM: Add an empty secure stack section 2016-07-15T13:54:57+00:00 Chen-Yu Tsai wens@csie.org 2016-06-19T04:38:36+00:00 980d6a55119f757ade4abed88bf4b2b7494c68e6 Until now we've been using memory beyond psci_text_end as stack space for the secure monitor or PSCI implementation, even if space was not allocated for it. This was partially fixed in ("ARM: allocate extra space for PSCI stack in secure section during link phase"). However, calculating stack space from psci_text_end in one place, while allocating the space in another is error prone. This patch adds a separate empty secure stack section, with space for CONFIG_ARMV7_PSCI_NR_CPUS stacks, each 1 KB. There's also __secure_stack_start and __secure_stack_end symbols. The linker script handles calculating the correct VMAs for the stack section. For platforms that relocate/copy the secure monitor before using it, the space is not allocated in the executable, saving space. For platforms that do not define CONFIG_ARMV7_PSCI_NR_CPUS, a whole page of stack space for 4 CPUs is allocated, matching the previous behavior. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Signed-off-by: Hans de Goede <hdegoede@redhat.com> 
Until now we've been using memory beyond psci_text_end as stack space
for the secure monitor or PSCI implementation, even if space was not
allocated for it.

This was partially fixed in ("ARM: allocate extra space for PSCI stack
in secure section during link phase"). However, calculating stack space
from psci_text_end in one place, while allocating the space in another
is error prone.

This patch adds a separate empty secure stack section, with space for
CONFIG_ARMV7_PSCI_NR_CPUS stacks, each 1 KB. There's also
__secure_stack_start and __secure_stack_end symbols. The linker script
handles calculating the correct VMAs for the stack section. For
platforms that relocate/copy the secure monitor before using it, the
space is not allocated in the executable, saving space.

For platforms that do not define CONFIG_ARMV7_PSCI_NR_CPUS, a whole page
of stack space for 4 CPUs is allocated, matching the previous behavior.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
ARM: Page align secure section only when it is executed in situ 2016-07-15T13:54:57+00:00 Chen-Yu Tsai wens@csie.org 2016-06-19T04:38:34+00:00 a1274cc94a20a0fc6715522d021ab84969b6bf91 Targets that define CONFIG_ARMV7_SECURE_BASE will copy the secure section to another address before execution. Since the secure section in the u-boot image is only storage, there's no reason to page align it and increase the binary image size. Page align the secure section only when CONFIG_ARMV7_SECURE_BASE is not defined. And instead of just aligning the __secure_start symbol, align the whole .__secure_start section. This also makes the section empty, so we need to add KEEP() to the input entry to prevent the section from being garbage collected. Also use ld constant "COMMONPAGESIZE" instead of hardcoded page size. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Signed-off-by: Hans de Goede <hdegoede@redhat.com> 
Targets that define CONFIG_ARMV7_SECURE_BASE will copy the secure section
to another address before execution.

Since the secure section in the u-boot image is only storage, there's
no reason to page align it and increase the binary image size.

Page align the secure section only when CONFIG_ARMV7_SECURE_BASE is not
defined. And instead of just aligning the __secure_start symbol, align
the whole .__secure_start section. This also makes the section empty,
so we need to add KEEP() to the input entry to prevent the section from
being garbage collected.

Also use ld constant "COMMONPAGESIZE" instead of hardcoded page size.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
ARM: allocate extra space for PSCI stack in secure section during link phase 2016-06-20T20:43:59+00:00 Chen-Yu Tsai wens@csie.org 2016-06-07T02:54:27+00:00 b56e06d343ba4f9af3063d023032fdc00ba17944 The PSCI implementation expects at most 2 pages worth of space reserved at the end of the secure section for its stacks. If PSCI is relocated to secure SRAM, then everything is fine. If no secure SRAM is available, and PSCI remains in main memory, the reserved memory space doesn't cover the space used by the stack. If one accesses PSCI after Linux has fully booted, the memory that should have been reserved for the PSCI stacks may have been used by the kernel or userspace, and would be corrupted. Observed after effects include the system hanging or telinit core dumping when trying to reboot. It seems the init process gets hit the most on my test bed. This fix allocates the space used by the PSCI stacks in the secure section by skipping pages in the linker script, but only when there is no secure SRAM, to avoid bloating the binary. This fix is only a stop gap. It would be better to rework the stack allocation mechanism, maybe with proper usage of CONFIG_ macros and an explicit symbol. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Acked-by: Marc Zyngier <marc.zyngier@arm.com> Signed-off-by: Hans de Goede <hdegoede@redhat.com> 
The PSCI implementation expects at most 2 pages worth of space reserved
at the end of the secure section for its stacks. If PSCI is relocated to
secure SRAM, then everything is fine. If no secure SRAM is available,
and PSCI remains in main memory, the reserved memory space doesn't cover
the space used by the stack.

