core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by:

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens

core: ffa: sp_partition_info_get() takes uuid_words[]

Replace the TEE_UUID *ffa_uuid parameter with uint32_t ffa_uuid_words[4]
to simplify how sp_partition_info_get() is called.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Akshay Belsare <akshay.belsare@amd.com>

show more ...

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers x0-x17 to support passing arguments and results
according to SMC Calling Convention (SMCCC) version 1.2.

The difference is that before this change x8-x17 couldn't be used as
argument nor result and the content was preserved. With this patch are
x8-x17 returned as zeroes. New FF-A SMCs can take and return values in
the full range x0-x17.

64-bit SMCCC version 1.1 and earlier specified x4-x17 as unpredictable
or scratch registers. FF-A has specified x0-x7 as argument and result
registers, regardless of SMCCC. This has changed with SMCCC version 1.2
where the two standards harmonize on this.

struct thread_smc_1_2_regs is added in a 32-bit version for
compatibility, but it only covers r0-r7.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so re

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so replace this with reading the properties from the SP's manifest which
is the proper solution.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: spmc: implement boot-order support

Add support for boot-order property specified in the
SP manifest.

Signed-off-by: Gabor Ambrus <gabor.ambrus@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@

core: spmc: implement boot-order support

Add support for boot-order property specified in the
SP manifest.

Signed-off-by: Gabor Ambrus <gabor.ambrus@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sp: implement FF-A v1.1 boot protocol

Implement passing the boot info to Secure Partitions in the new format
defined by FF-A v1.1. The change is backwards compatible by keeping the
already exi

core: sp: implement FF-A v1.1 boot protocol

Implement passing the boot info to Secure Partitions in the new format
defined by FF-A v1.1. The change is backwards compatible by keeping the
already existing FF-A v1.0 format too. Which format to use is decided
based on the "ffa-version" field in the SP's manifest. The register to
use for passing the boot info blob's address is based on the
"gp-register-num" field.

Link: https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-binding.html#partition-properties
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: spmc: configure SP's NS interrupt action based on the manifest

Use mandatory ns-interrupts-action SP manifest property to configure
signaled or queued non-secure interrupt handling.

Signed-of

core: spmc: configure SP's NS interrupt action based on the manifest

Use mandatory ns-interrupts-action SP manifest property to configure
signaled or queued non-secure interrupt handling.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: spmc: support FF-A 1.1

Adds support for FF-A 1.1. Now OP-TEE will need to be able to work with
both version 1.0 and 1.1 depending on the other endpoint. The callee
supplies its implemented ver

core: spmc: support FF-A 1.1

Adds support for FF-A 1.1. Now OP-TEE will need to be able to work with
both version 1.0 and 1.1 depending on the other endpoint. The callee
supplies its implemented version and OP-TEE chooses the highest common
version and returns that. This is done per endpoint so some endpoint may
very well use version 1.0 while another uses version 1.1.

Two data structures, struct ffa_mem_transaction and struct
ffa_partition_info, are affected. Runtime conditionals are used to
select which version to use based on the negotiated FF-A version.

Reviewed-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: Allow multiple SPs with same UUID

The FF-A spec allows multiple SPs to have the same UUID. This makes
it possible to use the FF-A UUID as a identifier for the protocol on
top of the FF-A

core: ffa: Allow multiple SPs with same UUID

The FF-A spec allows multiple SPs to have the same UUID. This makes
it possible to use the FF-A UUID as a identifier for the protocol on
top of the FF-A layer.
To achieve this we have to make sure that the FFA_PARTITION_INFO_GET can
return more then one endpoint id if we pass a UUID.
To make sure that there is no collision between the SP binaries names,
we distinguish between the FF-A UUID and the SP UUID. The SP UUID is used
to identify the SP itself. While the FF-A UUID is used as part of the
FF-A protocol.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: spmc: fix FIP SP loading

The memory management in process_sp_pkg() function contains errors. It
tries to add new mappings for the SP packages that reside in the TA_RAM
PA range, but this range

core: spmc: fix FIP SP loading

The memory management in process_sp_pkg() function contains errors. It
tries to add new mappings for the SP packages that reside in the TA_RAM
PA range, but this range is already mapped so this is unnecessary and
wrong. Fix the code by simply using phys_to_virt() instead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces are only permitted in the initialization phase thus a new
state variable is being introduced in sp_session. SPs indicate the end
of their initialization phase through the FFA_MSG_WAIT interface.

