1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2016, 2022 Linaro Limited 4 * Copyright (c) 2014, STMicroelectronics International N.V. 5 * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. 6 */ 7 8 #include <assert.h> 9 #include <config.h> 10 #include <kernel/boot.h> 11 #include <kernel/dt.h> 12 #include <kernel/linker.h> 13 #include <kernel/panic.h> 14 #include <kernel/spinlock.h> 15 #include <kernel/tee_l2cc_mutex.h> 16 #include <kernel/tee_misc.h> 17 #include <kernel/tlb_helpers.h> 18 #include <kernel/user_mode_ctx.h> 19 #include <kernel/virtualization.h> 20 #include <libfdt.h> 21 #include <mm/core_memprot.h> 22 #include <mm/core_mmu.h> 23 #include <mm/mobj.h> 24 #include <mm/pgt_cache.h> 25 #include <mm/tee_pager.h> 26 #include <mm/vm.h> 27 #include <platform_config.h> 28 #include <string.h> 29 #include <trace.h> 30 #include <util.h> 31 32 #ifndef DEBUG_XLAT_TABLE 33 #define DEBUG_XLAT_TABLE 0 34 #endif 35 36 #define SHM_VASPACE_SIZE (1024 * 1024 * 32) 37 38 #ifdef CFG_CORE_PHYS_RELOCATABLE 39 unsigned long core_mmu_tee_load_pa __nex_bss; 40 #else 41 const unsigned long core_mmu_tee_load_pa = TEE_LOAD_ADDR; 42 #endif 43 44 /* 45 * These variables are initialized before .bss is cleared. To avoid 46 * resetting them when .bss is cleared we're storing them in .data instead, 47 * even if they initially are zero. 48 */ 49 50 #ifdef CFG_CORE_RESERVED_SHM 51 /* Default NSec shared memory allocated from NSec world */ 52 unsigned long default_nsec_shm_size __nex_bss; 53 unsigned long default_nsec_shm_paddr __nex_bss; 54 #endif 55 56 static struct tee_mmap_region static_memory_map[CFG_MMAP_REGIONS 57 #if defined(CFG_CORE_ASLR) || defined(CFG_CORE_PHYS_RELOCATABLE) 58 + 1 59 #endif 60 + 1] __nex_bss; 61 62 /* Define the platform's memory layout. */ 63 struct memaccess_area { 64 paddr_t paddr; 65 size_t size; 66 }; 67 68 #define MEMACCESS_AREA(a, s) { .paddr = a, .size = s } 69 70 static struct memaccess_area secure_only[] __nex_data = { 71 #ifdef CFG_CORE_PHYS_RELOCATABLE 72 MEMACCESS_AREA(0, 0), 73 #else 74 #ifdef TRUSTED_SRAM_BASE 75 MEMACCESS_AREA(TRUSTED_SRAM_BASE, TRUSTED_SRAM_SIZE), 76 #endif 77 MEMACCESS_AREA(TRUSTED_DRAM_BASE, TRUSTED_DRAM_SIZE), 78 #endif 79 }; 80 81 static struct memaccess_area nsec_shared[] __nex_data = { 82 #ifdef CFG_CORE_RESERVED_SHM 83 MEMACCESS_AREA(TEE_SHMEM_START, TEE_SHMEM_SIZE), 84 #endif 85 }; 86 87 #if defined(CFG_SECURE_DATA_PATH) 88 static const char *tz_sdp_match = "linaro,secure-heap"; 89 static struct memaccess_area sec_sdp; 90 #ifdef CFG_TEE_SDP_MEM_BASE 91 register_sdp_mem(CFG_TEE_SDP_MEM_BASE, CFG_TEE_SDP_MEM_SIZE); 92 #endif 93 #ifdef TEE_SDP_TEST_MEM_BASE 94 register_sdp_mem(TEE_SDP_TEST_MEM_BASE, TEE_SDP_TEST_MEM_SIZE); 95 #endif 96 #endif 97 98 #ifdef CFG_CORE_RESERVED_SHM 99 register_phys_mem(MEM_AREA_NSEC_SHM, TEE_SHMEM_START, TEE_SHMEM_SIZE); 100 #endif 101 static unsigned int mmu_spinlock; 102 103 static uint32_t mmu_lock(void) 104 { 105 return cpu_spin_lock_xsave(&mmu_spinlock); 106 } 107 108 static void mmu_unlock(uint32_t exceptions) 109 { 110 cpu_spin_unlock_xrestore(&mmu_spinlock, exceptions); 111 } 112 113 void core_mmu_get_secure_memory(paddr_t *base, paddr_size_t *size) 114 { 115 /* 116 * The first range is always used to cover OP-TEE core memory, but 117 * depending on configuration it may cover more than that. 118 */ 119 *base = secure_only[0].paddr; 120 *size = secure_only[0].size; 121 } 122 123 #ifdef CFG_CORE_PHYS_RELOCATABLE 124 void core_mmu_set_secure_memory(paddr_t base, size_t size) 125 { 126 static_assert(ARRAY_SIZE(secure_only) == 1); 127 assert(!secure_only[0].size); 128 assert(base && size); 129 130 DMSG("Physical secure memory base %#"PRIxPA" size %#zx", base, size); 131 secure_only[0].paddr = base; 132 secure_only[0].size = size; 133 } 134 #endif 135 136 void core_mmu_get_ta_range(paddr_t *base, size_t *size) 137 { 138 paddr_t b = 0; 139 size_t s = 0; 140 141 static_assert(!(TEE_RAM_VA_SIZE % SMALL_PAGE_SIZE)); 142 #ifdef TA_RAM_START 143 b = TA_RAM_START; 144 s = TA_RAM_SIZE; 145 #else 146 static_assert(ARRAY_SIZE(secure_only) <= 2); 147 if (ARRAY_SIZE(secure_only) == 1) { 148 vaddr_t load_offs = 0; 149 150 assert(core_mmu_tee_load_pa >= secure_only[0].paddr); 151 load_offs = core_mmu_tee_load_pa - secure_only[0].paddr; 152 153 assert(secure_only[0].size > 154 load_offs + TEE_RAM_VA_SIZE + TEE_SDP_TEST_MEM_SIZE); 155 b = secure_only[0].paddr + load_offs + TEE_RAM_VA_SIZE; 156 s = secure_only[0].size - load_offs - TEE_RAM_VA_SIZE - 157 TEE_SDP_TEST_MEM_SIZE; 158 } else { 159 assert(secure_only[1].size > TEE_SDP_TEST_MEM_SIZE); 160 b = secure_only[1].paddr; 161 s = secure_only[1].size - TEE_SDP_TEST_MEM_SIZE; 162 } 163 #endif 164 if (base) 165 *base = b; 166 if (size) 167 *size = s; 168 } 169 170 static struct tee_mmap_region *get_memory_map(void) 171 { 172 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) { 173 struct tee_mmap_region *map = virt_get_memory_map(); 174 175 if (map) 176 return map; 177 } 178 179 return static_memory_map; 180 } 181 182 static bool _pbuf_intersects(struct memaccess_area *a, size_t alen, 183 paddr_t pa, size_t size) 184 { 185 size_t n; 186 187 for (n = 0; n < alen; n++) 188 if (core_is_buffer_intersect(pa, size, a[n].paddr, a[n].size)) 189 return true; 190 return false; 191 } 192 193 #define pbuf_intersects(a, pa, size) \ 194 _pbuf_intersects((a), ARRAY_SIZE(a), (pa), (size)) 195 196 static bool _pbuf_is_inside(struct memaccess_area *a, size_t alen, 197 paddr_t pa, size_t size) 198 { 199 size_t n; 200 201 for (n = 0; n < alen; n++) 202 if (core_is_buffer_inside(pa, size, a[n].paddr, a[n].size)) 203 return true; 204 return false; 205 } 206 207 #define pbuf_is_inside(a, pa, size) \ 208 _pbuf_is_inside((a), ARRAY_SIZE(a), (pa), (size)) 209 210 static bool pa_is_in_map(struct tee_mmap_region *map, paddr_t pa, size_t len) 211 { 212 paddr_t end_pa = 0; 213 214 if (!map) 215 return false; 216 217 if (SUB_OVERFLOW(len, 1, &end_pa) || ADD_OVERFLOW(pa, end_pa, &end_pa)) 218 return false; 219 220 return (pa >= map->pa && end_pa <= map->pa + map->size - 1); 221 } 222 223 static bool va_is_in_map(struct tee_mmap_region *map, vaddr_t va) 224 { 225 if (!map) 226 return false; 227 return (va >= map->va && va <= (map->va + map->size - 1)); 228 } 229 230 /* check if target buffer fits in a core default map area */ 231 static bool pbuf_inside_map_area(unsigned long p, size_t l, 232 struct tee_mmap_region *map) 233 { 234 return core_is_buffer_inside(p, l, map->pa, map->size); 235 } 236 237 static struct tee_mmap_region *find_map_by_type(enum teecore_memtypes type) 238 { 239 struct tee_mmap_region *map; 240 241 for (map = get_memory_map(); !core_mmap_is_end_of_table(map); map++) 242 if (map->type == type) 243 return map; 244 return NULL; 245 } 246 247 static struct tee_mmap_region * 248 find_map_by_type_and_pa(enum teecore_memtypes type, paddr_t pa, size_t len) 249 { 250 struct tee_mmap_region *map; 251 252 for (map = get_memory_map(); !core_mmap_is_end_of_table(map); map++) { 253 if (map->type != type) 254 continue; 255 if (pa_is_in_map(map, pa, len)) 256 return map; 257 } 258 return NULL; 259 } 260 261 static struct tee_mmap_region *find_map_by_va(void *va) 262 { 263 struct tee_mmap_region *map = get_memory_map(); 264 unsigned long a = (unsigned long)va; 265 266 while (!core_mmap_is_end_of_table(map)) { 267 if (a >= map->va && a <= (map->va - 1 + map->size)) 268 return map; 269 map++; 270 } 271 return NULL; 272 } 273 274 static struct tee_mmap_region *find_map_by_pa(unsigned long pa) 275 { 276 struct tee_mmap_region *map = get_memory_map(); 277 278 while (!core_mmap_is_end_of_table(map)) { 279 if (pa >= map->pa && pa <= (map->pa + map->size - 1)) 280 return map; 281 map++; 282 } 283 return NULL; 284 } 285 286 #if defined(CFG_SECURE_DATA_PATH) 287 static bool dtb_get_sdp_region(void) 288 { 289 void *fdt = NULL; 290 int node = 0; 291 int tmp_node = 0; 292 paddr_t tmp_addr = 0; 293 size_t tmp_size = 0; 294 295 if (!IS_ENABLED(CFG_EMBED_DTB)) 296 return false; 297 298 fdt = get_embedded_dt(); 299 if (!fdt) 300 panic("No DTB found"); 301 302 node = fdt_node_offset_by_compatible(fdt, -1, tz_sdp_match); 303 if (node < 0) { 304 DMSG("No %s compatible node found", tz_sdp_match); 305 return false; 306 } 307 tmp_node = node; 308 while (tmp_node >= 0) { 309 tmp_node = fdt_node_offset_by_compatible(fdt, tmp_node, 310 tz_sdp_match); 311 if (tmp_node >= 0) 312 DMSG("Ignore SDP pool node %s, supports only 1 node", 313 fdt_get_name(fdt, tmp_node, NULL)); 314 } 315 316 tmp_addr = fdt_reg_base_address(fdt, node); 317 if (tmp_addr == DT_INFO_INVALID_REG) { 318 EMSG("%s: Unable to get base addr from DT", tz_sdp_match); 319 return false; 320 } 321 322 tmp_size = fdt_reg_size(fdt, node); 323 if (tmp_size == DT_INFO_INVALID_REG_SIZE) { 324 EMSG("%s: Unable to get size of base addr from DT", 325 tz_sdp_match); 326 return false; 327 } 328 329 sec_sdp.paddr = tmp_addr; 330 sec_sdp.size = tmp_size; 331 332 return true; 333 } 334 #endif 335 336 #if