1 /* 2 * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <assert.h> 32 #include <arch_helpers.h> 33 #include <auth_mod.h> 34 #include <bl1.h> 35 #include <bl_common.h> 36 #include <context.h> 37 #include <context_mgmt.h> 38 #include <debug.h> 39 #include <errno.h> 40 #include <platform.h> 41 #include <platform_def.h> 42 #include <smcc_helpers.h> 43 #include <string.h> 44 #include "bl1_private.h" 45 46 /* 47 * Function declarations. 48 */ 49 static int bl1_fwu_image_copy(unsigned int image_id, 50 uintptr_t image_addr, 51 unsigned int block_size, 52 unsigned int image_size, 53 unsigned int flags); 54 static int bl1_fwu_image_auth(unsigned int image_id, 55 uintptr_t image_addr, 56 unsigned int image_size, 57 unsigned int flags); 58 static int bl1_fwu_image_execute(unsigned int image_id, 59 void **handle, 60 unsigned int flags); 61 static register_t bl1_fwu_image_resume(register_t image_param, 62 void **handle, 63 unsigned int flags); 64 static int bl1_fwu_sec_image_done(void **handle, 65 unsigned int flags); 66 __dead2 static void bl1_fwu_done(void *client_cookie, void *reserved); 67 68 /* 69 * This keeps track of last executed secure image id. 70 */ 71 static unsigned int sec_exec_image_id = INVALID_IMAGE_ID; 72 73 /******************************************************************************* 74 * Top level handler for servicing FWU SMCs. 75 ******************************************************************************/ 76 register_t bl1_fwu_smc_handler(unsigned int smc_fid, 77 register_t x1, 78 register_t x2, 79 register_t x3, 80 register_t x4, 81 void *cookie, 82 void *handle, 83 unsigned int flags) 84 { 85 86 switch (smc_fid) { 87 case FWU_SMC_IMAGE_COPY: 88 SMC_RET1(handle, bl1_fwu_image_copy(x1, x2, x3, x4, flags)); 89 90 case FWU_SMC_IMAGE_AUTH: 91 SMC_RET1(handle, bl1_fwu_image_auth(x1, x2, x3, flags)); 92 93 case FWU_SMC_IMAGE_EXECUTE: 94 SMC_RET1(handle, bl1_fwu_image_execute(x1, &handle, flags)); 95 96 case FWU_SMC_IMAGE_RESUME: 97 SMC_RET1(handle, bl1_fwu_image_resume(x1, &handle, flags)); 98 99 case FWU_SMC_SEC_IMAGE_DONE: 100 SMC_RET1(handle, bl1_fwu_sec_image_done(&handle, flags)); 101 102 case FWU_SMC_UPDATE_DONE: 103 bl1_fwu_done((void *)x1, NULL); 104 /* We should never return from bl1_fwu_done() */ 105 106 default: 107 assert(0); 108 break; 109 } 110 111 SMC_RET0(handle); 112 } 113 114 /******************************************************************************* 115 * This function is responsible for copying secure images in AP Secure RAM. 116 ******************************************************************************/ 117 static int bl1_fwu_image_copy(unsigned int image_id, 118 uintptr_t image_src, 119 unsigned int block_size, 120 unsigned int image_size, 121 unsigned int flags) 122 { 123 uintptr_t base_addr; 124 125 /* Get the image descriptor. */ 126 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 127 128 /* Check if we are in correct state. */ 129 if ((!image_desc) || 130 ((image_desc->state != IMAGE_STATE_RESET) && 131 (image_desc->state != IMAGE_STATE_COPYING))) { 132 WARN("BL1-FWU: Copy not allowed due to invalid state\n"); 133 return -EPERM; 134 } 135 136 /* Only Normal world is allowed to copy a Secure image. */ 137 if ((GET_SECURITY_STATE(flags) == SECURE) || 138 (GET_SECURITY_STATE(image_desc->ep_info.h.attr) == NON_SECURE)) { 139 WARN("BL1-FWU: Copy not allowed for Non-Secure " 140 "image from Secure-world\n"); 141 return -EPERM; 142 } 143 144 if ((!image_src) || (!block_size)) { 145 WARN("BL1-FWU: Copy not allowed due to invalid image source" 146 " or block size\n"); 147 return -ENOMEM; 148 } 149 150 /* Get the image base address. */ 151 base_addr = image_desc->image_info.image_base; 152 153 if (image_desc->state == IMAGE_STATE_COPYING) { 154 /* 155 * If last block is more than expected then 156 * clip the block to the required image size. 157 */ 158 if (image_desc->copied_size + block_size > 159 image_desc->image_info.image_size) { 160 block_size = image_desc->image_info.image_size - 161 image_desc->copied_size; 162 WARN("BL1-FWU: Copy argument block_size > remaining image size." 163 " Clipping block_size\n"); 164 } 165 166 /* Make sure the image src/size is mapped. */ 167 if (bl1_plat_mem_check(image_src, block_size, flags)) { 168 WARN("BL1-FWU: Copy arguments source/size not mapped\n"); 169 return -ENOMEM; 170 } 171 172 INFO("BL1-FWU: Continuing image copy in blocks\n"); 173 174 /* Copy image for given block size. */ 175 base_addr += image_desc->copied_size; 176 image_desc->copied_size += block_size; 177 memcpy((void *)base_addr, (const void *)image_src, block_size); 178 flush_dcache_range(base_addr, block_size); 179 180 /* Update the state if last block. */ 181 if (image_desc->copied_size == 182 image_desc->image_info.image_size) { 183 image_desc->state = IMAGE_STATE_COPIED; 184 INFO("BL1-FWU: Image copy in blocks completed\n"); 185 } 186 } else { 187 /* This means image is in RESET state and ready to be copied. */ 188 INFO("BL1-FWU: Fresh call to copy an image\n"); 189 190 if (!image_size) { 191 WARN("BL1-FWU: Copy not allowed due to invalid image size\n"); 192 return -ENOMEM; 193 } 194 195 /* 196 * If block size is more than total size then 197 * assume block size as the total image size. 198 */ 199 if (block_size > image_size) { 200 block_size = image_size; 201 WARN("BL1-FWU: Copy argument block_size > image size." 202 " Clipping block_size\n"); 203 } 204 205 /* Make sure the image src/size is mapped. */ 206 if (bl1_plat_mem_check(image_src, block_size, flags)) { 207 WARN("BL1-FWU: Copy arguments source/size not mapped\n"); 208 return -ENOMEM; 209 } 210 #if LOAD_IMAGE_V2 211 /* Check that the image size to load is within limit */ 212 if (image_size > image_desc->image_info.image_max_size) { 213 WARN("BL1-FWU: Image size out of bounds\n"); 214 return -ENOMEM; 215 } 216 #else 217 /* Find out how much free trusted ram remains after BL1 load */ 218 meminfo_t *mem_layout = bl1_plat_sec_mem_layout(); 219 if ((image_desc->image_info.image_base < mem_layout->free_base) || 220 (image_desc->image_info.image_base + image_size > 221 mem_layout->free_base + mem_layout->free_size)) { 222 WARN("BL1-FWU: Memory not available to copy\n"); 223 return -ENOMEM; 224 } 225 #endif 226 227 /* Update the image size. */ 228 image_desc->image_info.image_size = image_size; 229 230 /* Copy image for given size. */ 231 memcpy((void *)base_addr, (const void *)image_src, block_size); 232 flush_dcache_range(base_addr, block_size); 233 234 /* Update the state. */ 235 if (block_size == image_size) { 236 image_desc->state = IMAGE_STATE_COPIED; 237 INFO("BL1-FWU: Image is copied successfully\n"); 238 } else { 239 image_desc->state = IMAGE_STATE_COPYING; 240 INFO("BL1-FWU: Started image copy in blocks\n"); 241 } 242 243 image_desc->copied_size = block_size; 244 } 245 246 return 0; 247 } 248 249 /******************************************************************************* 250 * This function is responsible for authenticating Normal/Secure images. 251 ******************************************************************************/ 252 static int bl1_fwu_image_auth(unsigned int image_id, 253 uintptr_t image_src, 254 unsigned int image_size, 255 unsigned int flags) 256 { 257 int result; 258 uintptr_t base_addr; 259 unsigned int total_size; 260 261 /* Get the image descriptor. */ 262 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 263 if (!image_desc) 264 return -EPERM; 265 266 if (GET_SECURITY_STATE(flags) == SECURE) { 267 if (image_desc->state != IMAGE_STATE_RESET) { 268 WARN("BL1-FWU: Authentication from secure world " 269 "while in invalid state\n"); 270 return -EPERM; 271 } 272 } else { 273 if (GET_SECURITY_STATE(image_desc->ep_info.h.attr) == SECURE) { 274 if (image_desc->state != IMAGE_STATE_COPIED) { 275 WARN("BL1-FWU: Authentication of secure image " 276 "from non-secure world while not in copied state\n"); 277 return -EPERM; 278 } 279 } else { 280 if (image_desc->state != IMAGE_STATE_RESET) { 281 WARN("BL1-FWU: Authentication of non-secure image " 282 "from non-secure world while in invalid state\n"); 283 return -EPERM; 284 } 285 } 286 } 287 288 if (image_desc->state == IMAGE_STATE_COPIED) { 289 /* 290 * Image is in COPIED state. 