Co-developed-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ffa: Process manifest endpoint_id

The manifest can specify the endpoint ID for a SP. Process it and make
sure that 2 SPs don't have the same endpoint ID.
The sp_init_uuid() has been split into

core: ffa: Process manifest endpoint_id

The manifest can specify the endpoint ID for a SP. Process it and make
sure that 2 SPs don't have the same endpoint ID.
The sp_init_uuid() has been split into 2 functions (sp_init_uuid() and
sp_first_run()), this is needed to make sure that the SPs has the
correct endpoint ID during it's first run.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: sp: add support for SPs in the FIP

This commit introduces support for using SPs from the FIP. TF-A offers a
mechanism to encapsulate an SP image and its manifest into an SP package
and add tha

core: sp: add support for SPs in the FIP

This commit introduces support for using SPs from the FIP. TF-A offers a
mechanism to encapsulate an SP image and its manifest into an SP package
and add that to the FIP. During boot BL2 will load these packages into
memory and the SPMC manifest is used to pass the load addresses to the
SPMC. The SP package contains a header, the SP manifest and the SP image
itself [1].

For loading the SP packages the existing embedded SP handling code is
mostly reused. The only difference is that instead of a scattered array
that's created at build time the SP packages are discovered at runtime
and collected into a linked list.

Link: [1] https://trustedfirmware-a.readthedocs.io/en/v2.6/components/secure-partition-manager.html#secure-partition-packages
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: sp: Append fdt manifest to SP image

Sp use a manifest file that define information about the SP. A device
tree (fdt) will be used as a manifest file. This is in line with the
Hafnium SPMC mani

core: sp: Append fdt manifest to SP image

Sp use a manifest file that define information about the SP. A device
tree (fdt) will be used as a manifest file. This is in line with the
Hafnium SPMC manifest format.

The fdt will be appended to the SP image by adding a --manifest flag to
the scripts/ts_bin_to_c.py script.

Link: https://trustedfirmware-a.readthedocs.io/en/latest/components/ffa-manifest-binding.html
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: FF-A: Add FFA_MEM_RELINQUISH

FFA_MEM_RELINQUISH is used by a SP to release a memory share that was
claimed by calling FFA_MEM_RETRIEVE_REQ_64 before.
The memory region will be unmapped from th

core: FF-A: Add FFA_MEM_RELINQUISH

FFA_MEM_RELINQUISH is used by a SP to release a memory share that was
claimed by calling FFA_MEM_RETRIEVE_REQ_64 before.
The memory region will be unmapped from the SPs memory once
FFA_MEM_RELINQUISH has been called the same amount of times as
FFA_MEM_RETRIEVE_REQ_64.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: FF-A: ADD FFA_MEM_RETRIEVE for SPs

FFA_MEM_RETRIEVE is used by a SP to retrieve a FF-A memory share with a
handle. Once the FFA_MEM_RETRIEVE message is handled correctly the
corresponding memo

core: FF-A: ADD FFA_MEM_RETRIEVE for SPs

FFA_MEM_RETRIEVE is used by a SP to retrieve a FF-A memory share with a
handle. Once the FFA_MEM_RETRIEVE message is handled correctly the
corresponding memory region is mapped into the SPs memory

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: FFA_SHARE: Process secure share

Process a FFA_SHARE command coming from a SP. When receiving a
FFA_SHARE message from a SP, we don't create any new mobj's. Instead we
retrieve the mobj's from

core: FFA_SHARE: Process secure share

Process a FFA_SHARE command coming from a SP. When receiving a
FFA_SHARE message from a SP, we don't create any new mobj's. Instead we
retrieve the mobj's from the SP list off already mapped mobj's via
vm_get_mobj(). For each FFA_SHARE we check that the memory regions are
mapped and not shared with any other endpoints.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add FFA_PARTITION_INFO

FFA_PARTITION_INFO is used to query all the Secure Partitions loaded in
the system.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Etienne Carriere <etienne.c

core: Add FFA_PARTITION_INFO

FFA_PARTITION_INFO is used to query all the Secure Partitions loaded in
the system.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: Add FF-A rxtx buffer for SPs