If one accesses PSCI after Linux has fully booted, the memory that should
have been reserved for the PSCI stacks may have been used by the kernel
or userspace, and would be corrupted. Observed after effects include the
system hanging or telinit core dumping when trying to reboot. It seems
the init process gets hit the most on my test bed.

This fix allocates the space used by the PSCI stacks in the secure
section by skipping pages in the linker script, but only when there is
no secure SRAM, to avoid bloating the binary.

This fix is only a stop gap. It would be better to rework the stack
allocation mechanism, maybe with proper usage of CONFIG_ macros and an
explicit symbol.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
arm: x86: Drop command-line code when CONFIG_CMDLINE is disabled 2016-03-22T16:16:09+00:00 Simon Glass sjg@chromium.org 2016-03-14T01:07:29+00:00 c1352119fd09a31ddb77710a0c3839d1af21fc65 Update the link script to drop this code when not needed. This is only done for two architectures at present. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Tom Rini <trini@konsulko.com> 
Update the link script to drop this code when not needed. This is only done
for two architectures at present.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
efi_loader: Add runtime services 2016-03-15T22:03:10+00:00 Alexander Graf agraf@suse.de 2016-03-04T00:10:01+00:00 50149ea37a21dcbed675297f1536c31a7db39c19 After booting has finished, EFI allows firmware to still interact with the OS using the "runtime services". These callbacks live in a separate address space, since they are available long after U-Boot has been overwritten by the OS. This patch adds enough framework for arbitrary code inside of U-Boot to become a runtime service with the right section attributes set. For now, we don't make use of it yet though. We could maybe in the future map U-boot environment variables to EFI variables here. Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Simon Glass <sjg@chromium.org> Tested-by: Simon Glass <sjg@chromium.org> 
After booting has finished, EFI allows firmware to still interact with the OS
using the "runtime services". These callbacks live in a separate address space,
since they are available long after U-Boot has been overwritten by the OS.

This patch adds enough framework for arbitrary code inside of U-Boot to become
a runtime service with the right section attributes set. For now, we don't make
use of it yet though.

We could maybe in the future map U-boot environment variables to EFI variables
here.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
ARM: Disable "DISCARD" for secure section if CONFIG_ARMV7_SECURE_BASE isn't defined 2016-01-31T15:32:56+00:00 Wang Dongsheng dongsheng.wang@nxp.com 2016-01-18T03:02:40+00:00 c5e954eccd473c1601d60d144bc18f90893cb3ac "DISCARD" will remove ._secure.text relocate, but PSCI framework has already used some absolute address those need to relocate. Use readelf -t -r u-boot show us: .__secure_start addr: 601408e4 .__secure_end addr: 60141460 60141140 00000017 R_ARM_RELATIVE 46 _secure_monitor: 47 #ifdef CONFIG_ARMV7_PSCI 48 ldr r5, =_psci_vectors 60141194 00000017 R_ARM_RELATIVE 6014119c 00000017 R_ARM_RELATIVE 601411a4 00000017 R_ARM_RELATIVE 601411ac 00000017 R_ARM_RELATIVE 64 _psci_table: 66 .word psci_cpu_suspend ... 72 .word psci_migrate 60141344 00000017 R_ARM_RELATIVE 6014145c 00000017 R_ARM_RELATIVE 202 ldr r5, =psci_text_end Solutions: 1. Change absolute address to RelAdr. Based on LDR (immediate, ARM), we only have 4K offset to jump. Now PSCI code size is close to 4K size that is LDR limit jump size, so even if the LDR is based on the current instruction address, there is also have a risk for RelAdr. If we use two jump steps I think we can fix this issue, but looks too hack, so give up this way. 2. Enable "DISCARD" only for CONFIG_ARMV7_SECURE_BASE has defined. If CONFIG_ARMV7_SECURE_BASE is defined in platform, all of secure will in the BASE address that is absolute. Signed-off-by: Wang Dongsheng <dongsheng.wang@nxp.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
"DISCARD" will remove ._secure.text relocate, but PSCI framework
has already used some absolute address those need to relocate.

