1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2015-2023, Linaro Limited 4 * Copyright (c) 2023, Arm Limited 5 * Copyright (c) 2025, NVIDIA Corporation & AFFILIATES. 6 */ 7 8 #include <arm.h> 9 #include <asan.h> 10 #include <assert.h> 11 #include <compiler.h> 12 #include <config.h> 13 #include <console.h> 14 #include <crypto/crypto.h> 15 #include <drivers/gic.h> 16 #include <dt-bindings/interrupt-controller/arm-gic.h> 17 #include <ffa.h> 18 #include <initcall.h> 19 #include <inttypes.h> 20 #include <io.h> 21 #include <keep.h> 22 #include <kernel/boot.h> 23 #include <kernel/dt.h> 24 #include <kernel/linker.h> 25 #include <kernel/misc.h> 26 #include <kernel/panic.h> 27 #include <kernel/tee_misc.h> 28 #include <kernel/thread.h> 29 #include <kernel/tpm.h> 30 #include <kernel/transfer_list.h> 31 #include <libfdt.h> 32 #include <malloc.h> 33 #include <memtag.h> 34 #include <mm/core_memprot.h> 35 #include <mm/core_mmu.h> 36 #include <mm/fobj.h> 37 #include <mm/page_alloc.h> 38 #include <mm/phys_mem.h> 39 #include <mm/tee_mm.h> 40 #include <mm/tee_pager.h> 41 #include <sm/psci.h> 42 #include <stdalign.h> 43 #include <trace.h> 44 #include <utee_defines.h> 45 #include <util.h> 46 47 #include <platform_config.h> 48 49 #if !defined(CFG_WITH_ARM_TRUSTED_FW) 50 #include <sm/sm.h> 51 #endif 52 53 #if defined(CFG_WITH_VFP) 54 #include <kernel/vfp.h> 55 #endif 56 57 /* 58 * In this file we're using unsigned long to represent physical pointers as 59 * they are received in a single register when OP-TEE is initially entered. 60 * This limits 32-bit systems to only use make use of the lower 32 bits 61 * of a physical address for initial parameters. 62 * 63 * 64-bit systems on the other hand can use full 64-bit physical pointers. 64 */ 65 #define PADDR_INVALID ULONG_MAX 66 67 #if defined(CFG_BOOT_SECONDARY_REQUEST) 68 struct ns_entry_context { 69 uintptr_t entry_point; 70 uintptr_t context_id; 71 }; 72 struct ns_entry_context ns_entry_contexts[CFG_TEE_CORE_NB_CORE]; 73 static uint32_t spin_table[CFG_TEE_CORE_NB_CORE]; 74 #endif 75 76 #ifdef CFG_BOOT_SYNC_CPU 77 /* 78 * Array used when booting, to synchronize cpu. 79 * When 0, the cpu has not started. 80 * When 1, it has started 81 */ 82 uint32_t sem_cpu_sync[CFG_TEE_CORE_NB_CORE]; 83 DECLARE_KEEP_PAGER(sem_cpu_sync); 84 #endif 85 86 /* 87 * Must not be in .bss since it's initialized and used from assembly before 88 * .bss is cleared. 89 */ 90 vaddr_t boot_cached_mem_end __nex_data = 1; 91 92 static unsigned long boot_arg_fdt __nex_bss; 93 unsigned long boot_arg_nsec_entry __nex_bss; 94 static unsigned long boot_arg_pageable_part __nex_bss; 95 static unsigned long boot_arg_transfer_list __nex_bss; 96 static struct transfer_list_header *mapped_tl __nex_bss; 97 98 #ifdef CFG_SECONDARY_INIT_CNTFRQ 99 static uint32_t cntfrq; 100 #endif 101 102 /* May be overridden in plat-$(PLATFORM)/main.c */ 103 __weak void plat_primary_init_early(void) 104 { 105 } 106 DECLARE_KEEP_PAGER(plat_primary_init_early); 107 108 /* May be overridden in plat-$(PLATFORM)/main.c */ 109 __weak void boot_primary_init_intc(void) 110 { 111 } 112 113 /* May be overridden in plat-$(PLATFORM)/main.c */ 114 __weak void boot_secondary_init_intc(void) 115 { 116 } 117 118 /* May be overridden in plat-$(PLATFORM)/main.c */ 119 __weak unsigned long plat_get_aslr_seed(void) 120 { 121 DMSG("Warning: no ASLR seed"); 122 123 return 0; 124 } 125 126 /* 127 * This function is called as a guard after each smc call which is not 128 * supposed to return. 129 */ 130 void __panic_at_smc_return(void) 131 { 132 panic(); 133 } 134 135 #if defined(CFG_WITH_ARM_TRUSTED_FW) 136 void init_sec_mon(unsigned long nsec_entry __maybe_unused) 137 { 138 assert(nsec_entry == PADDR_INVALID); 139 /* Do nothing as we don't have a secure monitor */ 140 } 141 #else 142 /* May be overridden in plat-$(PLATFORM)/main.c */ 143 __weak void init_sec_mon(unsigned long nsec_entry) 144 { 145 struct sm_nsec_ctx *nsec_ctx; 146 147 assert(nsec_entry != PADDR_INVALID); 148 149 /* Initialize secure monitor */ 150 nsec_ctx = sm_get_nsec_ctx(); 151 nsec_ctx->mon_lr = nsec_entry; 152 nsec_ctx->mon_spsr = CPSR_MODE_SVC | CPSR_I; 153 if (nsec_entry & 1) 154 nsec_ctx->mon_spsr |= CPSR_T; 155 } 156 #endif 157 158 #if defined(CFG_WITH_ARM_TRUSTED_FW) 159 static void init_vfp_nsec(void) 160 { 161 } 162 #else 163 static void init_vfp_nsec(void) 164 { 165 /* Normal world can use CP10 and CP11 (SIMD/VFP) */ 166 write_nsacr(read_nsacr() | NSACR_CP10 | NSACR_CP11); 167 } 168 #endif 169 170 static void check_crypto_extensions(void) 171 { 172 bool ce_supported = true; 173 174 if (!feat_aes_implemented() && 175 IS_ENABLED(CFG_CRYPTO_AES_ARM_CE)) { 176 EMSG("AES instructions are not supported"); 177 ce_supported = false; 178 } 179 180 if (!feat_sha1_implemented() && 181 IS_ENABLED(CFG_CRYPTO_SHA1_ARM_CE)) { 182 EMSG("SHA1 instructions are not supported"); 183 ce_supported = false; 184 } 185 186 if (!feat_sha256_implemented() && 187 IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) { 188 EMSG("SHA256 instructions are not supported"); 189 ce_supported = false; 190 } 191 192 /* Check aarch64 specific instructions */ 193 if (IS_ENABLED(CFG_ARM64_core)) { 194 if (!feat_sha512_implemented() && 195 IS_ENABLED(CFG_CRYPTO_SHA512_ARM_CE)) { 196 EMSG("SHA512 instructions are not supported"); 197 ce_supported = false; 198 } 199 200 if (!feat_sha3_implemented() && 201 IS_ENABLED(CFG_CRYPTO_SHA3_ARM_CE)) { 202 EMSG("SHA3 instructions are not supported"); 203 ce_supported = false; 204 } 205 206 if (!feat_sm3_implemented() && 207 IS_ENABLED(CFG_CRYPTO_SM3_ARM_CE)) { 208 EMSG("SM3 instructions are not supported"); 209 ce_supported = false; 210 } 211 212 if (!feat_sm4_implemented() && 213 IS_ENABLED(CFG_CRYPTO_SM4_ARM_CE)) { 214 EMSG("SM4 instructions are not supported"); 215 ce_supported = false; 216 } 217 } 218 219 if (!ce_supported) 220 panic("HW doesn't support CE instructions"); 221 } 222 223 #if defined(CFG_WITH_VFP) 224 225 #ifdef ARM32 226 static void init_vfp_sec(void) 227 { 228 uint32_t cpacr = read_cpacr(); 229 230 /* 231 * Enable Advanced SIMD functionality. 