Peer review fixes + ZynqMP robustness improvements

Squashes previous two work-in-progress commits and adds further hardening
discovered during large (>128 MB) signed FIT boot bring-up:

hal/zynq.c:
  - Route IOU_TAPDLY_BYPASS writes through pmu_request when running at
    EL <= 2 in the <=40 MHz and <=100 MHz branches; the upstream code
    only did this in the <=150 MHz branch, but the register is equally
    unwritable from EL2/EL1 at lower clocks.
  - Add qspi_flash_reset() (0x66 RESET_ENABLE + 0x99 RESET_MEMORY),
    called once per chip in dual-parallel during qspi_init so the flash
    starts from a known state regardless of what FSBL/BootROM left
    behind (e.g. XIP, 4-byte address, or auto-boot probing).
  - Remove unused 'reg' in csu_aes and 'ms' in csu_init so -Werror=unused-variable
    builds (OPTIMIZATION_LEVEL=0 / DEBUG=1) succeed.

hal/zynq.ld:
  - Move wolfBoot ORIGIN from 0x08000000 to 0x10000000. For FIT images
    whose kernel load address is 0x00200000 and whose payload approaches
    or exceeds ~126 MB, the kernel memcpy at handoff would sweep across
    0x08000000 and overwrite wolfBoot's own running code. 0x10000000
    leaves headroom below WOLFBOOT_LOAD_ADDRESS (0x18000000).

tools/scripts/zcu102/zcu102-ca53-qspi.cmm:
  - Full rewrite based on Lauterbach TRACE32 ZCU102 QSPI demo: adds
    PREPAREONLY entry mode, &dualqspi single/dual toggle, READ_ID_TEST
    subroutine for single-flash variants, and separate dialogs to flash
    BOOT.BIN at offset 0 and test-app/image_v1_signed.bin at the
    partition boot address.
  - Document TRACE32 temp-memory ceiling (~128 MB) near FLASHFILE.Create:
    Load buffers the entire source file into temp memory, so files
    larger than that must be split externally (e.g. via dd) and each
    chunk loaded in its own FLASHFILE.ReProgram ALL / off bracket.

config/examples/zynqmp_sdcard.config, docs/Targets.md, include/sdhci.h,
src/boot_aarch64.c: peer review feedback from PR662.

Author: dgarske

config/examples/zynqmp_sdcard.config

@@ -84,8 +84,11 @@ CFLAGS_EXTRA+=-DBOOT_PART_A=1
 CFLAGS_EXTRA+=-DBOOT_PART_B=2
 
 # Disk read chunk size for firmware loading (update_disk.c). 512KB gives the
-# best throughput (~1.4s for 32MB). The SDMA engine handles boundary crossings
-# every 4KB (SDHCI_DMA_THRESHOLD default) within each 512KB chunk.
+# best throughput (~1.4s for 32MB). The SDMA engine handles SDMA buffer
+# boundary crossings within each 512KB chunk; this boundary is 4KB by default
+# (auto-derived from SDHCI_DMA_THRESHOLD). To reduce boundary IRQs, override
+# SDHCI_DMA_BUFF_BOUNDARY independently, e.g.:
+#   CFLAGS_EXTRA+=-DSDHCI_DMA_BUFF_BOUNDARY=SDHCI_SRS01_DMA_BUFF_512KB
 CFLAGS_EXTRA+=-DDISK_BLOCK_SIZE=0x80000
 
 # Linux rootfs is on partition 4. Device naming depends on whether both

docs/Targets.md

@@ -2599,7 +2599,7 @@ qemu-system-aarch64 -machine xlnx-zcu102 -cpu cortex-a53 -serial stdio -display
 
 Use `config/examples/zynqmp_sdcard.config`. This uses the Arasan SDHCI controller (SD1 - external SD card slot on ZCU102) and an **MBR** partitioned SD card.
 
-wolfBoot unconditionally flushes the EL2 D-cache/I-cache and disables the EL2 MMU before handoff (see `el2_flush_and_disable_mmu` in `src/boot_aarch64_start.S`), satisfying the ARM64 Linux boot protocol with no extra config flag required.
+On the direct-jump handoff path, wolfBoot flushes the EL2 D-cache/I-cache and disables the EL2 MMU via `el2_flush_and_disable_mmu` in `src/boot_aarch64_start.S` when `BOOT_EL1` is not enabled and the current exception level is EL2. The ERET-to-EL1 handoff path is different, so this cleanup is not unconditional.
 