defined(CFG_CORE_DYN_SHM) || defined(CFG_SECURE_DATA_PATH) 337 static bool pbuf_is_special_mem(paddr_t pbuf, size_t len, 338 const struct core_mmu_phys_mem *start, 339 const struct core_mmu_phys_mem *end) 340 { 341 const struct core_mmu_phys_mem *mem; 342 343 for (mem = start; mem < end; mem++) { 344 if (core_is_buffer_inside(pbuf, len, mem->addr, mem->size)) 345 return true; 346 } 347 348 return false; 349 } 350 #endif 351 352 #ifdef CFG_CORE_DYN_SHM 353 static void carve_out_phys_mem(struct core_mmu_phys_mem **mem, size_t *nelems, 354 paddr_t pa, size_t size) 355 { 356 struct core_mmu_phys_mem *m = *mem; 357 size_t n = 0; 358 359 while (true) { 360 if (n >= *nelems) { 361 DMSG("No need to carve out %#" PRIxPA " size %#zx", 362 pa, size); 363 return; 364 } 365 if (core_is_buffer_inside(pa, size, m[n].addr, m[n].size)) 366 break; 367 if (!core_is_buffer_outside(pa, size, m[n].addr, m[n].size)) 368 panic(); 369 n++; 370 } 371 372 if (pa == m[n].addr && size == m[n].size) { 373 /* Remove this entry */ 374 (*nelems)--; 375 memmove(m + n, m + n + 1, sizeof(*m) * (*nelems - n)); 376 m = nex_realloc(m, sizeof(*m) * *nelems); 377 if (!m) 378 panic(); 379 *mem = m; 380 } else if (pa == m[n].addr) { 381 m[n].addr += size; 382 m[n].size -= size; 383 } else if ((pa + size) == (m[n].addr + m[n].size)) { 384 m[n].size -= size; 385 } else { 386 /* Need to split the memory entry */ 387 m = nex_realloc(m, sizeof(*m) * (*nelems + 1)); 388 if (!m) 389 panic(); 390 *mem = m; 391 memmove(m + n + 1, m + n, sizeof(*m) * (*nelems - n)); 392 (*nelems)++; 393 m[n].size = pa - m[n].addr; 394 m[n + 1].size -= size + m[n].size; 395 m[n + 1].addr = pa + size; 396 } 397 } 398 399 static void check_phys_mem_is_outside(struct core_mmu_phys_mem *start, 400 size_t nelems, 401 struct tee_mmap_region *map) 402 { 403 size_t n; 404 405 for (n = 0; n < nelems; n++) { 406 if (!core_is_buffer_outside(start[n].addr, start[n].size, 407 map->pa, map->size)) { 408 EMSG("Non-sec mem (%#" PRIxPA ":%#" PRIxPASZ 409 ") overlaps map (type %d %#" PRIxPA ":%#zx)", 410 start[n].addr, start[n].size, 411 map->type, map->pa, map->size); 412 panic(); 413 } 414 } 415 } 416 417 static const struct core_mmu_phys_mem *discovered_nsec_ddr_start __nex_bss; 418 static size_t discovered_nsec_ddr_nelems __nex_bss; 419 420 static int cmp_pmem_by_addr(const void *a, const void *b) 421 { 422 const struct core_mmu_phys_mem *pmem_a = a; 423 const struct core_mmu_phys_mem *pmem_b = b; 424 425 return CMP_TRILEAN(pmem_a->addr, pmem_b->addr); 426 } 427 428 void core_mmu_set_discovered_nsec_ddr(struct core_mmu_phys_mem *start, 429 size_t nelems) 430 { 431 struct core_mmu_phys_mem *m = start; 432 size_t num_elems = nelems; 433 struct tee_mmap_region *map = static_memory_map; 434 const struct core_mmu_phys_mem __maybe_unused *pmem; 435 size_t n = 0; 436 437 assert(!discovered_nsec_ddr_start); 438 assert(m && num_elems); 439 440 qsort(m, num_elems, sizeof(*m), cmp_pmem_by_addr); 441 442 /* 443 * Non-secure shared memory and also secure data 444 * path memory are supposed to reside inside 445 * non-secure memory. Since NSEC_SHM and SDP_MEM 446 * are used for a specific purpose make holes for 447 * those memory in the normal non-secure memory. 448 * 449 * This has to be done since for instance QEMU 450 * isn't aware of which memory range in the 451 * non-secure memory is used for NSEC_SHM. 452 */ 453 454 #ifdef CFG_SECURE_DATA_PATH 455 if (dtb_get_sdp_region()) 456 carve_out_phys_mem(&m, &num_elems, sec_sdp.paddr, sec_sdp.size); 457 458 for (pmem = phys_sdp_mem_begin; pmem < phys_sdp_mem_end; pmem++) 459 carve_out_phys_mem(&m, &num_elems, pmem->addr, pmem->size); 460 #endif 461 462 for (n = 0; n < ARRAY_SIZE(secure_only); n++) 463 carve_out_phys_mem(&m, &num_elems, secure_only[n].paddr, 464 secure_only[n].size); 465 466 for (map = static_memory_map; !core_mmap_is_end_of_table(map); map++) { 467 switch (map->type) { 468 case MEM_AREA_NSEC_SHM: 469 carve_out_phys_mem(&m, &num_elems, map->pa, map->size); 470 break; 471 case MEM_AREA_EXT_DT: 472 case MEM_AREA_RES_VASPACE: 473 case MEM_AREA_SHM_VASPACE: 474 case MEM_AREA_TS_VASPACE: 475 case MEM_AREA_PAGER_VASPACE: 476 break; 477 default: 478 check_phys_mem_is_outside(m, num_elems, map); 479 } 480 } 481 482 discovered_nsec_ddr_start = m; 483 discovered_nsec_ddr_nelems = num_elems; 484 485 if (!core_mmu_check_end_pa(m[num_elems - 1].addr, 486 m[num_elems - 1].size)) 487 panic(); 488 } 489 490 static bool get_discovered_nsec_ddr(const struct core_mmu_phys_mem **start, 491 const struct core_mmu_phys_mem **end) 492 { 493 if (!discovered_nsec_ddr_start) 494 return false; 495 496 *start = discovered_nsec_ddr_start; 497 *end = discovered_nsec_ddr_start + discovered_nsec_ddr_nelems; 498 499 return true; 500 } 501 502 static bool pbuf_is_nsec_ddr(paddr_t pbuf, size_t len) 503 { 504 const struct core_mmu_phys_mem *start; 505 const struct core_mmu_phys_mem *end; 506 507 if (!get_discovered_nsec_ddr(&start, &end)) 508 return false; 509 510 return pbuf_is_special_mem(pbuf, len, start, end); 511 } 512 513 bool core_mmu_nsec_ddr_is_defined(void) 514 { 515 const struct core_mmu_phys_mem *start; 516 const struct core_mmu_phys_mem *end; 517 518 if (!get_discovered_nsec_ddr(&start, &end)) 519 return false; 520 521 return start != end; 522 } 523 #else 524 static bool pbuf_is_nsec_ddr(paddr_t pbuf __unused, size_t len __unused) 525 { 526 return false; 527 } 528 #endif /*CFG_CORE_DYN_SHM*/ 529 530 #define MSG_MEM_INSTERSECT(pa1, sz1, pa2, sz2) \ 531 EMSG("[%" PRIxPA " %" PRIx64 "] intersects [%" PRIxPA " %" PRIx64 "]", \ 532 pa1, (uint64_t)pa1 + (sz1), pa2, (uint64_t)pa2 + (sz2)) 533 534 #ifdef CFG_SECURE_DATA_PATH 535 static bool pbuf_is_sdp_mem(paddr_t pbuf, size_t len) 536 { 537 bool is_sdp_mem = false; 538 539 if (sec_sdp.size) 540 is_sdp_mem = core_is_buffer_inside(pbuf, len, sec_sdp.paddr, 541 sec_sdp.size); 542 543 if (!is_sdp_mem) 544 is_sdp_mem = pbuf_is_special_mem(pbuf, len, phys_sdp_mem_begin, 545 phys_sdp_mem_end); 546 547 return is_sdp_mem; 548 } 549 550 static struct mobj *core_sdp_mem_alloc_mobj(paddr_t pa, size_t size) 551 { 552 struct mobj *mobj = mobj_phys_alloc(pa, size, TEE_MATTR_MEM_TYPE_CACHED, 553 CORE_MEM_SDP_MEM); 554 555 if (!mobj) 556 panic("can't create SDP physical memory object"); 557 558 return mobj; 559 } 560 561 struct mobj **core_sdp_mem_create_mobjs(void) 562 { 563 const struct core_mmu_phys_mem *mem = NULL; 564 struct mobj **mobj_base = NULL; 565 struct mobj **mobj = NULL; 566 int cnt = phys_sdp_mem_end - phys_sdp_mem_begin; 567 568 if (sec_sdp.size) 569 cnt++; 570 571 /* SDP mobjs table must end with a NULL entry */ 572 mobj_base = calloc(cnt + 1, sizeof(struct mobj *)); 573 if (!mobj_base) 574 panic("Out of memory"); 575 576 mobj = mobj_base; 577 578 for (mem = phys_sdp_mem_begin; mem < phys_sdp_mem_end; mem++, mobj++) 579 *mobj = core_sdp_mem_alloc_mobj(mem->addr, mem->size); 580 581 if (sec_sdp.size) 582 *mobj = core_sdp_mem_alloc_mobj(sec_sdp.paddr, sec_sdp.size); 583 584 return mobj_base; 585 } 586 587 #else /* CFG_SECURE_DATA_PATH */ 588 static bool pbuf_is_sdp_mem(paddr_t pbuf __unused, size_t len __unused) 589 { 590 return false; 591 } 592 593 #endif /* CFG_SECURE_DATA_PATH */ 594 595 /* Check special memories comply with registered memories */ 596 static void verify_special_mem_areas(struct tee_mmap_region *mem_map, 597 size_t len, 598 const struct core_mmu_phys_mem *start, 599 const struct core_mmu_phys_mem *end, 600 const char *area_name __maybe_unused) 601 { 602 const struct core_mmu_phys_mem *mem; 603 const struct core_mmu_phys_mem *mem2; 604 struct tee_mmap_region *mmap; 605 size_t n; 606 607 if (start == end) { 608 DMSG("No %s memory area defined", area_name); 609 return; 610 } 611 612 for (mem = start; mem < end; mem++) 613 DMSG("%s memory [%" PRIxPA " %" PRIx64 "]", 614 area_name, mem->addr, (uint64_t)mem->addr + mem->size); 615 616 /* Check memories do not intersect each other */ 617 for (mem = start; mem + 1 < end; mem++) { 618 for (mem2 = mem + 1; mem2 < end; mem2++) { 619 if (core_is_buffer_intersect(mem2->addr, mem2->size, 620 mem->addr, mem->size)) { 621 MSG_MEM_INSTERSECT(mem2->addr, mem2->size, 622 mem->addr, mem->size); 623 panic("Special memory intersection"); 624 } 625 } 626 } 627 628 /* 629 * Check memories do not intersect any mapped memory. 630 * This is called before reserved VA space is loaded in mem_map. 631 */ 632 for (mem = start; mem < end; mem++) { 633 for (mmap = mem_map, n = 0; n < len; mmap++, n++) { 634 if (core_is_buffer_intersect(mem->addr, mem->size, 635 mmap->pa, mmap->size)) { 636 MSG_MEM_INSTERSECT(mem->addr, mem->size, 637 mmap->pa, mmap->size); 638 panic("Special memory intersection"); 639 } 640 } 641 } 642 } 643 644 static void add_phys_mem(struct tee_mmap_region *memory_map, size_t num_elems, 645 const char *mem_name __maybe_unused, 646 enum teecore_memtypes mem_type, 647 paddr_t mem_addr, paddr_size_t mem_size, size_t *last) 648 { 649 size_t n = 0; 650 paddr_t pa; 651 paddr_size_t size; 652 653 if (!mem_size) /* Discard null size entries */ 654 return; 655 /* 656 * If some ranges of memory of the same type do overlap 657 * each others they are coalesced into one entry. To help this 658 * added entries are sorted by increasing physical. 