232 * Enable use of D16-D31 of the Floating-point Extension register 233 * file. 234 */ 235 cpacr &= ~(CPACR_ASEDIS | CPACR_D32DIS); 236 /* 237 * Enable usage of CP10 and CP11 (SIMD/VFP) (both kernel and user 238 * mode. 239 */ 240 cpacr |= CPACR_CP(10, CPACR_CP_ACCESS_FULL); 241 cpacr |= CPACR_CP(11, CPACR_CP_ACCESS_FULL); 242 write_cpacr(cpacr); 243 } 244 #endif /* ARM32 */ 245 246 #ifdef ARM64 247 static void init_vfp_sec(void) 248 { 249 /* Not using VFP until thread_kernel_enable_vfp() */ 250 vfp_disable(); 251 } 252 #endif /* ARM64 */ 253 254 #else /* CFG_WITH_VFP */ 255 256 static void init_vfp_sec(void) 257 { 258 /* Not using VFP */ 259 } 260 #endif 261 262 #ifdef CFG_SECONDARY_INIT_CNTFRQ 263 static void primary_save_cntfrq(void) 264 { 265 assert(cntfrq == 0); 266 267 /* 268 * CNTFRQ should be initialized on the primary CPU by a 269 * previous boot stage 270 */ 271 cntfrq = read_cntfrq(); 272 } 273 274 static void secondary_init_cntfrq(void) 275 { 276 assert(cntfrq != 0); 277 write_cntfrq(cntfrq); 278 } 279 #else /* CFG_SECONDARY_INIT_CNTFRQ */ 280 static void primary_save_cntfrq(void) 281 { 282 } 283 284 static void secondary_init_cntfrq(void) 285 { 286 } 287 #endif 288 289 #ifdef CFG_CORE_SANITIZE_KADDRESS 290 static void init_run_constructors(void) 291 { 292 const vaddr_t *ctor; 293 294 for (ctor = &__ctor_list; ctor < &__ctor_end; ctor++) 295 ((void (*)(void))(*ctor))(); 296 } 297 298 static void init_asan(void) 299 { 300 301 /* 302 * CFG_ASAN_SHADOW_OFFSET is also supplied as 303 * -fasan-shadow-offset=$(CFG_ASAN_SHADOW_OFFSET) to the compiler. 304 * Since all the needed values to calculate the value of 305 * CFG_ASAN_SHADOW_OFFSET isn't available in to make we need to 306 * calculate it in advance and hard code it into the platform 307 * conf.mk. Here where we have all the needed values we double 308 * check that the compiler is supplied the correct value. 309 */ 310 311 #define __ASAN_SHADOW_START \ 312 ROUNDUP(TEE_RAM_START + (TEE_RAM_VA_SIZE * 8) / 9 - 8, 8) 313 assert(__ASAN_SHADOW_START == (vaddr_t)&__asan_shadow_start); 314 #define __CFG_ASAN_SHADOW_OFFSET \ 315 (__ASAN_SHADOW_START - (TEE_RAM_START / 8)) 316 COMPILE_TIME_ASSERT(CFG_ASAN_SHADOW_OFFSET == __CFG_ASAN_SHADOW_OFFSET); 317 #undef __ASAN_SHADOW_START 318 #undef __CFG_ASAN_SHADOW_OFFSET 319 320 /* 321 * Assign area covered by the shadow area, everything from start up 322 * to the beginning of the shadow area. 323 */ 324 asan_add_shadowed((void *)TEE_LOAD_ADDR, &__asan_shadow_start, 325 ASAN_REG_NO_TYPE); 326 327 /* 328 * Add access to areas that aren't opened automatically by a 329 * constructor. 330 */ 331 boot_mem_init_asan(); 332 asan_tag_access(&__ctor_list, &__ctor_end); 333 asan_tag_access(__rodata_start, __rodata_end); 334 #ifdef CFG_WITH_PAGER 335 asan_tag_access(__pageable_start, __pageable_end); 336 #endif /*CFG_WITH_PAGER*/ 337 asan_tag_access(__nozi_start, __nozi_end); 338 #ifdef ARM32 339 asan_tag_access(__exidx_start, __exidx_end); 340 asan_tag_access(__extab_start, __extab_end); 341 #endif 342 343 init_run_constructors(); 344 345 /* Everything is tagged correctly, let's start address sanitizing. */ 346 asan_start(); 347 } 348 #else /*CFG_CORE_SANITIZE_KADDRESS*/ 349 static void init_asan(void) 350 { 351 } 352 #endif /*CFG_CORE_SANITIZE_KADDRESS*/ 353 354 #if defined(CFG_MEMTAG) 355 /* Called from entry_a64.S only when MEMTAG is configured */ 356 void boot_init_memtag(void) 357 { 358 memtag_init_ops(feat_mte_implemented()); 359 } 360 361 static TEE_Result mmap_clear_memtag(struct tee_mmap_region *map, 362 void *ptr __unused) 363 { 364 switch (map->type) { 365 case MEM_AREA_NEX_RAM_RO: 366 case MEM_AREA_SEC_RAM_OVERALL: 367 DMSG("Clearing tags for VA %#"PRIxVA"..%#"PRIxVA, 368 map->va, map->va + map->size - 1); 369 memtag_set_tags((void *)map->va, map->size, 0); 370 break; 371 default: 372 break; 373 } 374 375 return TEE_SUCCESS; 376 } 377 378 /* Called from entry_a64.S only when MEMTAG is configured */ 379 void boot_clear_memtag(void) 380 { 381 core_mmu_for_each_map(NULL, mmap_clear_memtag); 382 } 383 #endif 384 385 #ifdef CFG_WITH_PAGER 386 387 #ifdef CFG_CORE_SANITIZE_KADDRESS 388 static void carve_out_asan_mem(void) 389 { 390 nex_phys_mem_partial_carve_out(ASAN_MAP_PA, ASAN_MAP_SZ); 391 } 392 #else 393 static void carve_out_asan_mem(void) 394 { 395 } 396 #endif 397 398 static void print_pager_pool_size(void) 399 { 400 struct tee_pager_stats __maybe_unused stats; 401 402 tee_pager_get_stats(&stats); 403 IMSG("Pager pool size: %zukB", 404 stats.npages_all * SMALL_PAGE_SIZE / 1024); 405 } 406 407 static void init_virt_pool(tee_mm_pool_t *virt_pool) 408 { 409 const vaddr_t begin = VCORE_START_VA; 410 size_t size = TEE_RAM_VA_SIZE; 411 412 #ifdef CFG_CORE_SANITIZE_KADDRESS 413 /* Carve out asan memory, flat maped after core memory */ 414 if (begin + size > ASAN_SHADOW_PA) 415 size = ASAN_MAP_PA - begin; 416 #endif 417 418 if (!tee_mm_init(virt_pool, begin, size, SMALL_PAGE_SHIFT, 419 TEE_MM_POOL_NO_FLAGS)) 420 panic("core_virt_mem_pool init failed"); 421 } 422 423 /* 424 * With CFG_CORE_ASLR=y the init part is relocated very early during boot. 425 * The init part is also paged just as the rest of the normal paged code, with 426 * the difference that it's preloaded during boot. When the backing store 427 * is configured the entire paged binary is copied in place and then also 428 * the init part. Since the init part has been relocated (references to 429 * addresses updated to compensate for the new load address) this has to be 430 * undone for the hashes of those pages to match with the original binary. 