1 /* 2 * Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <arch.h> 32 #include <arch_helpers.h> 33 #include <assert.h> 34 #include <bl_common.h> 35 #include <debug.h> 36 #include <io_storage.h> 37 #include <platform.h> 38 #include <stdio.h> 39 40 unsigned long page_align(unsigned long value, unsigned dir) 41 { 42 unsigned long page_size = 1 << FOUR_KB_SHIFT; 43 44 /* Round up the limit to the next page boundary */ 45 if (value & (page_size - 1)) { 46 value &= ~(page_size - 1); 47 if (dir == UP) 48 value += page_size; 49 } 50 51 return value; 52 } 53 54 static inline unsigned int is_page_aligned (unsigned long addr) { 55 const unsigned long page_size = 1 << FOUR_KB_SHIFT; 56 57 return (addr & (page_size - 1)) == 0; 58 } 59 60 void change_security_state(unsigned int target_security_state) 61 { 62 unsigned long scr = read_scr(); 63 64 if (target_security_state == SECURE) 65 scr &= ~SCR_NS_BIT; 66 else if (target_security_state == NON_SECURE) 67 scr |= SCR_NS_BIT; 68 else 69 assert(0); 70 71 write_scr(scr); 72 } 73 74 void __dead2 drop_el(aapcs64_params_t *args, 75 unsigned long spsr, 76 unsigned long entrypoint) 77 { 78 write_spsr_el3(spsr); 79 write_elr_el3(entrypoint); 80 eret(args->arg0, 81 args->arg1, 82 args->arg2, 83 args->arg3, 84 args->arg4, 85 args->arg5, 86 args->arg6, 87 args->arg7); 88 } 89 90 void __dead2 raise_el(aapcs64_params_t *args) 91 { 92 smc(args->arg0, 93 args->arg1, 94 args->arg2, 95 args->arg3, 96 args->arg4, 97 args->arg5, 98 args->arg6, 99 args->arg7); 100 } 101 102 /* 103 * TODO: If we are not EL3 then currently we only issue an SMC. 104 * Add support for dropping into EL0 etc. Consider adding support 105 * for switching from S-EL1 to S-EL0/1 etc. 106 */ 107 void __dead2 change_el(el_change_info_t *info) 108 { 109 unsigned long current_el = read_current_el(); 110 111 if (GET_EL(current_el) == MODE_EL3) { 112 /* 113 * We can go anywhere from EL3. So find where. 114 * TODO: Lots to do if we are going non-secure. 115 * Flip the NS bit. Restore NS registers etc. 116 * Just doing the bare minimal for now. 117 */ 118 119 if (info->security_state == NON_SECURE) 120 change_security_state(info->security_state); 121 122 drop_el(&info->args, info->spsr, info->entrypoint); 123 } else 124 raise_el(&info->args); 125 } 126 127 /* TODO: add a parameter for DAIF. not needed right now */ 128 unsigned long make_spsr(unsigned long target_el, 129 unsigned long target_sp, 130 unsigned long target_rw) 131 { 132 unsigned long spsr; 133 134 /* Disable all exceptions & setup the EL */ 135 spsr = (DAIF_FIQ_BIT | DAIF_IRQ_BIT | DAIF_ABT_BIT | DAIF_DBG_BIT) 136 << PSR_DAIF_SHIFT; 137 spsr |= PSR_MODE(target_rw, target_el, target_sp); 138 139 return spsr; 140 } 141 142 /******************************************************************************* 143 * The next two functions are the weak definitions. Platform specific 144 * code can override them if it wishes to. 145 ******************************************************************************/ 146 147 /******************************************************************************* 148 * Function that takes a memory layout into which BL31 has been either top or 149 * bottom loaded. Using this information, it populates bl31_mem_layout to tell 150 * BL31 how much memory it has access to and how much is available for use. It 151 * does not need the address where BL31 has been loaded as BL31 will reclaim 152 * all the memory used by BL2. 153 * TODO: Revisit if this and init_bl2_mem_layout can be replaced by a single 154 * routine. 