659 * 660 * Note that it's valid to have the same physical memory as several 661 * different memory types, for instance the same device memory 662 * mapped as both secure and non-secure. This will probably not 663 * happen often in practice. 664 */ 665 DMSG("%s type %s 0x%08" PRIxPA " size 0x%08" PRIxPASZ, 666 mem_name, teecore_memtype_name(mem_type), mem_addr, mem_size); 667 while (true) { 668 if (n >= (num_elems - 1)) { 669 EMSG("Out of entries (%zu) in memory_map", num_elems); 670 panic(); 671 } 672 if (n == *last) 673 break; 674 pa = memory_map[n].pa; 675 size = memory_map[n].size; 676 if (mem_type == memory_map[n].type && 677 ((pa <= (mem_addr + (mem_size - 1))) && 678 (mem_addr <= (pa + (size - 1))))) { 679 DMSG("Physical mem map overlaps 0x%" PRIxPA, mem_addr); 680 memory_map[n].pa = MIN(pa, mem_addr); 681 memory_map[n].size = MAX(size, mem_size) + 682 (pa - memory_map[n].pa); 683 return; 684 } 685 if (mem_type < memory_map[n].type || 686 (mem_type == memory_map[n].type && mem_addr < pa)) 687 break; /* found the spot where to insert this memory */ 688 n++; 689 } 690 691 memmove(memory_map + n + 1, memory_map + n, 692 sizeof(struct tee_mmap_region) * (*last - n)); 693 (*last)++; 694 memset(memory_map + n, 0, sizeof(memory_map[0])); 695 memory_map[n].type = mem_type; 696 memory_map[n].pa = mem_addr; 697 memory_map[n].size = mem_size; 698 } 699 700 static void add_va_space(struct tee_mmap_region *memory_map, size_t num_elems, 701 enum teecore_memtypes type, size_t size, size_t *last) 702 { 703 size_t n = 0; 704 705 DMSG("type %s size 0x%08zx", teecore_memtype_name(type), size); 706 while (true) { 707 if (n >= (num_elems - 1)) { 708 EMSG("Out of entries (%zu) in memory_map", num_elems); 709 panic(); 710 } 711 if (n == *last) 712 break; 713 if (type < memory_map[n].type) 714 break; 715 n++; 716 } 717 718 memmove(memory_map + n + 1, memory_map + n, 719 sizeof(struct tee_mmap_region) * (*last - n)); 720 (*last)++; 721 memset(memory_map + n, 0, sizeof(memory_map[0])); 722 memory_map[n].type = type; 723 memory_map[n].size = size; 724 } 725 726 uint32_t core_mmu_type_to_attr(enum teecore_memtypes t) 727 { 728 const uint32_t attr = TEE_MATTR_VALID_BLOCK; 729 const uint32_t tagged = TEE_MATTR_MEM_TYPE_TAGGED << 730 TEE_MATTR_MEM_TYPE_SHIFT; 731 const uint32_t cached = TEE_MATTR_MEM_TYPE_CACHED << 732 TEE_MATTR_MEM_TYPE_SHIFT; 733 const uint32_t noncache = TEE_MATTR_MEM_TYPE_DEV << 734 TEE_MATTR_MEM_TYPE_SHIFT; 735 736 switch (t) { 737 case MEM_AREA_TEE_RAM: 738 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRWX | tagged; 739 case MEM_AREA_TEE_RAM_RX: 740 case MEM_AREA_INIT_RAM_RX: 741 case MEM_AREA_IDENTITY_MAP_RX: 742 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRX | tagged; 743 case MEM_AREA_TEE_RAM_RO: 744 case MEM_AREA_INIT_RAM_RO: 745 return attr | TEE_MATTR_SECURE | TEE_MATTR_PR | tagged; 746 case MEM_AREA_TEE_RAM_RW: 747 case MEM_AREA_NEX_RAM_RO: /* This has to be r/w during init runtime */ 748 case MEM_AREA_NEX_RAM_RW: 749 case MEM_AREA_TEE_ASAN: 750 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRW | tagged; 751 case MEM_AREA_TEE_COHERENT: 752 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRWX | noncache; 753 case MEM_AREA_TA_RAM: 754 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRW | tagged; 755 case MEM_AREA_NSEC_SHM: 756 case MEM_AREA_NEX_NSEC_SHM: 757 return attr | TEE_MATTR_PRW | cached; 758 case MEM_AREA_EXT_DT: 759 /* 760 * If CFG_MAP_EXT_DT_SECURE is enabled map the external device 761 * tree as secure non-cached memory, otherwise, fall back to 762 * non-secure mapping. 763 */ 764 if (IS_ENABLED(CFG_MAP_EXT_DT_SECURE)) 765 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRW | 766 noncache; 767 fallthrough; 768 case MEM_AREA_IO_NSEC: 769 return attr | TEE_MATTR_PRW | noncache; 770 case MEM_AREA_IO_SEC: 771 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRW | noncache; 772 case MEM_AREA_RAM_NSEC: 773 return attr | TEE_MATTR_PRW | cached; 774 case MEM_AREA_RAM_SEC: 775 case MEM_AREA_SEC_RAM_OVERALL: 776 return attr | TEE_MATTR_SECURE | TEE_MATTR_PRW | cached; 777 case MEM_AREA_RES_VASPACE: 778 case MEM_AREA_SHM_VASPACE: 779 return 0; 780 case MEM_AREA_PAGER_VASPACE: 781 return TEE_MATTR_SECURE; 782 default: 783 panic("invalid type"); 784 } 785 } 786 787 static bool __maybe_unused map_is_tee_ram(const struct tee_mmap_region *mm) 788 { 789 switch (mm->type) { 790 case MEM_AREA_TEE_RAM: 791 case MEM_AREA_TEE_RAM_RX: 792 case MEM_AREA_TEE_RAM_RO: 793 case MEM_AREA_TEE_RAM_RW: 794 case MEM_AREA_INIT_RAM_RX: 795 case MEM_AREA_INIT_RAM_RO: 796 case MEM_AREA_NEX_RAM_RW: 797 case MEM_AREA_NEX_RAM_RO: 798 case MEM_AREA_TEE_ASAN: 799 return true; 800 default: 801 return false; 802 } 803 } 804 805 static bool __maybe_unused map_is_secure(const struct tee_mmap_region *mm) 806 { 807 return !!(core_mmu_type_to_attr(mm->type) & TEE_MATTR_SECURE); 808 } 809 810 static bool __maybe_unused map_is_pgdir(const struct tee_mmap_region *mm) 811 { 812 return mm->region_size == CORE_MMU_PGDIR_SIZE; 813 } 814 815 static int cmp_mmap_by_lower_va(const void *a, const void *b) 816 { 817 const struct tee_mmap_region *mm_a = a; 818 const struct tee_mmap_region *mm_b = b; 819 820 return CMP_TRILEAN(mm_a->va, mm_b->va); 821 } 822 823 static void dump_mmap_table(struct tee_mmap_region *memory_map) 824 { 825 struct tee_mmap_region *map; 826 827 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) { 828 vaddr_t __maybe_unused vstart; 829 830 vstart = map->va + ((vaddr_t)map->pa & (map->region_size - 1)); 831 DMSG("type %-12s va 0x%08" PRIxVA "..0x%08" PRIxVA 832 " pa 0x%08" PRIxPA "..0x%08" PRIxPA " size 0x%08zx (%s)", 833 teecore_memtype_name(map->type), vstart, 834 vstart + map->size - 1, map->pa, 835 (paddr_t)(map->pa + map->size - 1), map->size, 836 map->region_size == SMALL_PAGE_SIZE ? "smallpg" : "pgdir"); 837 } 838 } 839 840 #if DEBUG_XLAT_TABLE 841 842 static void dump_xlat_table(vaddr_t va, unsigned int level) 843 { 844 struct core_mmu_table_info tbl_info; 845 unsigned int idx = 0; 846 paddr_t pa; 847 uint32_t attr; 848 849 core_mmu_find_table(NULL, va, level, &tbl_info); 850 va = tbl_info.va_base; 851 for (idx = 0; idx < tbl_info.num_entries; idx++) { 852 core_mmu_get_entry(&tbl_info, idx, &pa, &attr); 853 if (attr || level > CORE_MMU_BASE_TABLE_LEVEL) { 854 const char *security_bit = ""; 855 856 if (core_mmu_entry_have_security_bit(attr)) { 857 if (attr & TEE_MATTR_SECURE) 858 security_bit = "S"; 859 else 860 security_bit = "NS"; 861 } 862 863 if (attr & TEE_MATTR_TABLE) { 864 DMSG_RAW("%*s [LVL%d] VA:0x%010" PRIxVA 865 " TBL:0x%010" PRIxPA " %s", 866 level * 2, "", level, va, pa, 867 security_bit); 868 dump_xlat_table(va, level + 1); 869 } else if (attr) { 870 DMSG_RAW("%*s [LVL%d] VA:0x%010" PRIxVA 871 " PA:0x%010" PRIxPA " %s-%s-%s-%s", 872 level * 2, "", level, va, pa, 873 mattr_is_cached(attr) ? "MEM" : 874 "DEV", 875 attr & TEE_MATTR_PW ? "RW" : "RO", 876 attr & TEE_MATTR_PX ? "X " : "XN", 877 security_bit); 878 } else { 879 DMSG_RAW("%*s [LVL%d] VA:0x%010" PRIxVA 880 " INVALID\n", 881 level * 2, "", level, va); 882 } 883 } 884 va += BIT64(tbl_info.shift); 885 } 886 } 887 888 #else 889 890 static void dump_xlat_table(vaddr_t va __unused, int level __unused) 891 { 892 } 893 894 #endif 895 896 /* 897 * Reserves virtual memory space for pager usage. 898 * 899 * From the start of the first memory used by the link script + 900 * TEE_RAM_VA_SIZE should be covered, either with a direct mapping or empty 901 * mapping for pager usage. This adds translation tables as needed for the 902 * pager to operate. 