291 * Use the stored address and size. 292 */ 293 base_addr = image_desc->image_info.image_base; 294 total_size = image_desc->image_info.image_size; 295 } else { 296 if ((!image_src) || (!image_size)) { 297 WARN("BL1-FWU: Auth not allowed due to invalid" 298 " image source/size\n"); 299 return -ENOMEM; 300 } 301 302 /* 303 * Image is in RESET state. 304 * Check the parameters and authenticate the source image in place. 305 */ 306 if (bl1_plat_mem_check(image_src, image_size, \ 307 image_desc->ep_info.h.attr)) { 308 WARN("BL1-FWU: Authentication arguments source/size not mapped\n"); 309 return -ENOMEM; 310 } 311 312 base_addr = image_src; 313 total_size = image_size; 314 315 /* Update the image size in the descriptor. */ 316 image_desc->image_info.image_size = total_size; 317 } 318 319 /* 320 * Authenticate the image. 321 */ 322 INFO("BL1-FWU: Authenticating image_id:%d\n", image_id); 323 result = auth_mod_verify_img(image_id, (void *)base_addr, total_size); 324 if (result != 0) { 325 WARN("BL1-FWU: Authentication Failed err=%d\n", result); 326 327 /* 328 * Authentication has failed. 329 * Clear the memory if the image was copied. 330 * This is to prevent an attack where this contains 331 * some malicious code that can somehow be executed later. 332 */ 333 if (image_desc->state == IMAGE_STATE_COPIED) { 334 /* Clear the memory.*/ 335 memset((void *)base_addr, 0, total_size); 336 flush_dcache_range(base_addr, total_size); 337 338 /* Indicate that image can be copied again*/ 339 image_desc->state = IMAGE_STATE_RESET; 340 } 341 return -EAUTH; 342 } 343 344 /* Indicate that image is in authenticated state. */ 345 image_desc->state = IMAGE_STATE_AUTHENTICATED; 346 347 /* 348 * Flush image_info to memory so that other 349 * secure world images can see changes. 350 */ 351 flush_dcache_range((unsigned long)&image_desc->image_info, 352 sizeof(image_info_t)); 353 354 INFO("BL1-FWU: Authentication was successful\n"); 355 356 return 0; 357 } 358 359 /******************************************************************************* 360 * This function is responsible for executing Secure images. 361 ******************************************************************************/ 362 static int bl1_fwu_image_execute(unsigned int image_id, 363 void **handle, 364 unsigned int flags) 365 { 366 /* Get the image descriptor. */ 367 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id); 368 369 /* 370 * Execution is NOT allowed if: 371 * image_id is invalid OR 372 * Caller is from Secure world OR 373 * Image is Non-Secure OR 374 * Image is Non-Executable OR 375 * Image is NOT in AUTHENTICATED state. 376 */ 377 if ((!image_desc) || 378 (GET_SECURITY_STATE(flags) == SECURE) || 379 (GET_SECURITY_STATE(image_desc->ep_info.h.attr) == NON_SECURE) || 380 (EP_GET_EXE(image_desc->ep_info.h.attr) == NON_EXECUTABLE) || 381 (image_desc->state != IMAGE_STATE_AUTHENTICATED)) { 382 WARN("BL1-FWU: Execution not allowed due to invalid state/args\n"); 383 return -EPERM; 384 } 385 386 INFO("BL1-FWU: Executing Secure image\n"); 387 388 /* Save NS-EL1 system registers. */ 389 cm_el1_sysregs_context_save(NON_SECURE); 390 391 /* Prepare the image for execution. */ 392 bl1_prepare_next_image(image_id); 393 394 /* Update the secure image id. */ 395 sec_exec_image_id = image_id; 396 397 *handle = cm_get_context(SECURE); 398 return 0; 399 } 400 401 /******************************************************************************* 402 * This function is