Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This changes to build system to use thin archives rather than
incremental linking for built-in.o, similar to recent change to Linux.
built-in.o is renamed to built-in.a, and is created as a thin archive
with no index, for speed and size. All built-in.a are aggregated into
a skiboot.tmp.a which is a thin archive built with an index, making it
suitable or linking. This is input into the final link.
The advantags of build size and linker code placement flexibility are
not as great with skiboot as a bigger project like Linux, but it's a
conceptually better way to build, and is more compatible with link
time optimisation in toolchains which might be interesting for skiboot
particularly for size reductions.
Size of build tree before this patch is 34.4MB, afterwards 23.1MB.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Print DSISR and DAR, to help with deciphering machine check exceptions,
and improve the output a bit, decode NIP symbol, improve alignment, etc.
Also print a specific header for machine check, because we do expect to
see these if there is a hardware failure.
Before:
[ 0.005968779,3] ***********************************************
[ 0.005974102,3] Unexpected exception 200 !
[ 0.005978696,3] SRR0 : 000000003002ad80 SRR1 : 9000000000001000
[ 0.005985239,3] HSRR0: 00000000300027b4 HSRR1: 9000000030001000
[ 0.005991782,3] LR : 000000003002ad80 CTR : 0000000000000000
[ 0.005998130,3] CFAR : 00000000300b58bc
[ 0.006002769,3] CR : 40000004 XER: 20000000
[ 0.006008069,3] GPR00: 000000003002ad80 GPR16: 0000000000000000
[ 0.006015170,3] GPR01: 0000000031c03bd0 GPR17: 0000000000000000
[...]
After:
[ 0.003287941,3] ***********************************************
[ 0.003561769,3] Fatal MCE at 000000003002ad80 .nvram_init+0x24
[ 0.003579628,3] CFAR : 00000000300b5964
[ 0.003584268,3] SRR0 : 000000003002ad80 SRR1 : 9000000000001000
[ 0.003590812,3] HSRR0: 00000000300027b4 HSRR1: 9000000030001000
[ 0.003597355,3] DSISR: 00000000 DAR : 0000000000000000
[ 0.003603480,3] LR : 000000003002ad68 CTR : 0000000030093d80
[ 0.003609930,3] CR : 40000004 XER : 20000000
[ 0.003615698,3] GPR00: 00000000300149e8 GPR16: 0000000000000000
[ 0.003622799,3] GPR01: 0000000031c03bc0 GPR17: 0000000000000000
[...]
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The current boot sequence inherits MSR[ME] from the IPL firmware, and
never changes it. Some environments disable MSR[ME] (e.g., mambo), and
others can enable it (hostboot).
This has two problems. First, MSR[ME] must be disabled while in the
process of taking over the interrupt vector from the previous
environment. Second, after installing our machine check handler,
MSR[ME] should be enabled to get some useful output rather than a
checkstop.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This gives us per-cpu guard values as well. For now I just
xor a magic constant with the CPU PIR value.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This imports tb_measure() from stb.c, but now it calls the CVC sha512
wrapper to calculate the sha512 hash of the firmware image provided.
In trustedboot.c, the tb_measure() is renamed to trustedboot_measure().
The new function, trustedboot_measure(), no longer checks if the
container payload hash calculated at boot time matches with the hash
found in the container header. A few reasons:
- If the system admin wants the container header to be
checked/validated, the secure boot jumper must be set. Otherwise,
the container header information may not be reliable.
- The container layout is expected to change over time. Skiboot
would need to maintain a parser for each container layout
change.
- Skiboot could be checking the hash against a container version that
is not supported by the Container-Verification-Code (CVC).
The tb_measure() calls are updated to trustedboot_measure() in a
subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This imports the sb_verify() function from stb.c, but now it calls the
CVC verify wrapper in order to verify signed firmware images. The
hw-key-hash and hw-key-hash-size initialized in secureboot.c are passed
to the CVC verify function wrapper.
In secureboot.c, the sb_verify() is renamed to secureboot_verify(). The
sb_verify() calls are updated in a subsequent patch.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Switch fast reboot to use quiescing rather than "wait for a while".
If firmware can not be quiesced, then fast reboot is skipped. This
significantly improves the robustness of fast reboot in the face of
bugs or unexpected latencies.
Complexity of synchronization in fast-reboot is reduced, because we
are guaranteed to be single-threaded when quiesce succeeds, so locks
can be removed.
In the case that firmware can be quiesced, then it will generally
reduce fast reboot times by nearly 200ms, because quiescing usually
takes very little time.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Move opal_check_token from asm to C.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Add entry and exit C functions that can do some more complex
checks before the opal proper call. This requires saving off
volatile registers that have arguments in them.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
cmpxchg will be used in a subsequent change, and this reduces the
amount of asm code.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[stewart: fix some ifdef __TEST__ foo to ensure unittests work]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
We use the attn instruction to raise an error in early boot if OPAL
don't recognise the PVR. It's possible for hostboot to disable the
attn instruction before entering OPAL so add an extra busy loop after
the attn to prevent attempting to boot on an unknown processor.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
POWER7/8 use DSCR=0. POWER9 preferred value has "stride-N" enabled.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Add pm idle support to POWER9. IPIs are implemented with doorbells.