155 ******************************************************************************/ 156 void init_bl31_mem_layout(const meminfo_t *bl2_mem_layout, 157 meminfo_t *bl31_mem_layout, 158 unsigned int load_type) 159 { 160 if (load_type == BOT_LOAD) { 161 /* 162 * ------------ ^ 163 * | BL2 | | 164 * |----------| ^ | BL2 165 * | | | BL2 free | total 166 * | | | size | size 167 * |----------| BL2 free base v | 168 * | BL31 | | 169 * ------------ BL2 total base v 170 */ 171 unsigned long bl31_size; 172 173 bl31_mem_layout->free_base = bl2_mem_layout->free_base; 174 175 bl31_size = bl2_mem_layout->free_base - bl2_mem_layout->total_base; 176 bl31_mem_layout->free_size = bl2_mem_layout->total_size - bl31_size; 177 } else { 178 /* 179 * ------------ ^ 180 * | BL31 | | 181 * |----------| ^ | BL2 182 * | | | BL2 free | total 183 * | | | size | size 184 * |----------| BL2 free base v | 185 * | BL2 | | 186 * ------------ BL2 total base v 187 */ 188 unsigned long bl2_size; 189 190 bl31_mem_layout->free_base = bl2_mem_layout->total_base; 191 192 bl2_size = bl2_mem_layout->free_base - bl2_mem_layout->total_base; 193 bl31_mem_layout->free_size = bl2_mem_layout->free_size + bl2_size; 194 } 195 196 bl31_mem_layout->total_base = bl2_mem_layout->total_base; 197 bl31_mem_layout->total_size = bl2_mem_layout->total_size; 198 bl31_mem_layout->attr = load_type; 199 200 flush_dcache_range((unsigned long) bl31_mem_layout, sizeof(meminfo_t)); 201 return; 202 } 203 204 /******************************************************************************* 205 * Function that takes a memory layout into which BL2 has been either top or 206 * bottom loaded along with the address where BL2 has been loaded in it. Using 207 * this information, it populates bl2_mem_layout to tell BL2 how much memory 208 * it has access to and how much is available for use. 209 ******************************************************************************/ 210 void init_bl2_mem_layout(meminfo_t *bl1_mem_layout, 211 meminfo_t *bl2_mem_layout, 212 unsigned int load_type, 213 unsigned long bl2_base) 214 { 215 unsigned tmp; 216 217 if (load_type == BOT_LOAD) { 218 bl2_mem_layout->total_base = bl2_base; 219 tmp = bl1_mem_layout->free_base - bl2_base; 220 bl2_mem_layout->total_size = bl1_mem_layout->free_size + tmp; 221 222 } else { 223 bl2_mem_layout->total_base = bl1_mem_layout->free_base; 224 tmp = bl1_mem_layout->total_base + bl1_mem_layout->total_size; 225 bl2_mem_layout->total_size = tmp - bl1_mem_layout->free_base; 226 } 227 228 bl2_mem_layout->free_base = bl1_mem_layout->free_base; 229 bl2_mem_layout->free_size = bl1_mem_layout->free_size; 230 bl2_mem_layout->attr = load_type; 231 232 flush_dcache_range((unsigned long) bl2_mem_layout, sizeof(meminfo_t)); 233 return; 234 } 235 236 static void dump_load_info(unsigned long image_load_addr, 237 unsigned long image_size, 238 const meminfo_t *mem_layout) 239 { 240 #if DEBUG 241 printf("Trying to load image at address 0x%lx, size = 0x%lx\r\n", 242 image_load_addr, image_size); 243 printf("Current memory layout:\r\n"); 244 printf(" total region = [0x%lx, 0x%lx]\r\n", mem_layout->total_base, 245 mem_layout->total_base + mem_layout->total_size); 246 printf(" free region = [0x%lx, 0x%lx]\r\n", mem_layout->free_base, 247 mem_layout->free_base + mem_layout->free_size); 248 #endif 249 } 250 251 /* Generic function to return the size of an image */ 252 unsigned long image_size(const char *image_name) 253 { 254 io_dev_handle dev_handle; 255 io_handle image_handle; 256 void *image_spec; 257 size_t image_size = 