431 * 432 * If CFG_CORE_ASLR=n, nothing needs to be done as the code/ro pages are 433 * unchanged. 434 */ 435 static void undo_init_relocation(uint8_t *paged_store __maybe_unused) 436 { 437 #ifdef CFG_CORE_ASLR 438 unsigned long *ptr = NULL; 439 const uint32_t *reloc = NULL; 440 const uint32_t *reloc_end = NULL; 441 unsigned long offs = boot_mmu_config.map_offset; 442 const struct boot_embdata *embdata = (const void *)__init_end; 443 vaddr_t addr_end = (vaddr_t)__init_end - offs - TEE_LOAD_ADDR; 444 vaddr_t addr_start = (vaddr_t)__init_start - offs - TEE_LOAD_ADDR; 445 446 reloc = (const void *)((vaddr_t)embdata + embdata->reloc_offset); 447 reloc_end = reloc + embdata->reloc_len / sizeof(*reloc); 448 449 for (; reloc < reloc_end; reloc++) { 450 if (*reloc < addr_start) 451 continue; 452 if (*reloc >= addr_end) 453 break; 454 ptr = (void *)(paged_store + *reloc - addr_start); 455 *ptr -= offs; 456 } 457 #endif 458 } 459 460 static struct fobj *ro_paged_alloc(tee_mm_entry_t *mm, void *hashes, 461 void *store) 462 { 463 const unsigned int num_pages = tee_mm_get_bytes(mm) / SMALL_PAGE_SIZE; 464 #ifdef CFG_CORE_ASLR 465 unsigned int reloc_offs = (vaddr_t)__pageable_start - VCORE_START_VA; 466 const struct boot_embdata *embdata = (const void *)__init_end; 467 const void *reloc = __init_end + embdata->reloc_offset; 468 469 return fobj_ro_reloc_paged_alloc(num_pages, hashes, reloc_offs, 470 reloc, embdata->reloc_len, store); 471 #else 472 return fobj_ro_paged_alloc(num_pages, hashes, store); 473 #endif 474 } 475 476 static void init_pager_runtime(unsigned long pageable_part) 477 { 478 size_t n; 479 size_t init_size = (size_t)(__init_end - __init_start); 480 size_t pageable_start = (size_t)__pageable_start; 481 size_t pageable_end = (size_t)__pageable_end; 482 size_t pageable_size = pageable_end - pageable_start; 483 vaddr_t tzsram_end = TZSRAM_BASE + TZSRAM_SIZE - TEE_LOAD_ADDR + 484 VCORE_START_VA; 485 size_t hash_size = (pageable_size / SMALL_PAGE_SIZE) * 486 TEE_SHA256_HASH_SIZE; 487 const struct boot_embdata *embdata = (const void *)__init_end; 488 const void *tmp_hashes = NULL; 489 tee_mm_entry_t *mm = NULL; 490 struct fobj *fobj = NULL; 491 uint8_t *paged_store = NULL; 492 uint8_t *hashes = NULL; 493 494 assert(pageable_size % SMALL_PAGE_SIZE == 0); 495 assert(embdata->total_len >= embdata->hashes_offset + 496 embdata->hashes_len); 497 assert(hash_size == embdata->hashes_len); 498 499 tmp_hashes = __init_end + embdata->hashes_offset; 500 501 /* 502 * This needs to be initialized early to support address lookup 503 * in MEM_AREA_TEE_RAM 504 */ 505 tee_pager_early_init(); 506 507 hashes = malloc(hash_size); 508 IMSG_RAW("\n"); 509 IMSG("Pager is enabled. Hashes: %zu bytes", hash_size); 510 assert(hashes); 511 asan_memcpy_unchecked(hashes, tmp_hashes, hash_size); 512 513 /* 514 * The pager is about the be enabled below, eventual temporary boot 515 * memory allocation must be removed now. 516 */ 517 boot_mem_release_tmp_alloc(); 518 519 carve_out_asan_mem(); 520 521 mm = nex_phys_mem_ta_alloc(pageable_size); 522 assert(mm); 523 paged_store = phys_to_virt(tee_mm_get_smem(mm), 524 MEM_AREA_SEC_RAM_OVERALL, pageable_size); 525 /* 526 * Load pageable part in the dedicated allocated area: 527 * - Move pageable non-init part into pageable area. Note bootloader 528 * may have loaded it anywhere in TA RAM hence use memmove(). 529 * - Copy pageable init part from current location into pageable area. 530 */ 531 memmove(paged_store + init_size, 532 phys_to_virt(pageable_part, 533 core_mmu_get_type_by_pa(pageable_part), 534 __pageable_part_end - __pageable_part_start), 535 __pageable_part_end - __pageable_part_start); 536 asan_memcpy_unchecked(paged_store, __init_start, init_size); 537 /* 538 * Undo eventual relocation for the init part so the hash checks 539 * can pass. 540 */ 541 undo_init_relocation(paged_store); 542 543 /* Check that hashes of what's in pageable area is OK */ 544 DMSG("Checking hashes of pageable area"); 545 for (n = 0; (n * SMALL_PAGE_SIZE) < pageable_size; n++) { 546 const uint8_t *hash = hashes + n * TEE_SHA256_HASH_SIZE; 547 const uint8_t *page = paged_store + n * SMALL_PAGE_SIZE; 548 TEE_Result res; 549 550 DMSG("hash pg_idx %zu hash %p page %p", n, hash, page); 551 res = hash_sha256_check(hash, page, SMALL_PAGE_SIZE); 552 if (res != TEE_SUCCESS) { 553 EMSG("Hash failed for page %zu at %p: res 0x%x", 554 n, (void *)page, res); 555 panic(); 556 } 557 } 558 559 /* 560 * Assert prepaged init sections are page aligned so that nothing 561 * trails uninited at the end of the premapped init area. 562 */ 563 assert(!(init_size & SMALL_PAGE_MASK)); 564 565 /* 566 * Initialize the virtual memory pool used for main_mmu_l2_ttb which 567 * is supplied to tee_pager_init() below. 568 */ 569 init_virt_pool(&core_virt_mem_pool); 570 571 /* 572 * Assign alias area for pager end of the small page block the rest 573 * of the binary is loaded into. We're taking more than needed, but 574 * we're guaranteed to not need more than the physical amount of 575 * TZSRAM. 