1 /* 2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <assert.h> 32 #include <arch_helpers.h> 33 #include <auth_mod.h> 34 #include <bl1.h> 35 #include <bl_common.h> 36 #include <context.h> 37 #include <context_mgmt.h> 38 #include <debug.h> 39 #include <errno.h> 40 #include <platform.h> 41 #include <platform_def.h> 42 #include <smcc_helpers.h> 43 #include <string.h> 44 #include "bl1_private.h" 45 46 /* 47 * Function declarations. 48 */ 49 static int bl1_fwu_image_copy(unsigned int image_id, 50 uintptr_t image_addr, 51 unsigned int block_size, 52 unsigned int image_size, 53 unsigned int flags); 54 static int bl1_fwu_image_auth(unsigned int image_id, 55 uintptr_t image_addr, 56 unsigned int image_size, 57 unsigned int flags); 58 static int bl1_fwu_image_execute(unsigned int image_id, 59 void **handle, 60 unsigned int flags); 61 static register_t bl1_fwu_image_resume(unsigned int image_id, 62 register_t image_param, 63 void **handle, 64 unsigned int flags); 65 static int bl1_fwu_sec_image_done(void **handle, 66 unsigned int flags); 67 __dead2 static void bl1_fwu_done(void *cookie, void *reserved); 68 69 /* 70 * This keeps track of last executed secure image id. 71 */ 72 static unsigned int sec_exec_image_id = INVALID_IMAGE_ID; 73 74 /******************************************************************************* 75 * Top level handler for servicing FWU SMCs. 76 ******************************************************************************/ 77 register_t bl1_fwu_smc_handler(unsigned int smc_fid, 78 register_t x1, 79 register_t x2, 80 register_t x3, 81 register_t x4, 82 void *cookie, 83 void *handle, 84 unsigned int flags) 85 { 86 87 switch (smc_fid) { 88 case FWU_SMC_IMAGE_COPY: 89 SMC_RET1(handle, bl1_fwu_image_copy(x1, x2, x3, x4, flags)); 90 91 case FWU_SMC_IMAGE_AUTH: 92 SMC_RET1(handle, bl1_fwu_image_auth(x1, x2, x3, flags)); 93 94 case FWU_SMC_IMAGE_EXECUTE: 95 SMC_RET1(handle, bl1_fwu_image_execute(x1, &handle, flags)); 96 97 case FWU_SMC_IMAGE_RESUME: 98 SMC_RET1(handle, bl1_fwu_image_resume(x1, x2, &handle, flags)); 99 100 case FWU_SMC_SEC_IMAGE_DONE: 101 SMC_RET1(handle, bl1_fwu_sec_image_done(&handle, flags)); 102 103 case FWU_SMC_UPDATE_DONE: 104 bl1_fwu_done(cookie, NULL); 105 /* We should never return from bl1_fwu_done() */ 106 107 default: 108 assert(0); 109 break; 110 } 111 112 SMC_RET0(handle); 113 } 114 115 /******************************************************************************* 116 * This function is responsible for copying secure images in AP Secure RAM. 117 ******************************************************************************/ 118 static int bl1_fwu_image_copy(unsigned int image_id, 119 uintptr_t image_src, 120 unsigned int block_size, 121 unsigned int image_size, 122 unsigned int flags) 123 { 124 uintptr_t base_addr; 125 meminfo_t *mem_layout; 126 127 /* Get the image descriptor. */ 128 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 129 130 /* Check if we are in correct state. */ 131 if ((!image_desc) || 132 ((image_desc->state != IMAGE_STATE_RESET) && 133 (image_desc->state != IMAGE_STATE_COPYING))) { 134 WARN("BL1-FWU: Copy not allowed due to invalid state\n"); 135 return -EPERM; 136 } 137 138 /* Only Normal world is allowed to copy a Secure image. */ 139 if ((GET_SEC_STATE(flags) == SECURE) || 140 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE)) { 141 WARN("BL1-FWU: Copy not allowed for Non-Secure " 142 "image from Secure-world\n"); 143 return -EPERM; 144 } 145 146 if ((!image_src) || (!block_size)) { 147 WARN("BL1-FWU: Copy not allowed due to invalid image source" 148 " or block size\n"); 149 return -ENOMEM; 150 } 151 152 /* Get the image base address. */ 153 base_addr = image_desc->image_info.image_base; 154 155 if (image_desc->state == IMAGE_STATE_COPYING) { 156 /* 