1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2020-2024, Arm Limited. 4 */ 5 #include <crypto/crypto.h> 6 #include <initcall.h> 7 #include <kernel/boot.h> 8 #include <kernel/embedded_ts.h> 9 #include <kernel/ldelf_loader.h> 10 #include <kernel/secure_partition.h> 11 #include <kernel/spinlock.h> 12 #include <kernel/spmc_sp_handler.h> 13 #include <kernel/thread_private.h> 14 #include <kernel/thread_spmc.h> 15 #include <kernel/tpm.h> 16 #include <kernel/ts_store.h> 17 #include <ldelf.h> 18 #include <libfdt.h> 19 #include <mm/core_mmu.h> 20 #include <mm/fobj.h> 21 #include <mm/mobj.h> 22 #include <mm/phys_mem.h> 23 #include <mm/vm.h> 24 #include <optee_ffa.h> 25 #include <stdio.h> 26 #include <string.h> 27 #include <tee/uuid.h> 28 #include <tee_api_types.h> 29 #include <trace.h> 30 #include <types_ext.h> 31 #include <utee_defines.h> 32 #include <util.h> 33 #include <zlib.h> 34 35 #define BOUNCE_BUFFER_SIZE 4096 36 37 #define UNDEFINED_BOOT_ORDER_VALUE UINT32_MAX 38 39 #define SP_MANIFEST_ATTR_READ BIT(0) 40 #define SP_MANIFEST_ATTR_WRITE BIT(1) 41 #define SP_MANIFEST_ATTR_EXEC BIT(2) 42 #define SP_MANIFEST_ATTR_NSEC BIT(3) 43 #define SP_MANIFEST_ATTR_GP BIT(4) 44 45 #define SP_MANIFEST_ATTR_RO (SP_MANIFEST_ATTR_READ) 46 #define SP_MANIFEST_ATTR_RW (SP_MANIFEST_ATTR_READ | \ 47 SP_MANIFEST_ATTR_WRITE) 48 #define SP_MANIFEST_ATTR_RX (SP_MANIFEST_ATTR_READ | \ 49 SP_MANIFEST_ATTR_EXEC) 50 #define SP_MANIFEST_ATTR_RWX (SP_MANIFEST_ATTR_READ | \ 51 SP_MANIFEST_ATTR_WRITE | \ 52 SP_MANIFEST_ATTR_EXEC) 53 54 #define SP_MANIFEST_FLAG_NOBITS BIT(0) 55 56 #define SP_MANIFEST_NS_INT_QUEUED (0x0) 57 #define SP_MANIFEST_NS_INT_MANAGED_EXIT (0x1) 58 #define SP_MANIFEST_NS_INT_SIGNALED (0x2) 59 60 #define SP_MANIFEST_EXEC_STATE_AARCH64 (0x0) 61 #define SP_MANIFEST_EXEC_STATE_AARCH32 (0x1) 62 63 #define SP_MANIFEST_DIRECT_REQ_RECEIVE BIT(0) 64 #define SP_MANIFEST_DIRECT_REQ_SEND BIT(1) 65 #define SP_MANIFEST_INDIRECT_REQ BIT(2) 66 67 #define SP_MANIFEST_VM_CREATED_MSG BIT(0) 68 #define SP_MANIFEST_VM_DESTROYED_MSG BIT(1) 69 70 #define SP_PKG_HEADER_MAGIC (0x474b5053) 71 #define SP_PKG_HEADER_VERSION_V1 (0x1) 72 #define SP_PKG_HEADER_VERSION_V2 (0x2) 73 74 struct sp_pkg_header { 75 uint32_t magic; 76 uint32_t version; 77 uint32_t pm_offset; 78 uint32_t pm_size; 79 uint32_t img_offset; 80 uint32_t img_size; 81 }; 82 83 struct fip_sp_head fip_sp_list = STAILQ_HEAD_INITIALIZER(fip_sp_list); 84 85 static const struct ts_ops sp_ops; 86 87 /* List that holds all of the loaded SP's */ 88 static struct sp_sessions_head open_sp_sessions = 89 TAILQ_HEAD_INITIALIZER(open_sp_sessions); 90 91 static const struct embedded_ts *find_secure_partition(const TEE_UUID *uuid) 92 { 93 const struct sp_image *sp = NULL; 94 const struct fip_sp *fip_sp = NULL; 95 96 for_each_secure_partition(sp) { 97 if (!memcmp(&sp->image.uuid, uuid, sizeof(*uuid))) 98 return &sp->image; 99 } 100 101 for_each_fip_sp(fip_sp) { 102 if (!memcmp(&fip_sp->sp_img.image.uuid, uuid, sizeof(*uuid))) 103 return &fip_sp->sp_img.image; 104 } 105 106 return NULL; 107 } 108 109 bool is_sp_ctx(struct ts_ctx *ctx) 110 { 111 return ctx && (ctx->ops == &sp_ops); 112 } 113 114 static void set_sp_ctx_ops(struct ts_ctx *ctx) 115 { 116 ctx->ops = &sp_ops; 117 } 118 119 struct sp_session *sp_get_session(uint32_t session_id) 120 { 121 struct sp_session *s = NULL; 122 123 TAILQ_FOREACH(s, &open_sp_sessions, link) { 124 if (s->endpoint_id == session_id) 125 return s; 126 } 127 128 return NULL; 129 } 130 131 TEE_Result sp_partition_info_get(uint32_t ffa_vers, void *buf, size_t buf_size, 132 const uint32_t ffa_uuid_words[4], 133 size_t *elem_count, bool count_only) 134 { 135 TEE_Result res = TEE_SUCCESS; 136 struct sp_session *s = NULL; 137 TEE_UUID uuid = { }; 138 TEE_UUID *ffa_uuid = NULL; 139 enum sp_status st = sp_idle; 140 141 if (ffa_uuid_words) { 142 tee_uuid_from_octets(&uuid, (void *)ffa_uuid_words); 143 ffa_uuid = &uuid; 144 } 145 146 TAILQ_FOREACH(s, &open_sp_sessions, link) { 147 if (ffa_uuid && 148 memcmp(&s->ffa_uuid, ffa_uuid, sizeof(*ffa_uuid))) 149 continue; 150 151 cpu_spin_lock(&s->spinlock); 152 st = s->state; 153 cpu_spin_unlock(&s->spinlock); 154 if (st == sp_dead) 155 continue; 156 157 if (!count_only && !res) { 158 uint32_t uuid_words[4] = { 0 }; 159 160 tee_uuid_to_octets((uint8_t *)uuid_words, &s->ffa_uuid); 161 res = spmc_fill_partition_entry(ffa_vers, buf, buf_size, 162 *elem_count, 163 s->endpoint_id, 1, 164 s->props, uuid_words); 165 } 166 *elem_count += 1; 167 } 168 169 return res; 170 } 171 172 bool sp_has_exclusive_access(struct sp_mem_map_region *mem, 173 struct user_mode_ctx *uctx) 174 { 175 /* 176 * Check that we have access to the region if it is supposed to be 177 * mapped to the current context. 178 */ 179 if (uctx) { 180 struct vm_region *region = NULL; 181 182 /* Make sure that each mobj belongs to the SP */ 183 TAILQ_FOREACH(region, &uctx->vm_info.regions, link) { 184 if (region->mobj == mem->mobj) 185 break; 186 } 187 188 if (!region) 189 return false; 190 } 191 192 /* Check that it is not shared with another SP */ 193 return !sp_mem_is_shared(mem); 194 } 195 196 static bool endpoint_id_is_valid(uint32_t id) 197 { 198 /* 199 * These IDs are assigned at the SPMC init so already have valid values 200 * by the time this function gets first called 201 */ 202 return !spmc_is_reserved_id(id) && !spmc_find_lsp_by_sp_id(id) && 203 id >= FFA_SWD_ID_MIN && id <= FFA_SWD_ID_MAX; 204 } 205 206 static TEE_Result new_session_id(uint16_t *endpoint_id) 207 { 208 uint32_t id = 0; 209 210 /* Find the first available endpoint id */ 211 for (id = FFA_SWD_ID_MIN; id <= FFA_SWD_ID_MAX; id++) { 212 if (endpoint_id_is_valid(id) && !sp_get_session(id)) { 213 *endpoint_id = id; 214 return TEE_SUCCESS; 215 } 216 } 217 218 return TEE_ERROR_BAD_FORMAT; 219 } 220 221 static TEE_Result sp_create_ctx(const TEE_UUID *bin_uuid, struct sp_session *s) 222 { 223 TEE_Result res = TEE_SUCCESS; 224 struct sp_ctx *spc = NULL; 225 226 /* Register context */ 227 spc = calloc(1, sizeof(struct sp_ctx)); 228 if (!spc) 229 return TEE_ERROR_OUT_OF_MEMORY; 230 231 spc->open_session = s; 232 s->ts_sess.ctx = &spc->ts_ctx; 233 spc->ts_ctx.uuid = *bin_uuid; 234 235 res = vm_info_init(&spc->uctx, &spc->ts_ctx); 236 if (res) 237 goto err; 238 239 set_sp_ctx_ops(&spc->ts_ctx); 240 241 #ifdef CFG_TA_PAUTH 242 crypto_rng_read(&spc->uctx.keys, sizeof(spc->uctx.keys)); 243 #endif 244 245 return TEE_SUCCESS; 246 247 err: 248 free(spc); 249 return res; 250 } 251 252 /* 253 * Insert a new sp_session to the sessions list, so that it is ordered 254 * by boot_order. 