# Trusted Firmware Version
#
VERSION_MAJOR := 2
-VERSION_MINOR := 0
+VERSION_MINOR := 1
# Default goal is build all images
.DEFAULT_GOAL := all
lib \
include \
docs \
- %.md, \
+ %.rst, \
$(wildcard *)))
CHECK_PATHS := ${ROOT_DIRS_TO_CHECK} \
${INC_DIRS_TO_CHECK} \
FWU_FIP_DEPS += fwu_certificates
endif
+# Process BRANCH_PROTECTION value and set
+# Pointer Authentication and Branch Target Identification flags
+ifeq (${BRANCH_PROTECTION},0)
+ # Default value turns off all types of branch protection
+ BP_OPTION := none
+else ifneq (${ARCH},aarch64)
+ $(error BRANCH_PROTECTION requires AArch64)
+else ifeq (${BRANCH_PROTECTION},1)
+ # Enables all types of branch protection features
+ BP_OPTION := standard
+ ENABLE_BTI := 1
+ ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},2)
+ # Return address signing to its standard level
+ BP_OPTION := pac-ret
+ ENABLE_PAUTH := 1
+else ifeq (${BRANCH_PROTECTION},3)
+ # Extend the signing to include leaf functions
+ BP_OPTION := pac-ret+leaf
+ ENABLE_PAUTH := 1
+else
+ $(error Unknown BRANCH_PROTECTION value ${BRANCH_PROTECTION})
+endif
################################################################################
# Toolchain
TF_CFLAGS_aarch32 += -mno-unaligned-access
TF_CFLAGS_aarch64 += -mgeneral-regs-only -mstrict-align
+ifneq (${BP_OPTION},none)
+TF_CFLAGS_aarch64 += -mbranch-protection=${BP_OPTION}
+endif
+
ASFLAGS_aarch32 = $(march32-directive)
ASFLAGS_aarch64 = $(march64-directive)
WARNING1 := -Wextra
-WARNING1 += -Wunused -Wno-unused-parameter
WARNING1 += -Wmissing-declarations
WARNING1 += -Wmissing-format-attribute
WARNING1 += -Wmissing-prototypes
WARNING1 += -Wold-style-definition
-WARNING1 += -Wunused-but-set-variable
WARNING1 += -Wunused-const-variable
WARNING2 := -Waggregate-return
WARNING2 += -Wcast-align
-WARNING2 += -Wdisabled-optimization
WARNING2 += -Wnested-externs
WARNING2 += -Wshadow
WARNING2 += -Wlogical-op
WARNING2 += -Wmissing-field-initializers
WARNING2 += -Wsign-compare
-WARNING2 += -Wmaybe-uninitialized
WARNING3 := -Wbad-function-cast
WARNING3 += -Wcast-qual
WARNING3 += -Wpointer-arith
WARNING3 += -Wredundant-decls
WARNING3 += -Wswitch-default
-WARNING3 += -Wpacked-bitfield-compat
-WARNING3 += -Wvla
ifeq (${W},1)
WARNINGS := $(WARNING1)
WARNINGS := $(WARNING1) $(WARNING2) $(WARNING3)
endif
+WARNINGS += -Wunused -Wno-unused-parameter \
+ -Wdisabled-optimization \
+ -Wvla
+
+ifeq ($(findstring clang,$(notdir $(CC))),)
+# not using clang
+WARNINGS += -Wunused-but-set-variable \
+ -Wmaybe-uninitialized \
+ -Wpacked-bitfield-compat \
+ -Wshift-overflow=2
+else
+# using clang
+WARNINGS += -Wshift-overflow -Wshift-sign-overflow
+endif
+
ifneq (${E},0)
ERRORS := -Werror
endif
CPPFLAGS = ${DEFINES} ${INCLUDES} ${MBEDTLS_INC} -nostdinc \
-Wmissing-include-dirs $(ERRORS) $(WARNINGS)
ASFLAGS += $(CPPFLAGS) $(ASFLAGS_$(ARCH)) \
