fix(ras): restrict RAS support for NS world

Current RAS framework in TF-A only supports handling errors originating
from NS world but the HANDLE_EA_EL3_FIRST flag configures it for all
lower Els. To make the current design of RAS explicit, rename this macro
to HANDLE_EA_EL3_FIRST_NS and set EA bit in scr_el3 only when
switching to NS world.

Note: I am unaware of any platform which traps errors originating in
Secure world to EL3, if there is any such platform then it need to
be explicitly implemented in TF-A

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: If58eb201d8fa792c16325c85c26056e9b409b750
This commit is contained in:
Manish Pandey 2022-10-10 11:43:08 +01:00
parent 0ae4a3a3f0
commit 46cc41d559
15 changed files with 44 additions and 46 deletions

View File

@ -715,8 +715,8 @@ endif
# For RAS_EXTENSION, require that EAs are handled in EL3 first
ifeq ($(RAS_EXTENSION),1)
ifneq ($(HANDLE_EA_EL3_FIRST),1)
$(error For RAS_EXTENSION, HANDLE_EA_EL3_FIRST must also be 1)
ifneq ($(HANDLE_EA_EL3_FIRST_NS),1)
$(error For RAS_EXTENSION, HANDLE_EA_EL3_FIRST_NS must also be 1)
endif
endif
@ -1033,7 +1033,7 @@ $(eval $(call assert_booleans,\
FAULT_INJECTION_SUPPORT \
GENERATE_COT \
GICV2_G0_FOR_EL3 \
HANDLE_EA_EL3_FIRST \
HANDLE_EA_EL3_FIRST_NS \
HW_ASSISTED_COHERENCY \
INVERTED_MEMMAP \
MEASURED_BOOT \
@ -1172,7 +1172,7 @@ $(eval $(call add_defines,\
ERROR_DEPRECATED \
FAULT_INJECTION_SUPPORT \
GICV2_G0_FOR_EL3 \
HANDLE_EA_EL3_FIRST \
HANDLE_EA_EL3_FIRST_NS \
HW_ASSISTED_COHERENCY \
LOG_LEVEL \
MEASURED_BOOT \

View File

@ -168,7 +168,7 @@ func do_panic
mrs x0, currentel
ubfx x0, x0, #MODE_EL_SHIFT, #MODE_EL_WIDTH
cmp x0, #MODE_EL3
#if !HANDLE_EA_EL3_FIRST
#if !HANDLE_EA_EL3_FIRST_NS
ldr x0, [sp], #0x10
b.eq el3_panic
#else
@ -184,7 +184,7 @@ func do_panic
to_panic_common:
ldr x0, [sp], #0x10
#endif /* HANDLE_EA_EL3_FIRST */
#endif /* HANDLE_EA_EL3_FIRST_NS */
#endif /* CRASH_REPORTING */
panic_common:

View File

@ -6,10 +6,11 @@ Serviceability (RAS) extensions. RAS is a mandatory extension for Armv8.2 and
later CPUs, and also an optional extension to the base Armv8.0 architecture.
In conjunction with the |EHF|, support for RAS extension enables firmware-first
paradigm for handling platform errors: exceptions resulting from errors are
routed to and handled in EL3. Said errors are Synchronous External Abort (SEA),
Asynchronous External Abort (signalled as SErrors), Fault Handling and Error
Recovery interrupts. The |EHF| document mentions various :ref:`error handling
paradigm for handling platform errors: exceptions resulting from errors in
Non-secure world are routed to and handled in EL3.
Said errors are Synchronous External Abort (SEA), Asynchronous External Abort
(signalled as SErrors), Fault Handling and Error Recovery interrupts.
The |EHF| document mentions various :ref:`error handling
use-cases <delegation-use-cases>` .
For the description of Arm RAS extensions, Standard Error Records, and the
@ -29,7 +30,7 @@ introduced by the RAS extensions.
.. __: `Standard Error Record helpers`_
The build option ``RAS_EXTENSION`` when set to ``1`` includes the RAS in run
time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST`` must also
time firmware; ``EL3_EXCEPTION_HANDLING`` and ``HANDLE_EA_EL3_FIRST_NS`` must also
be set ``1``. ``RAS_TRAP_NS_ERR_REC_ACCESS`` controls the access to the RAS
error record registers from Non-secure.
@ -198,8 +199,8 @@ related, build options:
- ``EL3_EXCEPTION_HANDLING=1`` enables handling of exceptions at EL3. See
`Interaction with Exception Handling Framework`_;
- ``HANDLE_EA_EL3_FIRST=1`` enables routing of External Aborts and SErrors to
EL3.
- ``HANDLE_EA_EL3_FIRST_NS=1`` enables routing of External Aborts and SErrors,
resulting from errors in NS world, to EL3.
The RAS support in |TF-A| introduces a default implementation of
``plat_ea_handler``, the External Abort handler in EL3. When ``RAS_EXTENSION``