255 */ 256 static void insert_session_ordered(struct sp_sessions_head *open_sessions, 257 struct sp_session *session) 258 { 259 struct sp_session *s = NULL; 260 261 if (!open_sessions || !session) 262 return; 263 264 TAILQ_FOREACH(s, &open_sp_sessions, link) { 265 if (s->boot_order > session->boot_order) 266 break; 267 } 268 269 if (!s) 270 TAILQ_INSERT_TAIL(open_sessions, session, link); 271 else 272 TAILQ_INSERT_BEFORE(s, session, link); 273 } 274 275 static TEE_Result sp_create_session(struct sp_sessions_head *open_sessions, 276 const TEE_UUID *bin_uuid, 277 const uint32_t boot_order, 278 struct sp_session **sess) 279 { 280 TEE_Result res = TEE_SUCCESS; 281 struct sp_session *s = calloc(1, sizeof(struct sp_session)); 282 283 if (!s) 284 return TEE_ERROR_OUT_OF_MEMORY; 285 286 s->boot_order = boot_order; 287 288 /* Other properties are filled later, based on the SP's manifest */ 289 s->props = FFA_PART_PROP_IS_PE_ID; 290 291 res = new_session_id(&s->endpoint_id); 292 if (res) 293 goto err; 294 295 DMSG("Loading Secure Partition %pUl", (void *)bin_uuid); 296 res = sp_create_ctx(bin_uuid, s); 297 if (res) 298 goto err; 299 300 insert_session_ordered(open_sessions, s); 301 *sess = s; 302 return TEE_SUCCESS; 303 304 err: 305 free(s); 306 return res; 307 } 308 309 static TEE_Result sp_init_set_registers(struct sp_ctx *ctx) 310 { 311 struct thread_ctx_regs *sp_regs = &ctx->sp_regs; 312 313 memset(sp_regs, 0, sizeof(*sp_regs)); 314 sp_regs->sp = ctx->uctx.stack_ptr; 315 sp_regs->pc = ctx->uctx.entry_func; 316 317 return TEE_SUCCESS; 318 } 319 320 TEE_Result sp_map_shared(struct sp_session *s, 321 struct sp_mem_receiver *receiver, 322 struct sp_mem *smem, 323 uint64_t *va) 324 { 325 TEE_Result res = TEE_SUCCESS; 326 struct sp_ctx *ctx = NULL; 327 uint32_t perm = TEE_MATTR_UR; 328 struct sp_mem_map_region *reg = NULL; 329 330 ctx = to_sp_ctx(s->ts_sess.ctx); 331 332 /* Get the permission */ 333 if (receiver->perm.perm & FFA_MEM_ACC_EXE) 334 perm |= TEE_MATTR_UX; 335 336 if (receiver->perm.perm & FFA_MEM_ACC_RW) { 337 if (receiver->perm.perm & FFA_MEM_ACC_EXE) 338 return TEE_ERROR_ACCESS_CONFLICT; 339 340 perm |= TEE_MATTR_UW; 341 } 342 /* 343 * Currently we don't support passing a va. We can't guarantee that the 344 * full region will be mapped in a contiguous region. A smem->region can 345 * have multiple mobj for one share. Currently there doesn't seem to be 346 * an option to guarantee that these will be mapped in a contiguous va 347 * space. 348 */ 349 if (*va) 350 return TEE_ERROR_NOT_SUPPORTED; 351 352 SLIST_FOREACH(reg, &smem->regions, link) { 353 res = vm_map(&ctx->uctx, va, reg->page_count * SMALL_PAGE_SIZE, 354 perm, 0, reg->mobj, reg->page_offset); 355 356 if (res != TEE_SUCCESS) { 357 EMSG("Failed to map memory region %#"PRIx32, res); 358 return res; 359 } 360 } 361 return TEE_SUCCESS; 362 } 363 364 TEE_Result sp_unmap_ffa_regions(struct sp_session *s, struct sp_mem *smem) 365 { 366 TEE_Result res = TEE_SUCCESS; 367 vaddr_t vaddr = 0; 368 size_t len = 0; 369 struct sp_ctx *ctx = to_sp_ctx(s->ts_sess.ctx); 370 struct sp_mem_map_region *reg = NULL; 371 372 SLIST_FOREACH(reg, &smem->regions, link) { 373 vaddr = (vaddr_t)sp_mem_get_va(&ctx->uctx, reg->page_offset, 374 reg->mobj); 375 len = reg->page_count * SMALL_PAGE_SIZE; 376 377 res = vm_unmap(&ctx->uctx, vaddr, len); 378 if (res != TEE_SUCCESS) 379 return res; 380 } 381 382 return TEE_SUCCESS; 383 } 384 385 static TEE_Result sp_dt_get_u64(const void *fdt, int node, const char *property, 386 uint64_t *value) 387 { 388 const fdt64_t *p = NULL; 389 int len = 0; 390 391 p = fdt_getprop(fdt, node, property, &len); 392 if (!p) 393 return TEE_ERROR_ITEM_NOT_FOUND; 394 395 if (len != sizeof(*p)) 396 return TEE_ERROR_BAD_FORMAT; 397 398 *value = fdt64_ld(p); 399 400 return TEE_SUCCESS; 401 } 402 403 static TEE_Result sp_dt_get_u32(const void *fdt, int node, const char *property, 404 uint32_t *value) 405 { 406 const fdt32_t *p = NULL; 407 int len = 0; 408 409 p = fdt_getprop(fdt, node, property, &len); 410 if (!p) 411 return TEE_ERROR_ITEM_NOT_FOUND; 412 413 if (len != sizeof(*p)) 414 return TEE_ERROR_BAD_FORMAT; 415 416 *value = fdt32_to_cpu(*p); 417 418 return TEE_SUCCESS; 419 } 420 421 static TEE_Result sp_dt_get_u16(const void *fdt, int node, const char *property, 422 uint16_t *value) 423 { 424 const fdt16_t *p = NULL; 425 int len = 0; 426 427 p = fdt_getprop(fdt, node, property, &len); 428 if (!p) 429 return TEE_ERROR_ITEM_NOT_FOUND; 430 431 if (len != sizeof(*p)) 432 return TEE_ERROR_BAD_FORMAT; 433 434 *value = fdt16_to_cpu(*p); 435 436 return TEE_SUCCESS; 437 } 438 439 static TEE_Result sp_dt_get_uuid(const void *fdt, int node, 440 const char *property, TEE_UUID *uuid) 441 { 442 uint32_t uuid_array[4] = { 0 }; 443 const fdt32_t *p = NULL; 444 int len = 0; 445 int i = 0; 446 447 p = fdt_getprop(fdt, node, property, &len); 448 if (!p) 449 return TEE_ERROR_ITEM_NOT_FOUND; 450 451 if (len != sizeof(TEE_UUID)) 452 return TEE_ERROR_BAD_FORMAT; 453 454 for (i = 0; i < 4; i++) 455 uuid_array[i] = fdt32_to_cpu(p[i]); 456 457 tee_uuid_from_octets(uuid, (uint8_t *)uuid_array); 458 459 return TEE_SUCCESS; 460 } 461 462 static TEE_Result sp_is_elf_format(const void *fdt, int sp_node, 463 bool *is_elf_format) 464 { 465 TEE_Result res = TEE_SUCCESS; 466 uint32_t elf_format = 0; 467 468 res = sp_dt_get_u32(fdt, sp_node, "elf-format", &elf_format); 469 if (res != TEE_SUCCESS && res != TEE_ERROR_ITEM_NOT_FOUND) 470 return res; 471 472 *is_elf_format = (elf_format != 0); 473 474 return TEE_SUCCESS; 475 } 476 477 static TEE_Result sp_binary_open(const TEE_UUID *uuid, 478 const struct ts_store_ops **ops, 479 struct ts_store_handle **handle) 480 { 481 TEE_Result res = TEE_ERROR_ITEM_NOT_FOUND; 482 483 SCATTERED_ARRAY_FOREACH(*ops, sp_stores, struct ts_store_ops) { 484 res = (*ops)->open(uuid, handle); 485 if (res != TEE_ERROR_ITEM_NOT_FOUND && 486 res != TEE_ERROR_STORAGE_NOT_AVAILABLE) 487 break; 488 } 489 490 return res; 491 } 492 493 static TEE_Result load_binary_sp(struct ts_session *s, 494 struct user_mode_ctx *uctx) 495 { 496 size_t bin_size = 0, bin_size_rounded = 0, bin_page_count = 0; 497 size_t bb_size = ROUNDUP(BOUNCE_BUFFER_SIZE, SMALL_PAGE_SIZE); 498 size_t bb_num_pages = bb_size / SMALL_PAGE_SIZE; 499 const struct ts_store_ops *store_ops = NULL; 500 struct ts_store_handle *handle = NULL; 501 TEE_Result res = TEE_SUCCESS; 502 tee_mm_entry_t *mm = NULL; 503 struct fobj *fobj = NULL; 504 struct mobj *mobj = NULL; 505 uaddr_t base_addr = 0; 506 uint32_t vm_flags = 0; 507 unsigned int idx = 0; 508 vaddr_t va = 0; 509 510 if (!s || !uctx) 511 return TEE_ERROR_BAD_PARAMETERS; 512 513 DMSG("Loading raw binary format SP %pUl", &uctx->ts_ctx->uuid); 514 515 /* Initialize the bounce buffer */ 516 fobj = fobj_sec_mem_alloc(bb_num_pages); 517 mobj = mobj_with_fobj_alloc(fobj, NULL, TEE_MATTR_MEM_TYPE_TAGGED); 518 fobj_put(fobj); 519 if (!mobj) 520 return TEE_ERROR_OUT_OF_MEMORY; 521 522 res = vm_map(uctx, &va, bb_size, TEE_MATTR_PRW, 0, mobj, 0); 523 mobj_put(mobj); 524 if (res) 525 return res; 526 527 uctx->bbuf = (uint8_t *)va; 528 uctx->bbuf_size = BOUNCE_BUFFER_SIZE; 529 530 vm_set_ctx(uctx->ts_ctx); 531 532 /* Find TS store and open SP binary */ 533 res = sp_binary_open(&uctx->ts_ctx->uuid, &store_ops, &handle); 534 if (res != TEE_SUCCESS) { 535 EMSG("Failed to open SP binary"); 536 return res; 537 } 538 539 /* Query binary size and calculate page count */ 540 res = store_ops->get_size(handle, &bin_size); 541 if (res != TEE_SUCCESS) 542 goto err; 543 544 if (ROUNDUP_OVERFLOW(bin_size, SMALL_PAGE_SIZE, &bin_size_rounded)) { 545 res = TEE_ERROR_OVERFLOW; 546 goto err; 547 } 548 549 bin_page_count = bin_size_rounded / SMALL_PAGE_SIZE; 550 551 /* Allocate memory */ 552 mm = phys_mem_ta_alloc(bin_size_rounded); 553 if (!mm) { 554 res = TEE_ERROR_OUT_OF_MEMORY; 555 goto err; 556 } 557 558 base_addr = tee_mm_get_smem(mm); 559 560 /* Create mobj */ 561 mobj = sp_mem_new_mobj(bin_page_count, TEE_MATTR_MEM_TYPE_CACHED, true); 562 if (!mobj) { 563 res = TEE_ERROR_OUT_OF_MEMORY; 564 goto err_free_tee_mm; 565 } 566 567 res = sp_mem_add_pages(mobj, &idx, base_addr, bin_page_count); 568 if (res) 569 goto err_free_mobj; 570 571 /* Map memory area for the SP binary */ 572 va = 0; 573 res = vm_map(uctx, &va, bin_size_rounded, TEE_MATTR_URWX, 574 