157 * If last block is more than expected then 158 * clip the block to the required image size. 159 */ 160 if (image_desc->image_info.copied_size + block_size > 161 image_desc->image_info.image_size) { 162 block_size = image_desc->image_info.image_size - 163 image_desc->image_info.copied_size; 164 WARN("BL1-FWU: Copy argument block_size > remaining image size." 165 " Clipping block_size\n"); 166 } 167 168 /* Make sure the image src/size is mapped. */ 169 if (bl1_plat_mem_check(image_src, block_size, flags)) { 170 WARN("BL1-FWU: Copy arguments source/size not mapped\n"); 171 return -ENOMEM; 172 } 173 174 INFO("BL1-FWU: Continuing image copy in blocks\n"); 175 176 /* Copy image for given block size. */ 177 base_addr += image_desc->image_info.copied_size; 178 image_desc->image_info.copied_size += block_size; 179 memcpy((void *)base_addr, (const void *)image_src, block_size); 180 flush_dcache_range(base_addr, block_size); 181 182 /* Update the state if last block. */ 183 if (image_desc->image_info.copied_size == 184 image_desc->image_info.image_size) { 185 image_desc->state = IMAGE_STATE_COPIED; 186 INFO("BL1-FWU: Image copy in blocks completed\n"); 187 } 188 } else { 189 /* This means image is in RESET state and ready to be copied. */ 190 INFO("BL1-FWU: Fresh call to copy an image\n"); 191 192 if (!image_size) { 193 WARN("BL1-FWU: Copy not allowed due to invalid image size\n"); 194 return -ENOMEM; 195 } 196 197 /* 198 * If block size is more than total size then 199 * assume block size as the total image size. 200 */ 201 if (block_size > image_size) { 202 block_size = image_size; 203 WARN("BL1-FWU: Copy argument block_size > image size." 204 " Clipping block_size\n"); 205 } 206 207 /* Make sure the image src/size is mapped. */ 208 if (bl1_plat_mem_check(image_src, block_size, flags)) { 209 WARN("BL1-FWU: Copy arguments source/size not mapped\n"); 210 return -ENOMEM; 211 } 212 213 /* Find out how much free trusted ram remains after BL1 load */ 214 mem_layout = bl1_plat_sec_mem_layout(); 215 if ((image_desc->image_info.image_base < mem_layout->free_base) || 216 (image_desc->image_info.image_base + image_size > 217 mem_layout->free_base + mem_layout->free_size)) { 218 WARN("BL1-FWU: Memory not available to copy\n"); 219 return -ENOMEM; 220 } 221 222 /* Update the image size. */ 223 image_desc->image_info.image_size = image_size; 224 225 /* Copy image for given size. */ 226 memcpy((void *)base_addr, (const void *)image_src, block_size); 227 flush_dcache_range(base_addr, block_size); 228 229 /* Update the state. */ 230 if (block_size == image_size) { 231 image_desc->state = IMAGE_STATE_COPIED; 232 INFO("BL1-FWU: Image is copied successfully\n"); 233 } else { 234 image_desc->state = IMAGE_STATE_COPYING; 235 INFO("BL1-FWU: Started image copy in blocks\n"); 236 } 237 238 image_desc->image_info.copied_size = block_size; 239 } 240 241 return 0; 242 } 243 244 /******************************************************************************* 245 * This function is responsible for authenticating Normal/Secure images. 246 ******************************************************************************/ 247 static int bl1_fwu_image_auth(unsigned int image_id, 248 uintptr_t image_src, 249 unsigned int image_size, 250 unsigned int flags) 251 { 252 int result; 253 uintptr_t base_addr; 254 unsigned int total_size; 255 256 /* Get the image descriptor. */ 257 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 258 if (!image_desc) 259 return -EPERM; 260 261 if (GET_SEC_STATE(flags) == SECURE) { 262 if (image_desc->state != IMAGE_STATE_RESET) { 263 WARN("BL1-FWU: Authentication from secure world " 264 "while in invalid state\n"); 265 return -EPERM; 266 } 267 } else { 268 if (GET_SEC_STATE(image_desc->ep_info.h.attr) == SECURE) { 269 if (image_desc->state != IMAGE_STATE_COPIED) { 270 WARN("BL1-FWU: Authentication of secure image " 271 "from non-secure world while not in copied state\n"); 272 return -EPERM; 273 } 274 } else { 275 if (image_desc->state != IMAGE_STATE_RESET) { 276 WARN("BL1-FWU: Authentication of non-secure image " 277 "from non-secure world while in invalid state\n"); 278 return -EPERM; 279 } 280 } 281 } 282 283 if (image_desc->state == IMAGE_STATE_COPIED) { 284 /* 285 * Image is in COPIED state. 