core: ffa: add missing field in memory access descriptor

FF-A v1.2 introduced a 16 byte implementation-defined field in the
endpoint memory access descriptor. Update all handling of struct
ffa_mem_a

core: ffa: add missing field in memory access descriptor

FF-A v1.2 introduced a 16 byte implementation-defined field in the
endpoint memory access descriptor. Update all handling of struct
ffa_mem_access to for correct access regardless of FF-A version.

With this patch, OP-TEE will use the updated memory access descriptor,
but ignore the impdef field.

Suggested-by: Olivier Deprez <olivier.deprez@arm.com>
Fixes: bef959c837fe ("core: arm: ffa: switch to FF-A version 1.2")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
mis

core: ffa: guard sp_session field state with spinlock

Accesses to the state field in struct sp_session is often guarded with a
spinlock, but there are a few places with it's missing. So, add the
missing spinlocks.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by:

core: ffa: verify thread ID before resuming S-EL0 SP

Check that the thread ID for an S-EL0 SP is correct before trying to
resume it. This guards against resuming an unrelated thread.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: fix direct request error code for S-EL0 SP

Direct requests to S-EL0 SPs are delivered using a thread. If no thread
is available return FFA_BUSY, to let the caller know that it should try

core: ffa: fix direct request error code for S-EL0 SP

Direct requests to S-EL0 SPs are delivered using a thread. If no thread
is available return FFA_BUSY, to let the caller know that it should try
again. This should normally never happen, but let's do our best for a
corner case.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: ffa: update FFA_CONSOLE_LOG_64 for v1.2 SPs

Update FFA_CONSOLE_LOG_64 to handle the ABI extension for FF-A v1.2. The
extended ABI is only used for FF-A v1.2 SPs .

Signed-off-by: Jens Wiklande

core: ffa: update FFA_CONSOLE_LOG_64 for v1.2 SPs

Update FFA_CONSOLE_LOG_64 to handle the ABI extension for FF-A v1.2. The
extended ABI is only used for FF-A v1.2 SPs .

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers

core: arm: ffa: use SMC Calling Convention 1.2

Add struct thread_smc_1_2_regs as a replacement for struct
thread_smc_args when dealing with FF-A SMCs. struct thread_smc_1_2_regs
covers the registers x0-x17 to support passing arguments and results
according to SMC Calling Convention (SMCCC) version 1.2.

The difference is that before this change x8-x17 couldn't be used as
argument nor result and the content was preserved. With this patch are
x8-x17 returned as zeroes. New FF-A SMCs can take and return values in
the full range x0-x17.

64-bit SMCCC version 1.1 and earlier specified x4-x17 as unpredictable
or scratch registers. FF-A has specified x0-x7 as argument and result
registers, regardless of SMCCC. This has changed with SMCCC version 1.2
where the two standards harmonize on this.

struct thread_smc_1_2_regs is added in a 32-bit version for
compatibility, but it only covers r0-r7.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: handle VM availability messages for SPs

The VM availability messages sent by the hypervisor to an SP should be
forwarded to the SP, if the SP has subscribed for these based on the SP
mani

core: ffa: handle VM availability messages for SPs

The VM availability messages sent by the hypervisor to an SP should be
forwarded to the SP, if the SP has subscribed for these based on the SP
manifest.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so re

core: ffa: read S-EL0 SP properties from manifest

So far the properties of S-EL0 SPs have been hardcoded when queried by
FFA_PARTITION_INFO_GET. This was supposed to be a temporary workaround,
so replace this with reading the properties from the SP's manifest which
is the proper solution.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: ffa: Improve FF-A memory sharing compliance

* Deny memory regions with zero pages
* Validate total page count field
* Validate total descriptor size including memory regions descriptors
* Fix

core: ffa: Improve FF-A memory sharing compliance

* Deny memory regions with zero pages
* Validate total page count field
* Validate total descriptor size including memory regions descriptors
* Fix incorrect FFA_ERROR status codes

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: Deny unsupported memory sharing operations

Fragmented memory sharing operations and memory sharing where the
transaction descriptors are forwarded in a custom buffer are not
supported for

core: ffa: Deny unsupported memory sharing operations

Fragmented memory sharing operations and memory sharing where the
transaction descriptors are forwarded in a custom buffer are not
supported for SP destinations. Return early FFA_ERROR if these
conditions are detected.
Add CFG_NS_VIRTUALIZATION condition for virt_unset_guest calls in
thread_spmc.c as a minor refactoring step.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: ffa: Return transaction type flag in retrieve response

Setting 'Memory management transaction type flag' in memory transaction
descriptor when returned in FFA_MEM_RETRIEVE_RESP.

