1 /* 2 * Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <arch.h> 32 #include <arch_helpers.h> 33 #include <assert.h> 34 #include <auth_mod.h> 35 #include <bl_common.h> 36 #include <debug.h> 37 #include <errno.h> 38 #include <io_storage.h> 39 #include <platform.h> 40 #include <string.h> 41 #include <utils.h> 42 #include <xlat_tables.h> 43 44 uintptr_t page_align(uintptr_t value, unsigned dir) 45 { 46 /* Round up the limit to the next page boundary */ 47 if (value & (PAGE_SIZE - 1)) { 48 value &= ~(PAGE_SIZE - 1); 49 if (dir == UP) 50 value += PAGE_SIZE; 51 } 52 53 return value; 54 } 55 56 #if !LOAD_IMAGE_V2 57 /****************************************************************************** 58 * Determine whether the memory region delimited by 'addr' and 'size' is free, 59 * given the extents of free memory. 60 * Return 1 if it is free, 0 if it is not free or if the input values are 61 * invalid. 62 *****************************************************************************/ 63 static int is_mem_free(uintptr_t free_base, size_t free_size, 64 uintptr_t addr, size_t size) 65 { 66 uintptr_t free_end, requested_end; 67 68 /* 69 * Handle corner cases first. 70 * 71 * The order of the 2 tests is important, because if there's no space 72 * left (i.e. free_size == 0) but we don't ask for any memory 73 * (i.e. size == 0) then we should report that the memory is free. 74 */ 75 if (size == 0) 76 return 1; /* A zero-byte region is always free */ 77 if (free_size == 0) 78 return 0; 79 80 /* 81 * Check that the end addresses don't overflow. 82 * If they do, consider that this memory region is not free, as this 83 * is an invalid scenario. 84 */ 85 if (check_uptr_overflow(free_base, free_size - 1)) 86 return 0; 87 free_end = free_base + (free_size - 1); 88 89 if (check_uptr_overflow(addr, size - 1)) 90 return 0; 91 requested_end = addr + (size - 1); 92 93 /* 94 * Finally, check that the requested memory region lies within the free 95 * region. 96 */ 97 return (addr >= free_base) && (requested_end <= free_end); 98 } 99 100 /****************************************************************************** 101 * Inside a given memory region, determine whether a sub-region of memory is 102 * closer from the top or the bottom of the encompassing region. Return the 103 * size of the smallest chunk of free memory surrounding the sub-region in 104 * 'small_chunk_size'. 105 *****************************************************************************/ 106 static unsigned int choose_mem_pos(uintptr_t mem_start, uintptr_t mem_end, 107 uintptr_t submem_start, uintptr_t submem_end, 108 size_t *small_chunk_size) 109 { 110 size_t top_chunk_size, bottom_chunk_size; 111 112 assert(mem_start <= submem_start); 113 assert(submem_start <= submem_end); 114 assert(submem_end <= mem_end); 115 assert(small_chunk_size != NULL); 116 117 top_chunk_size = mem_end - submem_end; 118 bottom_chunk_size = submem_start - mem_start; 119 120 if (top_chunk_size < bottom_chunk_size) { 121 *small_chunk_size = top_chunk_size; 122 return TOP; 123 } else { 124 *small_chunk_size = bottom_chunk_size; 125 return BOTTOM; 126 } 127 } 128 129 /****************************************************************************** 130 * Reserve the memory region delimited by 'addr' and 'size'. The extents of free 131 * memory are passed in 'free_base' and 'free_size' and they will be updated to 132 * reflect the memory usage. 