ArmDisassemblerLib is used to pretty print the instruction that
triggered an unhandled exception, but it was never implemented for
AARCH64, and according to the existing file comment, Thumb2 support
(which is used predominantly when building EDK2 for 32-bit ARM due to
its smaller size) is incomplete.
The DEBUG diagnostics that are produced on an unhandled exception are
generally sufficient to dump the entire executable that triggered it,
and so this disassembly is of limited value, especially because it
doesn't work on AARCH64.
So let's start getting rid of it, by dropping references to it in code
and in the various .INF and .DSC files. Once out-of-tree platforms have
been allowed to catch up, we can remove the library implementation and
its class definition entirely.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
There were several bugs in the vector table relocation code which means
it can't really have been used by anyone on AArch64 in the last decade or
so. So delete the support code from the library, as well as the
ArmRelocateExceptionLib.inf file.
This gets rid of PcdDebuggerExceptionSupport (including a duff reference
in CpuDxe), PcdCpuVectorBaseAddress and PcdRelocateVectorTable.
Signed-off-by: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
The GIC driver itself has intimate knowledge of the hardware, and so it
is the best suited to create the mappings of the MMIO control regions,
in case they have not been mapped yet by the platform code.
So call in the the CPU arch protocol to map the CPU interface,
distributor and redistributor regions as they are discovered by the GIC
driver startup code.
Note that creating these mappings has no effect if the regions in
question have already been mapped with the correct attributes.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
The GIC distributor and redistributor addresses that are passed into the
interrupt enable and disable routines are always the same, so just use
the global variables directly.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
The GIC DXE driver only runs on the boot CPU, and so there is really no
point in iterating over all the redistributor frames every time an
interrupt is enabled, disabled or its state tested. Instead, do this
only at load time.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Instead of relying on a protocol notification event to register the core IRQ
interrupt handler with CPU arch protocol once it becomes available, use
a DEPEX to ensure that the GIC driver is not dispatched at all until the
CPU arch protocol has turned up.
This will allow the GIC driver to use other CPU arch protocol methods,
such as the ones needed to map the GIC MMIO regions at driver startup.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Currently, ArmPkg's CpuDxe DEPEXes on the hardware interrupt protocol,
to ensure that it is not dispatched before the GIC driver. This way, the
CpuDxe driver is guaranteed not to enable interrupts on the CPU side
before the GIC driver has had the opportunity to configure the
interrupts on the distribution side.
However, this prevents the GIC driver from using any of the CPU arch
protocol interfaces, such as mapping memory, which it may need to do on
platforms where the GIC MMIO regions are not mapped yet when the driver
is started.
So instead, use a protocol notification on the hardware interrupt
protocol, which is installed by the GIC driver (as well as other
existing interrupt controller drivers for platforms that do not
implement a GIC) after it starts up and deasserts and disables all
incoming interrupts. Manipulate the interrupt state as usual only after
this notification has been received. Before that, keep track of the
caller's intent regarding the interrupt enabled state in a shadow
variable, but do not actually enable interrupt delivery to the CPU just
yet.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
There is some fossilized code in the CpuDxe driver startup code that
permits a vector table to be inherited from the PEI stage, but this code
is essentially dead on ARM platforms, given that the VectorInfo argument
passed to InitializeCpuExceptionHandlers() is ignored, and no code
appears to exist that would result in the gEfiVectorHandoffTableGuid
configuration table ever being populated.
Also, due to prior refactoring, the code that disables and re-enables
IRQs and FIQs is completely pointless, and can simply be removed. That,
in turn, allows the CPU arch protocol parameter to be dropped from the
prototype of InitializeExceptions().
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Use static linkage for variables and routines that are not referenced
from other objects. This is generally preferred, because it gives the
compiler more freedom for optimization.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Failure to install the CPU arch protocol is a fatal error, so treat it
as such, rather than ignore it, even though we won't get very far if
this driver fails to dispatch - at least, we will get an error in a
DEBUG build rather than a mysterious failure due to unsatisfied DEPEXes.
Failure to install the idle loop event handler is not a fatal error, and
it should not cause the driver to exit with an error, as this will
unload the driver and keep the installed CPU arch protocol pointer
dangling. So keep the ASSERT() on the return value, but return
EFI_SUCCESS once we're past the point where the CPU arch protocol has
been installed.