Signed-off-by

core: ffa: Return transaction type flag in retrieve response

Setting 'Memory management transaction type flag' in memory transaction
descriptor when returned in FFA_MEM_RETRIEVE_RESP.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception

core: spmc, sp: cleanup FF-A ID handling

When OP-TEE implements the S-EL1 SPMC, from an FF-A point-of-view the
core OP-TEE functionality is running in a logical SP that resides at the
same exception level as the SPMC. This means that the SPMC and the SP
should have separate FF-A IDs, i.e. the SPMC ID and a normal endpoint ID
for the SP. The SPMC ID is described in the SPMC manifest which gets
parsed by the SPMD, so this ID should be queried from the SPMD. OP-TEE's
endpoint ID is assigned by the SPMC.

Currently OP-TEE's FF-A endpoint ID and the SPMC ID are mixed together
and hardcoded, this patch implements the correct ID handling mechanism
as described above.

Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: pta: drop benchmark

Drop Benchmark PTA as current implementation is non-function
and obsolete, and it's not supported anymore.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: E

core: pta: drop benchmark

Drop Benchmark PTA as current implementation is non-function
and obsolete, and it's not supported anymore.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>

show more ...

core: ffa: Clear FFA_MEM_RETRIEVE_RESP memory descriptor fields

Clear the memory descriptors in FFA_MEM_RETRIEVE_RESP calls in order to
set the reserved fields to zero. The caller might check if the

core: ffa: Clear FFA_MEM_RETRIEVE_RESP memory descriptor fields

Clear the memory descriptors in FFA_MEM_RETRIEVE_RESP calls in order to
set the reserved fields to zero. The caller might check if the reserved
fields are zero as it is stated in the FF-A spec. With FF-A v1.1 the
memory transaction descriptor's 4 byte field at offset 24 has changed
from reserved (MBZ) to Endpoint memory access descriptor size
(non-zero). With the reserved field not cleared in the v1.0 descriptor,
the caller cannot verify if it got the right version of the memory
transaction descriptor.

This issue only affects the FFA_MEM_RETRIEVE_RESP call at the
S-EL1 <-> S-EL0 interface, in all other cases the descriptors are
cleared properly.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sp: fix FFA_MEM_RECLAIM checks

Currently it is assumed that a NS endpoint's ID is always 0. This is not
true if multiple VMs are present in the NWd, so the check will fail when
reclaiming shar

core: sp: fix FFA_MEM_RECLAIM checks

Currently it is assumed that a NS endpoint's ID is always 0. This is not
true if multiple VMs are present in the NWd, so the check will fail when
reclaiming shared memory from an SP. Fix this by removing the owner ID
check if the reclaim call comes from NWd, in this case the necessary
checks are done by the hypervisor.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>

show more ...

core: spmc: Fix setting the destination of FFA_ERROR calls

Fixing multiple issues in the destination logic of FFA_ERROR messages.
ffa_handle_error extracted the destination FF-A ID from the lower 16

core: spmc: Fix setting the destination of FFA_ERROR calls

Fixing multiple issues in the destination logic of FFA_ERROR messages.
ffa_handle_error extracted the destination FF-A ID from the lower 16 bit
of W1. First of all this register should only be set at the NS virtual
FF-A instance. Secondly W1 was not set correctly when an error happened
in ffa_handle_sp_direct_req and ffa_handle_sp_direct_resp. This could
cause sending FFA_ERROR messages to the wrong FF-A endpoint. The patch
clears up the faulty destination handling across all these functions.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: spmc: Clear reserved registers in FFA_ERROR calls

Clear reserved registers in FFA_ERROR calls which are declared MBZ in
the FF-A specification. This also prevents potential information leaks.

core: spmc: Clear reserved registers in FFA_ERROR calls

Clear reserved registers in FFA_ERROR calls which are declared MBZ in
the FF-A specification. This also prevents potential information leaks.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: spmc: simplify using {high,low}32_from_64()

Simplify spmc_sp_handle_mem_share() using high32_from_64() and
low32_from_64() instead of reg_pair_from_64().