286 * Use the stored address and size. 287 */ 288 base_addr = image_desc->image_info.image_base; 289 total_size = image_desc->image_info.image_size; 290 } else { 291 if ((!image_src) || (!image_size)) { 292 WARN("BL1-FWU: Auth not allowed due to invalid" 293 " image source/size\n"); 294 return -ENOMEM; 295 } 296 297 /* 298 * Image is in RESET state. 299 * Check the parameters and authenticate the source image in place. 300 */ 301 if (bl1_plat_mem_check(image_src, image_size, flags)) { 302 WARN("BL1-FWU: Authentication arguments source/size not mapped\n"); 303 return -ENOMEM; 304 } 305 306 base_addr = image_src; 307 total_size = image_size; 308 309 /* Update the image size in the descriptor. */ 310 image_desc->image_info.image_size = total_size; 311 } 312 313 /* 314 * Authenticate the image. 315 */ 316 INFO("BL1-FWU: Authenticating image_id:%d\n", image_id); 317 result = auth_mod_verify_img(image_id, (void *)base_addr, total_size); 318 if (result != 0) { 319 WARN("BL1-FWU: Authentication Failed err=%d\n", result); 320 321 /* 322 * Authentication has failed. 323 * Clear the memory if the image was copied. 324 * This is to prevent an attack where this contains 325 * some malicious code that can somehow be executed later. 326 */ 327 if (image_desc->state == IMAGE_STATE_COPIED) { 328 /* Clear the memory.*/ 329 memset((void *)base_addr, 0, total_size); 330 flush_dcache_range(base_addr, total_size); 331 332 /* Indicate that image can be copied again*/ 333 image_desc->state = IMAGE_STATE_RESET; 334 } 335 return -EAUTH; 336 } 337 338 /* Indicate that image is in authenticated state. */ 339 image_desc->state = IMAGE_STATE_AUTHENTICATED; 340 341 /* 342 * Flush image_info to memory so that other 343 * secure world images can see changes. 344 */ 345 flush_dcache_range((unsigned long)&image_desc->image_info, 346 sizeof(image_info_t)); 347 348 INFO("BL1-FWU: Authentication was successful\n"); 349 350 return 0; 351 } 352 353 /******************************************************************************* 354 * This function is responsible for executing Secure images. 355 ******************************************************************************/ 356 static int bl1_fwu_image_execute(unsigned int image_id, 357 void **handle, 358 unsigned int flags) 359 { 360 /* Get the image descriptor. */ 361 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 362 363 /* 364 * Execution is NOT allowed if: 365 * Caller is from Secure world OR 366 * Image is Non-Secure OR 367 * Image is Non-Executable OR 368 * Image is NOT in AUTHENTICATED state. 369 */ 370 if ((!image_desc) || 371 (GET_SEC_STATE(flags) == SECURE) || 372 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) || 373 (GET_EXEC_STATE(image_desc->image_info.h.attr) == NON_EXECUTABLE) || 374 (image_desc->state != IMAGE_STATE_AUTHENTICATED)) { 375 WARN("BL1-FWU: Execution not allowed due to invalid state/args\n"); 376 return -EPERM; 377 } 378 379 INFO("BL1-FWU: Executing Secure image\n"); 380 381 /* Save NS-EL1 system registers. */ 382 cm_el1_sysregs_context_save(NON_SECURE); 383 384 /* Prepare the image for execution. */ 385 bl1_prepare_next_image(image_id); 386 387 /* Update the secure image id. */ 388 sec_exec_image_id = image_id; 389 390 *handle = cm_get_context(SECURE); 391 return 0; 392 } 393 394 /******************************************************************************* 395 * This function is responsible for resuming Secure/Non-Secure images. 