576 */ 577 mm = tee_mm_alloc2(&core_virt_mem_pool, 578 (vaddr_t)core_virt_mem_pool.lo + 579 core_virt_mem_pool.size - TZSRAM_SIZE, 580 TZSRAM_SIZE); 581 assert(mm); 582 tee_pager_set_alias_area(mm); 583 584 /* 585 * Claim virtual memory which isn't paged. 586 * Linear memory (flat map core memory) ends there. 587 */ 588 mm = tee_mm_alloc2(&core_virt_mem_pool, VCORE_UNPG_RX_PA, 589 (vaddr_t)(__pageable_start - VCORE_UNPG_RX_PA)); 590 assert(mm); 591 592 /* 593 * Allocate virtual memory for the pageable area and let the pager 594 * take charge of all the pages already assigned to that memory. 595 */ 596 mm = tee_mm_alloc2(&core_virt_mem_pool, (vaddr_t)__pageable_start, 597 pageable_size); 598 assert(mm); 599 fobj = ro_paged_alloc(mm, hashes, paged_store); 600 assert(fobj); 601 tee_pager_add_core_region(tee_mm_get_smem(mm), PAGED_REGION_TYPE_RO, 602 fobj); 603 fobj_put(fobj); 604 605 tee_pager_add_pages(pageable_start, init_size / SMALL_PAGE_SIZE, false); 606 tee_pager_add_pages(pageable_start + init_size, 607 (pageable_size - init_size) / SMALL_PAGE_SIZE, 608 true); 609 if (pageable_end < tzsram_end) 610 tee_pager_add_pages(pageable_end, (tzsram_end - pageable_end) / 611 SMALL_PAGE_SIZE, true); 612 613 /* 614 * There may be physical pages in TZSRAM before the core load address. 615 * These pages can be added to the physical pages pool of the pager. 616 * This setup may happen when a the secure bootloader runs in TZRAM 617 * and its memory can be reused by OP-TEE once boot stages complete. 618 */ 619 tee_pager_add_pages(core_virt_mem_pool.lo, 620 (VCORE_UNPG_RX_PA - core_virt_mem_pool.lo) / 621 SMALL_PAGE_SIZE, 622 true); 623 624 print_pager_pool_size(); 625 } 626 #else /*!CFG_WITH_PAGER*/ 627 static void init_pager_runtime(unsigned long pageable_part __unused) 628 { 629 } 630 #endif 631 632 #if defined(CFG_DT) 633 static int add_optee_dt_node(struct dt_descriptor *dt) 634 { 635 int offs; 636 int ret; 637 638 if (fdt_path_offset(dt->blob, "/firmware/optee") >= 0) { 639 DMSG("OP-TEE Device Tree node already exists!"); 640 return 0; 641 } 642 643 offs = fdt_path_offset(dt->blob, "/firmware"); 644 if (offs < 0) { 645 offs = add_dt_path_subnode(dt, "/", "firmware"); 646 if (offs < 0) 647 return -1; 648 } 649 650 offs = fdt_add_subnode(dt->blob, offs, "optee"); 651 if (offs < 0) 652 return -1; 653 654 ret = fdt_setprop_string(dt->blob, offs, "compatible", 655 "linaro,optee-tz"); 656 if (ret < 0) 657 return -1; 658 ret = fdt_setprop_string(dt->blob, offs, "method", "smc"); 659 if (ret < 0) 660 return -1; 661 662 if (CFG_CORE_ASYNC_NOTIF_GIC_INTID) { 663 /* 664 * The format of the interrupt property is defined by the 665 * binding of the interrupt domain root. In this case it's 666 * one Arm GIC v1, v2 or v3 so we must be compatible with 667 * these. 668 * 669 * An SPI type of interrupt is indicated with a 0 in the 670 * first cell. A PPI type is indicated with value 1. 671 * 672 * The interrupt number goes in the second cell where 673 * SPIs ranges from 0 to 987 and PPI ranges from 0 to 15. 674 * 675 * Flags are passed in the third cells. 676 */ 677 uint32_t itr_trigger = 0; 678 uint32_t itr_type = 0; 679 uint32_t itr_id = 0; 680 uint32_t val[3] = { }; 681 682 /* PPI are visible only in current CPU cluster */ 683 static_assert(IS_ENABLED(CFG_CORE_FFA) || 684 !CFG_CORE_ASYNC_NOTIF_GIC_INTID || 685 (CFG_CORE_ASYNC_NOTIF_GIC_INTID >= 686 GIC_SPI_BASE) || 687 ((CFG_TEE_CORE_NB_CORE <= 8) && 688 (CFG_CORE_ASYNC_NOTIF_GIC_INTID >= 689 GIC_PPI_BASE))); 690 691 if (CFG_CORE_ASYNC_NOTIF_GIC_INTID >= GIC_SPI_BASE) { 692 itr_type = GIC_SPI; 693 itr_id = CFG_CORE_ASYNC_NOTIF_GIC_INTID - GIC_SPI_BASE; 694 itr_trigger = IRQ_TYPE_EDGE_RISING; 695 } else { 696 itr_type = GIC_PPI; 697 itr_id = CFG_CORE_ASYNC_NOTIF_GIC_INTID - GIC_PPI_BASE; 698 itr_trigger = IRQ_TYPE_EDGE_RISING | 699 GIC_CPU_MASK_SIMPLE(CFG_TEE_CORE_NB_CORE); 700 } 701 702 val[0] = TEE_U32_TO_BIG_ENDIAN(itr_type); 703 val[1] = TEE_U32_TO_BIG_ENDIAN(itr_id); 704 val[2] = TEE_U32_TO_BIG_ENDIAN(itr_trigger); 705 706 ret = fdt_setprop(dt->blob, offs, "interrupts", val, 707 sizeof(val)); 708 if (ret < 0) 709 return -1; 710 } 711 return 0; 712 } 713 714 #ifdef CFG_PSCI_ARM32 715 static int append_psci_compatible(void *fdt, int offs, const char *str) 716 { 717 return fdt_appendprop(fdt, offs, "compatible", str, strlen(str) + 1); 718 } 719 720 static int dt_add_psci_node(struct dt_descriptor *dt) 721 { 722 int offs; 723 724 if (fdt_path_offset(dt->blob, "/psci") >= 0) { 725 DMSG("PSCI Device Tree node already exists!"); 726 return 0; 727 } 728 729 offs = add_dt_path_subnode(dt, "/", "psci"); 730 if (offs < 0) 731 return -1; 732 if (append_psci_compatible(dt->blob, offs, "arm,psci-1.0")) 733 return -1; 734 if (append_psci_compatible(dt->blob, offs, "arm,psci-0.2")) 735 return -1; 736 if (append_psci_compatible(dt->blob, offs, "arm,psci")) 737 return -1; 738 if (fdt_setprop_string(dt->blob, offs, "method", "smc")) 739 return -1; 740 if (fdt_setprop_u32(dt->blob, offs, "cpu_suspend", PSCI_CPU_SUSPEND)) 741 return -1; 742 if (fdt_setprop_u32(dt->blob, offs, "cpu_off", PSCI_CPU_OFF)) 743 return -1; 744 if (fdt_setprop_u32(dt->blob, offs, "cpu_on", PSCI_CPU_ON)) 745 return -1; 746 if (fdt_setprop_u32(dt->blob, offs, "sys_poweroff", PSCI_SYSTEM_OFF)) 747 return -1; 748 if (fdt_setprop_u32(dt->blob, offs, "sys_reset", PSCI_SYSTEM_RESET)) 749 return -1; 750 return 0; 751 } 752 753 static int check_node_compat_prefix(struct dt_descriptor *dt, int offs, 754 const char *prefix) 755 { 756 const size_t prefix_len = strlen(prefix); 757 size_t l; 758 int plen; 759 const char *prop; 760 761 prop = fdt_getprop(dt->blob, offs, "compatible", &plen); 762 if (!prop) 763 return -1; 764 765 while (plen > 0) { 766 if (memcmp(prop, prefix, prefix_len) == 0) 767 return 0; /* match */ 768 769 l = strlen(prop) + 1; 770 prop += l; 771 plen -= l; 772 } 773 774 return -1; 775 } 776 777 static int dt_add_psci_cpu_enable_methods(struct dt_descriptor *dt) 778 { 779 int offs = 0; 780 781 while (1) { 782 offs = fdt_next_node(dt->blob, offs, NULL); 783 if (offs < 0) 784 break; 785 if (fdt_getprop(dt->blob, offs, "enable-method", NULL)) 786 continue; /* already set */ 787 if (check_node_compat_prefix(dt, offs, "arm,cortex-a")) 788 continue; /* no compatible */ 789 if (fdt_setprop_string(dt->blob, offs, "enable-method", "psci")) 790 return -1; 791 /* Need to restart scanning as offsets may have changed */ 792 offs = 0; 793 } 794 return 0; 795 } 796 797 static int config_psci(struct dt_descriptor *dt) 798 { 799 if (dt_add_psci_node(dt)) 800 return -1; 801 return dt_add_psci_cpu_enable_methods(dt); 802 } 803 #else 804 static int config_psci(struct dt_descriptor *dt __unused) 805 { 806 return 0; 807 } 808 #endif /*CFG_PSCI_ARM32*/ 809 810 static int mark_tzdram_as_reserved(struct dt_descriptor *dt) 811 { 812 return add_res_mem_dt_node(dt, "optee_core", CFG_TZDRAM_START, 813 CFG_TZDRAM_SIZE); 814 } 815 816 static void update_external_dt(void) 817 { 818 struct dt_descriptor *dt = get_external_dt_desc(); 819 820 if (!dt || !dt->blob) 821 return; 822 823 if (!IS_ENABLED(CFG_CORE_FFA) && add_optee_dt_node(dt)) 824 panic("Failed to add OP-TEE Device Tree node"); 825 826 if (config_psci(dt)) 827 panic("Failed to config PSCI"); 828 829 #ifdef CFG_CORE_RESERVED_SHM 830 if (mark_static_shm_as_reserved(dt)) 831 panic("Failed to config non-secure memory"); 832 #endif 833 834 if (mark_tzdram_as_reserved(dt)) 835 panic("Failed to config secure memory"); 836 } 837 #else /*CFG_DT*/ 838 static void update_external_dt(void) 839 { 840 } 841 #endif /*!CFG_DT*/ 842 843 void init_tee_runtime(void) 844 { 845 /* 846 * With virtualization we call this function when creating the 847 * OP-TEE partition instead. 848 */ 849 if (!IS_ENABLED(CFG_NS_VIRTUALIZATION)) 850 call_preinitcalls(); 851 call_early_initcalls(); 852 call_service_initcalls(); 853 854 /* 855 * These two functions uses crypto_rng_read() to initialize the 856 * pauth keys. Once call_initcalls() returns we're guaranteed that 857 * crypto_rng_read() is ready to be used. 858 */ 859 thread_init_core_local_pauth_keys(); 860 thread_init_thread_pauth_keys(); 861 862 /* 863 * Reinitialize canaries around the stacks with crypto_rng_read(). 864 * 865 * TODO: Updating canaries when CFG_NS_VIRTUALIZATION is enabled will 866 * require synchronization between thread_check_canaries() and 867 * thread_update_canaries(). 868 */ 869 if (!IS_ENABLED(CFG_NS_VIRTUALIZATION)) 870 thread_update_canaries(); 871 } 872 873 static bool add_padding_to_pool(vaddr_t va, size_t len, void *ptr __unused) 874 { 875 #ifdef CFG_NS_VIRTUALIZATION 876 nex_malloc_add_pool((void *)va, len); 877 #else 878 malloc_add_pool((void *)va, len); 879 #endif 880 return true; 881 } 882 883 static void init_primary(unsigned long pageable_part) 884 { 885 vaddr_t va = 0; 886 887 /* 888 * Mask asynchronous exceptions before switch to the thread vector 889 * as the thread handler requires those to be masked while 890 * executing with the temporary stack. The thread subsystem also 891 * asserts that the foreign interrupts are blocked when using most of 892 * its functions. 893 */ 894 thread_set_exceptions(THREAD_EXCP_ALL); 895 primary_save_cntfrq(); 896 init_vfp_sec(); 897 898 if (IS_ENABLED(CFG_CRYPTO_WITH_CE)) 899 check_crypto_extensions(); 900 901 init_asan(); 902 903 /* 904 * By default whole OP-TEE uses malloc, so we need to initialize 905 * it early. But, when virtualization is enabled, malloc is used 906 * only by TEE runtime, so malloc should be initialized later, for 907 * every virtual partition separately. Core code uses nex_malloc 908 * instead. 909 */ 910 #ifdef CFG_WITH_PAGER 911 /* Add heap2 first as heap1 may be too small as initial bget pool */ 912 malloc_add_pool(__heap2_start, __heap2_end - __heap2_start); 913 #endif 914 #ifdef CFG_NS_VIRTUALIZATION 915 nex_malloc_add_pool(__nex_heap_start, __nex_heap_end - 916 __nex_heap_start); 917 #else 918 malloc_add_pool(__heap1_start, __heap1_end - __heap1_start); 919 #endif 920 IMSG_RAW("\n"); 921 if (IS_ENABLED(CFG_DYN_CONFIG)) { 922 size_t sz = sizeof(struct thread_core_local) * 923 CFG_TEE_CORE_NB_CORE; 924 void *p = boot_mem_alloc(sz, alignof(void *) * 2); 925 926 #ifdef CFG_NS_VIRTUALIZATION 927 nex_malloc_add_pool(p, sz); 928 #else 929 malloc_add_pool(p, sz); 930 #endif 931 } 932 933 core_mmu_save_mem_map(); 934 core_mmu_init_phys_mem(); 935 boot_mem_foreach_padding(add_padding_to_pool, NULL); 936 va = boot_mem_release_unused(); 937 if (!IS_ENABLED(CFG_WITH_PAGER)) { 938 /* 939 * We must update boot_cached_mem_end to reflect the memory 940 * just unmapped by boot_mem_release_unused(). 941 */ 942 assert(va && va <= boot_cached_mem_end); 943 boot_cached_mem_end = va; 944 } 945 946 if (IS_ENABLED(CFG_DYN_CONFIG)) { 947 /* 948 * This is needed to enable virt_page_alloc() now that 949 * boot_mem_alloc() can't be used any longer. 