- -D__ASSEMBLY__ -ffreestanding \
- -Wa,--fatal-warnings
+ -ffreestanding -Wa,--fatal-warnings
TF_CFLAGS += $(CPPFLAGS) $(TF_CFLAGS_$(ARCH)) \
-ffreestanding -fno-builtin -Wall -std=gnu99 \
-Os -ffunction-sections -fdata-sections
+ifeq (${SANITIZE_UB},on)
+TF_CFLAGS += -fsanitize=undefined -fno-sanitize-recover
+endif
+ifeq (${SANITIZE_UB},trap)
+TF_CFLAGS += -fsanitize=undefined -fno-sanitize-recover \
+ -fsanitize-undefined-trap-on-error
+endif
+
GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
ifneq ($(findstring armlink,$(notdir $(LD))),)
BL_COMMON_SOURCES += lib/${ARCH}/armclang_printf.S
endif
+ifeq (${SANITIZE_UB},on)
+BL_COMMON_SOURCES += plat/common/ubsan.c
+endif
+
INCLUDES += -Iinclude \
-Iinclude/arch/${ARCH} \
-Iinclude/lib/cpus/${ARCH} \
${PLAT_INCLUDES} \
${SPD_INCLUDES}
-ifeq (${ERROR_DEPRECATED},0)
-INCLUDES += -Iinclude/bl1 \
- -Iinclude/bl2 \
- -Iinclude/bl2u \
- -Iinclude/bl31 \
- -Iinclude/drivers \
- -Iinclude/drivers/arm \
- -Iinclude/drivers/auth \
- -Iinclude/drivers/io \
- -Iinclude/drivers/ti/uart \
- -Iinclude/lib \
- -Iinclude/lib/cpus \
- -Iinclude/lib/el3_runtime \
- -Iinclude/lib/extensions \
- -Iinclude/lib/pmf \
- -Iinclude/lib/psci \
- -Iinclude/lib/xlat_tables \
- -Iinclude/plat/common \
- -Iinclude/services \
- -Iinclude/tools_share
-endif
-
include common/backtrace/backtrace.mk
################################################################################
endif
# If pointer authentication is used in the firmware, make sure that all the
-# registers associated to it are also saved and restored. Not doing it would
-# leak the value of the key used by EL3 to EL1 and S-EL1.
+# registers associated to it are also saved and restored.
+# Not doing it would leak the value of the keys used by EL3 to EL1 and S-EL1.
ifeq ($(ENABLE_PAUTH),1)
ifeq ($(CTX_INCLUDE_PAUTH_REGS),0)
- $(error ENABLE_PAUTH=1 requires CTX_INCLUDE_PAUTH_REGS=1)
+ $(error Pointer Authentication requires CTX_INCLUDE_PAUTH_REGS=1)
+ endif
+endif
+
+ifeq ($(CTX_INCLUDE_PAUTH_REGS),1)
+ ifneq (${ARCH},aarch64)
+ $(error CTX_INCLUDE_PAUTH_REGS requires AArch64)
+ else
+ $(info CTX_INCLUDE_PAUTH_REGS is an experimental feature)
+ endif
+endif
+
+ifeq ($(ENABLE_PAUTH),1)
+ $(info Pointer Authentication is an experimental feature)
+endif
+
+ifeq ($(ENABLE_BTI),1)
+ $(info Branch Protection is an experimental feature)
+endif
+
+ifeq ($(CTX_INCLUDE_MTE_REGS),1)
+ ifneq (${ARCH},aarch64)
+ $(error CTX_INCLUDE_MTE_REGS requires AArch64)
+ else
+ $(info CTX_INCLUDE_MTE_REGS is an experimental feature)
endif
endif
# Process platform overrideable behaviour
################################################################################
-# Using the ARM Trusted Firmware BL2 implies that a BL33 image also needs to be
-# supplied for the FIP and Certificate generation tools. This flag can be
-# overridden by the platform.