0; 258 int io_result = IO_FAIL; 259 260 assert(image_name != NULL); 261 262 /* Obtain a reference to the image by querying the platform layer */ 263 io_result = plat_get_image_source(image_name, &dev_handle, &image_spec); 264 if (io_result != IO_SUCCESS) { 265 WARN("Failed to obtain reference to image '%s' (%i)\n", 266 image_name, io_result); 267 return 0; 268 } 269 270 /* Attempt to access the image */ 271 io_result = io_open(dev_handle, image_spec, &image_handle); 272 if (io_result != IO_SUCCESS) { 273 WARN("Failed to access image '%s' (%i)\n", 274 image_name, io_result); 275 return 0; 276 } 277 278 /* Find the size of the image */ 279 io_result = io_size(image_handle, &image_size); 280 if ((io_result != IO_SUCCESS) || (image_size == 0)) { 281 WARN("Failed to determine the size of the image '%s' file (%i)\n", 282 image_name, io_result); 283 } 284 io_result = io_close(image_handle); 285 /* Ignore improbable/unrecoverable error in 'close' */ 286 287 /* TODO: Consider maintaining open device connection from this 288 * bootloader stage 289 */ 290 io_result = io_dev_close(dev_handle); 291 /* Ignore improbable/unrecoverable error in 'dev_close' */ 292 293 return image_size; 294 } 295 /******************************************************************************* 296 * Generic function to load an image into the trusted RAM, 297 * given a name, extents of free memory & whether the image should be loaded at 298 * the bottom or top of the free memory. It updates the memory layout if the 299 * load is successful. 300 ******************************************************************************/ 301 unsigned long load_image(meminfo_t *mem_layout, 302 const char *image_name, 303 unsigned int load_type, 304 unsigned long fixed_addr) 305 { 306 io_dev_handle dev_handle; 307 io_handle image_handle; 308 void *image_spec; 309 unsigned long temp_image_base = 0; 310 unsigned long image_base = 0; 311 long offset = 0; 312 size_t image_size = 0; 313 size_t bytes_read = 0; 314 int io_result = IO_FAIL; 315 316 assert(mem_layout != NULL); 317 assert(image_name != NULL); 318 319 /* Obtain a reference to the image by querying the platform layer */ 320 io_result = plat_get_image_source(image_name, &dev_handle, &image_spec); 321 if (io_result != IO_SUCCESS) { 322 WARN("Failed to obtain reference to image '%s' (%i)\n", 323 image_name, io_result); 324 return 0; 325 } 326 327 /* Attempt to access the image */ 328 io_result = io_open(dev_handle, image_spec, &image_handle); 329 if (io_result != IO_SUCCESS) { 330 WARN("Failed to access image '%s' (%i)\n", 331 image_name, io_result); 332 return 0; 333 } 334 335 /* Find the size of the image */ 336 io_result = io_size(image_handle, &image_size); 337 if ((io_result != IO_SUCCESS) || (image_size == 0)) { 338 WARN("Failed to determine the size of the image '%s' file (%i)\n", 339 image_name, io_result); 340 goto fail; 341 } 342 343 /* See if we have enough space */ 344 if (image_size > mem_layout->free_size) { 345 WARN("Cannot load '%s' file: Not enough space.\n", 346 image_name); 347 dump_load_info(0, image_size, mem_layout); 348 goto fail; 349 } 350 351 switch (load_type) { 352 353 case TOP_LOAD: 354 355 /* Load the image in the top of free memory */ 356 temp_image_base = mem_layout->free_base + mem_layout->free_size; 357 temp_image_base -= image_size; 358 359 /* Page align base address and check whether the image still fits */ 360 image_base = page_align(temp_image_base, DOWN); 361 assert(image_base <= temp_image_base); 362 363 if (image_base < mem_layout->free_base) { 364 WARN("Cannot load '%s' file: Not enough space.