133 * The caller must ensure the memory to reserve is free and that the addresses 134 * and sizes passed in arguments are sane. 135 *****************************************************************************/ 136 void reserve_mem(uintptr_t *free_base, size_t *free_size, 137 uintptr_t addr, size_t size) 138 { 139 size_t discard_size; 140 size_t reserved_size; 141 unsigned int pos; 142 143 assert(free_base != NULL); 144 assert(free_size != NULL); 145 assert(is_mem_free(*free_base, *free_size, addr, size)); 146 147 if (size == 0) { 148 WARN("Nothing to allocate, requested size is zero\n"); 149 return; 150 } 151 152 pos = choose_mem_pos(*free_base, *free_base + (*free_size - 1), 153 addr, addr + (size - 1), 154 &discard_size); 155 156 reserved_size = size + discard_size; 157 *free_size -= reserved_size; 158 159 if (pos == BOTTOM) 160 *free_base = addr + size; 161 162 VERBOSE("Reserved 0x%zx bytes (discarded 0x%zx bytes %s)\n", 163 reserved_size, discard_size, 164 pos == TOP ? "above" : "below"); 165 } 166 167 static void dump_load_info(uintptr_t image_load_addr, 168 size_t image_size, 169 const meminfo_t *mem_layout) 170 { 171 INFO("Trying to load image at address %p, size = 0x%zx\n", 172 (void *)image_load_addr, image_size); 173 INFO("Current memory layout:\n"); 174 INFO(" total region = [base = %p, size = 0x%zx]\n", 175 (void *) mem_layout->total_base, mem_layout->total_size); 176 INFO(" free region = [base = %p, size = 0x%zx]\n", 177 (void *) mem_layout->free_base, mem_layout->free_size); 178 } 179 #endif /* LOAD_IMAGE_V2 */ 180 181 /* Generic function to return the size of an image */ 182 size_t image_size(unsigned int image_id) 183 { 184 uintptr_t dev_handle; 185 uintptr_t image_handle; 186 uintptr_t image_spec; 187 size_t image_size = 0; 188 int io_result; 189 190 /* Obtain a reference to the image by querying the platform layer */ 191 io_result = plat_get_image_source(image_id, &dev_handle, &image_spec); 192 if (io_result != 0) { 193 WARN("Failed to obtain reference to image id=%u (%i)\n", 194 image_id, io_result); 195 return 0; 196 } 197 198 /* Attempt to access the image */ 199 io_result = io_open(dev_handle, image_spec, &image_handle); 200 if (io_result != 0) { 201 WARN("Failed to access image id=%u (%i)\n", 202 image_id, io_result); 203 return 0; 204 } 205 206 /* Find the size of the image */ 207 io_result = io_size(image_handle, &image_size); 208 if ((io_result != 0) || (image_size == 0)) { 209 WARN("Failed to determine the size of the image id=%u (%i)\n", 210 image_id, io_result); 211 } 212 io_result = io_close(image_handle); 213 /* Ignore improbable/unrecoverable error in 'close' */ 214 215 /* TODO: Consider maintaining open device connection from this 216 * bootloader stage 217 */ 218 io_result = io_dev_close(dev_handle); 219 /* Ignore improbable/unrecoverable error in 'dev_close' */ 220 221 return image_size; 222 } 223 224 #if LOAD_IMAGE_V2 225 226 /******************************************************************************* 227 * Generic function to load an image at a specific address given 228 * an image ID and extents of free memory. 229 * 230 * If the load is successful then the image information is updated. 231 * 232 * Returns 0 on success, a negative error code otherwise. 233 ******************************************************************************/ 234 int load_image(unsigned int image_id, image_info_t *image_data) 235 { 236 uintptr_t dev_handle; 237 uintptr_t image_handle; 238 uintptr_t image_spec; 239 uintptr_t image_base; 240 size_t image_size; 241 size_t bytes_read; 242 int io_result; 243 244 assert(image_data != NULL); 245 assert(image_data->h.version >= VERSION_2); 246 247 image_base = image_data->image_base; 248 249 /* Obtain a reference to the image by querying the platform layer */ 250 io_result = plat_get_image_source(image_id, &dev_handle, &image_spec); 251 if (io_result != 0) { 252 WARN("Failed to obtain reference to image id=%u (%i)\n", 253 