Use readelf -t -r u-boot show us:
.__secure_start		addr: 601408e4
.__secure_end		addr: 60141460

60141140  00000017 R_ARM_RELATIVE
46	_secure_monitor:
47	#ifdef CONFIG_ARMV7_PSCI
48      ldr     r5, =_psci_vectors

60141194  00000017 R_ARM_RELATIVE
6014119c  00000017 R_ARM_RELATIVE
601411a4  00000017 R_ARM_RELATIVE
601411ac  00000017 R_ARM_RELATIVE
64	_psci_table:
66	.word	psci_cpu_suspend
...
72	.word	psci_migrate

60141344  00000017 R_ARM_RELATIVE
6014145c  00000017 R_ARM_RELATIVE
202	ldr     r5, =psci_text_end

Solutions:
1. Change absolute address to RelAdr.
   Based on LDR (immediate, ARM), we only have 4K offset to jump.
Now PSCI code size is close to 4K size that is LDR limit jump size,
so even if the LDR is based on the current instruction address,
there is also have a risk for RelAdr. If we use two jump steps I
think we can fix this issue, but looks too hack, so give up this way.

2. Enable "DISCARD" only for CONFIG_ARMV7_SECURE_BASE has defined.
   If CONFIG_ARMV7_SECURE_BASE is defined in platform, all of secure
will in the BASE address that is absolute.

Signed-off-by: Wang Dongsheng <dongsheng.wang@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
arm: discard relocation entries for secure text 2015-11-12T16:31:02+00:00 Peng Fan Peng.Fan@freescale.com 2015-10-23T02:13:03+00:00 d47cb0b61aa9e268f140455b2bc4421ae9e0b4bc The code such as PSCI in section named secure is bundled with u-boot image, and when bootm, the code will be copied to their runtime address same to compliation/linking address - CONFIG_ARMV7_SECURE_BASE. When compile the PSCI code and link it into the u-boot image, there will be relocation entries in .rel.dyn section for PSCI. Actually, we do not needs these relocation entries. If still keep the relocation entries in .rel.dyn section, r0 at line 103 and 106 in arch/arm/lib/relocate.S may be an invalid address which may not support read/write for one SoC. 102 /* relative fix: increase location by offset */ 103 add r0, r0, r4 104 ldr r1, [r0] 105 add r1, r1, r4 106 str r1, [r0] So discard them to avoid touching the relocation entry in arch/arm/lib/relocate.S. Signed-off-by: Peng Fan <Peng.Fan@freescale.com> Cc: Tom Warren <twarren@nvidia.com> Cc: York Sun <yorksun@freescale.com> Cc: Hans De Goede <hdegoede@redhat.com> Cc: Ian Campbell <ijc@hellion.org.uk> Cc: Albert Aribaud <albert.u.boot@aribaud.net> Cc: Tom Rini <trini@konsulko.com> Cc: Jan Kiszka <jan.kiszka@siemens.com> Cc: Stefano Babic <sbabic@denx.de> Acked-by: Albert ARIBAUD <albert.u.boot@aribaud.net> 
The code such as PSCI in section named secure is bundled with
u-boot image, and when bootm, the code will be copied to their
runtime address same to compliation/linking address -
CONFIG_ARMV7_SECURE_BASE.

When compile the PSCI code and link it into the u-boot image,
there will be relocation entries in .rel.dyn section for PSCI.
Actually, we do not needs these relocation entries.

If still keep the relocation entries in .rel.dyn section,
r0 at line 103 and 106 in arch/arm/lib/relocate.S may be an invalid
address which may not support read/write for one SoC.
102         /* relative fix: increase location by offset */
103         add     r0, r0, r4
104         ldr     r1, [r0]
105         add     r1, r1, r4
106         str     r1, [r0]

So discard them to avoid touching the relocation entry in
arch/arm/lib/relocate.S.

Signed-off-by: Peng Fan <Peng.Fan@freescale.com>
Cc: Tom Warren <twarren@nvidia.com>
Cc: York Sun <yorksun@freescale.com>
Cc: Hans De Goede <hdegoede@redhat.com>
Cc: Ian Campbell <ijc@hellion.org.uk>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Tom Rini <trini@konsulko.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Stefano Babic <sbabic@denx.de>
Acked-by: Albert ARIBAUD <albert.u.boot@aribaud.net>