950 */ 951 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) 952 nex_page_alloc_init(); 953 else 954 page_alloc_init(); 955 } 956 957 if (IS_ENABLED(CFG_WITH_PAGER)) { 958 /* 959 * Pager: init_runtime() calls thread_kernel_enable_vfp() 960 * so we must set a current thread right now to avoid a 961 * chicken-and-egg problem (thread_init_boot_thread() sets 962 * the current thread but needs things set by 963 * init_runtime()). 964 */ 965 thread_get_core_local()->curr_thread = 0; 966 init_pager_runtime(pageable_part); 967 } 968 969 /* Initialize canaries around the stacks */ 970 thread_init_canaries(); 971 thread_init_per_cpu(); 972 } 973 974 static bool cpu_nmfi_enabled(void) 975 { 976 #if defined(ARM32) 977 return read_sctlr() & SCTLR_NMFI; 978 #else 979 /* Note: ARM64 does not feature non-maskable FIQ support. */ 980 return false; 981 #endif 982 } 983 984 /* 985 * Note: this function is weak just to make it possible to exclude it from 986 * the unpaged area. 987 */ 988 void __weak boot_init_primary_late(unsigned long fdt __unused, 989 unsigned long manifest __unused) 990 { 991 size_t fdt_size = CFG_DTB_MAX_SIZE; 992 993 if (IS_ENABLED(CFG_TRANSFER_LIST) && mapped_tl) { 994 struct transfer_list_entry *tl_e = NULL; 995 996 tl_e = transfer_list_find(mapped_tl, TL_TAG_FDT); 997 if (tl_e) { 998 /* 999 * Expand the data size of the DTB entry to the maximum 1000 * allocable mapped memory to reserve sufficient space 1001 * for inserting new nodes, avoid potentially corrupting 1002 * next entries. 1003 */ 1004 uint32_t dtb_max_sz = mapped_tl->max_size - 1005 mapped_tl->size + tl_e->data_size; 1006 1007 if (!transfer_list_set_data_size(mapped_tl, tl_e, 1008 dtb_max_sz)) { 1009 EMSG("Failed to extend DTB size to %#"PRIx32, 1010 dtb_max_sz); 1011 panic(); 1012 } 1013 fdt_size = tl_e->data_size; 1014 } 1015 } 1016 1017 init_external_dt(boot_arg_fdt, fdt_size); 1018 reinit_manifest_dt(); 1019 #ifdef CFG_CORE_FFA 1020 tpm_map_log_area(get_manifest_dt()); 1021 #else 1022 tpm_map_log_area(get_external_dt()); 1023 #endif 1024 discover_nsec_memory(); 1025 update_external_dt(); 1026 configure_console_from_dt(); 1027 1028 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) { 1029 /* 1030 * Virtualization: We can't initialize threads right now because 1031 * threads belong to "tee" part and will be initialized 1032 * separately per each new virtual guest. So, we'll clear 1033 * "curr_thread" and call it done. 1034 */ 1035 thread_get_core_local()->curr_thread = -1; 1036 } else { 1037 thread_init_threads(CFG_NUM_THREADS); 1038 thread_init_boot_thread(); 1039 } 1040 thread_init_thread_core_local(CFG_TEE_CORE_NB_CORE); 1041 } 1042 1043 void __weak boot_init_primary_runtime(void) 1044 { 1045 thread_init_primary(); 1046 IMSG("OP-TEE version: %s", core_v_str); 1047 if (IS_ENABLED(CFG_INSECURE)) { 1048 IMSG("WARNING: This OP-TEE configuration might be insecure!"); 1049 IMSG("WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html"); 1050 } 1051 IMSG("Primary CPU initializing"); 1052 #ifdef CFG_CORE_ASLR 1053 DMSG("Executing at offset %#lx with virtual load address %#"PRIxVA, 1054 (unsigned long)boot_mmu_config.map_offset, VCORE_START_VA); 1055 #endif 1056 #ifdef CFG_NS_VIRTUALIZATION 1057 DMSG("NS-virtualization enabled, supporting %u guests", 1058 CFG_VIRT_GUEST_COUNT); 1059 #endif 1060 if (IS_ENABLED(CFG_MEMTAG)) 1061 DMSG("Memory tagging %s", 1062 memtag_is_enabled() ? "enabled" : "disabled"); 1063 1064 /* Check if platform needs NMFI workaround */ 1065 if (cpu_nmfi_enabled()) { 1066 if (!IS_ENABLED(CFG_CORE_WORKAROUND_ARM_NMFI)) 1067 IMSG("WARNING: This ARM core has NMFI enabled, please apply workaround!"); 1068 } else { 1069 if (IS_ENABLED(CFG_CORE_WORKAROUND_ARM_NMFI)) 1070 IMSG("WARNING: This ARM core does not have NMFI enabled, no need for workaround"); 1071 } 1072 1073 boot_primary_init_intc(); 1074 init_vfp_nsec(); 1075 if (!IS_ENABLED(CFG_NS_VIRTUALIZATION)) { 1076 /* 1077 * Unmask native interrupts during driver initcalls. 1078 * 1079 * NS-virtualization still uses the temporary stack also 1080 * used for exception handling so it must still have native 1081 * interrupts masked. 1082 */ 1083 thread_set_exceptions(thread_get_exceptions() & 1084 ~THREAD_EXCP_NATIVE_INTR); 1085 init_tee_runtime(); 1086 } 1087 1088 if (!IS_ENABLED(CFG_WITH_PAGER)) 1089 boot_mem_release_tmp_alloc(); 1090 } 1091 1092 void __weak boot_init_primary_final(void) 1093 { 1094 if (!IS_ENABLED(CFG_NS_VIRTUALIZATION)) 1095 call_driver_initcalls(); 1096 1097 call_finalcalls(); 1098 1099 IMSG("Primary CPU switching to normal world boot"); 1100 1101 /* Mask native interrupts before switching to the normal world */ 1102 if (!IS_ENABLED(CFG_NS_VIRTUALIZATION)) 1103 thread_set_exceptions(thread_get_exceptions() | 1104 THREAD_EXCP_NATIVE_INTR); 1105 } 1106 1107 static void init_secondary_helper(void) 1108 { 1109 IMSG("Secondary CPU %zu initializing", get_core_pos()); 1110 1111 /* 1112 * Mask asynchronous exceptions before switch to the thread vector 1113 * as the thread handler requires those to be masked while 1114 * executing with the temporary stack. The thread subsystem also 1115 * asserts that the foreign interrupts are blocked when using most of 1116 * its functions. 