903 */ 904 static void add_pager_vaspace(struct tee_mmap_region *mmap, size_t num_elems, 905 size_t *last) 906 { 907 paddr_t begin = 0; 908 paddr_t end = 0; 909 size_t size = 0; 910 size_t pos = 0; 911 size_t n = 0; 912 913 if (*last >= (num_elems - 1)) { 914 EMSG("Out of entries (%zu) in memory map", num_elems); 915 panic(); 916 } 917 918 for (n = 0; !core_mmap_is_end_of_table(mmap + n); n++) { 919 if (map_is_tee_ram(mmap + n)) { 920 if (!begin) 921 begin = mmap[n].pa; 922 pos = n + 1; 923 } 924 } 925 926 end = mmap[pos - 1].pa + mmap[pos - 1].size; 927 assert(end - begin < TEE_RAM_VA_SIZE); 928 size = TEE_RAM_VA_SIZE - (end - begin); 929 930 assert(pos <= *last); 931 memmove(mmap + pos + 1, mmap + pos, 932 sizeof(struct tee_mmap_region) * (*last - pos)); 933 (*last)++; 934 memset(mmap + pos, 0, sizeof(mmap[0])); 935 mmap[pos].type = MEM_AREA_PAGER_VASPACE; 936 mmap[pos].va = 0; 937 mmap[pos].size = size; 938 mmap[pos].region_size = SMALL_PAGE_SIZE; 939 mmap[pos].attr = core_mmu_type_to_attr(MEM_AREA_PAGER_VASPACE); 940 } 941 942 static void check_sec_nsec_mem_config(void) 943 { 944 size_t n = 0; 945 946 for (n = 0; n < ARRAY_SIZE(secure_only); n++) { 947 if (pbuf_intersects(nsec_shared, secure_only[n].paddr, 948 secure_only[n].size)) 949 panic("Invalid memory access config: sec/nsec"); 950 } 951 } 952 953 static size_t collect_mem_ranges(struct tee_mmap_region *memory_map, 954 size_t num_elems) 955 { 956 const struct core_mmu_phys_mem *mem = NULL; 957 vaddr_t ram_start = secure_only[0].paddr; 958 size_t last = 0; 959 960 961 #define ADD_PHYS_MEM(_type, _addr, _size) \ 962 add_phys_mem(memory_map, num_elems, #_addr, (_type), \ 963 (_addr), (_size), &last) 964 965 if (IS_ENABLED(CFG_CORE_RWDATA_NOEXEC)) { 966 ADD_PHYS_MEM(MEM_AREA_TEE_RAM_RO, ram_start, 967 VCORE_UNPG_RX_PA - ram_start); 968 ADD_PHYS_MEM(MEM_AREA_TEE_RAM_RX, VCORE_UNPG_RX_PA, 969 VCORE_UNPG_RX_SZ); 970 ADD_PHYS_MEM(MEM_AREA_TEE_RAM_RO, VCORE_UNPG_RO_PA, 971 VCORE_UNPG_RO_SZ); 972 973 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) { 974 ADD_PHYS_MEM(MEM_AREA_NEX_RAM_RO, VCORE_UNPG_RW_PA, 975 VCORE_UNPG_RW_SZ); 976 ADD_PHYS_MEM(MEM_AREA_NEX_RAM_RW, VCORE_NEX_RW_PA, 977 VCORE_NEX_RW_SZ); 978 } else { 979 ADD_PHYS_MEM(MEM_AREA_TEE_RAM_RW, VCORE_UNPG_RW_PA, 980 VCORE_UNPG_RW_SZ); 981 } 982 983 if (IS_ENABLED(CFG_WITH_PAGER)) { 984 ADD_PHYS_MEM(MEM_AREA_INIT_RAM_RX, VCORE_INIT_RX_PA, 985 VCORE_INIT_RX_SZ); 986 ADD_PHYS_MEM(MEM_AREA_INIT_RAM_RO, VCORE_INIT_RO_PA, 987 VCORE_INIT_RO_SZ); 988 } 989 } else { 990 ADD_PHYS_MEM(MEM_AREA_TEE_RAM, TEE_RAM_START, TEE_RAM_PH_SIZE); 991 } 992 993 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) { 994 ADD_PHYS_MEM(MEM_AREA_SEC_RAM_OVERALL, TRUSTED_DRAM_BASE, 995 TRUSTED_DRAM_SIZE); 996 } else { 997 /* 998 * Every guest will have own TA RAM if virtualization 999 * support is enabled. 1000 */ 1001 paddr_t ta_base = 0; 1002 size_t ta_size = 0; 1003 1004 core_mmu_get_ta_range(&ta_base, &ta_size); 1005 ADD_PHYS_MEM(MEM_AREA_TA_RAM, ta_base, ta_size); 1006 } 1007 1008 if (IS_ENABLED(CFG_CORE_SANITIZE_KADDRESS) && 1009 IS_ENABLED(CFG_WITH_PAGER)) { 1010 /* 1011 * Asan ram is part of MEM_AREA_TEE_RAM_RW when pager is 1012 * disabled. 1013 */ 1014 ADD_PHYS_MEM(MEM_AREA_TEE_ASAN, ASAN_MAP_PA, ASAN_MAP_SZ); 1015 } 1016 1017 #undef ADD_PHYS_MEM 1018 1019 for (mem = phys_mem_map_begin; mem < phys_mem_map_end; mem++) { 1020 /* Only unmapped virtual range may have a null phys addr */ 1021 assert(mem->addr || !core_mmu_type_to_attr(mem->type)); 1022 1023 add_phys_mem(memory_map, num_elems, mem->name, mem->type, 1024 mem->addr, mem->size, &last); 1025 } 1026 1027 if (IS_ENABLED(CFG_SECURE_DATA_PATH)) 1028 verify_special_mem_areas(memory_map, num_elems, 1029 phys_sdp_mem_begin, 1030 phys_sdp_mem_end, "SDP"); 1031 1032 add_va_space(memory_map, num_elems, MEM_AREA_RES_VASPACE, 1033 CFG_RESERVED_VASPACE_SIZE, &last); 1034 1035 add_va_space(memory_map, num_elems, MEM_AREA_SHM_VASPACE, 1036 SHM_VASPACE_SIZE, &last); 1037 1038 memory_map[last].type = MEM_AREA_END; 1039 1040 return last; 1041 } 1042 1043 static void assign_mem_granularity(struct tee_mmap_region *memory_map) 1044 { 1045 struct tee_mmap_region *map = NULL; 1046 1047 /* 1048 * Assign region sizes, note that MEM_AREA_TEE_RAM always uses 1049 * SMALL_PAGE_SIZE. 1050 */ 1051 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) { 1052 paddr_t mask = map->pa | map->size; 1053 1054 if (!(mask & CORE_MMU_PGDIR_MASK)) 1055 map->region_size = CORE_MMU_PGDIR_SIZE; 1056 else if (!(mask & SMALL_PAGE_MASK)) 1057 map->region_size = SMALL_PAGE_SIZE; 1058 else 1059 panic("Impossible memory alignment"); 1060 1061 if (map_is_tee_ram(map)) 1062 map->region_size = SMALL_PAGE_SIZE; 1063 } 1064 } 1065 1066 static bool place_tee_ram_at_top(paddr_t paddr) 1067 { 1068 return paddr > BIT64(core_mmu_get_va_width()) / 2; 1069 } 1070 1071 /* 1072 * MMU arch driver shall override this function if it helps 1073 * optimizing the memory footprint of the address translation tables. 1074 */ 1075 bool __weak core_mmu_prefer_tee_ram_at_top(paddr_t paddr) 1076 { 1077 return place_tee_ram_at_top(paddr); 1078 } 1079 1080 static bool assign_mem_va_dir(vaddr_t tee_ram_va, 1081 struct tee_mmap_region *memory_map, 1082 bool tee_ram_at_top) 1083 { 1084 struct tee_mmap_region *map = NULL; 1085 vaddr_t va = 0; 1086 bool va_is_secure = true; 1087 1088 /* 1089 * tee_ram_va might equals 0 when CFG_CORE_ASLR=y. 1090 * 0 is by design an invalid va, so return false directly. 1091 */ 1092 if (!tee_ram_va) 1093 return false; 1094 1095 /* Clear eventual previous assignments */ 1096 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) 1097 map->va = 0; 1098 1099 /* 1100 * TEE RAM regions are always aligned with region_size. 1101 * 1102 * Note that MEM_AREA_PAGER_VASPACE also counts as TEE RAM here 1103 * since it handles virtual memory which covers the part of the ELF 1104 * that cannot fit directly into memory. 1105 */ 1106 va = tee_ram_va; 1107 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) { 1108 if (map_is_tee_ram(map) || 1109 map->type == MEM_AREA_PAGER_VASPACE) { 1110 assert(!(va & (map->region_size - 1))); 1111 assert(!(map->size & (map->region_size - 1))); 1112 map->va = va; 1113 if (ADD_OVERFLOW(va, map->size, &va)) 1114 return false; 1115 if (va >= BIT64(core_mmu_get_va_width())) 1116 return false; 1117 } 1118 } 1119 1120 if (tee_ram_at_top) { 1121 /* 1122 * Map non-tee ram regions at addresses lower than the tee 1123 * ram region. 1124 */ 1125 va = tee_ram_va; 1126 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) { 1127 map->attr = core_mmu_type_to_attr(map->type); 1128 if (map->va) 1129 continue; 1130 1131 if (!IS_ENABLED(CFG_WITH_LPAE) && 1132 va_is_secure != map_is_secure(map)) { 1133 va_is_secure = !va_is_secure; 1134 va = ROUNDDOWN(va, CORE_MMU_PGDIR_SIZE); 1135 } 1136 1137 if (SUB_OVERFLOW(va, map->size, &va)) 1138 return false; 1139 va = ROUNDDOWN(va, map->region_size); 1140 /* 1141 * Make sure that va is aligned with pa for 1142 * efficient pgdir mapping. Basically pa & 1143 * pgdir_mask should be == va & pgdir_mask 1144 */ 1145 if (map->size > 2 * CORE_MMU_PGDIR_SIZE) { 1146 if (SUB_OVERFLOW(va, CORE_MMU_PGDIR_SIZE, &va)) 1147 return false; 1148 va += (map->pa - va) & CORE_MMU_PGDIR_MASK; 1149 } 1150 map->va = va; 1151 } 1152 } else { 1153 /* 1154 * Map non-tee ram regions at addresses higher than the tee 1155 * ram region. 1156 */ 1157 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) { 1158 map->attr = core_mmu_type_to_attr(map->type); 1159 if (map->va) 1160 continue; 1161 1162 if (!IS_ENABLED(CFG_WITH_LPAE) && 1163 va_is_secure != map_is_secure(map)) { 1164 va_is_secure = !va_is_secure; 1165 if (ROUNDUP_OVERFLOW(va, CORE_MMU_PGDIR_SIZE, 1166 &va)) 1167 return false; 1168 } 1169 1170 if (ROUNDUP_OVERFLOW(va, map->region_size, &va)) 1171 return false; 1172 /* 1173 * Make sure that va is aligned with pa for 1174 * efficient pgdir mapping. Basically pa & 1175 * pgdir_mask should be == va & pgdir_mask 1176 */ 1177 if (map->size > 2 * CORE_MMU_PGDIR_SIZE) { 1178 vaddr_t offs = (map->pa - va) & 1179 CORE_MMU_PGDIR_MASK; 1180 1181 if (ADD_OVERFLOW(va, offs, &va)) 1182 return false; 1183 } 1184 1185 map->va = va; 1186 if (ADD_OVERFLOW(va, map->size, &va)) 1187 return false; 1188 if (va >= BIT64(core_mmu_get_va_width())) 1189 return false; 1190 } 1191 } 1192 1193 return true; 1194 } 1195 1196 static bool assign_mem_va(vaddr_t tee_ram_va, 1197 struct tee_mmap_region *memory_map) 1198 { 1199 bool tee_ram_at_top = place_tee_ram_at_top(tee_ram_va); 1200 1201 /* 1202 * Check that we're not overlapping with the user VA range. 1203 */ 1204 if (IS_ENABLED(CFG_WITH_LPAE)) { 1205 /* 1206 * User VA range is supposed to be defined after these 1207 * mappings have been established. 1208 */ 1209 assert(!core_mmu_user_va_range_is_defined()); 1210 } else { 1211 vaddr_t user_va_base = 0; 1212 size_t user_va_size = 0; 1213 1214 assert(core_mmu_user_va_range_is_defined()); 1215 core_mmu_get_user_va_range(&user_va_base, &user_va_size); 1216 if (tee_ram_va < (user_va_base + user_va_size)) 1217 return false; 1218 } 1219 1220 if (IS_ENABLED(CFG_WITH_PAGER)) { 1221 bool prefered_dir = core_mmu_prefer_tee_ram_at_top(tee_ram_va); 1222 1223 /* Try whole mapping covered by a single base xlat entry */ 1224 if (prefered_dir != tee_ram_at_top && 1225 assign_mem_va_dir(tee_ram_va, memory_map, prefered_dir)) 1226 return true; 1227 } 1228 1229 return assign_mem_va_dir(tee_ram_va, memory_map, tee_ram_at_top); 1230 } 1231 1232 static int cmp_init_mem_map(const void *a, const void *b) 1233 { 1234 const struct tee_mmap_region *mm_a = a; 1235 const struct tee_mmap_region *mm_b = b; 1236 int rc = 0; 1237 1238 rc = CMP_TRILEAN(mm_a->region_size, mm_b->region_size); 1239 if (!rc) 1240 rc = CMP_TRILEAN(mm_a->pa, mm_b->pa); 1241 /* 1242 * 32bit MMU descriptors cannot mix secure and non-secure mapping in 1243 * the same level2 table. Hence sort secure mapping from non-secure 1244 * mapping. 