+# Using BL2 implies that a BL33 image also needs to be supplied for the FIP and
+# Certificate generation tools. This flag can be overridden by the platform.
ifdef BL2_SOURCES
ifdef EL3_PAYLOAD_BASE
# If booting an EL3 payload there is no need for a BL33 image
$(eval $(call assert_boolean,CTX_INCLUDE_AARCH32_REGS))
$(eval $(call assert_boolean,CTX_INCLUDE_FPREGS))
$(eval $(call assert_boolean,CTX_INCLUDE_PAUTH_REGS))
+$(eval $(call assert_boolean,CTX_INCLUDE_MTE_REGS))
$(eval $(call assert_boolean,DEBUG))
$(eval $(call assert_boolean,DYN_DISABLE_AUTH))
$(eval $(call assert_boolean,EL3_EXCEPTION_HANDLING))
$(eval $(call assert_boolean,ENABLE_AMU))
$(eval $(call assert_boolean,ENABLE_ASSERTIONS))
$(eval $(call assert_boolean,ENABLE_MPAM_FOR_LOWER_ELS))
-$(eval $(call assert_boolean,ENABLE_PAUTH))
$(eval $(call assert_boolean,ENABLE_PIE))
$(eval $(call assert_boolean,ENABLE_PMF))
$(eval $(call assert_boolean,ENABLE_PSCI_STAT))
$(eval $(call assert_boolean,GICV2_G0_FOR_EL3))
$(eval $(call assert_boolean,HANDLE_EA_EL3_FIRST))
$(eval $(call assert_boolean,HW_ASSISTED_COHERENCY))
-$(eval $(call assert_boolean,MULTI_CONSOLE_API))
$(eval $(call assert_boolean,NS_TIMER_SWITCH))
$(eval $(call assert_boolean,OVERRIDE_LIBC))
$(eval $(call assert_boolean,PL011_GENERIC_UART))
$(eval $(call assert_boolean,WARMBOOT_ENABLE_DCACHE_EARLY))
$(eval $(call assert_boolean,BL2_AT_EL3))
$(eval $(call assert_boolean,BL2_IN_XIP_MEM))
+$(eval $(call assert_boolean,BL2_INV_DCACHE))
$(eval $(call assert_numeric,ARM_ARCH_MAJOR))
$(eval $(call assert_numeric,ARM_ARCH_MINOR))
+$(eval $(call assert_numeric,BRANCH_PROTECTION))
+
+ifdef KEY_SIZE
+ $(eval $(call assert_numeric,KEY_SIZE))
+endif
+
+ifeq ($(filter $(SANITIZE_UB), on off trap),)
+ $(error "Invalid value for SANITIZE_UB: can be one of on, off, trap")
+endif
################################################################################
# Add definitions to the cpp preprocessor based on the current build options.
$(eval $(call add_define,CTX_INCLUDE_FPREGS))
$(eval $(call add_define,CTX_INCLUDE_PAUTH_REGS))
$(eval $(call add_define,EL3_EXCEPTION_HANDLING))
+$(eval $(call add_define,CTX_INCLUDE_MTE_REGS))
$(eval $(call add_define,ENABLE_AMU))
$(eval $(call add_define,ENABLE_ASSERTIONS))
+$(eval $(call add_define,ENABLE_BTI))
$(eval $(call add_define,ENABLE_MPAM_FOR_LOWER_ELS))
$(eval $(call add_define,ENABLE_PAUTH))
$(eval $(call add_define,ENABLE_PIE))
$(eval $(call add_define,HANDLE_EA_EL3_FIRST))
$(eval $(call add_define,HW_ASSISTED_COHERENCY))
$(eval $(call add_define,LOG_LEVEL))
-$(eval $(call add_define,MULTI_CONSOLE_API))
$(eval $(call add_define,NS_TIMER_SWITCH))
$(eval $(call add_define,PL011_GENERIC_UART))
$(eval $(call add_define,PLAT_${PLAT}))
$(eval $(call add_define,WARMBOOT_ENABLE_DCACHE_EARLY))
$(eval $(call add_define,BL2_AT_EL3))
$(eval $(call add_define,BL2_IN_XIP_MEM))
+$(eval $(call add_define,BL2_INV_DCACHE))
+
+ifeq (${SANITIZE_UB},trap)
+ $(eval $(call add_define,MONITOR_TRAPS))