1117 */ 1118 thread_set_exceptions(THREAD_EXCP_ALL); 1119 1120 secondary_init_cntfrq(); 1121 thread_init_per_cpu(); 1122 boot_secondary_init_intc(); 1123 init_vfp_sec(); 1124 init_vfp_nsec(); 1125 1126 IMSG("Secondary CPU %zu switching to normal world boot", get_core_pos()); 1127 } 1128 1129 /* 1130 * Note: this function is weak just to make it possible to exclude it from 1131 * the unpaged area so that it lies in the init area. 1132 */ 1133 void __weak boot_init_primary_early(void) 1134 { 1135 unsigned long pageable_part = 0; 1136 struct transfer_list_entry *tl_e = NULL; 1137 1138 if (IS_ENABLED(CFG_TRANSFER_LIST) && boot_arg_transfer_list) { 1139 /* map and save the TL */ 1140 mapped_tl = transfer_list_map(boot_arg_transfer_list); 1141 if (!mapped_tl) 1142 panic("Failed to map transfer list"); 1143 1144 transfer_list_dump(mapped_tl); 1145 tl_e = transfer_list_find(mapped_tl, TL_TAG_OPTEE_PAGABLE_PART); 1146 } 1147 1148 if (IS_ENABLED(CFG_WITH_PAGER)) { 1149 if (IS_ENABLED(CFG_TRANSFER_LIST) && tl_e) 1150 pageable_part = 1151 get_le64(transfer_list_entry_data(tl_e)); 1152 else 1153 pageable_part = boot_arg_pageable_part; 1154 } 1155 1156 init_primary(pageable_part); 1157 } 1158 1159 static void boot_save_transfer_list(unsigned long zero_reg, 1160 unsigned long transfer_list, 1161 unsigned long fdt) 1162 { 1163 struct transfer_list_header *tl = (void *)transfer_list; 1164 struct transfer_list_entry *tl_e = NULL; 1165 1166 if (zero_reg != 0) 1167 panic("Incorrect transfer list register convention"); 1168 1169 if (!IS_ALIGNED_WITH_TYPE(transfer_list, struct transfer_list_header) || 1170 !IS_ALIGNED(transfer_list, TL_ALIGNMENT_FROM_ORDER(tl->alignment))) 1171 panic("Transfer list base address is not aligned"); 1172 1173 if (transfer_list_check_header(tl) == TL_OPS_NONE) 1174 panic("Invalid transfer list"); 1175 1176 tl_e = transfer_list_find(tl, TL_TAG_FDT); 1177 if (fdt != (unsigned long)transfer_list_entry_data(tl_e)) 1178 panic("DT does not match to the DT entry of the TL"); 1179 1180 boot_arg_transfer_list = transfer_list; 1181 } 1182 1183 #if defined(CFG_WITH_ARM_TRUSTED_FW) 1184 unsigned long boot_cpu_on_handler(unsigned long a0 __maybe_unused, 1185 unsigned long a1 __unused) 1186 { 1187 init_secondary_helper(); 1188 return 0; 1189 } 1190 #else 1191 void boot_init_secondary(unsigned long nsec_entry __unused) 1192 { 1193 init_secondary_helper(); 1194 } 1195 #endif 1196 1197 #if defined(CFG_BOOT_SECONDARY_REQUEST) 1198 void boot_set_core_ns_entry(size_t core_idx, uintptr_t entry, 1199 uintptr_t context_id) 1200 { 1201 ns_entry_contexts[core_idx].entry_point = entry; 1202 ns_entry_contexts[core_idx].context_id = context_id; 1203 dsb_ishst(); 1204 } 1205 1206 int boot_core_release(size_t core_idx, paddr_t entry) 1207 { 1208 if (!core_idx || core_idx >= CFG_TEE_CORE_NB_CORE) 1209 return -1; 1210 1211 ns_entry_contexts[core_idx].entry_point = entry; 1212 dmb(); 1213 spin_table[core_idx] = 1; 1214 dsb(); 1215 sev(); 1216 1217 return 0; 1218 } 1219 1220 /* 1221 * spin until secondary boot request, then returns with 1222 * the secondary core entry address. 1223 */ 1224 struct ns_entry_context *boot_core_hpen(void) 1225 { 1226 #ifdef CFG_PSCI_ARM32 1227 return &ns_entry_contexts[get_core_pos()]; 1228 #else 1229 do { 1230 wfe(); 1231 } while (!spin_table[get_core_pos()]); 1232 dmb(); 1233 return &ns_entry_contexts[get_core_pos()]; 1234 #endif 1235 } 1236 #endif 1237 1238 #if defined(CFG_CORE_ASLR) 1239 #if defined(CFG_DT) 1240 unsigned long __weak get_aslr_seed(void) 1241 { 1242 void *fdt = NULL; 1243 int rc = 0; 1244 const uint64_t *seed = NULL; 1245 int offs = 0; 1246 int len = 0; 1247 1248 if (!IS_ENABLED(CFG_CORE_SEL2_SPMC)) 1249 fdt = (void *)boot_arg_fdt; 1250 1251 if (!fdt) { 1252 DMSG("No fdt"); 1253 goto err; 1254 } 1255 1256 rc = fdt_check_header(fdt); 1257 if (rc) { 1258 DMSG("Bad fdt: %d", rc); 1259 goto err; 1260 } 1261 1262 offs = fdt_path_offset(fdt, "/secure-chosen"); 1263 if (offs < 0) { 1264 DMSG("Cannot find /secure-chosen"); 1265 goto err; 1266 } 1267 seed = fdt_getprop(fdt, offs, "kaslr-seed", &len); 1268 if (!seed || len != sizeof(*seed)) { 1269 DMSG("Cannot find valid kaslr-seed"); 1270 goto err; 1271 } 1272 1273 return fdt64_to_cpu(fdt64_ld(seed)); 1274 1275 err: 1276 /* Try platform implementation */ 1277 return plat_get_aslr_seed(); 1278 } 1279 #else /*!CFG_DT*/ 1280 unsigned long __weak get_aslr_seed(void) 1281 { 1282 /* Try platform implementation */ 1283 return plat_get_aslr_seed(); 1284 } 1285 #endif /*!CFG_DT*/ 1286 #endif /*CFG_CORE_ASLR*/ 1287 1288 static void *get_fdt_from_boot_info(struct ffa_boot_info_header_1_1 *hdr) 1289 { 1290 struct ffa_boot_info_1_1 *desc = NULL; 1291 uint8_t content_fmt = 0; 1292 uint8_t name_fmt = 0; 1293 void *fdt = NULL; 1294 int ret = 0; 1295 1296 if (hdr->signature != FFA_BOOT_INFO_SIGNATURE) { 1297 EMSG("Bad boot info signature %#"PRIx32, hdr->signature); 1298 panic(); 1299 } 1300 if (hdr->version != FFA_BOOT_INFO_VERSION_1_1 && 1301 hdr->version != FFA_BOOT_INFO_VERSION_1_2) { 1302 EMSG("Bad boot info version %#"PRIx32, hdr->version); 1303 panic(); 1304 } 1305 if (hdr->desc_count != 1) { 1306 EMSG("Bad boot info descriptor count %#"PRIx32, 1307 hdr->desc_count); 1308 panic(); 1309 } 1310 desc = (void *)((vaddr_t)hdr + hdr->desc_offset); 1311 name_fmt = desc->flags & FFA_BOOT_INFO_FLAG_NAME_FORMAT_MASK; 1312 if (name_fmt == FFA_BOOT_INFO_FLAG_NAME_FORMAT_STRING) 1313 DMSG("Boot info descriptor name \"%16s\"", desc->name); 1314 else if (name_fmt == FFA_BOOT_INFO_FLAG_NAME_FORMAT_UUID) 1315 DMSG("Boot info descriptor UUID %pUl", (void *)desc->name); 1316 else 1317 DMSG("Boot info descriptor: unknown name format %"PRIu8, 1318 name_fmt); 1319 1320 content_fmt = (desc->flags & FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_MASK) >> 1321 FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_SHIFT; 1322 if (content_fmt != FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_ADDR) { 1323 EMSG("Bad boot info content format %"PRIu8", expected %u (address)", 1324 content_fmt, FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_ADDR); 