vm_flags, mobj, 0); 575 if (res) 576 goto err_free_mobj; 577 578 /* Read SP binary into the previously mapped memory area */ 579 res = store_ops->read(handle, NULL, (void *)va, bin_size); 580 if (res) 581 goto err_unmap; 582 583 /* Set memory protection to allow execution */ 584 res = vm_set_prot(uctx, va, bin_size_rounded, TEE_MATTR_UX); 585 if (res) 586 goto err_unmap; 587 588 mobj_put(mobj); 589 store_ops->close(handle); 590 591 /* The entry point must be at the beginning of the SP binary. */ 592 uctx->entry_func = va; 593 uctx->load_addr = va; 594 uctx->is_32bit = false; 595 596 s->handle_scall = s->ctx->ops->handle_scall; 597 598 return TEE_SUCCESS; 599 600 err_unmap: 601 vm_unmap(uctx, va, bin_size_rounded); 602 603 err_free_mobj: 604 mobj_put(mobj); 605 606 err_free_tee_mm: 607 tee_mm_free(mm); 608 609 err: 610 store_ops->close(handle); 611 612 return res; 613 } 614 615 static TEE_Result sp_open_session(struct sp_session **sess, 616 struct sp_sessions_head *open_sessions, 617 const TEE_UUID *ffa_uuid, 618 const TEE_UUID *bin_uuid, 619 const uint32_t boot_order, 620 const void *fdt) 621 { 622 TEE_Result res = TEE_SUCCESS; 623 struct sp_session *s = NULL; 624 struct sp_ctx *ctx = NULL; 625 bool is_elf_format = false; 626 627 if (!find_secure_partition(bin_uuid)) 628 return TEE_ERROR_ITEM_NOT_FOUND; 629 630 res = sp_create_session(open_sessions, bin_uuid, boot_order, &s); 631 if (res != TEE_SUCCESS) { 632 DMSG("sp_create_session failed %#"PRIx32, res); 633 return res; 634 } 635 636 ctx = to_sp_ctx(s->ts_sess.ctx); 637 assert(ctx); 638 if (!ctx) 639 return TEE_ERROR_TARGET_DEAD; 640 *sess = s; 641 642 ts_push_current_session(&s->ts_sess); 643 644 res = sp_is_elf_format(fdt, 0, &is_elf_format); 645 if (res == TEE_SUCCESS) { 646 if (is_elf_format) { 647 /* Load the SP using ldelf. */ 648 ldelf_load_ldelf(&ctx->uctx); 649 res = ldelf_init_with_ldelf(&s->ts_sess, &ctx->uctx); 650 } else { 651 /* Raw binary format SP */ 652 res = load_binary_sp(&s->ts_sess, &ctx->uctx); 653 } 654 } else { 655 EMSG("Failed to detect SP format"); 656 } 657 658 if (res != TEE_SUCCESS) { 659 EMSG("Failed loading SP %#"PRIx32, res); 660 ts_pop_current_session(); 661 return TEE_ERROR_TARGET_DEAD; 662 } 663 664 /* 665 * Make the SP ready for its first run. 666 * Set state to busy to prevent other endpoints from sending messages to 667 * the SP before its boot phase is done. 668 */ 669 s->state = sp_busy; 670 s->caller_id = 0; 671 sp_init_set_registers(ctx); 672 memcpy(&s->ffa_uuid, ffa_uuid, sizeof(*ffa_uuid)); 673 ts_pop_current_session(); 674 675 return TEE_SUCCESS; 676 } 677 678 static TEE_Result fdt_get_uuid(const void * const fdt, TEE_UUID *uuid) 679 { 680 const struct fdt_property *description = NULL; 681 int description_name_len = 0; 682 683 if (fdt_node_check_compatible(fdt, 0, "arm,ffa-manifest-1.0")) { 684 EMSG("Failed loading SP, manifest not found"); 685 return TEE_ERROR_BAD_PARAMETERS; 686 } 687 688 description = fdt_get_property(fdt, 0, "description", 689 &description_name_len); 690 if (description) 691 DMSG("Loading SP: %s", description->data); 692 693 if (sp_dt_get_uuid(fdt, 0, "uuid", uuid)) { 694 EMSG("Missing or invalid UUID in SP manifest"); 695 return TEE_ERROR_BAD_FORMAT; 696 } 697 698 return TEE_SUCCESS; 699 } 700 701 static TEE_Result copy_and_map_fdt(struct sp_ctx *ctx, const void * const fdt, 702 void **fdt_copy, size_t *mapped_size) 703 { 704 size_t total_size = ROUNDUP(fdt_totalsize(fdt), SMALL_PAGE_SIZE); 705 size_t num_pages = total_size / SMALL_PAGE_SIZE; 706 uint32_t perm = TEE_MATTR_UR | TEE_MATTR_PRW; 707 TEE_Result res = TEE_SUCCESS; 708 struct mobj *m = NULL; 709 struct fobj *f = NULL; 710 vaddr_t va = 0; 711 712 f = fobj_sec_mem_alloc(num_pages); 713 m = mobj_with_fobj_alloc(f, NULL, TEE_MATTR_MEM_TYPE_TAGGED); 714 fobj_put(f); 715 if (!m) 716 return TEE_ERROR_OUT_OF_MEMORY; 717 718 res = vm_map(&ctx->uctx, &va, total_size, perm, 0, m, 0); 719 mobj_put(m); 720 if (res) 721 return res; 722 723 if (fdt_open_into(fdt, (void *)va, total_size)) 724 return TEE_ERROR_GENERIC; 725 726 *fdt_copy = (void *)va; 727 *mapped_size = total_size; 728 729 return res; 730 } 731 732 static void fill_boot_info_1_0(vaddr_t buf, const void *fdt) 733 { 734 struct ffa_boot_info_1_0 *info = (struct ffa_boot_info_1_0 *)buf; 735 static const char fdt_name[16] = "TYPE_DT\0\0\0\0\0\0\0\0"; 736 737 memcpy(&info->magic, "FF-A", 4); 738 info->count = 1; 739 740 COMPILE_TIME_ASSERT(sizeof(info->nvp[0].name) == sizeof(fdt_name)); 741 memcpy(info->nvp[0].name, fdt_name, sizeof(fdt_name)); 742 info->nvp[0].value = (uintptr_t)fdt; 743 info->nvp[0].size = fdt_totalsize(fdt); 744 } 745 746 static void fill_boot_info_1_1(vaddr_t buf, const void *fdt, uint32_t vers) 747 { 748 size_t desc_offs = ROUNDUP(sizeof(struct ffa_boot_info_header_1_1), 8); 749 struct ffa_boot_info_header_1_1 *header = 750 (struct ffa_boot_info_header_1_1 *)buf; 751 struct ffa_boot_info_1_1 *desc = 752 (struct ffa_boot_info_1_1 *)(buf + desc_offs); 753 754 header->signature = FFA_BOOT_INFO_SIGNATURE; 755 header->version = vers; 756 header->blob_size = desc_offs + sizeof(struct ffa_boot_info_1_1); 757 header->desc_size = sizeof(struct ffa_boot_info_1_1); 758 header->desc_count = 1; 759 header->desc_offset = desc_offs; 760 761 memset(&desc[0].name, 0, sizeof(desc[0].name)); 762 /* Type: Standard boot info (bit[7] == 0), FDT type */ 763 desc[0].type = FFA_BOOT_INFO_TYPE_ID_FDT; 764 /* Flags: Contents field contains an address */ 765 desc[0].flags = FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_ADDR << 766 FFA_BOOT_INFO_FLAG_CONTENT_FORMAT_SHIFT; 767 desc[0].size = fdt_totalsize(fdt); 768 desc[0].contents = (uintptr_t)fdt; 769 } 770 771 static TEE_Result create_and_map_boot_info(struct sp_ctx *ctx, const void *fdt, 772 struct thread_smc_1_2_regs *args, 773 vaddr_t *va, size_t *mapped_size, 774 uint32_t sp_ffa_version) 775 { 776 size_t total_size = ROUNDUP(CFG_SP_INIT_INFO_MAX_SIZE, SMALL_PAGE_SIZE); 777 size_t num_pages = total_size / SMALL_PAGE_SIZE; 778 uint32_t perm = TEE_MATTR_UR | TEE_MATTR_PRW; 779 TEE_Result res = TEE_SUCCESS; 780 struct fobj *f = NULL; 781 struct mobj *m = NULL; 782 uint32_t info_reg = 0; 783 784 f = fobj_sec_mem_alloc(num_pages); 785 m = mobj_with_fobj_alloc(f, NULL, TEE_MATTR_MEM_TYPE_TAGGED); 786 fobj_put(f); 787 if (!m) 788 return TEE_ERROR_OUT_OF_MEMORY; 789 790 res = vm_map(&ctx->uctx, va, total_size, perm, 0, m, 0); 791 mobj_put(m); 792 if (res) 793 return res; 794 795 *mapped_size = total_size; 796 797 switch (sp_ffa_version) { 798 case MAKE_FFA_VERSION(1, 0): 799 fill_boot_info_1_0(*va, fdt); 800 break; 801 case MAKE_FFA_VERSION(1, 1): 802 case MAKE_FFA_VERSION(1, 2): 803 fill_boot_info_1_1(*va, fdt, sp_ffa_version); 804 break; 805 default: 806 EMSG("Unknown FF-A version: %#"PRIx32, sp_ffa_version); 807 return TEE_ERROR_NOT_SUPPORTED; 808 } 809 810 res = sp_dt_get_u32(fdt, 0, "gp-register-num", &info_reg); 811 if (res) { 812 if (res == TEE_ERROR_ITEM_NOT_FOUND) { 813 /* If the property is not present, set default to x0 */ 814 info_reg = 0; 815 } else { 816 return TEE_ERROR_BAD_FORMAT; 817 } 818 } 819 820 switch (info_reg) { 821 case 0: 822 args->a0 = *va; 823 break; 824 case 1: 825 args->a1 = *va; 826 break; 827 case 2: 828 args->a2 = *va; 829 break; 830 case 3: 831 args->a3 = *va; 832 break; 833 default: 834 EMSG("Invalid register selected for passing boot info"); 835 return TEE_ERROR_BAD_FORMAT; 836 } 837 838 return TEE_SUCCESS; 839 } 840 