1245 */ 1246 if (!rc && !IS_ENABLED(CFG_WITH_LPAE)) 1247 rc = CMP_TRILEAN(map_is_secure(mm_a), map_is_secure(mm_b)); 1248 1249 return rc; 1250 } 1251 1252 static bool mem_map_add_id_map(struct tee_mmap_region *memory_map, 1253 size_t num_elems, size_t *last, 1254 vaddr_t id_map_start, vaddr_t id_map_end) 1255 { 1256 struct tee_mmap_region *map = NULL; 1257 vaddr_t start = ROUNDDOWN(id_map_start, SMALL_PAGE_SIZE); 1258 vaddr_t end = ROUNDUP(id_map_end, SMALL_PAGE_SIZE); 1259 size_t len = end - start; 1260 1261 if (*last >= num_elems - 1) { 1262 EMSG("Out of entries (%zu) in memory map", num_elems); 1263 panic(); 1264 } 1265 1266 for (map = memory_map; !core_mmap_is_end_of_table(map); map++) 1267 if (core_is_buffer_intersect(map->va, map->size, start, len)) 1268 return false; 1269 1270 *map = (struct tee_mmap_region){ 1271 .type = MEM_AREA_IDENTITY_MAP_RX, 1272 /* 1273 * Could use CORE_MMU_PGDIR_SIZE to potentially save a 1274 * translation table, at the increased risk of clashes with 1275 * the rest of the memory map. 1276 */ 1277 .region_size = SMALL_PAGE_SIZE, 1278 .pa = start, 1279 .va = start, 1280 .size = len, 1281 .attr = core_mmu_type_to_attr(MEM_AREA_IDENTITY_MAP_RX), 1282 }; 1283 1284 (*last)++; 1285 1286 return true; 1287 } 1288 1289 static unsigned long init_mem_map(struct tee_mmap_region *memory_map, 1290 size_t num_elems, unsigned long seed) 1291 { 1292 /* 1293 * @id_map_start and @id_map_end describes a physical memory range 1294 * that must be mapped Read-Only eXecutable at identical virtual 1295 * addresses. 1296 */ 1297 vaddr_t id_map_start = (vaddr_t)__identity_map_init_start; 1298 vaddr_t id_map_end = (vaddr_t)__identity_map_init_end; 1299 vaddr_t start_addr = secure_only[0].paddr; 1300 unsigned long offs = 0; 1301 size_t last = 0; 1302 1303 last = collect_mem_ranges(memory_map, num_elems); 1304 assign_mem_granularity(memory_map); 1305 1306 /* 1307 * To ease mapping and lower use of xlat tables, sort mapping 1308 * description moving small-page regions after the pgdir regions. 1309 */ 1310 qsort(memory_map, last, sizeof(struct tee_mmap_region), 1311 cmp_init_mem_map); 1312 1313 if (IS_ENABLED(CFG_WITH_PAGER)) 1314 add_pager_vaspace(memory_map, num_elems, &last); 1315 1316 if (IS_ENABLED(CFG_CORE_ASLR) && seed) { 1317 vaddr_t base_addr = start_addr + seed; 1318 const unsigned int va_width = core_mmu_get_va_width(); 1319 const vaddr_t va_mask = GENMASK_64(va_width - 1, 1320 SMALL_PAGE_SHIFT); 1321 vaddr_t ba = base_addr; 1322 size_t n = 0; 1323 1324 for (n = 0; n < 3; n++) { 1325 if (n) 1326 ba = base_addr ^ BIT64(va_width - n); 1327 ba &= va_mask; 1328 if (assign_mem_va(ba, memory_map) && 1329 mem_map_add_id_map(memory_map, num_elems, &last, 1330 id_map_start, id_map_end)) { 1331 offs = ba - start_addr; 1332 DMSG("Mapping core at %#"PRIxVA" offs %#lx", 1333 ba, offs); 1334 goto out; 1335 } else { 1336 DMSG("Failed to map core at %#"PRIxVA, ba); 1337 } 1338 } 1339 EMSG("Failed to map core with seed %#lx", seed); 1340 } 1341 1342 if (!assign_mem_va(start_addr, memory_map)) 1343 panic(); 1344 1345 out: 1346 qsort(memory_map, last, sizeof(struct tee_mmap_region), 1347 cmp_mmap_by_lower_va); 1348 1349 dump_mmap_table(memory_map); 1350 1351 return offs; 1352 } 1353 1354 static void check_mem_map(struct tee_mmap_region *map) 1355 { 1356 struct tee_mmap_region *m = NULL; 1357 1358 for (m = map; !core_mmap_is_end_of_table(m); m++) { 1359 switch (m->type) { 1360 case MEM_AREA_TEE_RAM: 1361 case MEM_AREA_TEE_RAM_RX: 1362 case MEM_AREA_TEE_RAM_RO: 1363 case MEM_AREA_TEE_RAM_RW: 1364 case MEM_AREA_INIT_RAM_RX: 1365 case MEM_AREA_INIT_RAM_RO: 1366 case MEM_AREA_NEX_RAM_RW: 1367 case MEM_AREA_NEX_RAM_RO: 1368 case MEM_AREA_IDENTITY_MAP_RX: 1369 if (!pbuf_is_inside(secure_only, m->pa, m->size)) 1370 panic("TEE_RAM can't fit in secure_only"); 1371 break; 1372 case MEM_AREA_TA_RAM: 1373 if (!pbuf_is_inside(secure_only, m->pa, m->size)) 1374 panic("TA_RAM can't fit in secure_only"); 1375 break; 1376 case MEM_AREA_NSEC_SHM: 1377 if (!pbuf_is_inside(nsec_shared, m->pa, m->size)) 1378 panic("NS_SHM can't fit in nsec_shared"); 1379 break; 1380 case MEM_AREA_SEC_RAM_OVERALL: 1381 case MEM_AREA_TEE_COHERENT: 1382 case MEM_AREA_TEE_ASAN: 1383 case MEM_AREA_IO_SEC: 1384 case MEM_AREA_IO_NSEC: 1385 case MEM_AREA_EXT_DT: 1386 case MEM_AREA_RAM_SEC: 1387 case MEM_AREA_RAM_NSEC: 1388 case MEM_AREA_RES_VASPACE: 1389 case MEM_AREA_SHM_VASPACE: 1390 case MEM_AREA_PAGER_VASPACE: 1391 break; 1392 default: 1393 EMSG("Uhandled memtype %d", m->type); 1394 panic(); 1395 } 1396 } 1397 } 1398 1399 static struct tee_mmap_region *get_tmp_mmap(void) 1400 { 1401 struct tee_mmap_region *tmp_mmap = (void *)__heap1_start; 1402 1403 #ifdef CFG_WITH_PAGER 1404 if (__heap1_end - __heap1_start < (ptrdiff_t)sizeof(static_memory_map)) 1405 tmp_mmap = (void *)__heap2_start; 1406 #endif 1407 1408 memset(tmp_mmap, 0, sizeof(static_memory_map)); 1409 1410 return tmp_mmap; 1411 } 1412 1413 /* 1414 * core_init_mmu_map() - init tee core default memory mapping 1415 * 1416 * This routine sets the static default TEE core mapping. If @seed is > 0 1417 * and configured with CFG_CORE_ASLR it will map tee core at a location 1418 * based on the seed and return the offset from the link address. 1419 * 1420 * If an error happened: core_init_mmu_map is expected to panic. 1421 * 1422 * Note: this function is weak just to make it possible to exclude it from 1423 * the unpaged area. 1424 */ 1425 void __weak core_init_mmu_map(unsigned long seed, struct core_mmu_config *cfg) 1426 { 1427 #ifndef CFG_NS_VIRTUALIZATION 1428 vaddr_t start = ROUNDDOWN((vaddr_t)__nozi_start, SMALL_PAGE_SIZE); 1429 #else 1430 vaddr_t start = ROUNDDOWN((vaddr_t)__vcore_nex_rw_start, 1431 SMALL_PAGE_SIZE); 1432 #endif 1433 vaddr_t len = ROUNDUP((vaddr_t)__nozi_end, SMALL_PAGE_SIZE) - start; 1434 struct tee_mmap_region *tmp_mmap = get_tmp_mmap(); 1435 unsigned long offs = 0; 1436 1437 if (IS_ENABLED(CFG_CORE_PHYS_RELOCATABLE) && 1438 (core_mmu_tee_load_pa & SMALL_PAGE_MASK)) 1439 panic("OP-TEE load address is not page aligned"); 1440 1441 check_sec_nsec_mem_config(); 1442 1443 /* 1444 * Add a entry covering the translation tables which will be 1445 * involved in some virt_to_phys() and phys_to_virt() conversions. 1446 */ 1447 static_memory_map[0] = (struct tee_mmap_region){ 1448 .type = MEM_AREA_TEE_RAM, 1449 .region_size = SMALL_PAGE_SIZE, 1450 .pa = start, 1451 .va = start, 1452 .size = len, 1453 .attr = core_mmu_type_to_attr(MEM_AREA_IDENTITY_MAP_RX), 1454 }; 1455 1456 COMPILE_TIME_ASSERT(CFG_MMAP_REGIONS >= 13); 1457 offs = init_mem_map(tmp_mmap, ARRAY_SIZE(static_memory_map), seed); 1458 1459 check_mem_map(tmp_mmap); 1460 core_init_mmu(tmp_mmap); 1461 dump_xlat_table(0x0, CORE_MMU_BASE_TABLE_LEVEL); 1462 core_init_mmu_regs(cfg); 1463 cfg->map_offset = offs; 1464 memcpy(static_memory_map, tmp_mmap, sizeof(static_memory_map)); 1465 } 1466 1467 bool core_mmu_mattr_is_ok(uint32_t mattr) 1468 { 1469 /* 1470 * Keep in sync with core_mmu_lpae.c:mattr_to_desc and 1471 * core_mmu_v7.c:mattr_to_texcb 1472 */ 1473 1474 switch ((mattr >> TEE_MATTR_MEM_TYPE_SHIFT) & TEE_MATTR_MEM_TYPE_MASK) { 1475 case TEE_MATTR_MEM_TYPE_DEV: 1476 case TEE_MATTR_MEM_TYPE_STRONGLY_O: 1477 case TEE_MATTR_MEM_TYPE_CACHED: 1478 case TEE_MATTR_MEM_TYPE_TAGGED: 1479 return true; 1480 default: 1481 return false; 1482 } 1483 } 1484 1485 /* 1486 * test attributes of target physical buffer 1487 * 1488 * Flags: pbuf_is(SECURE, NOT_SECURE, RAM, IOMEM, KEYVAULT). 1489 * 1490 */ 1491 bool core_pbuf_is(uint32_t attr, paddr_t pbuf, size_t len) 1492 { 1493 paddr_t ta_base = 0; 1494 size_t ta_size = 0; 1495 struct tee_mmap_region *map; 1496 1497 /* Empty buffers complies with anything */ 1498 if (len == 0) 1499 return true; 1500 1501 switch (attr) { 1502 case CORE_MEM_SEC: 1503 return pbuf_is_inside(secure_only, pbuf, len); 1504 case CORE_MEM_NON_SEC: 1505 return pbuf_is_inside(nsec_shared, pbuf, len) || 1506 pbuf_is_nsec_ddr(pbuf, len); 1507 case CORE_MEM_TEE_RAM: 1508 return core_is_buffer_inside(pbuf, len, TEE_RAM_START, 1509 TEE_RAM_PH_SIZE); 1510 case CORE_MEM_TA_RAM: 1511 core_mmu_get_ta_range(&ta_base, &ta_size); 1512 return core_is_buffer_inside(pbuf, len, ta_base, ta_size); 1513 #ifdef CFG_CORE_RESERVED_SHM 1514 case CORE_MEM_NSEC_SHM: 1515 return core_is_buffer_inside(pbuf, len, TEE_SHMEM_START, 1516 TEE_SHMEM_SIZE); 1517 #endif 1518 case CORE_MEM_SDP_MEM: 1519 return pbuf_is_sdp_mem(pbuf, len); 1520 case CORE_MEM_CACHED: 1521 map = find_map_by_pa(pbuf); 1522 if (!map || !pbuf_inside_map_area(pbuf, len, map)) 1523 return false; 1524 return mattr_is_cached(map->attr); 1525 default: 1526 return false; 1527 } 1528 } 1529 1530 /* test attributes of target virtual buffer (in core mapping) */ 1531 bool core_vbuf_is(uint32_t attr, const void *vbuf, size_t len) 1532 { 1533 paddr_t p; 1534 1535 /* Empty buffers complies with anything */ 1536 if (len == 0) 1537 return true; 1538 1539 p = virt_to_phys((void *)vbuf); 1540 if (!p) 1541 return false; 1542 1543 return core_pbuf_is(attr, p, len); 1544 } 1545 1546 /* core_va2pa - teecore exported service */ 1547 static int __maybe_unused core_va2pa_helper(void *va, paddr_t *pa) 1548 { 1549 struct tee_mmap_region *map; 1550 1551 map = find_map_by_va(va); 1552 if (!va_is_in_map(map, (vaddr_t)va)) 1553 return -1; 1554 1555 /* 1556 * We can calculate PA for static map. Virtual address ranges 1557 * reserved to core dynamic mapping return a 'match' (return 0;) 1558 * together with an invalid null physical address. 