+endif
# Define the EL3_PAYLOAD_BASE flag only if it is provided.
ifdef EL3_PAYLOAD_BASE
$(eval $(call add_define,PRELOADED_BL33_BASE))
endif
endif
-# Define the AARCH32/AARCH64 flag based on the ARCH flag
-ifeq (${ARCH},aarch32)
- $(eval $(call add_define,AARCH32))
-else
- $(eval $(call add_define,AARCH64))
-endif
# Define the DYN_DISABLE_AUTH flag only if set.
ifeq (${DYN_DISABLE_AUTH},1)
msg_start:
@echo "Building ${PLAT}"
-# Check if deprecated declarations and cpp warnings should be treated as error or not.
ifeq (${ERROR_DEPRECATED},0)
+# Check if deprecated declarations and cpp warnings should be treated as error or not.
ifneq ($(findstring clang,$(notdir $(CC))),)
CPPFLAGS += -Wno-error=deprecated-declarations
else
CPPFLAGS += -Wno-error=deprecated-declarations -Wno-error=cpp
endif
+# __ASSEMBLY__ is deprecated in favor of the compiler-builtin __ASSEMBLER__.
+ASFLAGS += -D__ASSEMBLY__
+# AARCH32/AARCH64 macros are deprecated in favor of the compiler-builtin __aarch64__.
+ifeq (${ARCH},aarch32)
+ $(eval $(call add_define,AARCH32))
+else
+ $(eval $(call add_define,AARCH64))
endif
+endif # !ERROR_DEPRECATED
$(eval $(call MAKE_LIB_DIRS))
$(eval $(call MAKE_LIB,c))
checkcodebase: locate-checkpatch
@echo " CHECKING STYLE"
@if test -d .git ; then \
- git ls-files | grep -E -v 'libfdt|libc|docs|\.md' | \
+ git ls-files | grep -E -v 'libfdt|libc|docs|\.rst' | \
while read GIT_FILE ; \
do ${CHECKPATCH} ${CHECKCODE_ARGS} -f $$GIT_FILE ; \
done ; \
-not -iwholename "*libfdt*" \
-not -iwholename "*libc*" \
-not -iwholename "*docs*" \
- -not -iwholename "*.md" \
+ -not -iwholename "*.rst" \
-exec ${CHECKPATCH} ${CHECKCODE_ARGS} -f {} \; ; \
fi
.PHONY: libraries
romlib.bin: libraries
- ${Q}${MAKE} PLAT_DIR=${PLAT_DIR} BUILD_PLAT=${BUILD_PLAT} INCLUDES='${INCLUDES}' DEFINES='${DEFINES}' --no-print-directory -C ${ROMLIBPATH} all
+ ${Q}${MAKE} PLAT_DIR=${PLAT_DIR} BUILD_PLAT=${BUILD_PLAT} ENABLE_BTI=${ENABLE_BTI} ARM_ARCH_MINOR=${ARM_ARCH_MINOR} INCLUDES='${INCLUDES}' DEFINES='${DEFINES}' --no-print-directory -C ${ROMLIBPATH} all
cscope:
@echo " CSCOPE"
${Q}cscope -b -q -k
help:
- @echo "usage: ${MAKE} PLAT=<${PLATFORM_LIST}> [OPTIONS] [TARGET]"
+ @echo "usage: ${MAKE} [PLAT=<platform>] [OPTIONS] [TARGET]"
@echo ""
@echo "PLAT is used to specify which platform you wish to build."
@echo "If no platform is specified, PLAT defaults to: ${DEFAULT_PLAT}"
@echo ""
+ @echo "platform = ${PLATFORM_LIST}"
+ @echo ""
@echo "Please refer to the User Guide for a list of all supported options."
@echo "Note that the build system doesn't track dependencies for build "
@echo "options. Therefore, if any of the build options are changed "