841 static TEE_Result handle_fdt_load_relative_mem_regions(struct sp_ctx *ctx, 842 const void *fdt) 843 { 844 int node = 0; 845 int subnode = 0; 846 tee_mm_entry_t *mm = NULL; 847 TEE_Result res = TEE_SUCCESS; 848 849 /* 850 * Memory regions are optional in the SP manifest, it's not an error if 851 * we don't find any. 852 */ 853 node = fdt_node_offset_by_compatible(fdt, 0, 854 "arm,ffa-manifest-memory-regions"); 855 if (node < 0) 856 return TEE_SUCCESS; 857 858 fdt_for_each_subnode(subnode, fdt, node) { 859 uint64_t load_rel_offset = 0; 860 uint32_t attributes = 0; 861 uint64_t base_addr = 0; 862 uint32_t pages_cnt = 0; 863 uint32_t flags = 0; 864 uint32_t perm = 0; 865 size_t size = 0; 866 vaddr_t va = 0; 867 868 mm = NULL; 869 870 /* Load address relative offset of a memory region */ 871 if (!sp_dt_get_u64(fdt, subnode, "load-address-relative-offset", 872 &load_rel_offset)) { 873 va = ctx->uctx.load_addr + load_rel_offset; 874 } else { 875 /* Skip non load address relative memory regions */ 876 continue; 877 } 878 879 if (!sp_dt_get_u64(fdt, subnode, "base-address", &base_addr)) { 880 EMSG("Both base-address and load-address-relative-offset fields are set"); 881 return TEE_ERROR_BAD_FORMAT; 882 } 883 884 /* Size of memory region as count of 4K pages */ 885 if (sp_dt_get_u32(fdt, subnode, "pages-count", &pages_cnt)) { 886 EMSG("Mandatory field is missing: pages-count"); 887 return TEE_ERROR_BAD_FORMAT; 888 } 889 890 if (MUL_OVERFLOW(pages_cnt, SMALL_PAGE_SIZE, &size)) 891 return TEE_ERROR_OVERFLOW; 892 893 /* Memory region attributes */ 894 if (sp_dt_get_u32(fdt, subnode, "attributes", &attributes)) { 895 EMSG("Mandatory field is missing: attributes"); 896 return TEE_ERROR_BAD_FORMAT; 897 } 898 899 /* Check instruction and data access permissions */ 900 switch (attributes & SP_MANIFEST_ATTR_RWX) { 901 case SP_MANIFEST_ATTR_RO: 902 perm = TEE_MATTR_UR; 903 break; 904 case SP_MANIFEST_ATTR_RW: 905 perm = TEE_MATTR_URW; 906 break; 907 case SP_MANIFEST_ATTR_RX: 908 perm = TEE_MATTR_URX; 909 break; 910 default: 911 EMSG("Invalid memory access permissions"); 912 return TEE_ERROR_BAD_FORMAT; 913 } 914 915 if (IS_ENABLED(CFG_TA_BTI) && 916 attributes & SP_MANIFEST_ATTR_GP) { 917 if (!(attributes & SP_MANIFEST_ATTR_RX)) { 918 EMSG("Guard only executable region"); 919 return TEE_ERROR_BAD_FORMAT; 920 } 921 perm |= TEE_MATTR_GUARDED; 922 } 923 924 res = sp_dt_get_u32(fdt, subnode, "load-flags", &flags); 925 if (res != TEE_SUCCESS && res != TEE_ERROR_ITEM_NOT_FOUND) { 926 EMSG("Optional field with invalid value: flags"); 927 return TEE_ERROR_BAD_FORMAT; 928 } 929 930 /* Load relative regions must be secure */ 931 if (attributes & SP_MANIFEST_ATTR_NSEC) { 932 EMSG("Invalid memory security attribute"); 933 return TEE_ERROR_BAD_FORMAT; 934 } 935 936 if (flags & SP_MANIFEST_FLAG_NOBITS) { 937 /* 938 * NOBITS flag is set, which means that loaded binary 939 * doesn't contain this area, so it's need to be 940 * allocated. 941 */ 942 struct mobj *m = NULL; 943 unsigned int idx = 0; 944 945 mm = phys_mem_ta_alloc(size); 946 if (!mm) 947 return TEE_ERROR_OUT_OF_MEMORY; 948 949 base_addr = tee_mm_get_smem(mm); 950 951 m = sp_mem_new_mobj(pages_cnt, 952 TEE_MATTR_MEM_TYPE_CACHED, true); 953 if (!m) { 954 res = TEE_ERROR_OUT_OF_MEMORY; 955 goto err_mm_free; 956 } 957 958 res = sp_mem_add_pages(m, &idx, base_addr, pages_cnt); 959 if (res) { 960 mobj_put(m); 961 goto err_mm_free; 962 } 963 964 res = vm_map(&ctx->uctx, &va, size, perm, 0, m, 0); 965 mobj_put(m); 966 if (res) 967 goto err_mm_free; 968 } else { 969 /* 970 * If NOBITS is not present the memory area is already 971 * mapped and only need to set the correct permissions. 972 */ 973 res = vm_set_prot(&ctx->uctx, va, size, perm); 974 if (res) 975 return res; 976 } 977 } 978 979 return TEE_SUCCESS; 980 981 err_mm_free: 982 tee_mm_free(mm); 983 return res; 984 } 985 986 static TEE_Result handle_fdt_dev_regions(struct sp_ctx *ctx, void *fdt) 987 { 988 int node = 0; 989 int subnode = 0; 990 TEE_Result res = TEE_SUCCESS; 991 const char *dt_device_match_table = { 992 "arm,ffa-manifest-device-regions", 993 }; 994 995 /* 996 * Device regions are optional in the SP manifest, it's not an error if 997 * we don't find any 998 */ 999 node = fdt_node_offset_by_compatible(fdt, 0, dt_device_match_table); 1000 if (node < 0) 1001 return TEE_SUCCESS; 1002 1003 fdt_for_each_subnode(subnode, fdt, node) { 1004 uint64_t base_addr = 0; 1005 uint32_t pages_cnt = 0; 1006 uint32_t attributes = 0; 1007 struct mobj *m = NULL; 1008 bool is_secure = true; 1009 uint32_t perm = 0; 1010 vaddr_t va = 0; 1011 unsigned int idx = 0; 1012 1013 /* 1014 * Physical base address of a device MMIO region. 1015 * Currently only physically contiguous region is supported. 1016 */ 1017 if (sp_dt_get_u64(fdt, subnode, "base-address", &base_addr)) { 1018 EMSG("Mandatory field is missing: base-address"); 1019 return TEE_ERROR_BAD_FORMAT; 1020 } 1021 1022 /* Total size of MMIO region as count of 4K pages */ 1023 if (sp_dt_get_u32(fdt, subnode, "pages-count", &pages_cnt)) { 1024 EMSG("Mandatory field is missing: pages-count"); 1025 return TEE_ERROR_BAD_FORMAT; 1026 } 1027 1028 /* Data access, instruction access and security attributes */ 1029 if (sp_dt_get_u32(fdt, subnode, "attributes", &attributes)) { 1030 EMSG("Mandatory field is missing: attributes"); 1031 return TEE_ERROR_BAD_FORMAT; 1032 } 1033 1034 /* Check instruction and data access permissions */ 1035 switch (attributes & SP_MANIFEST_ATTR_RWX) { 1036 case SP_MANIFEST_ATTR_RO: 1037 perm = TEE_MATTR_UR; 1038 break; 1039 case SP_MANIFEST_ATTR_RW: 1040 perm = TEE_MATTR_URW; 1041 break; 1042 default: 1043 EMSG("Invalid memory access permissions"); 1044 return TEE_ERROR_BAD_FORMAT; 1045 } 1046 1047 /* 1048 * The SP is a secure endpoint, security attribute can be 1049 * secure or non-secure 1050 */ 1051 if (attributes & SP_MANIFEST_ATTR_NSEC) 1052 is_secure = false; 1053 1054 /* Memory attributes must be Device-nGnRnE */ 1055 m = sp_mem_new_mobj(pages_cnt, TEE_MATTR_MEM_TYPE_STRONGLY_O, 1056 is_secure); 1057 if (!m) 1058 return TEE_ERROR_OUT_OF_MEMORY; 1059 1060 res = sp_mem_add_pages(m, &idx, (paddr_t)base_addr, pages_cnt); 1061 if (res) { 1062 mobj_put(m); 1063 return res; 1064 } 1065 1066 res = vm_map(&ctx->uctx, &va, pages_cnt * SMALL_PAGE_SIZE, 1067 perm, 0, m, 0); 1068 mobj_put(m); 1069 if (res) 1070 return res; 1071 1072 /* 1073 * Overwrite the device region's PA in the fdt with the VA. This 1074 * fdt will be passed to the SP. 1075 */ 1076 res = fdt_setprop_u64(fdt, subnode, "base-address", va); 1077 1078 /* 1079 * Unmap the region if the overwrite failed since the SP won't 1080 * be able to access it without knowing the VA. 1081 */ 1082 if (res) { 1083 vm_unmap(&ctx->uctx, va, pages_cnt * SMALL_PAGE_SIZE); 1084 return res; 1085 } 1086 } 1087 1088 return TEE_SUCCESS; 1089 } 1090 1091 static TEE_Result swap_sp_endpoints(uint32_t endpoint_id, 1092 uint32_t new_endpoint_id) 1093 { 1094 struct sp_session *session = sp_get_session(endpoint_id); 1095 uint32_t manifest_endpoint_id = 0; 1096 1097 /* 1098 * We don't know in which order the SPs are loaded. The endpoint ID 1099 * defined in the manifest could already be generated by 1100 * new_session_id() and used by another SP. If this is the case, we swap 1101 * the ID's of the two SPs. We also have to make sure that the ID's are 1102 * not defined twice in the manifest. 