image_id, io_result); 254 return io_result; 255 } 256 257 /* Attempt to access the image */ 258 io_result = io_open(dev_handle, image_spec, &image_handle); 259 if (io_result != 0) { 260 WARN("Failed to access image id=%u (%i)\n", 261 image_id, io_result); 262 return io_result; 263 } 264 265 INFO("Loading image id=%u at address %p\n", image_id, 266 (void *) image_base); 267 268 /* Find the size of the image */ 269 io_result = io_size(image_handle, &image_size); 270 if ((io_result != 0) || (image_size == 0)) { 271 WARN("Failed to determine the size of the image id=%u (%i)\n", 272 image_id, io_result); 273 goto exit; 274 } 275 276 /* Check that the image size to load is within limit */ 277 if (image_size > image_data->image_max_size) { 278 WARN("Image id=%u size out of bounds\n", image_id); 279 io_result = -EFBIG; 280 goto exit; 281 } 282 283 image_data->image_size = image_size; 284 285 /* We have enough space so load the image now */ 286 /* TODO: Consider whether to try to recover/retry a partially successful read */ 287 io_result = io_read(image_handle, image_base, image_size, &bytes_read); 288 if ((io_result != 0) || (bytes_read < image_size)) { 289 WARN("Failed to load image id=%u (%i)\n", image_id, io_result); 290 goto exit; 291 } 292 293 #if !TRUSTED_BOARD_BOOT 294 /* 295 * File has been successfully loaded. 296 * Flush the image to main memory so that it can be executed later by 297 * any CPU, regardless of cache and MMU state. 298 * When TBB is enabled the image is flushed later, after image 299 * authentication. 300 */ 301 flush_dcache_range(image_base, image_size); 302 #endif /* TRUSTED_BOARD_BOOT */ 303 304 INFO("Image id=%u loaded: %p - %p\n", image_id, (void *) image_base, 305 (void *) (image_base + image_size)); 306 307 exit: 308 io_close(image_handle); 309 /* Ignore improbable/unrecoverable error in 'close' */ 310 311 /* TODO: Consider maintaining open device connection from this bootloader stage */ 312 io_dev_close(dev_handle); 313 /* Ignore improbable/unrecoverable error in 'dev_close' */ 314 315 return io_result; 316 } 317 318 /******************************************************************************* 319 * Generic function to load and authenticate an image. The image is actually 320 * loaded by calling the 'load_image()' function. Therefore, it returns the 321 * same error codes if the loading operation failed, or -EAUTH if the 322 * authentication failed. In addition, this function uses recursion to 323 * authenticate the parent images up to the root of trust. 324 ******************************************************************************/ 325 int load_auth_image(unsigned int image_id, image_info_t *image_data) 326 { 327 int rc; 328 329 #if TRUSTED_BOARD_BOOT 330 unsigned int parent_id; 331 332 /* Use recursion to authenticate parent images */ 333 rc = auth_mod_get_parent_id(image_id, &parent_id); 334 if (rc == 0) { 335 rc = load_auth_image(parent_id, image_data); 336 if (rc != 0) { 337 return rc; 338 } 339 } 340 #endif /* TRUSTED_BOARD_BOOT */ 341 342 /* Load the image */ 343 rc = load_image(image_id, image_data); 344 if (rc != 0) { 345 return rc; 346 } 347 348 #if TRUSTED_BOARD_BOOT 349 /* Authenticate it */ 350 rc = auth_mod_verify_img(image_id, 351 (void *)image_data->image_base, 352 image_data->image_size); 353 if (rc != 0) { 354 memset((void *)image_data->image_base, 0x00, 355 image_data->image_size); 356 flush_dcache_range(image_data->image_base, 357 image_data->image_size); 358 return -EAUTH; 359 } 360 361 /* 362 * File has been successfully loaded and authenticated. 363 * Flush the image to main memory so that it can be executed later by 364 * any CPU, regardless of cache and MMU state. 