1559 */ 1560 if (map->pa) 1561 *pa = map->pa + (vaddr_t)va - map->va; 1562 else 1563 *pa = 0; 1564 1565 return 0; 1566 } 1567 1568 static void *map_pa2va(struct tee_mmap_region *map, paddr_t pa, size_t len) 1569 { 1570 if (!pa_is_in_map(map, pa, len)) 1571 return NULL; 1572 1573 return (void *)(vaddr_t)(map->va + pa - map->pa); 1574 } 1575 1576 /* 1577 * teecore gets some memory area definitions 1578 */ 1579 void core_mmu_get_mem_by_type(enum teecore_memtypes type, vaddr_t *s, 1580 vaddr_t *e) 1581 { 1582 struct tee_mmap_region *map = find_map_by_type(type); 1583 1584 if (map) { 1585 *s = map->va; 1586 *e = map->va + map->size; 1587 } else { 1588 *s = 0; 1589 *e = 0; 1590 } 1591 } 1592 1593 enum teecore_memtypes core_mmu_get_type_by_pa(paddr_t pa) 1594 { 1595 struct tee_mmap_region *map = find_map_by_pa(pa); 1596 1597 if (!map) 1598 return MEM_AREA_MAXTYPE; 1599 return map->type; 1600 } 1601 1602 void core_mmu_set_entry(struct core_mmu_table_info *tbl_info, unsigned int idx, 1603 paddr_t pa, uint32_t attr) 1604 { 1605 assert(idx < tbl_info->num_entries); 1606 core_mmu_set_entry_primitive(tbl_info->table, tbl_info->level, 1607 idx, pa, attr); 1608 } 1609 1610 void core_mmu_get_entry(struct core_mmu_table_info *tbl_info, unsigned int idx, 1611 paddr_t *pa, uint32_t *attr) 1612 { 1613 assert(idx < tbl_info->num_entries); 1614 core_mmu_get_entry_primitive(tbl_info->table, tbl_info->level, 1615 idx, pa, attr); 1616 } 1617 1618 static void clear_region(struct core_mmu_table_info *tbl_info, 1619 struct tee_mmap_region *region) 1620 { 1621 unsigned int end = 0; 1622 unsigned int idx = 0; 1623 1624 /* va, len and pa should be block aligned */ 1625 assert(!core_mmu_get_block_offset(tbl_info, region->va)); 1626 assert(!core_mmu_get_block_offset(tbl_info, region->size)); 1627 assert(!core_mmu_get_block_offset(tbl_info, region->pa)); 1628 1629 idx = core_mmu_va2idx(tbl_info, region->va); 1630 end = core_mmu_va2idx(tbl_info, region->va + region->size); 1631 1632 while (idx < end) { 1633 core_mmu_set_entry(tbl_info, idx, 0, 0); 1634 idx++; 1635 } 1636 } 1637 1638 static void set_region(struct core_mmu_table_info *tbl_info, 1639 struct tee_mmap_region *region) 1640 { 1641 unsigned int end; 1642 unsigned int idx; 1643 paddr_t pa; 1644 1645 /* va, len and pa should be block aligned */ 1646 assert(!core_mmu_get_block_offset(tbl_info, region->va)); 1647 assert(!core_mmu_get_block_offset(tbl_info, region->size)); 1648 assert(!core_mmu_get_block_offset(tbl_info, region->pa)); 1649 1650 idx = core_mmu_va2idx(tbl_info, region->va); 1651 end = core_mmu_va2idx(tbl_info, region->va + region->size); 1652 pa = region->pa; 1653 1654 while (idx < end) { 1655 core_mmu_set_entry(tbl_info, idx, pa, region->attr); 1656 idx++; 1657 pa += BIT64(tbl_info->shift); 1658 } 1659 } 1660 1661 static void set_pg_region(struct core_mmu_table_info *dir_info, 1662 struct vm_region *region, struct pgt **pgt, 1663 struct core_mmu_table_info *pg_info) 1664 { 1665 struct tee_mmap_region r = { 1666 .va = region->va, 1667 .size = region->size, 1668 .attr = region->attr, 1669 }; 1670 vaddr_t end = r.va + r.size; 1671 uint32_t pgt_attr = (r.attr & TEE_MATTR_SECURE) | TEE_MATTR_TABLE; 1672 1673 while (r.va < end) { 1674 if (!pg_info->table || 1675 r.va >= (pg_info->va_base + CORE_MMU_PGDIR_SIZE)) { 1676 /* 1677 * We're assigning a new translation table. 1678 */ 1679 unsigned int idx; 1680 1681 /* Virtual addresses must grow */ 1682 assert(r.va > pg_info->va_base); 1683 1684 idx = core_mmu_va2idx(dir_info, r.va); 1685 pg_info->va_base = core_mmu_idx2va(dir_info, idx); 1686 1687 /* 1688 * Advance pgt to va_base, note that we may need to 1689 * skip multiple page tables if there are large 1690 * holes in the vm map. 1691 */ 1692 while ((*pgt)->vabase < pg_info->va_base) { 1693 *pgt = SLIST_NEXT(*pgt, link); 1694 /* We should have allocated enough */ 1695 assert(*pgt); 1696 } 1697 assert((*pgt)->vabase == pg_info->va_base); 1698 pg_info->table = (*pgt)->tbl; 1699 1700 core_mmu_set_entry(dir_info, idx, 1701 virt_to_phys(pg_info->table), 1702 pgt_attr); 1703 } 1704 1705 r.size = MIN(CORE_MMU_PGDIR_SIZE - (r.va - pg_info->va_base), 1706 end - r.va); 1707 1708 if (!(*pgt)->populated && !mobj_is_paged(region->mobj)) { 1709 size_t granule = BIT(pg_info->shift); 1710 size_t offset = r.va - region->va + region->offset; 1711 1712 r.size = MIN(r.size, 1713 mobj_get_phys_granule(region->mobj)); 1714 r.size = ROUNDUP(r.size, SMALL_PAGE_SIZE); 1715 1716 if (mobj_get_pa(region->mobj, offset, granule, 1717 &r.pa) != TEE_SUCCESS) 1718 panic("Failed to get PA of unpaged mobj"); 1719 set_region(pg_info, &r); 1720 } 1721 r.va += r.size; 1722 } 1723 } 1724 1725 static bool can_map_at_level(paddr_t paddr, vaddr_t vaddr, 1726 size_t size_left, paddr_t block_size, 1727 struct tee_mmap_region *mm __maybe_unused) 1728 { 1729 /* VA and PA are aligned to block size at current level */ 1730 if ((vaddr | paddr) & (block_size - 1)) 1731 return false; 1732 1733 /* Remainder fits into block at current level */ 1734 if (size_left < block_size) 1735 return false; 1736 1737 #ifdef CFG_WITH_PAGER 1738 /* 1739 * If pager is enabled, we need to map tee ram 1740 * regions with small pages only 1741 */ 1742 if (map_is_tee_ram(mm) && block_size != SMALL_PAGE_SIZE) 1743 return false; 1744 #endif 1745 1746 return true; 1747 } 1748 1749 void core_mmu_map_region(struct mmu_partition *prtn, struct tee_mmap_region *mm) 1750 { 1751 struct core_mmu_table_info tbl_info; 1752 unsigned int idx; 1753 vaddr_t vaddr = mm->va; 1754 paddr_t paddr = mm->pa; 1755 ssize_t size_left = mm->size; 1756 unsigned int level; 1757 bool table_found; 1758 uint32_t old_attr; 1759 1760 assert(!((vaddr | paddr) & SMALL_PAGE_MASK)); 1761 1762 while (size_left > 0) { 1763 level = CORE_MMU_BASE_TABLE_LEVEL; 1764 1765 while (true) { 1766 paddr_t block_size = 0; 1767 1768 assert(core_mmu_level_in_range(level)); 1769 1770 table_found = core_mmu_find_table(prtn, vaddr, level, 1771 &tbl_info); 1772 if (!table_found) 1773 panic("can't find table for mapping"); 1774 1775 block_size = BIT64(tbl_info.shift); 1776 1777 idx = core_mmu_va2idx(&tbl_info, vaddr); 1778 if (!can_map_at_level(paddr, vaddr, size_left, 1779 block_size, mm)) { 1780 bool secure = mm->attr & TEE_MATTR_SECURE; 1781 1782 /* 1783 * This part of the region can't be mapped at 1784 * this level. Need to go deeper. 1785 */ 1786 if (!core_mmu_entry_to_finer_grained(&tbl_info, 1787 idx, 1788 secure)) 1789 panic("Can't divide MMU entry"); 1790 level = tbl_info.next_level; 1791 continue; 1792 } 1793 1794 /* We can map part of the region at current level */ 1795 core_mmu_get_entry(&tbl_info, idx, NULL, &old_attr); 1796 if (old_attr) 1797 panic("Page is already mapped"); 1798 1799 core_mmu_set_entry(&tbl_info, idx, paddr, mm->attr); 1800 paddr += block_size; 1801 vaddr += block_size; 1802 size_left -= block_size; 1803 1804 break; 1805 } 1806 } 1807 } 1808 1809 TEE_Result core_mmu_map_pages(vaddr_t vstart, paddr_t *pages, size_t num_pages, 1810 enum teecore_memtypes memtype) 1811 { 1812 TEE_Result ret; 1813 struct core_mmu_table_info tbl_info; 1814 struct tee_mmap_region *mm; 1815 unsigned int idx; 1816 uint32_t old_attr; 1817 uint32_t exceptions; 1818 vaddr_t vaddr = vstart; 1819 size_t i; 1820 bool secure; 1821 1822 assert(!(core_mmu_type_to_attr(memtype) & TEE_MATTR_PX)); 1823 1824 secure = core_mmu_type_to_attr(memtype) & TEE_MATTR_SECURE; 1825 1826 if (vaddr & SMALL_PAGE_MASK) 1827 return TEE_ERROR_BAD_PARAMETERS; 1828 1829 exceptions = mmu_lock(); 1830 1831 mm = find_map_by_va((void *)vaddr); 1832 if (!mm || !va_is_in_map(mm, vaddr + num_pages * SMALL_PAGE_SIZE - 1)) 1833 panic("VA does not belong to any known mm region"); 1834 1835 if (!core_mmu_is_dynamic_vaspace(mm)) 1836 panic("Trying to map into static region"); 1837 1838 for (i = 0; i < num_pages; i++) { 1839 if (pages[i] & SMALL_PAGE_MASK) { 1840 ret = TEE_ERROR_BAD_PARAMETERS; 1841 goto err; 1842 } 1843 1844 while (true) { 1845 if (!core_mmu_find_table(NULL, vaddr, UINT_MAX, 1846 &tbl_info)) 1847 panic("Can't find pagetable for vaddr "); 1848 1849 idx = core_mmu_va2idx(&tbl_info, vaddr); 1850 if (tbl_info.shift == SMALL_PAGE_SHIFT) 1851 break; 1852 1853 /* This is supertable. Need to divide it. */ 1854 if (!core_mmu_entry_to_finer_grained(&tbl_info, idx, 1855 secure)) 1856 panic("Failed to spread pgdir on small tables"); 1857 } 1858 1859 core_mmu_get_entry(&tbl_info, idx, NULL, &old_attr); 1860 if (old_attr) 1861 panic("Page is already mapped"); 1862 1863 core_mmu_set_entry(&tbl_info, idx, pages[i], 1864 core_mmu_type_to_attr(memtype)); 1865 vaddr += SMALL_PAGE_SIZE; 1866 } 1867 1868 /* 1869 * Make sure all the changes to translation tables are visible 1870 * before returning. TLB doesn't need to be invalidated as we are 1871 * guaranteed that there's no valid mapping in this range. 