1 /* 2 * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /* 8 * Exception handlers at EL3, their priority levels, and management. 9 */ 10 11 #include <assert.h> 12 #include <context.h> 13 #include <context_mgmt.h> 14 #include <cpu_data.h> 15 #include <debug.h> 16 #include <ehf.h> 17 #include <gic_common.h> 18 #include <interrupt_mgmt.h> 19 #include <platform.h> 20 #include <pubsub_events.h> 21 #include <stdbool.h> 22 23 /* Output EHF logs as verbose */ 24 #define EHF_LOG(...) VERBOSE("EHF: " __VA_ARGS__) 25 26 #define EHF_INVALID_IDX (-1) 27 28 /* For a valid handler, return the actual function pointer; otherwise, 0. */ 29 #define RAW_HANDLER(h) \ 30 ((ehf_handler_t) ((((h) & EHF_PRI_VALID_) != 0U) ? \ 31 ((h) & ~EHF_PRI_VALID_) : 0U)) 32 33 #define PRI_BIT(idx) (((ehf_pri_bits_t) 1u) << (idx)) 34 35 /* 36 * Convert index into secure priority using the platform-defined priority bits 37 * field. 38 */ 39 #define IDX_TO_PRI(idx) \ 40 ((((unsigned) idx) << (7u - exception_data.pri_bits)) & 0x7fU) 41 42 /* Check whether a given index is valid */ 43 #define IS_IDX_VALID(idx) \ 44 ((exception_data.ehf_priorities[idx].ehf_handler & EHF_PRI_VALID_) != 0U) 45 46 /* Returns whether given priority is in secure priority range */ 47 #define IS_PRI_SECURE(pri) (((pri) & 0x80U) == 0U) 48 49 /* To be defined by the platform */ 50 extern const ehf_priorities_t exception_data; 51 52 /* Translate priority to the index in the priority array */ 53 static unsigned int pri_to_idx(unsigned int priority) 54 { 55 unsigned int idx; 56 57 idx = EHF_PRI_TO_IDX(priority, exception_data.pri_bits); 58 assert(idx < exception_data.num_priorities); 59 assert(IS_IDX_VALID(idx)); 60 61 return idx; 62 } 63 64 /* Return whether there are outstanding priority activation */ 65 static bool has_valid_pri_activations(pe_exc_data_t *pe_data) 66 { 67 return pe_data->active_pri_bits != 0U; 68 } 69 70 static pe_exc_data_t *this_cpu_data(void) 71 { 72 return &get_cpu_data(ehf_data); 73 } 74 75 /* 76 * Return the current priority index of this CPU. If no priority is active, 77 * return EHF_INVALID_IDX. 78 */ 79 static int get_pe_highest_active_idx(pe_exc_data_t *pe_data) 80 { 81 if (!has_valid_pri_activations(pe_data)) 82 return EHF_INVALID_IDX; 83 84 /* Current priority is the right-most bit */ 85 return (int) __builtin_ctz(pe_data->active_pri_bits); 86 } 87 88 /* 89 * Mark priority active by setting the corresponding bit in active_pri_bits and 90 * programming the priority mask. 91 * 92 * This API is to be used as part of delegating to lower ELs other than for 93 * interrupts; e.g. while handling synchronous exceptions. 94 * 95 * This API is expected to be invoked before restoring context (Secure or 96 * Non-secure) in preparation for the respective dispatch. 97 */ 98 void ehf_activate_priority(unsigned int priority) 99 { 100 int cur_pri_idx; 101 unsigned int old_mask, run_pri, idx; 102 pe_exc_data_t *pe_data = this_cpu_data(); 103 104 /* 105 * Query interrupt controller for the running priority, or idle priority 106 * if no interrupts are being handled. The requested priority must be 107 * less (higher priority) than the active running priority. 