365 */ 366 flush_dcache_range(image_data->image_base, image_data->image_size); 367 #endif /* TRUSTED_BOARD_BOOT */ 368 369 return 0; 370 } 371 372 #else /* LOAD_IMAGE_V2 */ 373 374 /******************************************************************************* 375 * Generic function to load an image at a specific address given an image ID and 376 * extents of free memory. 377 * 378 * If the load is successful then the image information is updated. 379 * 380 * If the entry_point_info argument is not NULL then this function also updates: 381 * - the memory layout to mark the memory as reserved; 382 * - the entry point information. 383 * 384 * The caller might pass a NULL pointer for the entry point if they are not 385 * interested in this information. This is typically the case for non-executable 386 * images (e.g. certificates) and executable images that won't ever be executed 387 * on the application processor (e.g. additional microcontroller firmware). 388 * 389 * Returns 0 on success, a negative error code otherwise. 390 ******************************************************************************/ 391 int load_image(meminfo_t *mem_layout, 392 unsigned int image_id, 393 uintptr_t image_base, 394 image_info_t *image_data, 395 entry_point_info_t *entry_point_info) 396 { 397 uintptr_t dev_handle; 398 uintptr_t image_handle; 399 uintptr_t image_spec; 400 size_t image_size; 401 size_t bytes_read; 402 int io_result; 403 404 assert(mem_layout != NULL); 405 assert(image_data != NULL); 406 assert(image_data->h.version == VERSION_1); 407 408 /* Obtain a reference to the image by querying the platform layer */ 409 io_result = plat_get_image_source(image_id, &dev_handle, &image_spec); 410 if (io_result != 0) { 411 WARN("Failed to obtain reference to image id=%u (%i)\n", 412 image_id, io_result); 413 return io_result; 414 } 415 416 /* Attempt to access the image */ 417 io_result = io_open(dev_handle, image_spec, &image_handle); 418 if (io_result != 0) { 419 WARN("Failed to access image id=%u (%i)\n", 420 image_id, io_result); 421 return io_result; 422 } 423 424 INFO("Loading image id=%u at address %p\n", image_id, 425 (void *) image_base); 426 427 /* Find the size of the image */ 428 io_result = io_size(image_handle, &image_size); 429 if ((io_result != 0) || (image_size == 0)) { 430 WARN("Failed to determine the size of the image id=%u (%i)\n", 431 image_id, io_result); 432 goto exit; 433 } 434 435 /* Check that the memory where the image will be loaded is free */ 436 if (!is_mem_free(mem_layout->free_base, mem_layout->free_size, 437 image_base, image_size)) { 438 WARN("Failed to reserve region [base = %p, size = 0x%zx]\n", 439 (void *) image_base, image_size); 440 dump_load_info(image_base, image_size, mem_layout); 441 io_result = -ENOMEM; 442 goto exit; 443 } 444 445 /* We have enough space so load the image now */ 446 /* TODO: Consider whether to try to recover/retry a partially successful read */ 447 io_result = io_read(image_handle, image_base, image_size, &bytes_read); 448 if ((io_result != 0) || (bytes_read < image_size)) { 449 WARN("Failed to load image id=%u (%i)\n", image_id, io_result); 450 goto exit; 451 } 452 453 image_data->image_base = image_base; 454 image_data->image_size = image_size; 455 456 /* 457 * Update the memory usage info. 458 * This is done after the actual loading so that it is not updated when 459 * the load is unsuccessful. 460 * If the caller does not provide an entry point, bypass the memory 461 * reservation. 462 */ 463 if (entry_point_info != NULL) { 464 reserve_mem(&mem_layout->free_base, &mem_layout->free_size, 465 image_base, image_size); 466 entry_point_info->pc = image_base; 467 } else { 468 INFO("Skip reserving region [base = %p, size = 0x%zx]\n", 469 (void *) image_base, image_size); 470 } 471 472 #if !TRUSTED_BOARD_BOOT 473 /* 474 * File has been successfully loaded. 