responsible for resuming execution in the other security 403 * world 404 ******************************************************************************/ 405 static register_t bl1_fwu_image_resume(register_t image_param, 406 void **handle, 407 unsigned int flags) 408 { 409 image_desc_t *image_desc; 410 unsigned int resume_sec_state; 411 unsigned int caller_sec_state = GET_SECURITY_STATE(flags); 412 413 /* Get the image descriptor for last executed secure image id. */ 414 image_desc = bl1_plat_get_image_desc(sec_exec_image_id); 415 if (caller_sec_state == NON_SECURE) { 416 if (!image_desc) { 417 WARN("BL1-FWU: Resume not allowed due to no available" 418 "secure image\n"); 419 return -EPERM; 420 } 421 } else { 422 /* image_desc must be valid for secure world callers */ 423 assert(image_desc); 424 } 425 426 assert(GET_SECURITY_STATE(image_desc->ep_info.h.attr) == SECURE); 427 assert(EP_GET_EXE(image_desc->ep_info.h.attr) == EXECUTABLE); 428 429 if (caller_sec_state == SECURE) { 430 assert(image_desc->state == IMAGE_STATE_EXECUTED); 431 432 /* Update the flags. */ 433 image_desc->state = IMAGE_STATE_INTERRUPTED; 434 resume_sec_state = NON_SECURE; 435 } else { 436 assert(image_desc->state == IMAGE_STATE_INTERRUPTED); 437 438 /* Update the flags. */ 439 image_desc->state = IMAGE_STATE_EXECUTED; 440 resume_sec_state = SECURE; 441 } 442 443 /* Save the EL1 system registers of calling world. */ 444 cm_el1_sysregs_context_save(caller_sec_state); 445 446 /* Restore the EL1 system registers of resuming world. */ 447 cm_el1_sysregs_context_restore(resume_sec_state); 448 449 /* Update the next context. */ 450 cm_set_next_eret_context(resume_sec_state); 451 452 INFO("BL1-FWU: Resuming %s world context\n", 453 (resume_sec_state == SECURE) ? "secure" : "normal"); 454 455 *handle = cm_get_context(resume_sec_state); 456 return image_param; 457 } 458 459 /******************************************************************************* 460 * This function is responsible for resuming normal world context. 461 ******************************************************************************/ 462 static int bl1_fwu_sec_image_done(void **handle, unsigned int flags) 463 { 464 image_desc_t *image_desc; 465 466 /* Make sure caller is from the secure world */ 467 if (GET_SECURITY_STATE(flags) == NON_SECURE) { 468 WARN("BL1-FWU: Image done not allowed from normal world\n"); 469 return -EPERM; 470 } 471 472 /* Get the image descriptor for last executed secure image id */ 473 image_desc = bl1_plat_get_image_desc(sec_exec_image_id); 474 475 /* image_desc must correspond to a valid secure executing image */ 476 assert(image_desc); 477 assert(GET_SECURITY_STATE(image_desc->ep_info.h.attr) == SECURE); 478 assert(EP_GET_EXE(image_desc->ep_info.h.attr) == EXECUTABLE); 479 assert(image_desc->state == IMAGE_STATE_EXECUTED); 480 481 /* Update the flags. */ 482 image_desc->state = IMAGE_STATE_RESET; 483 sec_exec_image_id = INVALID_IMAGE_ID; 484 485 /* 486 * Secure world is done so no need to save the context. 487 * Just restore the Non-Secure context. 488 */ 489 cm_el1_sysregs_context_restore(NON_SECURE); 490 491 /* Update the next context. */ 492 cm_set_next_eret_context(NON_SECURE); 493 494 INFO("BL1-FWU: Resuming Normal world context\n"); 495 496 *handle = cm_get_context(NON_SECURE); 497 return 0; 498 } 499 500 /******************************************************************************* 501 * This function provides the opportunity for users to perform any 502 * platform specific handling after the Firmware update is done. 503 ******************************************************************************/ 504 __dead2 static void bl1_fwu_done(void *client_cookie, void *reserved) 505 { 506 NOTICE("BL1-FWU: *******FWU Process Completed*******\n"); 507 508 /* 509 * Call platform done function. 510 */ 511 bl1_plat_fwu_done(client_cookie, reserved); 512 assert(0); 513 } 514