108 */ 109 run_pri = plat_ic_get_running_priority(); 110 if (priority >= run_pri) { 111 ERROR("Running priority higher (0x%x) than requested (0x%x)\n", 112 run_pri, priority); 113 panic(); 114 } 115 116 /* 117 * If there were priority activations already, the requested priority 118 * must be less (higher priority) than the current highest priority 119 * activation so far. 120 */ 121 cur_pri_idx = get_pe_highest_active_idx(pe_data); 122 idx = pri_to_idx(priority); 123 if ((cur_pri_idx != EHF_INVALID_IDX) && 124 (idx >= ((unsigned int) cur_pri_idx))) { 125 ERROR("Activation priority mismatch: req=0x%x current=0x%x\n", 126 priority, IDX_TO_PRI(cur_pri_idx)); 127 panic(); 128 } 129 130 /* Set the bit corresponding to the requested priority */ 131 pe_data->active_pri_bits |= PRI_BIT(idx); 132 133 /* 134 * Program priority mask for the activated level. Check that the new 135 * priority mask is setting a higher priority level than the existing 136 * mask. 137 */ 138 old_mask = plat_ic_set_priority_mask(priority); 139 if (priority >= old_mask) { 140 ERROR("Requested priority (0x%x) lower than Priority Mask (0x%x)\n", 141 priority, old_mask); 142 panic(); 143 } 144 145 /* 146 * If this is the first activation, save the priority mask. This will be 147 * restored after the last deactivation. 148 */ 149 if (cur_pri_idx == EHF_INVALID_IDX) 150 pe_data->init_pri_mask = (uint8_t) old_mask; 151 152 EHF_LOG("activate prio=%d\n", get_pe_highest_active_idx(pe_data)); 153 } 154 155 /* 156 * Mark priority inactive by clearing the corresponding bit in active_pri_bits, 157 * and programming the priority mask. 158 * 159 * This API is expected to be used as part of delegating to to lower ELs other 160 * than for interrupts; e.g. while handling synchronous exceptions. 161 * 162 * This API is expected to be invoked after saving context (Secure or 163 * Non-secure), having concluded the respective dispatch. 164 */ 165 void ehf_deactivate_priority(unsigned int priority) 166 { 167 int cur_pri_idx; 168 pe_exc_data_t *pe_data = this_cpu_data(); 169 unsigned int old_mask, run_pri, idx; 170 171 /* 172 * Query interrupt controller for the running priority, or idle priority 173 * if no interrupts are being handled. The requested priority must be 174 * less (higher priority) than the active running priority. 175 */ 176 run_pri = plat_ic_get_running_priority(); 177 if (priority >= run_pri) { 178 ERROR("Running priority higher (0x%x) than requested (0x%x)\n", 179 run_pri, priority); 180 panic(); 181 } 182 183 /* 184 * Deactivation is allowed only when there are priority activations, and 185 * the deactivation priority level must match the current activated 186 * priority. 187 */ 188 cur_pri_idx = get_pe_highest_active_idx(pe_data); 189 idx = pri_to_idx(priority); 190 if ((cur_pri_idx == EHF_INVALID_IDX) || 191 (idx != ((unsigned int) cur_pri_idx))) { 192 ERROR("Deactivation priority mismatch: req=0x%x current=0x%x\n", 193 priority, IDX_TO_PRI(cur_pri_idx)); 194 panic(); 195 } 196 197 /* Clear bit corresponding to highest priority */ 198 pe_data->active_pri_bits &= (pe_data->active_pri_bits - 1u); 199 200 /* 201 * Restore priority mask corresponding to the next priority, or the 202 * one stashed earlier if there are no more to deactivate. 203 */ 204 cur_pri_idx = get_pe_highest_active_idx(pe_data); 205 if (cur_pri_idx == EHF_INVALID_IDX) 206 old_mask = plat_ic_set_priority_mask(pe_data->init_pri_mask); 207 else 208 old_mask = plat_ic_set_priority_mask(priority); 209 210 if (old_mask > priority) { 211 ERROR("Deactivation priority (0x%x) lower than Priority Mask (0x%x)\n", 212 priority, old_mask); 213 panic(); 214 } 215 216 EHF_LOG("deactivate prio=%d\n", get_pe_highest_active_idx(pe_data)); 217 } 218 219 /* 220 * After leaving Non-secure world, stash current Non-secure Priority Mask, and 221 * set Priority Mask to the highest Non-secure priority so that Non-secure 222 * interrupts cannot preempt Secure execution. 