475 * Flush the image to main memory so that it can be executed later by 476 * any CPU, regardless of cache and MMU state. 477 * When TBB is enabled the image is flushed later, after image 478 * authentication. 479 */ 480 flush_dcache_range(image_base, image_size); 481 #endif /* TRUSTED_BOARD_BOOT */ 482 483 INFO("Image id=%u loaded at address %p, size = 0x%zx\n", image_id, 484 (void *) image_base, image_size); 485 486 exit: 487 io_close(image_handle); 488 /* Ignore improbable/unrecoverable error in 'close' */ 489 490 /* TODO: Consider maintaining open device connection from this bootloader stage */ 491 io_dev_close(dev_handle); 492 /* Ignore improbable/unrecoverable error in 'dev_close' */ 493 494 return io_result; 495 } 496 497 /******************************************************************************* 498 * Generic function to load and authenticate an image. The image is actually 499 * loaded by calling the 'load_image()' function. Therefore, it returns the 500 * same error codes if the loading operation failed, or -EAUTH if the 501 * authentication failed. In addition, this function uses recursion to 502 * authenticate the parent images up to the root of trust. 503 ******************************************************************************/ 504 int load_auth_image(meminfo_t *mem_layout, 505 unsigned int image_id, 506 uintptr_t image_base, 507 image_info_t *image_data, 508 entry_point_info_t *entry_point_info) 509 { 510 int rc; 511 512 #if TRUSTED_BOARD_BOOT 513 unsigned int parent_id; 514 515 /* Use recursion to authenticate parent images */ 516 rc = auth_mod_get_parent_id(image_id, &parent_id); 517 if (rc == 0) { 518 rc = load_auth_image(mem_layout, parent_id, image_base, 519 image_data, NULL); 520 if (rc != 0) { 521 return rc; 522 } 523 } 524 #endif /* TRUSTED_BOARD_BOOT */ 525 526 /* Load the image */ 527 rc = load_image(mem_layout, image_id, image_base, image_data, 528 entry_point_info); 529 if (rc != 0) { 530 return rc; 531 } 532 533 #if TRUSTED_BOARD_BOOT 534 /* Authenticate it */ 535 rc = auth_mod_verify_img(image_id, 536 (void *)image_data->image_base, 537 image_data->image_size); 538 if (rc != 0) { 539 memset((void *)image_data->image_base, 0x00, 540 image_data->image_size); 541 flush_dcache_range(image_data->image_base, 542 image_data->image_size); 543 return -EAUTH; 544 } 545 /* 546 * File has been successfully loaded and authenticated. 547 * Flush the image to main memory so that it can be executed later by 548 * any CPU, regardless of cache and MMU state. 549 */ 550 flush_dcache_range(image_data->image_base, image_data->image_size); 551 #endif /* TRUSTED_BOARD_BOOT */ 552 553 return 0; 554 } 555 556 #endif /* LOAD_IMAGE_V2 */ 557 558 /******************************************************************************* 559 * Print the content of an entry_point_info_t structure. 560 ******************************************************************************/ 561 void print_entry_point_info(const entry_point_info_t *ep_info) 562 { 563 INFO("Entry point address = %p\n", (void *)ep_info->pc); 564 INFO("SPSR = 0x%x\n", ep_info->spsr); 565 566 #define PRINT_IMAGE_ARG(n) \ 567 VERBOSE("Argument #" #n " = 0x%llx\n", \ 568 (unsigned long long) ep_info->args.arg##n) 569 570 PRINT_IMAGE_ARG(0); 571 PRINT_IMAGE_ARG(1); 572 PRINT_IMAGE_ARG(2); 573 PRINT_IMAGE_ARG(3); 574 #ifndef AARCH32 575 PRINT_IMAGE_ARG(4); 576 PRINT_IMAGE_ARG(5); 577 PRINT_IMAGE_ARG(6); 578 PRINT_IMAGE_ARG(7); 579 #endif 580 #undef PRINT_IMAGE_ARG 581 } 582