\n", 365 image_name); 366 dump_load_info(image_base, image_size, mem_layout); 367 goto fail; 368 } 369 370 /* Calculate the amount of extra memory used due to alignment */ 371 offset = temp_image_base - image_base; 372 373 break; 374 375 case BOT_LOAD: 376 377 /* Load the BL2 image in the bottom of free memory */ 378 temp_image_base = mem_layout->free_base; 379 image_base = page_align(temp_image_base, UP); 380 assert(image_base >= temp_image_base); 381 382 /* Page align base address and check whether the image still fits */ 383 if (image_base + image_size > 384 mem_layout->free_base + mem_layout->free_size) { 385 WARN("Cannot load '%s' file: Not enough space.\n", 386 image_name); 387 dump_load_info(image_base, image_size, mem_layout); 388 goto fail; 389 } 390 391 /* Calculate the amount of extra memory used due to alignment */ 392 offset = image_base - temp_image_base; 393 394 break; 395 396 default: 397 assert(0); 398 399 } 400 401 /* 402 * Some images must be loaded at a fixed address, not a dynamic one. 403 * 404 * This has been implemented as a hack on top of the existing dynamic 405 * loading mechanism, for the time being. If the 'fixed_addr' function 406 * argument is different from zero, then it will force the load address. 407 * So we still have this principle of top/bottom loading but the code 408 * determining the load address is bypassed and the load address is 409 * forced to the fixed one. 410 * 411 * This can result in quite a lot of wasted space because we still use 412 * 1 sole meminfo structure to represent the extents of free memory, 413 * where we should use some sort of linked list. 414 * 415 * E.g. we want to load BL2 at address 0x04020000, the resulting memory 416 * layout should look as follows: 417 * ------------ 0x04040000 418 * | | <- Free space (1) 419 * |----------| 420 * | BL2 | 421 * |----------| 0x04020000 422 * | | <- Free space (2) 423 * |----------| 424 * | BL1 | 425 * ------------ 0x04000000 426 * 427 * But in the current hacky implementation, we'll need to specify 428 * whether BL2 is loaded at the top or bottom of the free memory. 429 * E.g. if BL2 is considered as top-loaded, the meminfo structure 430 * will give the following view of the memory, hiding the chunk of 431 * free memory above BL2: 432 * ------------ 0x04040000 433 * | | 434 * | | 435 * | BL2 | 436 * |----------| 0x04020000 437 * | | <- Free space (2) 438 * |----------| 439 * | BL1 | 440 * ------------ 0x04000000 441 */ 442 if (fixed_addr != 0) { 443 /* Load the image at the given address. */ 444 image_base = fixed_addr; 445 446 /* Check whether the image fits. */ 447 if ((image_base < mem_layout->free_base) || 448 (image_base + image_size > 449 mem_layout->free_base + mem_layout->free_size)) { 450 WARN("Cannot load '%s' file: Not enough space.\n", 451 image_name); 452 dump_load_info(image_base, image_size, mem_layout); 453 goto fail; 454 } 455 456 /* Check whether the fixed load address is page-aligned. */ 457 if (!is_page_aligned(image_base)) { 458 WARN("Cannot load '%s' file at unaligned address 0x%lx\n", 459 image_name, fixed_addr); 460 goto fail; 461 } 462 463 /* 464 * Calculate the amount of extra memory used due to fixed 465 * loading. 466 */ 467 if (load_type == TOP_LOAD) { 468 unsigned long max_addr, space_used; 469 /* 470 * ------------ max_addr 471 * | /wasted/ | | offset 472 * |..........|.............................. 