1872 */ 1873 core_mmu_table_write_barrier(); 1874 mmu_unlock(exceptions); 1875 1876 return TEE_SUCCESS; 1877 err: 1878 mmu_unlock(exceptions); 1879 1880 if (i) 1881 core_mmu_unmap_pages(vstart, i); 1882 1883 return ret; 1884 } 1885 1886 TEE_Result core_mmu_map_contiguous_pages(vaddr_t vstart, paddr_t pstart, 1887 size_t num_pages, 1888 enum teecore_memtypes memtype) 1889 { 1890 struct core_mmu_table_info tbl_info = { }; 1891 struct tee_mmap_region *mm = NULL; 1892 unsigned int idx = 0; 1893 uint32_t old_attr = 0; 1894 uint32_t exceptions = 0; 1895 vaddr_t vaddr = vstart; 1896 paddr_t paddr = pstart; 1897 size_t i = 0; 1898 bool secure = false; 1899 1900 assert(!(core_mmu_type_to_attr(memtype) & TEE_MATTR_PX)); 1901 1902 secure = core_mmu_type_to_attr(memtype) & TEE_MATTR_SECURE; 1903 1904 if ((vaddr | paddr) & SMALL_PAGE_MASK) 1905 return TEE_ERROR_BAD_PARAMETERS; 1906 1907 exceptions = mmu_lock(); 1908 1909 mm = find_map_by_va((void *)vaddr); 1910 if (!mm || !va_is_in_map(mm, vaddr + num_pages * SMALL_PAGE_SIZE - 1)) 1911 panic("VA does not belong to any known mm region"); 1912 1913 if (!core_mmu_is_dynamic_vaspace(mm)) 1914 panic("Trying to map into static region"); 1915 1916 for (i = 0; i < num_pages; i++) { 1917 while (true) { 1918 if (!core_mmu_find_table(NULL, vaddr, UINT_MAX, 1919 &tbl_info)) 1920 panic("Can't find pagetable for vaddr "); 1921 1922 idx = core_mmu_va2idx(&tbl_info, vaddr); 1923 if (tbl_info.shift == SMALL_PAGE_SHIFT) 1924 break; 1925 1926 /* This is supertable. Need to divide it. */ 1927 if (!core_mmu_entry_to_finer_grained(&tbl_info, idx, 1928 secure)) 1929 panic("Failed to spread pgdir on small tables"); 1930 } 1931 1932 core_mmu_get_entry(&tbl_info, idx, NULL, &old_attr); 1933 if (old_attr) 1934 panic("Page is already mapped"); 1935 1936 core_mmu_set_entry(&tbl_info, idx, paddr, 1937 core_mmu_type_to_attr(memtype)); 1938 paddr += SMALL_PAGE_SIZE; 1939 vaddr += SMALL_PAGE_SIZE; 1940 } 1941 1942 /* 1943 * Make sure all the changes to translation tables are visible 1944 * before returning. TLB doesn't need to be invalidated as we are 1945 * guaranteed that there's no valid mapping in this range. 1946 */ 1947 core_mmu_table_write_barrier(); 1948 mmu_unlock(exceptions); 1949 1950 return TEE_SUCCESS; 1951 } 1952 1953 void core_mmu_unmap_pages(vaddr_t vstart, size_t num_pages) 1954 { 1955 struct core_mmu_table_info tbl_info; 1956 struct tee_mmap_region *mm; 1957 size_t i; 1958 unsigned int idx; 1959 uint32_t exceptions; 1960 1961 exceptions = mmu_lock(); 1962 1963 mm = find_map_by_va((void *)vstart); 1964 if (!mm || !va_is_in_map(mm, vstart + num_pages * SMALL_PAGE_SIZE - 1)) 1965 panic("VA does not belong to any known mm region"); 1966 1967 if (!core_mmu_is_dynamic_vaspace(mm)) 1968 panic("Trying to unmap static region"); 1969 1970 for (i = 0; i < num_pages; i++, vstart += SMALL_PAGE_SIZE) { 1971 if (!core_mmu_find_table(NULL, vstart, UINT_MAX, &tbl_info)) 1972 panic("Can't find pagetable"); 1973 1974 if (tbl_info.shift != SMALL_PAGE_SHIFT) 1975 panic("Invalid pagetable level"); 1976 1977 idx = core_mmu_va2idx(&tbl_info, vstart); 1978 core_mmu_set_entry(&tbl_info, idx, 0, 0); 1979 } 1980 tlbi_all(); 1981 1982 mmu_unlock(exceptions); 1983 } 1984 1985 void core_mmu_populate_user_map(struct core_mmu_table_info *dir_info, 1986 struct user_mode_ctx *uctx) 1987 { 1988 struct core_mmu_table_info pg_info = { }; 1989 struct pgt_cache *pgt_cache = &uctx->pgt_cache; 1990 struct pgt *pgt = NULL; 1991 struct pgt *p = NULL; 1992 struct vm_region *r = NULL; 1993 1994 if (TAILQ_EMPTY(&uctx->vm_info.regions)) 1995 return; /* Nothing to map */ 1996 1997 /* 1998 * Allocate all page tables in advance. 1999 */ 2000 pgt_get_all(uctx); 2001 pgt = SLIST_FIRST(pgt_cache); 2002 2003 core_mmu_set_info_table(&pg_info, dir_info->next_level, 0, NULL); 2004 2005 TAILQ_FOREACH(r, &uctx->vm_info.regions, link) 2006 set_pg_region(dir_info, r, &pgt, &pg_info); 2007 /* Record that the translation tables now are populated. */ 2008 SLIST_FOREACH(p, pgt_cache, link) { 2009 p->populated = true; 2010 if (p == pgt) 2011 break; 2012 } 2013 assert(p == pgt); 2014 } 2015 2016 TEE_Result core_mmu_remove_mapping(enum teecore_memtypes type, void *addr, 2017 size_t len) 2018 { 2019 struct core_mmu_table_info tbl_info = { }; 2020 struct tee_mmap_region *res_map = NULL; 2021 struct tee_mmap_region *map = NULL; 2022 paddr_t pa = virt_to_phys(addr); 2023 size_t granule = 0; 2024 ptrdiff_t i = 0; 2025 paddr_t p = 0; 2026 size_t l = 0; 2027 2028 map = find_map_by_type_and_pa(type, pa, len); 2029 if (!map) 2030 return TEE_ERROR_GENERIC; 2031 2032 res_map = find_map_by_type(MEM_AREA_RES_VASPACE); 2033 if (!res_map) 2034 return TEE_ERROR_GENERIC; 2035 if (!core_mmu_find_table(NULL, res_map->va, UINT_MAX, &tbl_info)) 2036 return TEE_ERROR_GENERIC; 2037 granule = BIT(tbl_info.shift); 2038 2039 if (map < static_memory_map || 2040 map >= static_memory_map + ARRAY_SIZE(static_memory_map)) 2041 return TEE_ERROR_GENERIC; 2042 i = map - static_memory_map; 2043 2044 /* Check that we have a full match */ 2045 p = ROUNDDOWN(pa, granule); 2046 l = ROUNDUP(len + pa - p, granule); 2047 if (map->pa != p || map->size != l) 2048 return TEE_ERROR_GENERIC; 2049 2050 clear_region(&tbl_info, map); 2051 tlbi_all(); 2052 2053 /* If possible remove the va range from res_map */ 2054 if (res_map->va - map->size == map->va) { 2055 res_map->va -= map->size; 2056 res_map->size += map->size; 2057 } 2058 2059 /* Remove the entry. */ 2060 memmove(map, map + 1, 2061 (ARRAY_SIZE(static_memory_map) - i - 1) * sizeof(*map)); 2062 2063 /* Clear the last new entry in case it was used */ 2064 memset(static_memory_map + ARRAY_SIZE(static_memory_map) - 1, 2065 0, sizeof(*map)); 2066 2067 return TEE_SUCCESS; 2068 } 2069 2070 struct tee_mmap_region * 2071 core_mmu_find_mapping_exclusive(enum teecore_memtypes type, size_t len) 2072 { 2073 struct tee_mmap_region *map = NULL; 2074 struct tee_mmap_region *map_found = NULL; 2075 2076 if (!len) 2077 return NULL; 2078 2079 for (map = get_memory_map(); !core_mmap_is_end_of_table(map); map++) { 2080 if (map->type != type) 2081 continue; 2082 2083 if (map_found) 2084 return NULL; 2085 2086 map_found = map; 2087 } 2088 2089 if (!map_found || map_found->size < len) 2090 return NULL; 2091 2092 return map_found; 2093 } 2094 2095 void *core_mmu_add_mapping(enum teecore_memtypes type, paddr_t addr, size_t len) 2096 { 2097 struct core_mmu_table_info tbl_info; 2098 struct tee_mmap_region *map; 2099 size_t n; 2100 size_t granule; 2101 paddr_t p; 2102 size_t l; 2103 2104 if (!len) 2105 return NULL; 2106 2107 if (!core_mmu_check_end_pa(addr, len)) 2108 return NULL; 2109 2110 /* Check if the memory is already mapped */ 2111 map = find_map_by_type_and_pa(type, addr, len); 2112 if (map && pbuf_inside_map_area(addr, len, map)) 2113 return (void *)(vaddr_t)(map->va + addr - map->pa); 2114 2115 /* Find the reserved va space used for late mappings */ 2116 map = find_map_by_type(MEM_AREA_RES_VASPACE); 2117 if (!map) 2118 return NULL; 2119 2120 if (!core_mmu_find_table(NULL, map->va, UINT_MAX, &tbl_info)) 2121 return NULL; 2122 2123 granule = BIT64(tbl_info.shift); 2124 p = ROUNDDOWN(addr, granule); 2125 l = ROUNDUP(len + addr - p, granule); 2126 2127 /* Ban overflowing virtual addresses */ 2128 if (map->size < l) 2129 return NULL; 2130 2131 /* 2132 * Something is wrong, we can't fit the va range into the selected 2133 * table. The reserved va range is possibly missaligned with 2134 * granule. 2135 */ 2136 if (core_mmu_va2idx(&tbl_info, map->va + len) >= tbl_info.num_entries) 2137 return NULL; 2138 2139 /* Find end of the memory map */ 2140 n = 0; 2141 while (!core_mmap_is_end_of_table(static_memory_map + n)) 2142 n++; 2143 2144 if (n < (ARRAY_SIZE(static_memory_map) - 1)) { 2145 /* There's room for another entry */ 2146 static_memory_map[n].va = map->va; 2147 static_memory_map[n].size = l; 2148 static_memory_map[n + 1].type = MEM_AREA_END; 2149 map->va += l; 2150 map->size -= l; 2151 map = static_memory_map + n; 2152 } else { 2153 /* 2154 * There isn't room for another entry, steal the reserved 2155 * entry as it's not useful for anything else any longer. 