223 * 224 * If the current running priority is in the secure range, or if there are 225 * outstanding priority activations, this function does nothing. 226 * 227 * This function subscribes to the 'cm_exited_normal_world' event published by 228 * the Context Management Library. 229 */ 230 static void *ehf_exited_normal_world(const void *arg) 231 { 232 unsigned int run_pri; 233 pe_exc_data_t *pe_data = this_cpu_data(); 234 235 /* If the running priority is in the secure range, do nothing */ 236 run_pri = plat_ic_get_running_priority(); 237 if (IS_PRI_SECURE(run_pri)) 238 return NULL; 239 240 /* Do nothing if there are explicit activations */ 241 if (has_valid_pri_activations(pe_data)) 242 return NULL; 243 244 assert(pe_data->ns_pri_mask == 0u); 245 246 pe_data->ns_pri_mask = 247 (uint8_t) plat_ic_set_priority_mask(GIC_HIGHEST_NS_PRIORITY); 248 249 /* The previous Priority Mask is not expected to be in secure range */ 250 if (IS_PRI_SECURE(pe_data->ns_pri_mask)) { 251 ERROR("Priority Mask (0x%x) already in secure range\n", 252 pe_data->ns_pri_mask); 253 panic(); 254 } 255 256 EHF_LOG("Priority Mask: 0x%x => 0x%x\n", pe_data->ns_pri_mask, 257 GIC_HIGHEST_NS_PRIORITY); 258 259 return NULL; 260 } 261 262 /* 263 * Conclude Secure execution and prepare for return to Non-secure world. Restore 264 * the Non-secure Priority Mask previously stashed upon leaving Non-secure 265 * world. 266 * 267 * If there the current running priority is in the secure range, or if there are 268 * outstanding priority activations, this function does nothing. 269 * 270 * This function subscribes to the 'cm_entering_normal_world' event published by 271 * the Context Management Library. 272 */ 273 static void *ehf_entering_normal_world(const void *arg) 274 { 275 unsigned int old_pmr, run_pri; 276 pe_exc_data_t *pe_data = this_cpu_data(); 277 278 /* If the running priority is in the secure range, do nothing */ 279 run_pri = plat_ic_get_running_priority(); 280 if (IS_PRI_SECURE(run_pri)) 281 return NULL; 282 283 /* 284 * If there are explicit activations, do nothing. The Priority Mask will 285 * be restored upon the last deactivation. 286 */ 287 if (has_valid_pri_activations(pe_data)) 288 return NULL; 289 290 /* Do nothing if we don't have a valid Priority Mask to restore */ 291 if (pe_data->ns_pri_mask == 0U) 292 return NULL; 293 294 old_pmr = plat_ic_set_priority_mask(pe_data->ns_pri_mask); 295 296 /* 297 * When exiting secure world, the current Priority Mask must be 298 * GIC_HIGHEST_NS_PRIORITY (as set during entry), or the Non-secure 299 * priority mask set upon calling ehf_allow_ns_preemption() 300 */ 301 if ((old_pmr != GIC_HIGHEST_NS_PRIORITY) && 302 (old_pmr != pe_data->ns_pri_mask)) { 303 ERROR("Invalid Priority Mask (0x%x) restored\n", old_pmr); 304 panic(); 305 } 306 307 EHF_LOG("Priority Mask: 0x%x => 0x%x\n", old_pmr, pe_data->ns_pri_mask); 308 309 pe_data->ns_pri_mask = 0; 310 311 return NULL; 312 } 313 314 /* 315 * Program Priority Mask to the original Non-secure priority such that 316 * Non-secure interrupts may preempt Secure execution, viz. during Yielding SMC 317 * calls. The 'preempt_ret_code' parameter indicates the Yielding SMC's return 318 * value in case the call was preempted. 