1103 */ 1104 1105 /* The endpoint ID was not assigned yet */ 1106 if (!session) 1107 return TEE_SUCCESS; 1108 1109 /* 1110 * Read the manifest file from the SP who originally had the endpoint. 1111 * We can safely swap the endpoint ID's if the manifest file doesn't 1112 * have an endpoint ID defined. 1113 */ 1114 if (!sp_dt_get_u32(session->fdt, 0, "id", &manifest_endpoint_id)) { 1115 assert(manifest_endpoint_id == endpoint_id); 1116 EMSG("SP: Found duplicated endpoint ID %#"PRIx32, endpoint_id); 1117 return TEE_ERROR_ACCESS_CONFLICT; 1118 } 1119 1120 session->endpoint_id = new_endpoint_id; 1121 1122 return TEE_SUCCESS; 1123 } 1124 1125 static TEE_Result read_manifest_endpoint_id(struct sp_session *s) 1126 { 1127 uint32_t endpoint_id = 0; 1128 1129 /* 1130 * The endpoint ID can be optionally defined in the manifest file. We 1131 * have to map the ID inside the manifest to the SP if it's defined. 1132 * If not, the endpoint ID generated inside new_session_id() will be 1133 * used. 1134 */ 1135 if (!sp_dt_get_u32(s->fdt, 0, "id", &endpoint_id)) { 1136 TEE_Result res = TEE_ERROR_GENERIC; 1137 1138 if (!endpoint_id_is_valid(endpoint_id)) { 1139 EMSG("Invalid endpoint ID 0x%"PRIx32, endpoint_id); 1140 return TEE_ERROR_BAD_FORMAT; 1141 } 1142 1143 res = swap_sp_endpoints(endpoint_id, s->endpoint_id); 1144 if (res) 1145 return res; 1146 1147 DMSG("SP: endpoint ID (0x%"PRIx32") found in manifest", 1148 endpoint_id); 1149 /* Assign the endpoint ID to the current SP */ 1150 s->endpoint_id = endpoint_id; 1151 } 1152 return TEE_SUCCESS; 1153 } 1154 1155 static TEE_Result handle_fdt_mem_regions(struct sp_ctx *ctx, void *fdt) 1156 { 1157 int node = 0; 1158 int subnode = 0; 1159 tee_mm_entry_t *mm = NULL; 1160 TEE_Result res = TEE_SUCCESS; 1161 1162 /* 1163 * Memory regions are optional in the SP manifest, it's not an error if 1164 * we don't find any. 1165 */ 1166 node = fdt_node_offset_by_compatible(fdt, 0, 1167 "arm,ffa-manifest-memory-regions"); 1168 if (node < 0) 1169 return TEE_SUCCESS; 1170 1171 fdt_for_each_subnode(subnode, fdt, node) { 1172 uint64_t load_rel_offset = 0; 1173 bool alloc_needed = false; 1174 uint32_t attributes = 0; 1175 uint64_t base_addr = 0; 1176 uint32_t pages_cnt = 0; 1177 bool is_secure = true; 1178 struct mobj *m = NULL; 1179 unsigned int idx = 0; 1180 uint32_t perm = 0; 1181 size_t size = 0; 1182 vaddr_t va = 0; 1183 1184 mm = NULL; 1185 1186 /* Load address relative offset of a memory region */ 1187 if (!sp_dt_get_u64(fdt, subnode, "load-address-relative-offset", 1188 &load_rel_offset)) { 1189 /* 1190 * At this point the memory region is already mapped by 1191 * handle_fdt_load_relative_mem_regions. 1192 * Only need to set the base-address in the manifest and 1193 * then skip the rest of the mapping process. 1194 */ 1195 va = ctx->uctx.load_addr + load_rel_offset; 1196 res = fdt_setprop_u64(fdt, subnode, "base-address", va); 1197 if (res) 1198 return res; 1199 1200 continue; 1201 } 1202 1203 /* 1204 * Base address of a memory region. 1205 * If not present, we have to allocate the specified memory. 1206 * If present, this field could specify a PA or VA. Currently 1207 * only a PA is supported. 1208 */ 1209 if (sp_dt_get_u64(fdt, subnode, "base-address", &base_addr)) 1210 alloc_needed = true; 1211 1212 /* Size of memory region as count of 4K pages */ 1213 if (sp_dt_get_u32(fdt, subnode, "pages-count", &pages_cnt)) { 1214 EMSG("Mandatory field is missing: pages-count"); 1215 return TEE_ERROR_BAD_FORMAT; 1216 } 1217 1218 if (MUL_OVERFLOW(pages_cnt, SMALL_PAGE_SIZE, &size)) 1219 return TEE_ERROR_OVERFLOW; 1220 1221 /* 1222 * Memory region attributes: 1223 * - Instruction/data access permissions 1224 * - Cacheability/shareability attributes 1225 * - Security attributes 1226 * 1227 * Cacheability/shareability attributes can be ignored for now. 1228 * OP-TEE only supports a single type for normal cached memory 1229 * and currently there is no use case that would require to 1230 * change this. 1231 */ 1232 if (sp_dt_get_u32(fdt, subnode, "attributes", &attributes)) { 1233 EMSG("Mandatory field is missing: attributes"); 1234 return TEE_ERROR_BAD_FORMAT; 1235 } 1236 1237 /* Check instruction and data access permissions */ 1238 switch (attributes & SP_MANIFEST_ATTR_RWX) { 1239 case SP_MANIFEST_ATTR_RO: 1240 perm = TEE_MATTR_UR; 1241 break; 1242 case SP_MANIFEST_ATTR_RW: 1243 perm = TEE_MATTR_URW; 1244 break; 1245 case SP_MANIFEST_ATTR_RX: 1246 perm = TEE_MATTR_URX; 1247 break; 1248 default: 1249 EMSG("Invalid memory access permissions"); 1250 return TEE_ERROR_BAD_FORMAT; 1251 } 1252 1253 if (IS_ENABLED(CFG_TA_BTI) && 1254 attributes & SP_MANIFEST_ATTR_GP) { 1255 if (!(attributes & SP_MANIFEST_ATTR_RX)) { 1256 EMSG("Guard only executable region"); 1257 return TEE_ERROR_BAD_FORMAT; 1258 } 1259 perm |= TEE_MATTR_GUARDED; 1260 } 1261 1262 /* 1263 * The SP is a secure endpoint, security attribute can be 1264 * secure or non-secure. 1265 * The SPMC cannot allocate non-secure memory, i.e. if the base 1266 * address is missing this attribute must be secure. 1267 */ 1268 if (attributes & SP_MANIFEST_ATTR_NSEC) { 1269 if (alloc_needed) { 1270 EMSG("Invalid memory security attribute"); 1271 return TEE_ERROR_BAD_FORMAT; 1272 } 1273 is_secure = false; 1274 } 1275 1276 if (alloc_needed) { 1277 /* Base address is missing, we have to allocate */ 1278 mm = phys_mem_ta_alloc(size); 1279 if (!mm) 1280 return TEE_ERROR_OUT_OF_MEMORY; 1281 1282 base_addr = tee_mm_get_smem(mm); 1283 } 1284 1285 m = sp_mem_new_mobj(pages_cnt, TEE_MATTR_MEM_TYPE_CACHED, 1286 is_secure); 1287 if (!m) { 1288 res = TEE_ERROR_OUT_OF_MEMORY; 1289 goto err_mm_free; 1290 } 1291 1292 res = sp_mem_add_pages(m, &idx, base_addr, pages_cnt); 1293 if (res) { 1294 mobj_put(m); 1295 goto err_mm_free; 1296 } 1297 1298 res = vm_map(&ctx->uctx, &va, size, perm, 0, m, 0); 1299 mobj_put(m); 1300 if (res) 1301 goto err_mm_free; 1302 1303 /* 1304 * Overwrite the memory region's base address in the fdt with 1305 * the VA. This fdt will be passed to the SP. 1306 * If the base-address field was not present in the original 1307 * fdt, this function will create it. This doesn't cause issues 1308 * since the necessary extra space has been allocated when 1309 * opening the fdt. 1310 */ 1311 res = fdt_setprop_u64(fdt, subnode, "base-address", va); 1312 1313 /* 1314 * Unmap the region if the overwrite failed since the SP won't 1315 * be able to access it without knowing the VA. 1316 */ 1317 if (res) { 1318 vm_unmap(&ctx->uctx, va, size); 1319 goto err_mm_free; 1320 } 1321 } 1322 1323 return TEE_SUCCESS; 1324 1325 err_mm_free: 1326 tee_mm_free(mm); 1327 return res; 1328 } 1329 1330 static TEE_Result handle_tpm_event_log(struct sp_ctx *ctx, void *fdt) 1331 { 1332 uint32_t perm = TEE_MATTR_URW | TEE_MATTR_PRW; 1333 uint32_t dummy_size __maybe_unused = 0; 1334 TEE_Result res = TEE_SUCCESS; 1335 size_t page_count = 0; 1336 struct fobj *f = NULL; 1337 struct mobj *m = NULL; 1338 vaddr_t log_addr = 0; 1339 size_t log_size = 0; 1340 int node = 0; 1341 1342 node = fdt_node_offset_by_compatible(fdt, 0, "arm,tpm_event_log"); 1343 if (node < 0) 1344 return TEE_SUCCESS; 1345 1346 /* Checking the existence and size of the event log properties */ 1347 if (sp_dt_get_u64(fdt, node, "tpm_event_log_addr", &log_addr)) { 1348 EMSG("tpm_event_log_addr not found or has invalid size"); 1349 return TEE_ERROR_BAD_FORMAT; 1350 } 1351 1352 if (sp_dt_get_u32(fdt, node, "tpm_event_log_size", &dummy_size)) { 1353 EMSG("tpm_event_log_size not found or has invalid size"); 1354 