Signed-off-by: Jens Wiklander <jens.w

core: spmc: simplify using {high,low}32_from_64()

Simplify spmc_sp_handle_mem_share() using high32_from_64() and
low32_from_64() instead of reg_pair_from_64().

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: implement FFA_CONSOLE_LOG

Add FFA_CONSOLE_LOG interface support for enabling debug messages from
SPs as defined in FF-A v1.2. The message string is packed into the
registers of the call

core: spmc: implement FFA_CONSOLE_LOG

Add FFA_CONSOLE_LOG interface support for enabling debug messages from
SPs as defined in FF-A v1.2. The message string is packed into the
registers of the call so it doesn't require the existence of a shared
memory between the SPMC and the SPs. This makes it ideal for early debug
messages, however the length of the message is limited.
The received messages are forwarded to OP-TEE's trace output.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: spmc: handle non-secure interrupts

Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure
interrupts and for resuming to the secure world. If a secure partition
is preempted by a non-s

core: spmc: handle non-secure interrupts

Add FFA_INTERRUPT and FFA_RUN support for signaling non-secure
interrupts and for resuming to the secure world. If a secure partition
is preempted by a non-secure interrupt OP-TEE saves the SP's state and
sends an FFA_INTERRUPT to the normal world. After handling the interrupt
the normal world should send an FFA_RUN to OP-TEE so it can continue
running the SP.
If OP-TEE is the active FF-A endpoint (i.e. it is running TAs) the
non-secure interrupts are signaled by the existing
OPTEE_FFA_YIELDING_CALL_RETURN_INTERRUPT message instead of
FFA_INTERRUPT.

Signed-off-by: Imre Kis <imre.kis@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: support FFA_VERSION from S-EL0 SPs only

FFA_VERSION using ERET as conduit is not permitted in the FF-A
specification. So remove support for it in thread_spmc_msg_recv() but
keep it in spm

core: ffa: support FFA_VERSION from S-EL0 SPs only

FFA_VERSION using ERET as conduit is not permitted in the FF-A
specification. So remove support for it in thread_spmc_msg_recv() but
keep it in spmc_sp_msg_handler() for S-EL0 SPs where the conduit is SVC.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: support FFA_SPM_ID_GET

Supports the FFA_SPM_ID_GET function introduced with FF-A v1.1.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Balint Dobszay <balint.dobsza

core: ffa: support FFA_SPM_ID_GET

Supports the FFA_SPM_ID_GET function introduced with FF-A v1.1.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: spmc: support FF-A 1.1

Adds support for FF-A 1.1. Now OP-TEE will need to be able to work with
both version 1.0 and 1.1 depending on the other endpoint. The callee
supplies its implemented ver

core: spmc: support FF-A 1.1

Adds support for FF-A 1.1. Now OP-TEE will need to be able to work with
both version 1.0 and 1.1 depending on the other endpoint. The callee
supplies its implemented version and OP-TEE chooses the highest common
version and returns that. This is done per endpoint so some endpoint may
very well use version 1.0 while another uses version 1.1.

Two data structures, struct ffa_mem_transaction and struct
ffa_partition_info, are affected. Runtime conditionals are used to
select which version to use based on the negotiated FF-A version.

Reviewed-by: Balint Dobszay <balint.dobszay@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces

core: ffa: Add support for FFA_MEM_PERM_GET/SET

Handle FFA_MEM_PERM_GET and FFA_MEM_PERM_SET interfaces for enabling
SPs to query and set the access rights of their memory regions. These
interfaces are only permitted in the initialization phase thus a new
state variable is being introduced in sp_session. SPs indicate the end
of their initialization phase through the FFA_MSG_WAIT interface.

Co-developed-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Imre Kis <imre.kis@arm.com>
Signed-off-by: Jelle Sels <jelle.sels@arm.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ffa: Enable handling 64-bit direct messages

Enable using the 64-bit version of the FF-A direct request and response
calls.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Et

core: ffa: Enable handling 64-bit direct messages

Enable using the 64-bit version of the FF-A direct request and response
calls.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jelle Sels <jelle.sels@arm.com>

show more ...