 **Partition layout**
 | Partition | Name   | Size      | Type                          | Contents                                   |
@@ -2705,8 +2705,11 @@ The ZynqMP uses an Arasan SDHCI v3.0 controller. Key considerations:
   level. `SDHCI_FORCE_CARD_DETECT` is set in the config since FSBL already booted from
   the same SD card.
 - **`DISK_BLOCK_SIZE`**: Controls the firmware read chunk size in `update_disk.c` (default
-  64KB). This determines the per-read size passed to the SDHCI driver. Must be less than
-  the SDMA buffer boundary (4KB with the default threshold).
+  64KB). This determines the per-read size passed to the SDHCI driver. It does not need
+  to be smaller than `SDHCI_DMA_BUFF_BOUNDARY`; if a read crosses one or more SDMA buffer
+  boundaries, the SDHCI driver handles that via the normal SDMA boundary interrupt path.
+  In practice, this setting is a tradeoff: larger reads may trigger boundary IRQs more
+  often, while smaller reads reduce crossings but increase request overhead.
 
 **Debug**
 

hal/zynq.c

@@ -504,7 +504,6 @@ static int csu_dma_config(int ch, int doSwap)
 int csu_aes(int enc, const uint8_t* iv, const uint8_t* in, uint8_t* out, uint32_t sz)
 {
     int ret;
-    uint32_t reg;
 
     /* Flush data cache for variables used */
     flush_dcache_range((unsigned long)iv,  (unsigned long)iv + AES_GCM_TAG_SZ);
@@ -601,7 +600,6 @@ int csu_init(void)
 #endif
     uint32_t reg1 = pmu_mmio_read(CSU_IDCODE);
     uint32_t reg2 = pmu_mmio_read(CSU_VERSION);
-    uint64_t ms;
 
     wolfBoot_printf("CSU ID 0x%08x, Ver 0x%08x\n",
         reg1, reg2 & CSU_VERSION_MASK);
@@ -1361,6 +1359,36 @@ static int qspi_exit_4byte_addr(QspiDev_t* dev)
 }
 #endif
 
+/* Soft-reset the flash to a known idle state.
+ * FSBL / BootROM may leave the flash in an unexpected mode (XIP enabled,
+ * 4-byte addr set, auto-boot probing, etc.). Issue RESET_ENABLE (0x66) +
+ * RESET_MEMORY (0x99) to bring it back to defaults before first transaction.
+ * Per Micron MT25Q datasheet: t_SHSL2 ~ 40 us max after RESET_MEMORY. */
+static int qspi_flash_reset(QspiDev_t* dev)
+{
+    int ret;
+    uint8_t cmd[4]; /* size multiple of uint32_t */
+
+    memset(cmd, 0, sizeof(cmd));
+    cmd[0] = RESET_ENABLE_CMD;
+    ret = qspi_transfer(dev, cmd, 1, NULL, 0, NULL, 0, 0,
+        GQSPI_GEN_FIFO_MODE_SPI);
+#if defined(DEBUG_ZYNQ) && DEBUG_ZYNQ >= 2
+    wolfBoot_printf("Flash Reset Enable: Ret %d\n", ret);
+#endif
+    if (ret == GQSPI_CODE_SUCCESS) {
+        cmd[0] = RESET_MEMORY_CMD;
+        ret = qspi_transfer(dev, cmd, 1, NULL, 0, NULL, 0, 0,
+            GQSPI_GEN_FIFO_MODE_SPI);
+    #if defined(DEBUG_ZYNQ) && DEBUG_ZYNQ >= 2
+        wolfBoot_printf("Flash Reset Memory: Ret %d\n", ret);
+    #endif
+    }
+    /* Allow flash time to complete the reset and become ready. */
+    hal_delay_ms(1);
+    return ret;
+}
+
 /* QSPI functions */
 void qspi_init(void)
 {
@@ -1444,13 +1472,29 @@ void qspi_init(void)
 #if (GQSPI_CLK_REF / (2 << GQSPI_CLK_DIV)) <= 40000000 /* 40MHz */
     /* At <40 MHz, the Quad-SPI controller should be in non-loopback mode with
      * the clock and data tap delays bypassed. */
-    IOU_TAPDLY_BYPASS |= IOU_TAPDLY_BYPASS_LQSPI_RX;
+    /* IOU_TAPDLY_BYPASS is not writable from EL2/EL1 without going through PMU. */
+    if (current_el() <= 2) {
+        pmu_request(PM_MMIO_WRITE, IOU_TAPDLY_BYPASS_ADDR,
+                    IOU_TAPDLY_BYPASS_LQSPI_RX, IOU_TAPDLY_BYPASS_LQSPI_RX,
+                    0, NULL);
+    }
+    else {
+        IOU_TAPDLY_BYPASS |= IOU_TAPDLY_BYPASS_LQSPI_RX;
+    }
     GQSPI_LPBK_DLY_ADJ = 0;
     GQSPI_DATA_DLY_ADJ = 0;
 #elif (GQSPI_CLK_REF / (2 << GQSPI_CLK_DIV)) <= 100000000 /* 100MHz */
     /* At <100 MHz, the Quad-SPI controller should be in clock loopback mode
      * with the clock tap delay bypassed, but the data tap delay enabled. */
-    IOU_TAPDLY_BYPASS |= IOU_TAPDLY_BYPASS_LQSPI_RX;
+    /* IOU_TAPDLY_BYPASS is not writable from EL2/EL1 without going through PMU. */
+    if (current_el() <= 2) {
+        pmu_request(PM_MMIO_WRITE, IOU_TAPDLY_BYPASS_ADDR,
+                    IOU_TAPDLY_BYPASS_LQSPI_RX, IOU_TAPDLY_BYPASS_LQSPI_RX,
+                    0, NULL);
+    }
+    else {
+        IOU_TAPDLY_BYPASS |= IOU_TAPDLY_BYPASS_LQSPI_RX;
+    }
     GQSPI_LPBK_DLY_ADJ = GQSPI_LPBK_DLY_ADJ_USE_LPBK;
     GQSPI_DATA_DLY_ADJ = (GQSPI_DATA_DLY_ADJ_USE_DATA_DLY |
                           GQSPI_DATA_DLY_ADJ_DATA_DLY_ADJ(2));
@@ -1485,6 +1529,19 @@ void qspi_init(void)
     (void)reg_cfg;
     (void)reg_isr;
 