473 * | image | | image_flen 474 * |----------| fixed_addr 475 * | | 476 * | | 477 * ------------ total_base 478 */ 479 max_addr = mem_layout->total_base + mem_layout->total_size; 480 /* 481 * Compute the amount of memory used by the image. 482 * Corresponds to all space above the image load 483 * address. 484 */ 485 space_used = max_addr - fixed_addr; 486 /* 487 * Calculate the amount of wasted memory within the 488 * amount of memory used by the image. 489 */ 490 offset = space_used - image_size; 491 } else /* BOT_LOAD */ 492 /* 493 * ------------ 494 * | | 495 * | | 496 * |----------| 497 * | image | 498 * |..........| fixed_addr 499 * | /wasted/ | | offset 500 * ------------ total_base 501 */ 502 offset = fixed_addr - mem_layout->total_base; 503 } 504 505 /* We have enough space so load the image now */ 506 /* TODO: Consider whether to try to recover/retry a partially successful read */ 507 io_result = io_read(image_handle, (void *)image_base, image_size, &bytes_read); 508 if ((io_result != IO_SUCCESS) || (bytes_read < image_size)) { 509 WARN("Failed to load '%s' file (%i)\n", image_name, io_result); 510 goto fail; 511 } 512 513 /* 514 * File has been successfully loaded. Update the free memory 515 * data structure & flush the contents of the TZRAM so that 516 * the next EL can see it. 517 */ 518 /* Update the memory contents */ 519 flush_dcache_range(image_base, image_size); 520 521 mem_layout->free_size -= image_size + offset; 522 523 /* Update the base of free memory since its moved up */ 524 if (load_type == BOT_LOAD) 525 mem_layout->free_base += offset + image_size; 526 527 exit: 528 io_result = io_close(image_handle); 529 /* Ignore improbable/unrecoverable error in 'close' */ 530 531 /* TODO: Consider maintaining open device connection from this bootloader stage */ 532 io_result = io_dev_close(dev_handle); 533 /* Ignore improbable/unrecoverable error in 'dev_close' */ 534 535 return image_base; 536 537 fail: image_base = 0; 538 goto exit; 539 } 540 541 /******************************************************************************* 542 * Run a loaded image from the given entry point. This could result in either 543 * dropping into a lower exception level or jumping to a higher exception level. 544 * The only way of doing the latter is through an SMC. In either case, setup the 545 * parameters for the EL change request correctly. 546 ******************************************************************************/ 547 void __dead2 run_image(unsigned long entrypoint, 548 unsigned long spsr, 549 unsigned long target_security_state, 550 void *first_arg, 551 void *second_arg) 552 { 553 el_change_info_t run_image_info; 554 unsigned long current_el = read_current_el(); 555 556 /* Tell next EL what we want done */ 557 run_image_info.args.arg0 = RUN_IMAGE; 558 run_image_info.entrypoint = entrypoint; 559 run_image_info.spsr = spsr; 560 run_image_info.security_state = target_security_state; 561 562 /* 563 * If we are EL3 then only an eret can take us to the desired 564 * exception level. Else for the time being assume that we have 565 * to jump to a higher EL and issue an SMC. Contents of argY 566 * will go into the general purpose register xY e.g. arg0->x0 567 */ 568 if (GET_EL(current_el) == MODE_EL3) { 569 run_image_info.args.arg1 = (unsigned long) first_arg; 570 run_image_info.args.arg2 = (unsigned long) second_arg; 571 } else { 572 run_image_info.args.arg1 = entrypoint; 573 run_image_info.args.arg2 = spsr; 574 run_image_info.args.arg3 = (unsigned long) first_arg; 575 run_image_info.args.arg4 = (unsigned long) second_arg; 576 } 577 578 change_el(&run_image_info); 579 } 580