396 ******************************************************************************/ 397 static register_t bl1_fwu_image_resume(unsigned int image_id, 398 register_t image_param, 399 void **handle, 400 unsigned int flags) 401 { 402 image_desc_t *image_desc; 403 unsigned int resume_sec_state; 404 405 if (GET_SEC_STATE(flags) == SECURE) { 406 /* Get the image descriptor for last executed secure image id. */ 407 image_desc = bl1_plat_get_image_desc(sec_exec_image_id); 408 409 if ((!image_desc) || (image_desc->state != IMAGE_STATE_EXECUTED)) { 410 WARN("BL1-FWU: Resume not allowed for secure image " 411 "due to invalid state\n"); 412 return -EPERM; 413 } 414 415 /* Update the flags. */ 416 image_desc->state = IMAGE_STATE_INTERRUPTED; 417 resume_sec_state = NON_SECURE; 418 } else { 419 /* Get the image descriptor for image id to be resumed. */ 420 image_desc = bl1_plat_get_image_desc(image_id); 421 422 /* Make sure image is secure and was interrupted. */ 423 if ((!image_desc) || 424 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) || 425 (image_desc->state != IMAGE_STATE_INTERRUPTED)) { 426 WARN("BL1-FWU: Resume not allowed for NS image/ invalid state\n"); 427 return -EPERM; 428 } 429 430 /* Update the flags. */ 431 image_desc->state = IMAGE_STATE_EXECUTED; 432 resume_sec_state = SECURE; 433 } 434 435 /* Save the EL1 system registers of calling world. */ 436 cm_el1_sysregs_context_save(GET_SEC_STATE(flags)); 437 438 /* Restore the EL1 system registers of resuming world. */ 439 cm_el1_sysregs_context_restore(resume_sec_state); 440 441 /* Update the next context. */ 442 cm_set_next_eret_context(resume_sec_state); 443 444 INFO("BL1-FWU: Resuming %s world context\n", 445 (resume_sec_state == SECURE) ? "Secure" : "Normal"); 446 447 *handle = cm_get_context(resume_sec_state); 448 return image_param; 449 } 450 451 /******************************************************************************* 452 * This function is responsible for resuming normal world context. 453 ******************************************************************************/ 454 static int bl1_fwu_sec_image_done(void **handle, unsigned int flags) 455 { 456 457 /* Get the image descriptor for last executed secure image id. */ 458 image_desc_t *image_desc = bl1_plat_get_image_desc(sec_exec_image_id); 459 460 /* 461 * Make sure caller is from secure world 462 * and the image is in EXECUTED state. 463 */ 464 if ((!image_desc) || 465 (GET_SEC_STATE(flags) == NON_SECURE) || 466 (image_desc->state != IMAGE_STATE_EXECUTED)) { 467 WARN("BL1-FWU: Done not allowed for NS caller/ invalid state\n"); 468 return -EPERM; 469 } 470 471 /* Update the flags. */ 472 image_desc->state = IMAGE_STATE_RESET; 473 sec_exec_image_id = INVALID_IMAGE_ID; 474 475 /* 476 * Secure world is done so no need to save the context. 477 * Just restore the Non-Secure context. 478 */ 479 cm_el1_sysregs_context_restore(NON_SECURE); 480 481 /* Update the next context. */ 482 cm_set_next_eret_context(NON_SECURE); 483 484 INFO("BL1-FWU: Resuming Normal world context\n"); 485 486 *handle = cm_get_context(NON_SECURE); 487 return 0; 488 } 489 490 /******************************************************************************* 491 * This function provides the opportunity for users to perform any 492 * platform specific handling after the Firmware update is done. 493 ******************************************************************************/ 494 __dead2 static void bl1_fwu_done(void *cookie, void *reserved) 495 { 496 NOTICE("BL1-FWU: *******FWU Process Completed*******\n"); 497 498 /* 499 * Call platform done function. 500 */ 501 bl1_plat_fwu_done(cookie, reserved); 502 assert(0); 503 } 504