Since the protocol is never uninstalled, make the CPU handle function
local, as there is no point in keeping its value around.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
When re-entering EDK2 from a high level OS such as Linux, the GICv3 may
be configured to use split priority drop and deactivate (EOImode == 1),
whereas EDK2's GICv3 driver assumes the default setting of EOImode == 0.
So clear the EOImode bit explicitly when taking control of the GIC.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Now that ArmPkg/Drivers/ArmGic no longer carries a combination of
libraries and DXE drivers, rename the directory to the more idiomatic
ArmPkg/Drivers/ArmGicDxe
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Most platforms do not require the flexibility of the ordinary GIC
driver, which supports both GICv2 and GICv3+, and decides at runtime
which version to use.
So expose a GICv3+ version, which only supports a GICv3 or newer.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Most platforms do not require the flexibility of the ordinary GIC
driver, which supports both GICv2 and GICv3+, and decides at runtime
which version to use.
So expose a GICv2 only version, which only supports a GICv2.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Retire all implementations of the ArmGicLib library class, which are no
longer used. For now, retain the library header and library class
declaration: the header file only contains pre-processor defines derived
from the GIC architecture spec, and so this code should probably move
into MdePkg at a later moment.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Move the remaining code in ArmGicLib into ArmGicDxe, its only user, and
drop the dependency on ArmGicLib. Note that ArmGicDxe has an undeclared
dependency on ArmLib, so declare that instead.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicArchLib is no longer use so remove all remaining references and
implementations.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicArchLib implements a check on the accessibility of the GIC system
register interface, which is a prerequisite for using the GIC in v3
mode. It might be possible to use GICv2 compatibility mode on poorly
configured platforms where the GIC is v3 capable but not accessible, but
in most cases, the GIC is driven in its native mode.
This check is now only carried out in a single place, and there is not
really any reason to keep this in a separate library. Even though
ArmVirtPkg implements its own version, the basic check (and enablement
of the sysreg interface) is still needed.
So move this check into the DXE driver itself, and drop the dependency
on ArmGicArchLib. This allows it to be retired in a subsequent patch.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicDxe is the only remaining user of ArmGicLib, and so there is no
need for the abstraction, which is drawn at an arbitrary boundary
anyway. So remove the remaining V2 specific code into the DXE driver.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Move the remaining ArmGicLib code that is shared between the v2 and v3
GIC DXE drivers into ArmGicCommonDxe.c
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Split ArmGicEnableDistributor () into GICv2 and v3 specific versions,
and move them into their single respective callers, so that the original
can be dropped from ArmGicLib altogether.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicLib is agnostic about the difference between v2 and v3, but its
APIs are only called from code that is either v2-specific or
v3-specific. That makes the generic interface kind of pointless, and we
can just merge this code into the callers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicEndOfInterrupt () is never used: the v2 and v3 versions of the
driver call respective specific versions directly, and so this API can
be removed.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
ArmGicSendSgiTo () is never used, and is fundamentally tied to multi-CPU
operation which is no longer supported. So drop the implementation.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
The ArmGicLib API exposes ArmGicEnableInterruptInterface () and
ArmGicDisableInterruptInterface (), but only the former is actually
used, and only from the GICv2 driver. So drop the API entirely, and
invoke the v2 version of the underlying interface directly.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Support for GICv2 legacy mode was introduced to accommodate secure world
firmware that was lagging behind in terms of development, and was
running the GIC in v2 mode on the secure side for lack of a GICv3
driver.
As per the GIC architecture, the non-secure world can only run the GIC
in v3 mode if the secure world does so too.
At this point, there is no longer a need to for this fallback: GICv2
support it still needed for platforms such as Raspberry Pi 4 that do not
implement GICv3 at all. But on platforms that do implement it, falling
back to GICv2 is unnecessary.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
StandaloneMmCpu driver is only used for Arm architecture and
StandaloneMmCoreEntryPointLib for Arm has specific implementation with
StandaloneMmCpu driver.
Move StandaloneMmCpu Driver and StandaloneMmCoreEntryPointLib for Arm
to ArmPkg.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
A compiler warning was detected that 'IntId' could be used uninitialized
in the `else` branch.
Since there are no consumers of this function, it was decided to remove
this function completely.
Signed-off-by: Mike Maslenkin <mike.maslenkin@gmail.com>
Do not use the PCDs as only fixed when there is an option
to use them as dynamic that can be set per SKU.