View File

@ -569,10 +569,11 @@ Common build options
EL1 for handling. The default value of this option is ``0``, which means the
Group 0 interrupts are assumed to be handled by Secure EL1.
- ``HANDLE_EA_EL3_FIRST``: When set to ``1``, External Aborts and SError
Interrupts will be always trapped in EL3 i.e. in BL31 at runtime. When set to
``0`` (default), these exceptions will be trapped in the current exception
level (or in EL1 if the current exception level is EL0).
- ``HANDLE_EA_EL3_FIRST_NS``: When set to ``1``, External Aborts and SError
Interrupts, resulting from errors in NS world, will be always trapped in
EL3 i.e. in BL31 at runtime. When set to ``0`` (default), these exceptions
will be trapped in the current exception level (or in EL1 if the current
exception level is EL0).
- ``HW_ASSISTED_COHERENCY``: On most Arm systems to-date, platform-specific
software operations are required for CPUs to enter and exit coherency.
@ -725,7 +726,7 @@ Common build options
or later CPUs. This flag can take the values 0 to 2, to align with the
``FEATURE_DETECTION`` mechanism.
When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST`` must also be
When ``RAS_EXTENSION`` is set to ``1``, ``HANDLE_EA_EL3_FIRST_NS`` must also be
set to ``1``.
This option is disabled by default.

View File

@ -165,14 +165,14 @@ Globalscale MOCHAbin specific build options:
Armada37x0 specific build options:
- HANDLE_EA_EL3_FIRST
- HANDLE_EA_EL3_FIRST_NS
When ``HANDLE_EA_EL3_FIRST=1``, External Aborts and SError Interrupts will be always trapped
in TF-A. TF-A in this case enables dirty hack / workaround for a bug found in U-Boot and
Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks SError interrupt
caused by AXI SLVERR on external access (syndrome 0xbf000002).
When ``HANDLE_EA_EL3_FIRST_NS=1``, External Aborts and SError Interrupts, resulting from errors
in NS world, will be always trapped in TF-A. TF-A in this case enables dirty hack / workaround for
a bug found in U-Boot and Linux kernel PCIe controller driver pci-aardvark.c, traps and then masks
SError interrupt caused by AXI SLVERR on external access (syndrome 0xbf000002).
Otherwise when ``HANDLE_EA_EL3_FIRST=0``, these exceptions will be trapped in the current
Otherwise when ``HANDLE_EA_EL3_FIRST_NS=0``, these exceptions will be trapped in the current
exception level (or in EL1 if the current exception level is EL0). So exceptions caused by
U-Boot will be trapped in U-Boot, exceptions caused by Linux kernel (or user applications)
will be trapped in Linux kernel.
@ -185,8 +185,8 @@ Armada37x0 specific build options:
recommended to not enable this workaround as it disallows propagating of all External Aborts
to running Linux kernel and makes correctable errors as fatal aborts.
This option is now disabled by default. In past this option was enabled by default in
TF-A versions v2.2, v2.3, v2.4 and v2.5.
This option is now disabled by default. In past this option has different name "HANDLE_EA_EL3_FIRST" and
was enabled by default in TF-A versions v2.2, v2.3, v2.4 and v2.5.
- CM3_SYSTEM_RESET

View File

@ -206,6 +206,11 @@ static void setup_ns_context(cpu_context_t *ctx, const struct entry_point_info *
/* Allow access to Allocation Tags when MTE is implemented. */
scr_el3 |= SCR_ATA_BIT;
#if HANDLE_EA_EL3_FIRST_NS
/* SCR_EL3.EA: Route External Abort and SError Interrupt to EL3. */
scr_el3 |= SCR_EA_BIT;
#endif
#if RAS_TRAP_NS_ERR_REC_ACCESS
/*
* SCR_EL3.TERR: Trap Error record accesses. Accesses to the RAS ERR
@ -279,7 +284,7 @@ static void setup_context_common(cpu_context_t *ctx, const entry_point_info_t *e
* Security state and entrypoint attributes of the next EL.
*/
scr_el3 = read_scr();
scr_el3 &= ~(SCR_NS_BIT | SCR_RW_BIT | SCR_FIQ_BIT | SCR_IRQ_BIT |
scr_el3 &= ~(SCR_NS_BIT | SCR_RW_BIT | SCR_EA_BIT | SCR_FIQ_BIT | SCR_IRQ_BIT |
SCR_ST_BIT | SCR_HCE_BIT | SCR_NSE_BIT);
/*
@ -317,15 +322,6 @@ static void setup_context_common(cpu_context_t *ctx, const entry_point_info_t *e
scr_el3 |= SCR_TRNDR_BIT;
#endif
#if !HANDLE_EA_EL3_FIRST
/*
* SCR_EL3.EA: Do not route External Abort and SError Interrupt External
* to EL3 when executing at a lower EL. When executing at EL3, External
* Aborts are taken to EL3.
*/
scr_el3 &= ~SCR_EA_BIT;
#endif
#if FAULT_INJECTION_SUPPORT
/* Enable fault injection from lower ELs */
scr_el3 |= SCR_FIEN_BIT;