return TEE_ERROR_BAD_FORMAT; 1355 } 1356 1357 /* Validating event log */ 1358 res = tpm_get_event_log_size(&log_size); 1359 if (res) 1360 return res; 1361 1362 if (!log_size) { 1363 EMSG("Empty TPM event log was provided"); 1364 return TEE_ERROR_ITEM_NOT_FOUND; 1365 } 1366 1367 /* Allocating memory area for the event log to share with the SP */ 1368 page_count = ROUNDUP_DIV(log_size, SMALL_PAGE_SIZE); 1369 1370 f = fobj_sec_mem_alloc(page_count); 1371 m = mobj_with_fobj_alloc(f, NULL, TEE_MATTR_MEM_TYPE_TAGGED); 1372 fobj_put(f); 1373 if (!m) 1374 return TEE_ERROR_OUT_OF_MEMORY; 1375 1376 res = vm_map(&ctx->uctx, &log_addr, log_size, perm, 0, m, 0); 1377 mobj_put(m); 1378 if (res) 1379 return res; 1380 1381 /* Copy event log */ 1382 res = tpm_get_event_log((void *)log_addr, &log_size); 1383 if (res) 1384 goto err_unmap; 1385 1386 /* Setting event log details in the manifest */ 1387 res = fdt_setprop_u64(fdt, node, "tpm_event_log_addr", log_addr); 1388 if (res) 1389 goto err_unmap; 1390 1391 res = fdt_setprop_u32(fdt, node, "tpm_event_log_size", log_size); 1392 if (res) 1393 goto err_unmap; 1394 1395 return TEE_SUCCESS; 1396 1397 err_unmap: 1398 vm_unmap(&ctx->uctx, log_addr, log_size); 1399 1400 return res; 1401 } 1402 1403 /* 1404 * Note: this function is called only on the primary CPU. It assumes that the 1405 * features present on the primary CPU are available on all of the secondary 1406 * CPUs as well. 1407 */ 1408 static TEE_Result handle_hw_features(void *fdt) 1409 { 1410 uint32_t val __maybe_unused = 0; 1411 TEE_Result res = TEE_SUCCESS; 1412 int node = 0; 1413 1414 /* 1415 * HW feature descriptions are optional in the SP manifest, it's not an 1416 * error if we don't find any. 1417 */ 1418 node = fdt_node_offset_by_compatible(fdt, 0, "arm,hw-features"); 1419 if (node < 0) 1420 return TEE_SUCCESS; 1421 1422 /* Modify the crc32 property only if it's already present */ 1423 if (!sp_dt_get_u32(fdt, node, "crc32", &val)) { 1424 res = fdt_setprop_u32(fdt, node, "crc32", 1425 feat_crc32_implemented()); 1426 if (res) 1427 return res; 1428 } 1429 1430 /* Modify the property only if it's already present */ 1431 if (!sp_dt_get_u32(fdt, node, "bti", &val)) { 1432 res = fdt_setprop_u32(fdt, node, "bti", 1433 feat_bti_is_implemented()); 1434 if (res) 1435 return res; 1436 } 1437 1438 /* Modify the property only if it's already present */ 1439 if (!sp_dt_get_u32(fdt, node, "pauth", &val)) { 1440 res = fdt_setprop_u32(fdt, node, "pauth", 1441 feat_pauth_is_implemented()); 1442 if (res) 1443 return res; 1444 } 1445 1446 return TEE_SUCCESS; 1447 } 1448 1449 static TEE_Result read_ns_interrupts_action(const void *fdt, 1450 struct sp_session *s) 1451 { 1452 TEE_Result res = TEE_ERROR_BAD_PARAMETERS; 1453 1454 res = sp_dt_get_u32(fdt, 0, "ns-interrupts-action", &s->ns_int_mode); 1455 1456 if (res) { 1457 EMSG("Mandatory property is missing: ns-interrupts-action"); 1458 return res; 1459 } 1460 1461 switch (s->ns_int_mode) { 1462 case SP_MANIFEST_NS_INT_QUEUED: 1463 case SP_MANIFEST_NS_INT_SIGNALED: 1464 /* OK */ 1465 break; 1466 1467 case SP_MANIFEST_NS_INT_MANAGED_EXIT: 1468 EMSG("Managed exit is not implemented"); 1469 return TEE_ERROR_NOT_IMPLEMENTED; 1470 1471 default: 1472 EMSG("Invalid ns-interrupts-action value: %"PRIu32, 1473 s->ns_int_mode); 1474 return TEE_ERROR_BAD_PARAMETERS; 1475 } 1476 1477 return TEE_SUCCESS; 1478 } 1479 1480 static TEE_Result read_ffa_version(const void *fdt, struct sp_session *s) 1481 { 1482 TEE_Result res = TEE_ERROR_BAD_PARAMETERS; 1483 uint32_t ffa_version = 0; 1484 1485 res = sp_dt_get_u32(fdt, 0, "ffa-version", &ffa_version); 1486 if (res) { 1487 EMSG("Mandatory property is missing: ffa-version"); 1488 return res; 1489 } 1490 1491 if (ffa_version != FFA_VERSION_1_0 && ffa_version != FFA_VERSION_1_1) { 1492 EMSG("Invalid FF-A version value: 0x%08"PRIx32, ffa_version); 1493 return TEE_ERROR_BAD_PARAMETERS; 1494 } 1495 1496 s->rxtx.ffa_vers = ffa_version; 1497 1498 return TEE_SUCCESS; 1499 } 1500 1501 static TEE_Result read_sp_exec_state(const void *fdt, struct sp_session *s) 1502 { 1503 TEE_Result res = TEE_ERROR_BAD_PARAMETERS; 1504 uint32_t exec_state = 0; 1505 1506 res = sp_dt_get_u32(fdt, 0, "execution-state", &exec_state); 1507 if (res) { 1508 EMSG("Mandatory property is missing: execution-state"); 1509 return res; 1510 } 1511 1512 /* Currently only AArch64 SPs are supported */ 1513 if (exec_state == SP_MANIFEST_EXEC_STATE_AARCH64) { 1514 s->props |= FFA_PART_PROP_AARCH64_STATE; 1515 } else { 1516 EMSG("Invalid execution-state value: %"PRIu32, exec_state); 1517 return TEE_ERROR_BAD_PARAMETERS; 1518 } 1519 1520 return TEE_SUCCESS; 1521 } 1522 1523 static TEE_Result read_sp_msg_types(const void *fdt, struct sp_session *s) 1524 { 1525 TEE_Result res = TEE_ERROR_BAD_PARAMETERS; 1526 uint32_t msg_method = 0; 1527 1528 res = sp_dt_get_u32(fdt, 0, "messaging-method", &msg_method); 1529 if (res) { 1530 EMSG("Mandatory property is missing: messaging-method"); 1531 return res; 1532 } 1533 1534 if (msg_method & SP_MANIFEST_DIRECT_REQ_RECEIVE) 1535 s->props |= FFA_PART_PROP_DIRECT_REQ_RECV; 1536 1537 if (msg_method & SP_MANIFEST_DIRECT_REQ_SEND) 1538 s->props |= FFA_PART_PROP_DIRECT_REQ_SEND; 1539 1540 if (msg_method & SP_MANIFEST_INDIRECT_REQ) 1541 IMSG("Indirect messaging is not supported"); 1542 1543 return TEE_SUCCESS; 1544 } 1545 1546 static TEE_Result read_vm_availability_msg(const void *fdt, 1547 struct sp_session *s) 1548 { 1549 TEE_Result res = TEE_ERROR_BAD_PARAMETERS; 1550 uint32_t v = 0; 1551 1552 res = sp_dt_get_u32(fdt, 0, "vm-availability-messages", &v); 1553 1554 /* This field in the manifest is optional */ 1555 if (res == TEE_ERROR_ITEM_NOT_FOUND) 1556 return TEE_SUCCESS; 1557 1558 if (res) 1559 return res; 1560 1561 if (v & ~(SP_MANIFEST_VM_CREATED_MSG | SP_MANIFEST_VM_DESTROYED_MSG)) { 1562 EMSG("Invalid vm-availability-messages value: %"PRIu32, v); 1563 return TEE_ERROR_BAD_PARAMETERS; 1564 } 1565 1566 if (v & SP_MANIFEST_VM_CREATED_MSG) 1567 s->props |= FFA_PART_PROP_NOTIF_CREATED; 1568 1569 if (v & SP_MANIFEST_VM_DESTROYED_MSG) 1570 s->props |= FFA_PART_PROP_NOTIF_DESTROYED; 1571 1572 return TEE_SUCCESS; 1573 } 1574 1575 static TEE_Result get_boot_order(const void *fdt, uint32_t *boot_order) 1576 { 1577 TEE_Result res = TEE_SUCCESS; 1578 1579 res = sp_dt_get_u32(fdt, 0, "boot-order", boot_order); 1580 1581 if (res == TEE_SUCCESS) { 1582 if (*boot_order > UINT16_MAX) { 1583 EMSG("Value of boot-order property (%"PRIu32") is out of range", 1584 *boot_order); 1585 res = TEE_ERROR_BAD_FORMAT; 1586 } 1587 } else if (res == TEE_ERROR_BAD_FORMAT) { 1588 uint16_t boot_order_u16 = 0; 1589 1590 res = sp_dt_get_u16(fdt, 0, "boot-order", &boot_order_u16); 1591 if (res == TEE_SUCCESS) 1592 *boot_order = boot_order_u16; 1593 } 1594 1595 if (res == TEE_ERROR_ITEM_NOT_FOUND) 1596 *boot_order = UNDEFINED_BOOT_ORDER_VALUE; 1597 else if (res != TEE_SUCCESS) 1598 EMSG("Failed reading boot-order property err: %#"PRIx32, res); 1599 1600 return res; 1601 } 1602 1603 static TEE_Result sp_init_uuid(const TEE_UUID *bin_uuid, const void * const fdt) 1604 { 1605 TEE_Result res = TEE_SUCCESS; 1606 struct sp_session *sess = NULL; 1607 TEE_UUID ffa_uuid = {}; 1608 uint32_t boot_order = 0; 1609 1610 res = fdt_get_uuid(fdt, &ffa_uuid); 1611 if (res) 1612 return res; 1613 1614 res = get_boot_order(fdt, &boot_order); 1615 if (res) 1616 return res; 1617 1618 res = sp_open_session(&sess, 1619 &open_sp_sessions, 1620 &ffa_uuid, bin_uuid, boot_order, fdt); 1621 if (res) 1622 return res; 1623 1624 sess->fdt = fdt; 1625 1626 res = read_manifest_endpoint_id(sess); 1627 if (res) 1628 return res; 1629 DMSG("endpoint is 0x%"PRIx16, sess->endpoint_id); 1630 1631 res = read_ns_interrupts_action(fdt, sess); 1632 if (res) 1633 return res; 1634 1635 res = read_ffa_version(fdt, sess); 1636 if (res) 1637 return res; 1638 1639 res = read_sp_exec_state(fdt, sess); 1640 if (res) 1641 return res; 1642 1643 res = read_sp_msg_types(fdt, sess); 1644 if (res) 1645 return res; 1646 1647 res = read_vm_availability_msg(fdt, sess); 1648 if (res) 1649 return res; 1650 1651 return TEE_SUCCESS; 1652 } 1653 1654 static TEE_Result sp_first_run(struct sp_session *sess) 1655 { 1656 TEE_Result res = TEE_SUCCESS; 1657 struct thread_smc_1_2_regs args = { }; 1658 struct sp_ctx *ctx = NULL; 1659 vaddr_t boot_info_va = 0; 1660 size_t boot_info_size = 0; 1661 void *fdt_copy = NULL; 1662 size_t fdt_size = 0; 1663 1664 ctx = to_sp_ctx(sess->ts_sess.ctx); 1665 ts_push_current_session(&sess->ts_sess); 1666 sess->is_initialized = false; 1667 1668 /* 1669 * Load relative memory regions must be handled before doing any other 1670 * mapping to prevent conflicts in the VA space. 1671 */ 1672 res = handle_fdt_load_relative_mem_regions(ctx, sess->fdt); 1673 if (res) { 1674 ts_pop_current_session(); 1675 return res; 1676 } 1677 1678 res = copy_and_map_fdt(ctx, sess->fdt, &fdt_copy, &fdt_size); 1679 if (res) 1680 goto out; 1681 1682 res = handle_fdt_dev_regions(ctx, fdt_copy); 1683 if (res) 1684 goto out; 1685 1686 res = handle_fdt_mem_regions(ctx, fdt_copy); 1687 if (res) 1688 goto out; 1689 1690 if (IS_ENABLED(CFG_CORE_TPM_EVENT_LOG)) { 1691 res = handle_tpm_event_log(ctx, fdt_copy); 1692 if (res) 1693 goto out; 1694 } 1695 1696 res = handle_hw_features(fdt_copy); 1697 if (res) 1698 goto out; 1699 1700 res = create_and_map_boot_info(ctx, fdt_copy, &args, &boot_info_va, 1701 &boot_info_size, sess->rxtx.ffa_vers); 1702 if (res) 1703 goto out; 1704 1705 ts_pop_current_session(); 1706 1707 res = sp_enter(&args, sess); 1708 if (res) { 1709 ts_push_current_session(&sess->ts_sess); 1710 goto out; 1711 } 1712 1713 spmc_sp_msg_handler(&args, sess); 1714 1715 ts_push_current_session(&sess->ts_sess); 1716 sess->is_initialized = true; 1717 1718 out: 1719 /* Free the boot info page from the SP memory */ 1720 vm_unmap(&ctx->uctx, boot_info_va, boot_info_size); 1721 vm_unmap(&ctx->uctx, (vaddr_t)fdt_copy, fdt_size); 1722 ts_pop_current_session(); 1723 1724 return res; 1725 } 1726 1727 TEE_Result sp_enter(struct thread_smc_1_2_regs *args, struct sp_session *sp) 1728 { 1729 TEE_Result res = TEE_SUCCESS; 1730 struct sp_ctx *ctx = to_sp_ctx(sp->ts_sess.ctx); 1731 1732 ctx->sp_regs.x[0] = args->a0; 1733 ctx->sp_regs.x[1] = args->a1; 1734 ctx->sp_regs.x[2] = args->a2; 1735 ctx->sp_regs.x[3] = args->a3; 1736 ctx->sp_regs.x[4] = args->a4; 1737 ctx->sp_regs.x[5] = args->a5; 1738 ctx->sp_regs.x[6] = args->a6; 1739 ctx->sp_regs.x[7] = args->a7; 1740 #ifdef CFG_TA_PAUTH 1741 ctx->sp_regs.apiakey_hi = ctx->uctx.keys.apia_hi; 1742 ctx->sp_regs.apiakey_lo = ctx->uctx.keys.apia_lo; 1743 #endif 1744 1745 res = sp->ts_sess.ctx->ops->enter_invoke_cmd(&sp->ts_sess, 0); 1746 1747 args->a0 = ctx->sp_regs.x[0]; 1748 args->a1 = ctx->sp_regs.x[1]; 1749 args->a2 = ctx->sp_regs.x[2]; 1750 args->a3 = ctx->sp_regs.x[3]; 1751 args->a4 = ctx->sp_regs.x[4]; 1752 args->a5 = ctx->sp_regs.x[5]; 1753 args->a6 = ctx->sp_regs.x[6]; 1754 args->a7 = ctx->sp_regs.x[7]; 1755 1756 return res; 1757 } 1758 1759 /* 1760 * According to FF-A v1.1 section 8.3.1.4 if a caller requires less permissive 1761 * active on NS interrupt than the callee, the callee must inherit the caller's 1762 * configuration. 1763 * Each SP's own NS action setting is stored in ns_int_mode. The effective 1764 * action will be MIN([self action], [caller's action]) which is stored in the 1765 * ns_int_mode_inherited field. 1766 */ 1767 static void sp_cpsr_configure_foreign_interrupts(struct sp_session *s, 1768 struct ts_session *caller, 1769 uint64_t *cpsr) 1770 { 1771 if (caller) { 1772 struct sp_session *caller_sp = to_sp_session(caller); 1773 1774 s->ns_int_mode_inherited = MIN(caller_sp->ns_int_mode_inherited, 1775 s->ns_int_mode); 1776 } else { 1777 s->ns_int_mode_inherited = s->ns_int_mode; 1778 } 1779 1780 if (s->ns_int_mode_inherited == SP_MANIFEST_NS_INT_QUEUED) 1781 *cpsr |= SHIFT_U32(THREAD_EXCP_FOREIGN_INTR, 1782 ARM32_CPSR_F_SHIFT); 1783 else 1784 *cpsr &= ~SHIFT_U32(THREAD_EXCP_FOREIGN_INTR, 1785 ARM32_CPSR_F_SHIFT); 1786 } 1787 1788 static TEE_Result sp_enter_invoke_cmd(struct ts_session *s, 1789 uint32_t cmd __unused) 1790 { 1791 struct sp_ctx *ctx = to_sp_ctx(s->ctx); 1792 TEE_Result res = TEE_SUCCESS; 1793 uint32_t exceptions = 0; 1794 struct sp_session *sp_s = to_sp_session(s); 1795 struct ts_session *sess = NULL; 1796 struct thread_ctx_regs *sp_regs = NULL; 1797 struct ts_session *caller = NULL; 1798 uint32_t rpc_target_info = 0; 1799 uint32_t panicked = false; 1800 uint32_t panic_code = 0; 1801 1802 sp_regs = &ctx->sp_regs; 1803 ts_push_current_session(s); 1804 1805 exceptions = thread_mask_exceptions(THREAD_EXCP_ALL); 1806 1807 /* Enable/disable foreign interrupts in CPSR/SPSR */ 1808 caller = ts_get_calling_session(); 1809 sp_cpsr_configure_foreign_interrupts(sp_s, caller, &sp_regs->cpsr); 1810 1811 /* 1812 * Store endpoint ID and thread ID in rpc_target_info. This will be used 1813 * as w1 in FFA_INTERRUPT in case of a foreign interrupt. 1814 */ 1815 rpc_target_info = thread_get_tsd()->rpc_target_info; 1816 sp_s->thread_id = thread_get_id(); 1817 thread_get_tsd()->rpc_target_info = 1818 FFA_TARGET_INFO_SET(sp_s->endpoint_id, sp_s->thread_id); 1819 1820 __thread_enter_user_mode(sp_regs, &panicked, &panic_code); 1821 1822 sp_s->thread_id = THREAD_ID_INVALID; 1823 1824 /* Restore rpc_target_info */ 1825 thread_get_tsd()->rpc_target_info = rpc_target_info; 1826 1827 thread_unmask_exceptions(exceptions); 1828 1829 thread_user_clear_vfp(&ctx->uctx); 1830 1831 if (panicked) { 1832 DMSG("SP panicked with code %#"PRIx32, panic_code); 1833 abort_print_current_ts(); 1834 1835 sess = ts_pop_current_session(); 1836 cpu_spin_lock(&sp_s->spinlock); 1837 sp_s->state = sp_dead; 1838 cpu_spin_unlock(&sp_s->spinlock); 1839 1840 return TEE_ERROR_TARGET_DEAD; 1841 } 1842 1843 sess = ts_pop_current_session(); 1844 assert(sess == s); 1845 1846 return res; 1847 } 1848 1849 /* We currently don't support 32 bits */ 1850 #ifdef ARM64 1851 static void sp_svc_store_registers(struct thread_scall_regs *regs, 1852 struct thread_ctx_regs *sp_regs) 1853 { 1854 COMPILE_TIME_ASSERT(sizeof(sp_regs->x[0]) == sizeof(regs->x0)); 1855 memcpy(sp_regs->x, ®s->x0, 31 * sizeof(regs->x0)); 1856 sp_regs->pc = regs->elr; 1857 sp_regs->sp = regs->sp_el0; 1858 } 1859 #endif 1860 1861 static bool sp_handle_scall(struct thread_scall_regs *regs) 1862 { 1863 struct ts_session *ts = ts_get_current_session(); 1864 struct sp_ctx *uctx = to_sp_ctx(ts->ctx); 1865 struct sp_session *s = uctx->open_session; 1866 1867 assert(s); 1868 1869 sp_svc_store_registers(regs, &uctx->sp_regs); 1870 1871 regs->x0 = 0; 1872 regs->x1 = 0; /* panic */ 1873 regs->x2 = 0; /* panic code */ 1874 1875 /* 1876 * All the registers of the SP are saved in the SP session by the SVC 1877 * handler. 1878 * We always return to S-El1 after handling the SVC. We will continue 1879 * in sp_enter_invoke_cmd() (return from __thread_enter_user_mode). 