Signed-off-by: Ashish Singhal <ashishsingha@nvidia.com>
The current implementation operates on 64bit value with implicit value
truncation.
This change updates the involved frequencies to use 64 bit based
operations.
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
The current code path supporting `PcdArmGicV3WithV2Legacy` will read 32
bit CPU target and try to program ARM_GIC_ICDIPTR. However, all these
operations are 32bit wide.
This change casts the CpuTarget variable to be UINT32 before calling
MMIO read.
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Makes changes to comply with alerts raised by CodeQL.
The issues here fall into the following category:
1. unsigned-comparison-zero
Signed-off-by: Raymond Diaz <raymonddiaz@microsoft.com>
As per the emailed RFC in
https://edk2.groups.io/g/devel/topic/rfc_move/107675828,
this patch moves CompilerIntrinsicsLib from ArmPkg to
MdePkg as this library provides compiler intrinsics, which
are industry standard.
This aligns with the goal of integrating ArmPkg into existing
packages: https://bugzilla.tianocore.org/show_bug.cgi?id=4121.
The newly placed CompilerIntrinsicsLib is added to MdeLibs.dsc.inc
as every DSC that builds ARM/AARCH64 needs this library added. The
old location is removed from every DSC in edk2 in this commit also
to not break bisectability with minimal hoop jumping.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
AsmMacroIoLib.h and AsmMacroIoLibV8.h are used by the
CompilerIntrinsicsLib, which is moving to MdePkg. These
functions provide standard definitions for ARM/AARCH64
assembly code, respectively, and so are moved to the arch
directories in MdePkg to avoid MdePkg having a
dependency on ArmPkg.
Now that the files are in Arm/ and AArch64/ directories,
the filenames are changed to AsmMacroLib.h as we can
distinguish the architecture from the path.
AsmMacroIoLib.inc is unused and so is removed.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
GetProcessorInfo copies CpuData instead of CpuData.Info. The OUT parameter
ProcessorInfoBuffer is of type EFI_PROCESSOR_INFORMATION, not CPU_AP_DATA.
Fix it to copy the correct member CpuData.Info.
Signed-off-by: Vishal Oliyil Kunnil <quic_vishalo@quicinc.com>
On AARCH64 systems, the GCD is not fully synced with the page table. On
x86 systems, the GCD is synced by adding `EFI_MEMORY_RO`,
`EFI_MEMORY_RP`, and `EFI_MEMORY_XP` to the current capabilities of the
GCD, then the page table attributes are set on the GCD attributes.
However, on AARCH64, the GCD capabilities do not get updated, instead
only the attributes from the page table are masked by the existing GCD
capabilities, which means that any new page table attribute which are
already set are dropped and the GCD does not reflect the state of the
system. This has been seen to cause issues where memory in the page
table that was marked `EFI_MEMORY_XP` had an additional attribute set
using the GCD capabilities, which did not include `EFI_MEMORY_XP`, this
caused the page table to be updated to lose `EFI_MEMORY_XP`, which is a
potential security issue.
The existing behavior on AARCH64 systems is an implementation error, it
assumes one of two things:
- The page table attributes must be a subset of the GCD capabilities
- The GCD does not need to have its capabilities synced to what the page
table attributes are
The first is incorrect as important attributes such as `EFI_MEMORY_XP`
do not get applied to the GCD capabilities by default and therefore must
be synced back. This comment from ArmPkg's CpuDxe driver helps explain:
```c
// The GCD implementation maintains its own copy of the state of memory
// space attributes. GCD needs to know what the initial memory space
// attributes are. The CPU Arch. Protocol does not provide a
// GetMemoryAttributes function for GCD to get this so we must resort to
// calling GCD (as if we were a client) to update its copy of the
// attributes. This is bad architecture and should be replaced with a
// way for GCD to query the CPU Arch. driver of the existing memory
// space attributes instead.
```
However, this comment misses that updating the capabilities is critical
to updating the attributes.
The second is incorrect because significant pieces of core code
reference the GCD attributes instead of the page table attributes. For
example, NonDiscoverablePciDeviceDxe uses the GCD capabilities and
attributes when interacting with a non-discoverable PCI device. When the
GCD is not synced to the page table, we get the errors and security
concerns listed above.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
This moves the WatchdogDisable() function before the installation of the
gEfiWatchdogTimerArchProtocolGuid protocol. It allows a platform to
promptly carry out platform specific configurations, such as UEFI boot
monitoring, by registering the protocol installation callback.