1325 panic(); 1326 } 1327 1328 fdt = (void *)(vaddr_t)desc->contents; 1329 ret = fdt_check_full(fdt, desc->size); 1330 if (ret < 0) { 1331 EMSG("Invalid Device Tree at %p: error %d", fdt, ret); 1332 panic(); 1333 } 1334 return fdt; 1335 } 1336 1337 static void get_sec_mem_from_manifest(void *fdt, paddr_t *base, 1338 paddr_size_t *size) 1339 { 1340 int ret = 0; 1341 uint64_t num = 0; 1342 1343 ret = fdt_node_check_compatible(fdt, 0, "arm,ffa-manifest-1.0"); 1344 if (ret < 0) { 1345 EMSG("Invalid FF-A manifest at %p: error %d", fdt, ret); 1346 panic(); 1347 } 1348 ret = dt_getprop_as_number(fdt, 0, "load-address", &num); 1349 if (ret < 0) { 1350 EMSG("Can't read \"load-address\" from FF-A manifest at %p: error %d", 1351 fdt, ret); 1352 panic(); 1353 } 1354 *base = num; 1355 /* "mem-size" is currently an undocumented extension to the spec. */ 1356 ret = dt_getprop_as_number(fdt, 0, "mem-size", &num); 1357 if (ret < 0) { 1358 EMSG("Can't read \"mem-size\" from FF-A manifest at %p: error %d", 1359 fdt, ret); 1360 panic(); 1361 } 1362 *size = num; 1363 } 1364 1365 void __weak boot_save_args(unsigned long a0, unsigned long a1, 1366 unsigned long a2, unsigned long a3, 1367 unsigned long a4 __maybe_unused) 1368 { 1369 /* 1370 * Register use: 1371 * 1372 * Scenario A: Default arguments 1373 * a0 - CFG_CORE_FFA=y && CFG_CORE_SEL2_SPMC=n: 1374 * if non-NULL holds the TOS FW config [1] address 1375 * - CFG_CORE_FFA=y && 1376 (CFG_CORE_SEL2_SPMC=y || CFG_CORE_EL3_SPMC=y): 1377 * address of FF-A Boot Information Blob 1378 * - CFG_CORE_FFA=n: 1379 * if non-NULL holds the pagable part address 1380 * a1 - CFG_WITH_ARM_TRUSTED_FW=n (Armv7): 1381 * Armv7 standard bootarg #1 (kept track of in entry_a32.S) 1382 * a2 - CFG_CORE_SEL2_SPMC=n: 1383 * if non-NULL holds the system DTB address 1384 * - CFG_WITH_ARM_TRUSTED_FW=n (Armv7): 1385 * Armv7 standard bootarg #2 (system DTB address, kept track 1386 * of in entry_a32.S) 1387 * a3 - Not used 1388 * a4 - CFG_WITH_ARM_TRUSTED_FW=n: 1389 * Non-secure entry address 1390 * 1391 * [1] A TF-A concept: TOS_FW_CONFIG - Trusted OS Firmware 1392 * configuration file. Used by Trusted OS (BL32), that is, OP-TEE 1393 * here. This is also called Manifest DT, related to the Manifest DT 1394 * passed in the FF-A Boot Information Blob, but with a different 1395 * compatible string. 1396 1397 * Scenario B: FW Handoff via Transfer List 1398 * Note: FF-A and non-secure entry are not yet supported with 1399 * Transfer List 1400 * a0 - DTB address or 0 (AArch64) 1401 * - must be 0 (AArch32) 1402 * a1 - 1 << 32 | TRANSFER_LIST_SIGNATURE[0:31] (AArch64) 1403 * - 1 << 24 | TRANSFER_LIST_SIGNATURE[0:23] (AArch32) 1404 * a2 - must be 0 (AArch64) 1405 * - DTB address or 0 (AArch32) 1406 * a3 - Transfer list base address 1407 * a4 - Not used 1408 */ 1409 1410 if (IS_ENABLED(CFG_TRANSFER_LIST)) { 1411 if (IS_ENABLED(CFG_ARM64_core) && 1412 a1 == TL_HANDOFF_X1_VALUE(TL_REG_CONVENTION_VER)) { 1413 boot_save_transfer_list(a2, a3, a0); 1414 boot_arg_fdt = a0; 1415 } else if (IS_ENABLED(CFG_ARM32_core) && 1416 a1 == TL_HANDOFF_R1_VALUE(TL_REG_CONVENTION_VER)) { 1417 boot_save_transfer_list(a0, a3, a2); 1418 boot_arg_fdt = a2; 1419 } 1420 1421 return; 1422 } 1423 1424 if (!IS_ENABLED(CFG_CORE_SEL2_SPMC)) { 1425 #if defined(CFG_DT_ADDR) 1426 boot_arg_fdt = CFG_DT_ADDR; 1427 #else 1428 boot_arg_fdt = a2; 1429 #endif 1430 } 1431 1432 if (IS_ENABLED(CFG_CORE_FFA)) { 1433 size_t fdt_max_size = CFG_DTB_MAX_SIZE; 1434 void *fdt = NULL; 1435 1436 if (IS_ENABLED(CFG_CORE_SEL2_SPMC) || 1437 IS_ENABLED(CFG_CORE_EL3_SPMC)) 1438 fdt = get_fdt_from_boot_info((void *)a0); 1439 else 1440 fdt = (void *)a0; 1441 if (IS_ENABLED(CFG_CORE_SEL2_SPMC)) { 1442 paddr_size_t size = 0; 1443 paddr_t base = 0; 1444 1445 if (IS_ENABLED(CFG_CORE_PHYS_RELOCATABLE)) { 1446 get_sec_mem_from_manifest(fdt, &base, &size); 1447 core_mmu_set_secure_memory(base, size); 1448 } else { 1449 core_mmu_get_secure_memory(&base, &size); 1450 } 1451 assert((unsigned long)fdt >= base); 1452 assert((unsigned long)fdt <= base + size); 1453 assert((unsigned long)fdt < VCORE_START_VA); 1454 fdt_max_size = VCORE_START_VA - (unsigned long)fdt; 1455 } 1456 init_manifest_dt(fdt, fdt_max_size); 1457 } else { 1458 if (IS_ENABLED(CFG_WITH_PAGER)) { 1459 #if defined(CFG_PAGEABLE_ADDR) 1460 boot_arg_pageable_part = CFG_PAGEABLE_ADDR; 1461 #else 1462 boot_arg_pageable_part = a0; 1463 #endif 1464 } 1465 if (!IS_ENABLED(CFG_WITH_ARM_TRUSTED_FW)) { 1466 #if defined(CFG_NS_ENTRY_ADDR) 1467 boot_arg_nsec_entry = CFG_NS_ENTRY_ADDR; 1468 #else 1469 boot_arg_nsec_entry = a4; 1470 #endif 1471 } 1472 } 1473 } 1474 1475 #if defined(CFG_TRANSFER_LIST) 1476 static TEE_Result release_transfer_list(void) 1477 { 1478 struct dt_descriptor *dt = get_external_dt_desc(); 1479 1480 if (!mapped_tl) 1481 return TEE_SUCCESS; 1482 1483 if (dt) { 1484 int ret = 0; 1485 struct transfer_list_entry *tl_e = NULL; 1486 1487 /* 1488 * Pack the DTB and update the transfer list before un-mapping 1489 */ 1490 ret = fdt_pack(dt->blob); 1491 if (ret < 0) { 1492 EMSG("Failed to pack Device Tree at 0x%" PRIxPA 1493 ": error %d", virt_to_phys(dt->blob), ret); 1494 panic(); 1495 } 1496 1497 tl_e = transfer_list_find(mapped_tl, TL_TAG_FDT); 1498 assert(dt->blob == transfer_list_entry_data(tl_e)); 1499 transfer_list_set_data_size(mapped_tl, tl_e, 1500 fdt_totalsize(dt->blob)); 1501 dt->blob = NULL; 1502 } 1503 1504 transfer_list_unmap_sync(mapped_tl); 1505 mapped_tl = NULL; 1506 1507 return TEE_SUCCESS; 1508 } 1509 1510 boot_final(release_transfer_list); 1511 #endif 1512