1880 * The sp_enter() function copies the FF-A parameters (a0-a7) from the 1881 * saved registers to the thread_smc_args. The thread_smc_args object is 1882 * afterward used by the spmc_sp_msg_handler() to handle the 1883 * FF-A message send by the SP. 1884 */ 1885 return false; 1886 } 1887 1888 static void sp_dump_state(struct ts_ctx *ctx) 1889 { 1890 struct sp_ctx *utc = to_sp_ctx(ctx); 1891 1892 if (utc->uctx.dump_entry_func) { 1893 TEE_Result res = ldelf_dump_state(&utc->uctx); 1894 1895 if (!res || res == TEE_ERROR_TARGET_DEAD) 1896 return; 1897 } 1898 1899 user_mode_ctx_print_mappings(&utc->uctx); 1900 } 1901 1902 static const struct ts_ops sp_ops = { 1903 .enter_invoke_cmd = sp_enter_invoke_cmd, 1904 .handle_scall = sp_handle_scall, 1905 .dump_state = sp_dump_state, 1906 }; 1907 1908 static TEE_Result process_sp_pkg(uint64_t sp_pkg_pa, TEE_UUID *sp_uuid) 1909 { 1910 enum teecore_memtypes mtype = MEM_AREA_SEC_RAM_OVERALL; 1911 struct sp_pkg_header *sp_pkg_hdr = NULL; 1912 struct fip_sp *sp = NULL; 1913 uint64_t sp_fdt_end = 0; 1914 size_t sp_pkg_size = 0; 1915 vaddr_t sp_pkg_va = 0; 1916 1917 /* Process the first page which contains the SP package header */ 1918 sp_pkg_va = (vaddr_t)phys_to_virt(sp_pkg_pa, mtype, SMALL_PAGE_SIZE); 1919 if (!sp_pkg_va) { 1920 EMSG("Cannot find mapping for PA %#" PRIxPA, sp_pkg_pa); 1921 return TEE_ERROR_GENERIC; 1922 } 1923 1924 sp_pkg_hdr = (struct sp_pkg_header *)sp_pkg_va; 1925 1926 if (sp_pkg_hdr->magic != SP_PKG_HEADER_MAGIC) { 1927 EMSG("Invalid SP package magic"); 1928 return TEE_ERROR_BAD_FORMAT; 1929 } 1930 1931 if (sp_pkg_hdr->version != SP_PKG_HEADER_VERSION_V1 && 1932 sp_pkg_hdr->version != SP_PKG_HEADER_VERSION_V2) { 1933 EMSG("Invalid SP header version"); 1934 return TEE_ERROR_BAD_FORMAT; 1935 } 1936 1937 if (ADD_OVERFLOW(sp_pkg_hdr->img_offset, sp_pkg_hdr->img_size, 1938 &sp_pkg_size)) { 1939 EMSG("Invalid SP package size"); 1940 return TEE_ERROR_BAD_FORMAT; 1941 } 1942 1943 if (ADD_OVERFLOW(sp_pkg_hdr->pm_offset, sp_pkg_hdr->pm_size, 1944 &sp_fdt_end) || sp_fdt_end > sp_pkg_hdr->img_offset) { 1945 EMSG("Invalid SP manifest size"); 1946 return TEE_ERROR_BAD_FORMAT; 1947 } 1948 1949 /* Process the whole SP package now that the size is known */ 1950 sp_pkg_va = (vaddr_t)phys_to_virt(sp_pkg_pa, mtype, sp_pkg_size); 1951 if (!sp_pkg_va) { 1952 EMSG("Cannot find mapping for PA %#" PRIxPA, sp_pkg_pa); 1953 return TEE_ERROR_GENERIC; 1954 } 1955 1956 sp_pkg_hdr = (struct sp_pkg_header *)sp_pkg_va; 1957 1958 sp = calloc(1, sizeof(struct fip_sp)); 1959 if (!sp) 1960 return TEE_ERROR_OUT_OF_MEMORY; 1961 1962 memcpy(&sp->sp_img.image.uuid, sp_uuid, sizeof(*sp_uuid)); 1963 sp->sp_img.image.ts = (uint8_t *)(sp_pkg_va + sp_pkg_hdr->img_offset); 1964 sp->sp_img.image.size = sp_pkg_hdr->img_size; 1965 sp->sp_img.image.flags = 0; 1966 sp->sp_img.fdt = (uint8_t *)(sp_pkg_va + sp_pkg_hdr->pm_offset); 1967 1968 STAILQ_INSERT_TAIL(&fip_sp_list, sp, link); 1969 1970 return TEE_SUCCESS; 1971 } 1972 1973 static TEE_Result fip_sp_init_all(void) 1974 { 1975 TEE_Result res = TEE_SUCCESS; 1976 uint64_t sp_pkg_addr = 0; 1977 const void *fdt = NULL; 1978 TEE_UUID sp_uuid = { }; 1979 int sp_pkgs_node = 0; 1980 int subnode = 0; 1981 int root = 0; 1982 1983 fdt = get_manifest_dt(); 1984 if (!fdt) { 1985 EMSG("No SPMC manifest found"); 1986 return TEE_ERROR_GENERIC; 1987 } 1988 1989 root = fdt_path_offset(fdt, "/"); 1990 if (root < 0) 1991 return TEE_ERROR_BAD_FORMAT; 1992 1993 if (fdt_node_check_compatible(fdt, root, "arm,ffa-core-manifest-1.0")) 1994 return TEE_ERROR_BAD_FORMAT; 1995 1996 /* SP packages are optional, it's not an error if we don't find any */ 1997 sp_pkgs_node = fdt_node_offset_by_compatible(fdt, root, "arm,sp_pkg"); 1998 if (sp_pkgs_node < 0) 1999 return TEE_SUCCESS; 2000 2001 fdt_for_each_subnode(subnode, fdt, sp_pkgs_node) { 2002 res = sp_dt_get_u64(fdt, subnode, "load-address", &sp_pkg_addr); 2003 if (res) { 2004 EMSG("Invalid FIP SP load address"); 2005 return res; 2006 } 2007 2008 res = sp_dt_get_uuid(fdt, subnode, "uuid", &sp_uuid); 2009 if (res) { 2010 EMSG("Invalid FIP SP uuid"); 2011 return res; 2012 } 2013 2014 res = process_sp_pkg(sp_pkg_addr, &sp_uuid); 2015 if (res) { 2016 EMSG("Invalid FIP SP package"); 2017 return res; 2018 } 2019 } 2020 2021 return TEE_SUCCESS; 2022 } 2023 2024 static void fip_sp_deinit_all(void) 2025 { 2026 while (!STAILQ_EMPTY(&fip_sp_list)) { 2027 struct fip_sp *sp = STAILQ_FIRST(&fip_sp_list); 2028 2029 STAILQ_REMOVE_HEAD(&fip_sp_list, link); 2030 free(sp); 2031 } 2032 } 2033 2034 static TEE_Result sp_init_all(void) 2035 { 2036 TEE_Result res = TEE_SUCCESS; 2037 const struct sp_image *sp = NULL; 2038 const struct fip_sp *fip_sp = NULL; 2039 char __maybe_unused msg[60] = { '\0', }; 2040 struct sp_session *s = NULL; 2041 struct sp_session *prev_sp = NULL; 2042 2043 for_each_secure_partition(sp) { 2044 if (sp->image.uncompressed_size) 2045 snprintf(msg, sizeof(msg), 2046 " (compressed, uncompressed %u)", 2047 sp->image.uncompressed_size); 2048 else 2049 msg[0] = '\0'; 2050 DMSG("SP %pUl size %u%s", (void *)&sp->image.uuid, 2051 sp->image.size, msg); 2052 2053 res = sp_init_uuid(&sp->image.uuid, sp->fdt); 2054 2055 if (res != TEE_SUCCESS) { 2056 EMSG("Failed initializing SP(%pUl) err:%#"PRIx32, 2057 &sp->image.uuid, res); 2058 if (!IS_ENABLED(CFG_SP_SKIP_FAILED)) 2059 panic(); 2060 } 2061 } 2062 2063 res = fip_sp_init_all(); 2064 if (res) 2065 panic("Failed initializing FIP SPs"); 2066 2067 for_each_fip_sp(fip_sp) { 2068 sp = &fip_sp->sp_img; 2069 2070 DMSG("SP %pUl size %u", (void *)&sp->image.uuid, 2071 sp->image.size); 2072 2073 res = sp_init_uuid(&sp->image.uuid, sp->fdt); 2074 2075 if (res != TEE_SUCCESS) { 2076 EMSG("Failed initializing SP(%pUl) err:%#"PRIx32, 2077 &sp->image.uuid, res); 2078 if (!IS_ENABLED(CFG_SP_SKIP_FAILED)) 2079 panic(); 2080 } 2081 } 2082 2083 /* 2084 * At this point all FIP SPs are loaded by ldelf or by the raw binary SP 2085 * loader, so the original images (loaded by BL2) are not needed anymore 2086 */ 2087 fip_sp_deinit_all(); 2088 2089 /* 2090 * Now that all SPs are loaded, check through the boot order values, 2091 * and warn in case there is a non-unique value. 2092 */ 2093 TAILQ_FOREACH(s, &open_sp_sessions, link) { 2094 /* Avoid warnings if multiple SP have undefined boot-order. */ 2095 if (s->boot_order == UNDEFINED_BOOT_ORDER_VALUE) 2096 break; 2097 2098 if (prev_sp && prev_sp->boot_order == s->boot_order) 2099 IMSG("WARNING: duplicated boot-order (%pUl vs %pUl)", 2100 &prev_sp->ts_sess.ctx->uuid, 2101 &s->ts_sess.ctx->uuid); 2102 2103 prev_sp = s; 2104 } 2105 2106 /* Continue the initialization and run the SP */ 2107 TAILQ_FOREACH(s, &open_sp_sessions, link) { 2108 DMSG("Starting SP: 0x%"PRIx16, s->endpoint_id); 2109 2110 res = sp_first_run(s); 2111 if (res != TEE_SUCCESS) { 2112 EMSG("Failed starting SP(0x%"PRIx16") err:%#"PRIx32, 2113 s->endpoint_id, res); 2114 if (!IS_ENABLED(CFG_SP_SKIP_FAILED)) 2115 panic(); 2116 } 2117 } 2118 2119 return TEE_SUCCESS; 2120 } 2121 2122 boot_final(sp_init_all); 2123 2124 static TEE_Result secure_partition_open(const TEE_UUID *uuid, 2125 struct ts_store_handle **h) 2126 { 2127 return emb_ts_open(uuid, h, find_secure_partition); 2128 } 2129 2130 REGISTER_SP_STORE(2) = { 2131 .description = "SP store", 2132 .open = secure_partition_open, 2133 .get_size = emb_ts_get_size, 2134 .get_tag = emb_ts_get_tag, 2135 .read = emb_ts_read, 2136 .close = emb_ts_close, 2137 }; 2138