319 * 320 * This API is expected to be invoked before delegating a yielding SMC to Secure 321 * EL1. I.e. within the window of secure execution after Non-secure context is 322 * saved (after entry into EL3) and Secure context is restored (before entering 323 * Secure EL1). 324 */ 325 void ehf_allow_ns_preemption(uint64_t preempt_ret_code) 326 { 327 cpu_context_t *ns_ctx; 328 unsigned int old_pmr __unused; 329 pe_exc_data_t *pe_data = this_cpu_data(); 330 331 /* 332 * We should have been notified earlier of entering secure world, and 333 * therefore have stashed the Non-secure priority mask. 334 */ 335 assert(pe_data->ns_pri_mask != 0U); 336 337 /* Make sure no priority levels are active when requesting this */ 338 if (has_valid_pri_activations(pe_data)) { 339 ERROR("PE %lx has priority activations: 0x%x\n", 340 read_mpidr_el1(), pe_data->active_pri_bits); 341 panic(); 342 } 343 344 /* 345 * Program preempted return code to x0 right away so that, if the 346 * Yielding SMC was indeed preempted before a dispatcher gets a chance 347 * to populate it, the caller would find the correct return value. 348 */ 349 ns_ctx = cm_get_context(NON_SECURE); 350 assert(ns_ctx != NULL); 351 write_ctx_reg(get_gpregs_ctx(ns_ctx), CTX_GPREG_X0, preempt_ret_code); 352 353 old_pmr = plat_ic_set_priority_mask(pe_data->ns_pri_mask); 354 355 EHF_LOG("Priority Mask: 0x%x => 0x%x\n", old_pmr, pe_data->ns_pri_mask); 356 357 pe_data->ns_pri_mask = 0; 358 } 359 360 /* 361 * Return whether Secure execution has explicitly allowed Non-secure interrupts 362 * to preempt itself, viz. during Yielding SMC calls. 363 */ 364 unsigned int ehf_is_ns_preemption_allowed(void) 365 { 366 unsigned int run_pri; 367 pe_exc_data_t *pe_data = this_cpu_data(); 368 369 /* If running priority is in secure range, return false */ 370 run_pri = plat_ic_get_running_priority(); 371 if (IS_PRI_SECURE(run_pri)) 372 return 0; 373 374 /* 375 * If Non-secure preemption was permitted by calling 376 * ehf_allow_ns_preemption() earlier: 377 * 378 * - There wouldn't have been priority activations; 379 * - We would have cleared the stashed the Non-secure Priority Mask. 380 */ 381 if (has_valid_pri_activations(pe_data)) 382 return 0; 383 if (pe_data->ns_pri_mask != 0U) 384 return 0; 385 386 return 1; 387 } 388 389 /* 390 * Top-level EL3 interrupt handler. 391 */ 392 static uint64_t ehf_el3_interrupt_handler(uint32_t id, uint32_t flags, 393 void *handle, void *cookie) 394 { 395 int ret = 0; 396 uint32_t intr_raw; 397 unsigned int intr, pri, idx; 398 ehf_handler_t handler; 399 400 /* 401 * Top-level interrupt type handler from Interrupt Management Framework 402 * doesn't acknowledge the interrupt; so the interrupt ID must be 403 * invalid. 404 */ 405 assert(id == INTR_ID_UNAVAILABLE); 406 407 /* 408 * Acknowledge interrupt. Proceed with handling only for valid interrupt 409 * IDs. This situation may arise because of Interrupt Management 410 * Framework identifying an EL3 interrupt, but before it's been 411 * acknowledged here, the interrupt was either deasserted, or there was 412 * a higher-priority interrupt of another type. 413 */ 414 intr_raw = plat_ic_acknowledge_interrupt(); 415 intr = plat_ic_get_interrupt_id(intr_raw); 416 if (intr == INTR_ID_UNAVAILABLE) 417 return 0; 418 419 /* Having acknowledged the interrupt, get the running priority */ 420 pri = plat_ic_get_running_priority(); 421 422 /* Check EL3 interrupt priority is in secure range */ 423 assert(IS_PRI_SECURE(pri)); 424 425 /* 426 * Translate the priority to a descriptor index. We do this by masking 427 * and shifting the running priority value (platform-supplied). 