+    /* Issue flash soft reset so we start from a known state regardless of
+     * whatever mode FSBL/BootROM left the device in. Send to each chip in
+     * dual-parallel configurations by targeting both chip selects. */
+    mDev.mode = GQSPI_GEN_FIFO_MODE_SPI;
+    mDev.bus = GQSPI_GEN_FIFO_BUS_LOW;
+    mDev.cs = GQSPI_GEN_FIFO_CS_LOWER;
+    (void)qspi_flash_reset(&mDev);
+#if GQPI_USE_DUAL_PARALLEL == 1
+    mDev.bus = GQSPI_GEN_FIFO_BUS_UP;
+    mDev.cs = GQSPI_GEN_FIFO_CS_UPPER;
+    (void)qspi_flash_reset(&mDev);
+#endif
+
     /* ------ Flash Read ID (retry) ------ */
     timeout = 0;
     while (++timeout < QSPI_FLASH_READY_TRIES) {
@@ -1577,6 +1634,10 @@ void hal_init(void)
     wolfBoot_printf(bootMsg);
     wolfBoot_printf("Current EL: %d\n", current_el());
 
+#ifndef WOLFBOOT_REPRODUCIBLE_BUILD
+    wolfBoot_printf("Build: %s %s\n", __DATE__, __TIME__);
+#endif
+
 #if defined(EXT_FLASH) && (EXT_FLASH == 1)
     qspi_init();
 #endif
@@ -1810,14 +1871,23 @@ void RAMFUNCTION ext_flash_unlock(void)
 }
 
 #if defined(MMU) && defined(__WOLFBOOT)
+/* Fallback timer frequency if CNTFRQ_EL0 is not configured (e.g. boot path
+ * that did not run ATF/BL31). ZynqMP system counter is 100 MHz. */
+#ifndef ZYNQMP_TIMER_CLK_FREQ
+#define ZYNQMP_TIMER_CLK_FREQ 100000000ULL
+#endif
+
 /* Get current time in microseconds using ARMv8 generic timer */
 uint64_t hal_get_timer_us(void)
 {
     uint64_t count, freq;
     __asm__ volatile("mrs %0, CNTPCT_EL0" : "=r"(count));
     __asm__ volatile("mrs %0, CNTFRQ_EL0" : "=r"(freq));
+    /* Fall back to a known frequency rather than returning 0, so udelay()
+     * callers that spin on hal_get_timer_us() advancing remain monotonic
+     * (matches hal/versal.c). */
     if (freq == 0)
-        return 0;
+        freq = ZYNQMP_TIMER_CLK_FREQ;
     /* Use __uint128_t to avoid overflow of (count * 1e6) at long uptimes
      * (would overflow uint64_t after ~51h at 100MHz). */
     return (uint64_t)(((__uint128_t)count * 1000000ULL) / freq);