2156 */ 2157 map->size = l; 2158 } 2159 map->type = type; 2160 map->region_size = granule; 2161 map->attr = core_mmu_type_to_attr(type); 2162 map->pa = p; 2163 2164 set_region(&tbl_info, map); 2165 2166 /* Make sure the new entry is visible before continuing. */ 2167 core_mmu_table_write_barrier(); 2168 2169 return (void *)(vaddr_t)(map->va + addr - map->pa); 2170 } 2171 2172 #ifdef CFG_WITH_PAGER 2173 static vaddr_t get_linear_map_end_va(void) 2174 { 2175 /* this is synced with the generic linker file kern.ld.S */ 2176 return (vaddr_t)__heap2_end; 2177 } 2178 2179 static paddr_t get_linear_map_end_pa(void) 2180 { 2181 return get_linear_map_end_va() - boot_mmu_config.map_offset; 2182 } 2183 #endif 2184 2185 #if defined(CFG_TEE_CORE_DEBUG) 2186 static void check_pa_matches_va(void *va, paddr_t pa) 2187 { 2188 TEE_Result res = TEE_ERROR_GENERIC; 2189 vaddr_t v = (vaddr_t)va; 2190 paddr_t p = 0; 2191 struct core_mmu_table_info ti __maybe_unused = { }; 2192 2193 if (core_mmu_user_va_range_is_defined()) { 2194 vaddr_t user_va_base = 0; 2195 size_t user_va_size = 0; 2196 2197 core_mmu_get_user_va_range(&user_va_base, &user_va_size); 2198 if (v >= user_va_base && 2199 v <= (user_va_base - 1 + user_va_size)) { 2200 if (!core_mmu_user_mapping_is_active()) { 2201 if (pa) 2202 panic("issue in linear address space"); 2203 return; 2204 } 2205 2206 res = vm_va2pa(to_user_mode_ctx(thread_get_tsd()->ctx), 2207 va, &p); 2208 if (res == TEE_ERROR_NOT_SUPPORTED) 2209 return; 2210 if (res == TEE_SUCCESS && pa != p) 2211 panic("bad pa"); 2212 if (res != TEE_SUCCESS && pa) 2213 panic("false pa"); 2214 return; 2215 } 2216 } 2217 #ifdef CFG_WITH_PAGER 2218 if (is_unpaged(va)) { 2219 if (v - boot_mmu_config.map_offset != pa) 2220 panic("issue in linear address space"); 2221 return; 2222 } 2223 2224 if (tee_pager_get_table_info(v, &ti)) { 2225 uint32_t a; 2226 2227 /* 2228 * Lookups in the page table managed by the pager is 2229 * dangerous for addresses in the paged area as those pages 2230 * changes all the time. But some ranges are safe, 2231 * rw-locked areas when the page is populated for instance. 2232 */ 2233 core_mmu_get_entry(&ti, core_mmu_va2idx(&ti, v), &p, &a); 2234 if (a & TEE_MATTR_VALID_BLOCK) { 2235 paddr_t mask = BIT64(ti.shift) - 1; 2236 2237 p |= v & mask; 2238 if (pa != p) 2239 panic(); 2240 } else { 2241 if (pa) 2242 panic(); 2243 } 2244 return; 2245 } 2246 #endif 2247 2248 if (!core_va2pa_helper(va, &p)) { 2249 /* Verfiy only the static mapping (case non null phys addr) */ 2250 if (p && pa != p) { 2251 DMSG("va %p maps 0x%" PRIxPA ", expect 0x%" PRIxPA, 2252 va, p, pa); 2253 panic(); 2254 } 2255 } else { 2256 if (pa) { 2257 DMSG("va %p unmapped, expect 0x%" PRIxPA, va, pa); 2258 panic(); 2259 } 2260 } 2261 } 2262 #else 2263 static void check_pa_matches_va(void *va __unused, paddr_t pa __unused) 2264 { 2265 } 2266 #endif 2267 2268 paddr_t virt_to_phys(void *va) 2269 { 2270 paddr_t pa = 0; 2271 2272 if (!arch_va2pa_helper(va, &pa)) 2273 pa = 0; 2274 check_pa_matches_va(va, pa); 2275 return pa; 2276 } 2277 2278 #if defined(CFG_TEE_CORE_DEBUG) 2279 static void check_va_matches_pa(paddr_t pa, void *va) 2280 { 2281 paddr_t p = 0; 2282 2283 if (!va) 2284 return; 2285 2286 p = virt_to_phys(va); 2287 if (p != pa) { 2288 DMSG("va %p maps 0x%" PRIxPA " expect 0x%" PRIxPA, va, p, pa); 2289 panic(); 2290 } 2291 } 2292 #else 2293 static void check_va_matches_pa(paddr_t pa __unused, void *va __unused) 2294 { 2295 } 2296 #endif 2297 2298 static void *phys_to_virt_ts_vaspace(paddr_t pa, size_t len) 2299 { 2300 if (!core_mmu_user_mapping_is_active()) 2301 return NULL; 2302 2303 return vm_pa2va(to_user_mode_ctx(thread_get_tsd()->ctx), pa, len); 2304 } 2305 2306 #ifdef CFG_WITH_PAGER 2307 static void *phys_to_virt_tee_ram(paddr_t pa, size_t len) 2308 { 2309 paddr_t end_pa = 0; 2310 2311 if (SUB_OVERFLOW(len, 1, &end_pa) || ADD_OVERFLOW(pa, end_pa, &end_pa)) 2312 return NULL; 2313 2314 if (pa >= TEE_LOAD_ADDR && pa < get_linear_map_end_pa()) { 2315 if (end_pa > get_linear_map_end_pa()) 2316 return NULL; 2317 return (void *)(vaddr_t)(pa + boot_mmu_config.map_offset); 2318 } 2319 2320 return tee_pager_phys_to_virt(pa, len); 2321 } 2322 #else 2323 static void *phys_to_virt_tee_ram(paddr_t pa, size_t len) 2324 { 2325 struct tee_mmap_region *mmap = NULL; 2326 2327 mmap = find_map_by_type_and_pa(MEM_AREA_TEE_RAM, pa, len); 2328 if (!mmap) 2329 mmap = find_map_by_type_and_pa(MEM_AREA_NEX_RAM_RW, pa, len); 2330 if (!mmap) 2331 mmap = find_map_by_type_and_pa(MEM_AREA_NEX_RAM_RO, pa, len); 2332 if (!mmap) 2333 mmap = find_map_by_type_and_pa(MEM_AREA_TEE_RAM_RW, pa, len); 2334 if (!mmap) 2335 mmap = find_map_by_type_and_pa(MEM_AREA_TEE_RAM_RO, pa, len); 2336 if (!mmap) 2337 mmap = find_map_by_type_and_pa(MEM_AREA_TEE_RAM_RX, pa, len); 2338 /* 2339 * Note that MEM_AREA_INIT_RAM_RO and MEM_AREA_INIT_RAM_RX are only 2340 * used with pager and not needed here. 2341 */ 2342 return map_pa2va(mmap, pa, len); 2343 } 2344 #endif 2345 2346 void *phys_to_virt(paddr_t pa, enum teecore_memtypes m, size_t len) 2347 { 2348 void *va = NULL; 2349 2350 switch (m) { 2351 case MEM_AREA_TS_VASPACE: 2352 va = phys_to_virt_ts_vaspace(pa, len); 2353 break; 2354 case MEM_AREA_TEE_RAM: 2355 case MEM_AREA_TEE_RAM_RX: 2356 case MEM_AREA_TEE_RAM_RO: 2357 case MEM_AREA_TEE_RAM_RW: 2358 case MEM_AREA_NEX_RAM_RO: 2359 case MEM_AREA_NEX_RAM_RW: 2360 va = phys_to_virt_tee_ram(pa, len); 2361 break; 2362 case MEM_AREA_SHM_VASPACE: 2363 /* Find VA from PA in dynamic SHM is not yet supported */ 2364 va = NULL; 2365 break; 2366 default: 2367 va = map_pa2va(find_map_by_type_and_pa(m, pa, len), pa, len); 2368 } 2369 if (m != MEM_AREA_SEC_RAM_OVERALL) 2370 check_va_matches_pa(pa, va); 2371 return va; 2372 } 2373 2374 void *phys_to_virt_io(paddr_t pa, size_t len) 2375 { 2376 struct tee_mmap_region *map = NULL; 2377 void *va = NULL; 2378 2379 map = find_map_by_type_and_pa(MEM_AREA_IO_SEC, pa, len); 2380 if (!map) 2381 map = find_map_by_type_and_pa(MEM_AREA_IO_NSEC, pa, len); 2382 if (!map) 2383 return NULL; 2384 va = map_pa2va(map, pa, len); 2385 check_va_matches_pa(pa, va); 2386 return va; 2387 } 2388 2389 vaddr_t core_mmu_get_va(paddr_t pa, enum teecore_memtypes type, size_t len) 2390 { 2391 if (cpu_mmu_enabled()) 2392 return (vaddr_t)phys_to_virt(pa, type, len); 2393 2394 return (vaddr_t)pa; 2395 } 2396 2397 #ifdef CFG_WITH_PAGER 2398 bool is_unpaged(void *va) 2399 { 2400 vaddr_t v = (vaddr_t)va; 2401 2402 return v >= VCORE_START_VA && v < get_linear_map_end_va(); 2403 } 2404 #else 2405 bool is_unpaged(void *va __unused) 2406 { 2407 return true; 2408 } 2409 #endif 2410 2411 void core_mmu_init_virtualization(void) 2412 { 2413 paddr_t b1 = 0; 2414 paddr_size_t s1 = 0; 2415 2416 static_assert(ARRAY_SIZE(secure_only) <= 2); 2417 if (ARRAY_SIZE(secure_only) == 2) { 2418 b1 = secure_only[1].paddr; 2419 s1 = secure_only[1].size; 2420 } 2421 virt_init_memory(static_memory_map, secure_only[0].paddr, 2422 secure_only[0].size, b1, s1); 2423 } 2424 2425 vaddr_t io_pa_or_va(struct io_pa_va *p, size_t len) 2426 { 2427 assert(p->pa); 2428 if (cpu_mmu_enabled()) { 2429 if (!p->va) 2430 p->va = (vaddr_t)phys_to_virt_io(p->pa, len); 2431 assert(p->va); 2432 return p->va; 2433 } 2434 return p->pa; 2435 } 2436 2437 vaddr_t io_pa_or_va_secure(struct io_pa_va *p, size_t len) 2438 { 2439 assert(p->pa); 2440 if (cpu_mmu_enabled()) { 2441 if (!p->va) 2442 p->va = (vaddr_t)phys_to_virt(p->pa, MEM_AREA_IO_SEC, 2443 len); 2444 assert(p->va); 2445 return p->va; 2446 } 2447 return p->pa; 2448 } 2449 2450 vaddr_t io_pa_or_va_nsec(struct io_pa_va *p, size_t len) 2451 { 2452 assert(p->pa); 2453 if (cpu_mmu_enabled()) { 2454 if (!p->va) 2455 p->va = (vaddr_t)phys_to_virt(p->pa, MEM_AREA_IO_NSEC, 2456 len); 2457 assert(p->va); 2458 return p->va; 2459 } 2460 return p->pa; 2461 } 2462 2463 #ifdef CFG_CORE_RESERVED_SHM 2464 static TEE_Result teecore_init_pub_ram(void) 2465 { 2466 vaddr_t s = 0; 2467 vaddr_t e = 0; 2468 2469 /* get virtual addr/size of NSec shared mem allocated from teecore */ 2470 core_mmu_get_mem_by_type(MEM_AREA_NSEC_SHM, &s, &e); 2471 2472 if (s >= e || s & SMALL_PAGE_MASK || e & SMALL_PAGE_MASK) 2473 panic("invalid PUB RAM"); 2474 2475 /* extra check: we could rely on core_mmu_get_mem_by_type() */ 2476 if (!tee_vbuf_is_non_sec(s, e - s)) 2477 panic("PUB RAM is not non-secure"); 2478 2479 #ifdef CFG_PL310 2480 /* Allocate statically the l2cc mutex */ 2481 tee_l2cc_store_mutex_boot_pa(virt_to_phys((void *)s)); 2482 s += sizeof(uint32_t); /* size of a pl310 mutex */ 2483 s = ROUNDUP(s, SMALL_PAGE_SIZE); /* keep required alignment */ 2484 #endif 2485 2486 default_nsec_shm_paddr = virt_to_phys((void *)s); 2487 default_nsec_shm_size = e - s; 2488 2489 return TEE_SUCCESS; 2490 } 2491 early_init(teecore_init_pub_ram); 2492 #endif /*CFG_CORE_RESERVED_SHM*/ 2493 2494 void core_mmu_init_ta_ram(void) 2495 { 2496 vaddr_t s = 0; 2497 vaddr_t e = 0; 2498 paddr_t ps = 0; 2499 size_t size = 0; 2500 2501 /* 2502 * Get virtual addr/size of RAM where TA are loaded/executedNSec 2503 * shared mem allocated from teecore. 2504 */ 2505 if (IS_ENABLED(CFG_NS_VIRTUALIZATION)) 2506 virt_get_ta_ram(&s, &e); 2507 else 2508 core_mmu_get_mem_by_type(MEM_AREA_TA_RAM, &s, &e); 2509 2510 ps = virt_to_phys((void *)s); 2511 size = e - s; 2512 2513 if (!ps || (ps & CORE_MMU_USER_CODE_MASK) || 2514 !size || (size & CORE_MMU_USER_CODE_MASK)) 2515 panic("invalid TA RAM"); 2516 2517 /* extra check: we could rely on core_mmu_get_mem_by_type() */ 2518 if (!tee_pbuf_is_sec(ps, size)) 2519 panic("TA RAM is not secure"); 2520 2521 if (!tee_mm_is_empty(&tee_mm_sec_ddr)) 2522 panic("TA RAM pool is not empty"); 2523 2524 /* remove previous config and init TA ddr memory pool */ 2525 tee_mm_final(&tee_mm_sec_ddr); 2526 tee_mm_init(&tee_mm_sec_ddr, ps, size, CORE_MMU_USER_CODE_SHIFT, 2527 TEE_MM_POOL_NO_FLAGS); 2528 } 2529