428 */ 429 idx = pri_to_idx(pri); 430 431 /* Validate priority */ 432 assert(pri == IDX_TO_PRI(idx)); 433 434 handler = (ehf_handler_t) RAW_HANDLER( 435 exception_data.ehf_priorities[idx].ehf_handler); 436 if (handler == NULL) { 437 ERROR("No EL3 exception handler for priority 0x%x\n", 438 IDX_TO_PRI(idx)); 439 panic(); 440 } 441 442 /* 443 * Call registered handler. Pass the raw interrupt value to registered 444 * handlers. 445 */ 446 ret = handler(intr_raw, flags, handle, cookie); 447 448 return (uint64_t) ret; 449 } 450 451 /* 452 * Initialize the EL3 exception handling. 453 */ 454 void ehf_init(void) 455 { 456 unsigned int flags = 0; 457 int ret __unused; 458 459 /* Ensure EL3 interrupts are supported */ 460 assert(plat_ic_has_interrupt_type(INTR_TYPE_EL3) != 0); 461 462 /* 463 * Make sure that priority water mark has enough bits to represent the 464 * whole priority array. 465 */ 466 assert(exception_data.num_priorities <= (sizeof(ehf_pri_bits_t) * 8U)); 467 468 assert(exception_data.ehf_priorities != NULL); 469 470 /* 471 * Bit 7 of GIC priority must be 0 for secure interrupts. This means 472 * platforms must use at least 1 of the remaining 7 bits. 473 */ 474 assert((exception_data.pri_bits >= 1U) || 475 (exception_data.pri_bits < 8U)); 476 477 /* Route EL3 interrupts when in Secure and Non-secure. */ 478 set_interrupt_rm_flag(flags, NON_SECURE); 479 set_interrupt_rm_flag(flags, SECURE); 480 481 /* Register handler for EL3 interrupts */ 482 ret = register_interrupt_type_handler(INTR_TYPE_EL3, 483 ehf_el3_interrupt_handler, flags); 484 assert(ret == 0); 485 } 486 487 /* 488 * Register a handler at the supplied priority. Registration is allowed only if 489 * a handler hasn't been registered before, or one wasn't provided at build 490 * time. The priority for which the handler is being registered must also accord 491 * with the platform-supplied data. 492 */ 493 void ehf_register_priority_handler(unsigned int pri, ehf_handler_t handler) 494 { 495 unsigned int idx; 496 497 /* Sanity check for handler */ 498 assert(handler != NULL); 499 500 /* Handler ought to be 4-byte aligned */ 501 assert((((uintptr_t) handler) & 3U) == 0U); 502 503 /* Ensure we register for valid priority */ 504 idx = pri_to_idx(pri); 505 assert(idx < exception_data.num_priorities); 506 assert(IDX_TO_PRI(idx) == pri); 507 508 /* Return failure if a handler was already registered */ 509 if (exception_data.ehf_priorities[idx].ehf_handler != EHF_NO_HANDLER_) { 510 ERROR("Handler already registered for priority 0x%x\n", pri); 511 panic(); 512 } 513 514 /* 515 * Install handler, and retain the valid bit. We assume that the handler 516 * is 4-byte aligned, which is usually the case. 517 */ 518 exception_data.ehf_priorities[idx].ehf_handler = 519 (((uintptr_t) handler) | EHF_PRI_VALID_); 520 521 EHF_LOG("register pri=0x%x handler=%p\n", pri, handler); 522 } 523 524 SUBSCRIBE_TO_EVENT(cm_entering_normal_world, ehf_entering_normal_world); 525 SUBSCRIBE_TO_EVENT(cm_exited_normal_world, ehf_exited_normal_world); 526