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
The memory attribute protocol is primarily used by bootloaders
and there are many released bootloaders who use the protocol
incorrectly. It is challenging to debug these situations
because the bootloaders are generally black boxes and we
silently fail on the FW side.
This patch adds logging to some common memory attribute
protocol failures in CpuDxe.
Signed-off-by: Oliver Smith-Denny <osde@linux.microsoft.com>
Drop logic from the ARM architectural support libraries that can only
execute in EL3 on AArch64 or Monitor mode on 32-bit ARM. While early
32-bit ports (and even some early 64-bit code) included some monitor
logic in EDK2, UEFI per the spec runs in non-secure execution contexts
only, and secure monitor and other secure world duties are usually
delegated to TF-A (Trusted Firmware for the A profile).
Since there are no longer users of this code in EDK2 or the
edk2-platforms tree, let's remove it from the core support libraries.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Update GenericWatchdogDxe to disable watchdog interaction after exiting
boot services. Also, move the mEfiExitBootServicesEvent event to the top
of the file with the other static variables.
Signed-off-by: Rebecca Cran <rebecca@os.amperecomputing.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
The calculation of the timer period was broken. Introduce a global
mTimerPeriod so the calculation can be removed. Since mTimerFrequencyHz
is only used in one place, remove the global and make it a local
variable. Do the same with mNumTimerTicks.
Signed-off-by: Rebecca Cran <rebecca@os.amperecomputing.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
The generic watchdog offset register is 48 bits wide, and can be set by
performing two 32-bit writes.
Add support for writing the high 16 bits of the offset register and
update the signature of the WatchdogWriteOffsetRegister function to take
a UINT64 value.
Signed-off-by: Rebecca Cran <rebecca@os.amperecomputing.com>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
The PERFORMANCE_DESCRIBE_FASTCHANNEL Scmi command is available
since SCMI v2.0 and allows to query information about the supported
fast-channels of the Scmi performance protocol.
Add support for this command.
Also move SCMI_MESSAGE_ID_PERFORMANCE enum definition up in the file
to use it in SCMI_PERFORMANCE_DESCRIBE_FASTCHANNEL function
declaration.
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
GetNextEntryAttribute() is currently applying a 64-bit mask
(TT_ATTRIBUTES_MASK) to a 32-bit descriptor value (EntryType).
The original descriptor was 64 bits containing the upper and
lower attributes which are included in TT_ATTRIBUTES_MASK.
The PrevEntryAttribute parameter is also a UINT32, but passed to
PageAttributeToGcdAttribute() for a UINT64 parameter where the
function checks masks in the upper 32 bits of the integer value:
PageAttributeToGcdAttribute (*PrevEntryAttribute)
...
STATIC
UINT64
PageAttributeToGcdAttribute (
IN UINT64 PageAttributes
)
...
if ((PageAttributes & (TT_PXN_MASK | TT_UXN_MASK)) != 0) {
GcdAttributes |= EFI_MEMORY_XP;
}
...
#define TT_PXN_MASK BIT53
#define TT_UXN_MASK BIT54 // EL1&0
This change removes UINT32 intermediary values. For EntryType,
eliminating an unncessary cast. For EntryAttribute, preserving the
upper and lower attributes for evaluation in
PageAttributeToGcdAttribute().
This also resolves the following compiler warning previously present
on Visual Studio for the assignment to the previously 32-bit local
variables.
'=': conversion from 'UINT64' to 'UINT32', possible loss of data
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Add EFI_NOT_READY return if the CPU can not be enabled because the
processor is already on.
This can occur in normal use if the CPU is still being turned off from
a previous call when this is called again.
Signed-off-by: Jeff Brasen <jbrasen@nvidia.com>
Reviewed-by: Rebecca Cran <rebecca@bsdio.com>
Ard Biesheuvel
Leif Lindholm
Levi Yun
Mike Maslenkin
Ashish Singhal
Kun Qin
kuqin12
Oliver Smith-Denny
Vishal Oliyil Kunnil
Oliver Smith-Denny
Nhi Pham
Rebecca Cran
Pierre Gondois
Michael Kubacki
Jeff Brasen via groups.io