View File

@ -216,9 +216,9 @@ GENERATE_COT := 0
# default, they are for Secure EL1.
GICV2_G0_FOR_EL3 := 0
# Route External Aborts to EL3. Disabled by default; External Aborts are handled
# Route NS External Aborts to EL3. Disabled by default; External Aborts are handled
# by lower ELs.
HANDLE_EA_EL3_FIRST := 0
HANDLE_EA_EL3_FIRST_NS := 0
# Secure hash algorithm flag, accepts 3 values: sha256, sha384 and sha512.
# The default value is sha256.

View File

@ -21,7 +21,7 @@ SDEI_SUPPORT := 0
EL3_EXCEPTION_HANDLING := 0
HANDLE_EA_EL3_FIRST := 0
HANDLE_EA_EL3_FIRST_NS := 0
# System coherency is managed in hardware
HW_ASSISTED_COHERENCY := 1

View File

@ -14,7 +14,7 @@ SDEI_SUPPORT := 0
EL3_EXCEPTION_HANDLING := 0
HANDLE_EA_EL3_FIRST := 0
HANDLE_EA_EL3_FIRST_NS := 0
CSS_SGI_CHIP_COUNT := 1

View File

@ -93,7 +93,7 @@ void plat_default_ea_handler(unsigned int ea_reason, uint64_t syndrome, void *co
ERROR("Unhandled External Abort received on 0x%lx from %s\n",
read_mpidr_el1(), get_el_str(level));
ERROR("exception reason=%u syndrome=0x%" PRIx64 "\n", ea_reason, syndrome);
#if HANDLE_EA_EL3_FIRST
#if HANDLE_EA_EL3_FIRST_NS
/* Skip backtrace for lower EL */
if (level != MODE_EL3) {
console_flush();

View File

@ -62,7 +62,7 @@ BL31_SOURCES += lib/cpus/aarch64/cortex_a53.S \
$(PLAT_COMMON_BASE)/a3700_sip_svc.c \
$(MARVELL_DRV)
ifeq ($(HANDLE_EA_EL3_FIRST),1)
ifeq ($(HANDLE_EA_EL3_FIRST_NS),1)
BL31_SOURCES += $(PLAT_COMMON_BASE)/a3700_ea.c
endif

View File

@ -18,7 +18,7 @@
/*
* This source file with custom plat_ea_handler function is compiled only when
* building TF-A with compile option HANDLE_EA_EL3_FIRST=1
* building TF-A with compile option HANDLE_EA_EL3_FIRST_NS=1
*/
void plat_ea_handler(unsigned int ea_reason, uint64_t syndrome, void *cookie,
void *handle, uint64_t flags)

View File

@ -33,7 +33,7 @@ MAX_MMAP_REGIONS := 30
$(eval $(call add_define,MAX_MMAP_REGIONS))
# enable RAS handling
HANDLE_EA_EL3_FIRST := 1
HANDLE_EA_EL3_FIRST_NS := 1
RAS_EXTENSION := 1
# platform files

View File

@ -15,7 +15,7 @@ ENABLE_SVE_FOR_NS := 0
MULTI_CONSOLE_API := 1
CRASH_REPORTING := 1
HANDLE_EA_EL3_FIRST := 1
HANDLE_EA_EL3_FIRST_NS := 1
# This option gets enabled automatically if the TRUSTED_BOARD_BOOT
# is set via root Makefile, but Renesas support Trusted-Boot without

View File

@ -27,7 +27,7 @@ ERRATA_A72_859971 := 1
ERRATA_A72_1319367 := 1
CRASH_REPORTING := 1
HANDLE_EA_EL3_FIRST := 1
HANDLE_EA_EL3_FIRST_NS := 1
# Split out RO data into a non-executable section
SEPARATE_CODE_AND_RODATA := 1