hal/zynq.ld

@@ -13,10 +13,16 @@ MEMORY
 {
    /* psu_ddr_0_MEM_0 : ORIGIN = 0x0, LENGTH = 0x80000000 */
    /* wolfBoot DDR location (2MB reserved):
-    *   Loaded by FSBL/BL31 to DDR at 0x8000000 (128MB)
-    *   Same address used for both QSPI and SD card boot
+    *   Loaded by FSBL/BL31 to DDR at 0x10000000 (256MB).
+    *   Must be above the OS kernel load region. For FIT images whose "load"
+    *   address is 0x00200000 (typical for AArch64 kernels) and whose payload
+    *   approaches or exceeds ~126MB, the kernel memcpy into 0x00200000..
+    *   sweeps across 0x08000000 and would clobber wolfBoot's own running code
+    *   if linked there. 0x10000000 leaves headroom below
+    *   WOLFBOOT_LOAD_ADDRESS (0x18000000) where the signed image is staged
+    *   for verification. Same address used for QSPI and SD card boot.
     */
-   psu_ddr_0_MEM_0 : ORIGIN = 0x8000000, LENGTH = 0x200000
+   psu_ddr_0_MEM_0 : ORIGIN = 0x10000000, LENGTH = 0x200000
    psu_ddr_1_MEM_0 : ORIGIN = 0x800000000, LENGTH = 0x80000000
    psu_ocm_ram_0_MEM_0 : ORIGIN = 0xFFFC0000, LENGTH = 0x40000
    psu_qspi_linear_0_MEM_0 : ORIGIN = 0xC0000000, LENGTH = 0x20000000

include/sdhci.h

@@ -57,7 +57,13 @@
 #define DISK_TEST_BLOCK_ADDR    149504  /* ~76MB offset */
 #endif
 
-/* Auto-select DMA buffer boundary based on threshold */
+/* DMA buffer boundary: how often the SDMA engine pauses to refresh its
+ * address pointer (handled by sdhci_irq_handler() via SDHCI_SRS12_DMAINT).
+ * This is a throughput knob and is independent of SDHCI_DMA_THRESHOLD
+ * (which controls when to switch from PIO to SDMA). Override in target
+ * .config to match the largest expected single transfer for fewer
+ * boundary IRQs; otherwise auto-select based on the threshold. */
+#ifndef SDHCI_DMA_BUFF_BOUNDARY
 #if (SDHCI_DMA_THRESHOLD > (256U * 1024U))
     #define SDHCI_DMA_BUFF_BOUNDARY   SDHCI_SRS01_DMA_BUFF_512KB
     #if (SDHCI_DMA_THRESHOLD != (512U * 1024U))
@@ -99,6 +105,7 @@
         #warning "SDHCI_DMA_THRESHOLD rounded up to 4KB (minimum)"
     #endif
 #endif
+#endif /* !SDHCI_DMA_BUFF_BOUNDARY */
 
 /* Timeouts */
 #ifndef SDHCI_INIT_TIMEOUT_US

src/boot_aarch64.c

@@ -34,7 +34,7 @@
 #include "hal/versal.h"
 #elif defined(TARGET_zynq)
 #include "hal/zynq.h"
-#elif defined(TARGET_ls1028a)
+#elif defined(TARGET_nxp_ls1028a)
 #include "hal/nxp_ls1028a.h"
 #endif
 

tools/scripts/nxp_t1040/t1040_debug.cmm

@@ -18,8 +18,10 @@
 ;   3. wolfBoot runs from DDR (0x7FF00000)
 ; ------------------------------------------------------------------------------
 
-; Base directory for wolfBoot build output (adjust to match your build path)
-&basedir="/home/davidgarske/GitHub/wolfboot-alt"
+; Base directory for wolfBoot build output. "." means the TRACE32 current
+; working directory - set this to your wolfBoot checkout path if running
+; TRACE32 from elsewhere (e.g. "C:/src/wolfBoot" or "/home/user/wolfBoot").
+&basedir="."
 
 PRINT "========================================"
 PRINT "T1040 wolfBoot Debug Session"

tools/scripts/nxp_t1040/t1040_flash.cmm

@@ -25,11 +25,15 @@
 ;   0xEFFFC000: Stage 1 loader (16 KB, includes reset vector)
 ; ------------------------------------------------------------------------------
 
-; Base directory for wolfBoot build output (adjust to match your build path)
-&basedir="/home/davidgarske/GitHub/wolfboot-alt"
-
-; Persistent backup directory (survives make clean)
-&backupdir="/home/davidgarske/Projects/NXP/t1040rdb"
+; Base directory for wolfBoot build output. "." means the TRACE32 current
+; working directory - set this to your wolfBoot checkout path if running
+; TRACE32 from elsewhere (e.g. "C:/src/wolfBoot" or "/home/user/wolfBoot").
+&basedir="."
+
+; Persistent backup directory (survives make clean). Leave as "." to keep
+; artifacts alongside the build tree, or point elsewhere to preserve
+; signed/backup images across source cleans.
+&backupdir="."
 
 ; FLASH Number of banks
 ; The JS28F00AM29EWHA is a single 128MB NOR chip. CPLD virtual banking