POWER9 can use the EC=ESL=0 (lite) stop when sreset is not available.
EC=ESL=1 state with RL=3 is enabled when we have a sreset wakeup.
Deep idle states are not implemented.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Set POWER9 RPR SPR to 0x00000103070F1F3F. Same value as P8.
Without this, thread priorities inside a core don't work.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Uses broadcast TLBIE's to cleanup the TLB on all cores and on
the nest MMU
By default this works with older binutils but there is a version (in
#defines) that requires newer binutils and which documents what the
instructions are.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
It uses tlbiel and only cleans up the TLB of the calling core
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Update default TSCR value for P9 as recommended by HW folk.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Recent CPUs have introduced a lower SMT priority. This uses the
Linux pattern of executing priority nops in descending order to
get a simple portable way to put the CPU into lowest SMT priority.
Introduce smt_lowest() and use it in place of smt_very_low and
smt_low ; smt_very_low sequences.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Long existing typo of r5 rather than r6, meaning we were storing CTR
instead of LR.
Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
When saving the CTR and LR registers the skiboot exception handlers use the
'stw' instruction which only saves the lower 32 bits of the register. Given
these are both 64 bit registers this leads to some strange register dumps,
for example:
***********************************************
Unexpected exception 200 !
SRR0 : 0000000030016968 SRR1 : 9000000000201000
HSRR0: 0000000000000180 HSRR1: 9000000000001000
LR : 3003438830823f50 CTR : 3003438800000018
CFAR : 00000000300168fc
CR : 40004208 XER: 00000000
In this dump the upper 32 bits of LR and CTR are actually stack gunk
which obscures the underlying issue.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Acked-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This register does not exist in ISAv3.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
For now, setup the HID and HMEER. We'll add more as we get
good default values from HW.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The bit doesn't exist
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
We have code to set DPFD to 4 in init_shared_sprs, from the original
commit, based on recommendations from HW.
However, we immediately override this in init_replicated_sprs with
the value 7.
So let's remove the former and update the latter to set the value
to 4.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Provide an experimental option to compile using ELFv2 ABI even on big
endian builds. ELFv2 + BE is not officially supported by the toolchain,
but it works quite well. It may be useful as a small step toward a
little-endian build.
This saves about 200kB of text/data.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The NACA now incorporates the entry points for the primary and secondary
threads.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Since a5721ba270, binutils does not support 3-operand cmp[l][i].
This adds (previously optional) parameter L.
Hre is the binutils commit:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=a5721ba270ddf860e0e5a45bba456214e8eac2be;hp=b82317dd347991288e4cca4772e951c672fca8cc
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Also moves some code around to ensure things are defined before they
are used.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Also changes the function name:
mambo_read/write() -> mambo_console_read/write()
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This is an experimental patch that implements "Fast reboot" on P8
machines.
The basic idea is that when the OS calls OPAL reboot, we gather all
the threads in the system using a combination of patching the reset
vector and soft-resetting them, then cleanup a few bits of hardware
(we do re-probe PCIe for example), and reload & restart the bootloader.
For Trusted Boot, this means we *add* measurements to the TPM, so you
will get *different* PCR values as compared to a full IPL. This makes
sense as if you want to be sure you are running something known then,
well, do a full IPL as soft reset should never be trusted to clear any
malicious code.
This is very experimental and needs a lot of testing and also auditing
code for other bits of HW that might need to be cleaned up.
BenH TODO: I also need to check if we are properly PERST'ing PCI devices.
This is partially based on old code I had to do that on P7. I only
support it on P8 though as there are issues with the PSI interrupts
on P7 that cannot be reliably solved.
Even though this should be considered somewhat experimental, we've had
a lot of success on a variety of machines. Dozens/hundreds of reboots
across Tuleta, Garrison and Habanero.
Currently, we've hidden it behind a NVRAM config option, which *is*
liable to change in the future (to ensure that only those who know
what they're doing enable it)
You can enable the experimental support via nvram option:
nvram -p ibm,skiboot --update-config experimental-fast-reset=feeling-lucky
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[stewart@linux.vnet.ibm.com: hide behind nvram option, include Mambo fixes
from Mikey]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This fixes the syntax of the parameters in rom_entry.S.