Rx/Rx buffers are used for SPs and the SPMC to exchange information.
This change implements the following FF-A messages for SPs:
FFA_RXTX_MAP_64 and FFA_RXTX_

core: arm: Add FF-A rxtx buffer for SPs

Rx/Rx buffers are used for SPs and the SPMC to exchange information.
This change implements the following FF-A messages for SPs:
FFA_RXTX_MAP_64 and FFA_RXTX_MAP_32 to have a SP map a rxtx buffer
FFA_RXTX_UNMAP to unmap the rxtx buffer
FFA_RX_RELEASE to release have the SP release the rx buffer

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Add ffa_msg_send_req and ffa_msg_send_resp

Add FF-A message handling of FFA_MSG_SEND_DIRECT_REQ_32 and
FFA_MSG_SEND_DIRECT_RESP_32 messages.
The FFA_MSG_SEND_DIRECT_RESP_32 message is used to

core: Add ffa_msg_send_req and ffa_msg_send_resp

Add FF-A message handling of FFA_MSG_SEND_DIRECT_REQ_32 and
FFA_MSG_SEND_DIRECT_RESP_32 messages.
The FFA_MSG_SEND_DIRECT_RESP_32 message is used to send a message from
one FF-A endpoint to a second FF-A endpoint. FFA_MSG_SEND_DIRECT_RESP_32
is used to send a response message from the callee to the caller.

A separate abstraction is made (spmc_sp_handler) for handling FF-A
messages received from secure endpoints (SP).
thread_spmc_msg_recv() is still used for handling all FF-A messages
coming from the Normal World. When a FFA_MSG_SEND_DIRECT_REQ_32 message
is received for the Normal World a new kernel thread is started and
spmc_sp_msg_handler() is run. spmc_sp_msg_handler() is used as the main
message handler for handling the FF-A messages coming from SPs.

Whenever a message is sent to the normal world the thread is finished
and the FF-A message is forwarded to the Normal World.

Whenever a SVC exception is received from an SP, the whole context is
saved and executions is resumed in S-EL1. The first 8 register (FF-A
registers x0-x7) contain the FF-A message and are used to handle the
message by the SPMC.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: Initiate and load Secure Partitions

Secure Partitions (SP) are S-El0 execution service defined in the Arm
FF-A specification.
The Secure Partitions are loaded as the last part of the boot proc

core: Initiate and load Secure Partitions

Secure Partitions (SP) are S-El0 execution service defined in the Arm
FF-A specification.
The Secure Partitions are loaded as the last part of the boot process.
A Secure Partitions can be added to image using the SP_PATHS build
option. The SPs are loaded using ldelf.

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add secure partitions store

SPs need to be started as part of the initialisation process of the
OP-TEE kernel. The secure partition store uses the embedded_ts store to
load SPs

Signed-off-by:

core: add secure partitions store

SPs need to be started as part of the initialisation process of the
OP-TEE kernel. The secure partition store uses the embedded_ts store to
load SPs

Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: remove struct tee_ta_ctx from struct user_mode_ctx

Removes struct tee_ta_ctx from struct user_mode_ctx allowing a user mode
entity to be independent of the TA concept, that is, making room for

core: remove struct tee_ta_ctx from struct user_mode_ctx

Removes struct tee_ta_ctx from struct user_mode_ctx allowing a user mode
entity to be independent of the TA concept, that is, making room for SPs
in user mode.

A pointer to a struct user_mode_ctx is passed to many memory management
functions where a pointer to a struct ts_ctx is needed too. Prior to
this patch it was possible to calculate that address of corresponding
struct ts_ctx with help of the container_of() macro, that is no longer
possible. Instead is a struct ts_ctx *ts_ctx field added to struct
user_mode_ctx in order to allow such lookups.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add struct ts_ops

Adds struct ts_ops replacing the previous struct tee_ta_ops.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro

core: add struct ts_ops

Adds struct ts_ops replacing the previous struct tee_ta_ops.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add generic struct ts_ctx

Adds the generic struct ts_ctx to be used instead of struct tee_ta_ctx
where generic context operations are performed.

struct tee_ta_ctx adds a field with struct ts_

core: add generic struct ts_ctx

Adds the generic struct ts_ctx to be used instead of struct tee_ta_ctx
where generic context operations are performed.

struct tee_ta_ctx adds a field with struct ts_ctx for conversion to
struct ts_ctx where needed.

The struct ts_session is updated to keep a pointer to a struct ts_ctx
instead of the previous struct tee_ta_ctx.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...