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This adds the Hostboot rom_entry.S used to jump into the verification code copied to RAM.
https://github.com/open-power/hostboot/blob/master/src/usr/secureboot/base/rom_entry.S
Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
master_cpu is used to determine the ChipTOD master if no ChipTOD
information is available in the HDAT. However, it is set to zero at every
skiboot entry point (fdt_entry, the 0x180 FSP entry and
opal_boot_trampoline) and is otherwise unused. This patch removes this
passing around and uses the boot CPU PIR to find the ChipTOD master rather
than zero.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Make it clearer that it's suitable for all forms of wakeup
from a reset handler.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Move them to the C code so that rvwinkle_restore() is more generic
and suitable for use for nap mode wakeup as well
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
The patch code itself is unchanged (for now...). Install it during
boot so we will be able to use power management instructions. We
can't just have a proper exception code built at 0x100 as this is
otherwise one of our entry points.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
And add an argument to specify whether to enter nap or rvwinkle
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
If we aren't loaded at 0 before relocation, we have no exception
handlers. This is annoying when debugging, but will be deadly
when we start using NAP mode which wakes up via the system reset
interrupt at 0x100.
So instead, let's copy the whole vectors block down. We are careful
to avoid 0..0x100 since that contains the boot flags which are
still "hot" as secondaries might still be entering skiboot.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
On P7 machines OPAL can be loaded as a replacement for PHYP or in an
OPAL specific mode. In OPAL mode 0x0 contains a pointer to the OPAL
specific variant of the NACA which defines the entrypoint to OPAL, etc.
Later machines use the same load method for for PHYP and OPAL and do not
need the OPAL specific NACA, but this needs to be kept around for backwards
compatibility.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
If we take an unknown exception at boot time we attempt to put the
exception vector in the back trace, The result looks like this (when
we take an 0x700):
S: 0000000031e838a0 R: 000000003001365c .backtrace+0x38
S: 0000000031e83930 R: 00000000300186cc ._abort+0x4c
S: 0000000031e839b0 R: 0000000030023a78 .exception_entry+0x114
S: 0000000031e83a40 R: 0000000000001f04 * +0x1f04
S: 0000000031e83c10 R: 0000000000000700 * +0x700
S: 0000000031e83e30 R: 0000000030014444 .main_cpu_entry+0x444
S: 0000000031e83f00 R: 000000003000259c boot_entry+0x19c
We overwrite link address in the current stack frame with the
exception vector (ie. 0x700 in the above example). Unfortunately this
overrides the location that caused the exception, which is much more
useful information in debugging the problem.
This patch removes the writing link register in the current stack
frame, so the back trace now looks like this:
S: 0000000031da38a0 R: 000000003001365c .backtrace+0x38
S: 0000000031da3930 R: 00000000300186cc ._abort+0x4c
S: 0000000031da39b0 R: 0000000030023a78 .exception_entry+0x114
S: 0000000031da3a40 R: 0000000000001f00 * +0x1f00
S: 0000000031da3c10 R: 00000000300323f8 .psi_init+0x1f4
S: 0000000031da3e30 R: 0000000030014444 .main_cpu_entry+0x444
S: 0000000031da3f00 R: 000000003000259c boot_entry+0x19c
This loses the exception vector from the back trace, but this
information is already available in the exception dump just above it
Suggestion by benh.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Acked-by: Balbir Singh <bsingharora@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Some were missing
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Add PVR detection, chip id and other misc bits for POWER9.
POWER9 changes the location of the HILE and attn enable bits in the
HID0 register, so add these definitions also.
Signed-off-by: Michael Neuling <mikey@neuling.org>
[stewart@linux.vnet.ibm.com: Fix Numbus typo, hdata_to_dt build fixes]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
This changes trigger_attn() to also enable attn via HID0, so callers
don't have to do it themselves.
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
Update the SPIRA-H pointer in the NACA so that the FSP can build and pass
the SPIRA-S structure to OPAL instead of the legacy SPIRA. Older systems
(which does not support SPIRA-H) ignores SPIRA-H pointer and continue to
pass legacy SPIRA.
"spira" is a global structure and referred everywhere inside hdata dir. Once
we enable SPIRA-H we get data in SPIRA-S area, not in legacy spira. Hence
fixup spira structure, so that we don't break building device tree.
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|
|
In very early boot, skiboot places secondary threads in holding loop
until the primary thread has finished relocating skiboot. The secondary
threads wait until a flag at INITAL_OFFSET + offsetof(boot_flag) is set
to one before continuing. After relocating the skiboot image and
applying ELF relocations the sets this flag and continues booting.
To avoid having to copy skiboot at runtime within the simulation e605691e
introduced a change to have the skiboot.tcl mambo script load skiboot at
it's preferred location of 0x30000000 rather than 0x00000000.
Unfortunately, the relocation code path is also responsible for saving the
inital offset pointer (into r15). When not taken this results in the main
thread writing to r15 + offsetof(boot_flag) instead, which leaves the
secondary threads stuck waiting for boot_flag and the main thread stuck
when trying to call-in the secondary threads during CPU initialisation.
This patch fixes the bug by saving the inital offset before checking if
relocation is necessary and adds a few comments to better document the
relocation process.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
|