1 /* 2 * Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #include <stdio.h> 32 #include <string.h> 33 #include <errno.h> 34 #include <assert.h> 35 #include <arch_helpers.h> 36 #include <console.h> 37 #include <platform.h> 38 #include <semihosting.h> 39 #include <bl_common.h> 40 #include "io_storage.h" 41 #include "debug.h" 42 43 /*********************************************************** 44 * Memory for sharing data while changing exception levels. 45 * Only used by the primary core. 46 **********************************************************/ 47 unsigned char bl2_el_change_mem_ptr[EL_CHANGE_MEM_SIZE]; 48 49 unsigned long *get_el_change_mem_ptr(void) 50 { 51 return (unsigned long *) bl2_el_change_mem_ptr; 52 } 53 54 unsigned long page_align(unsigned long value, unsigned dir) 55 { 56 unsigned long page_size = 1 << FOUR_KB_SHIFT; 57 58 /* Round up the limit to the next page boundary */ 59 if (value & (page_size - 1)) { 60 value &= ~(page_size - 1); 61 if (dir == UP) 62 value += page_size; 63 } 64 65 return value; 66 } 67 68 static inline unsigned int is_page_aligned (unsigned long addr) { 69 const unsigned long page_size = 1 << FOUR_KB_SHIFT; 70 71 return (addr & (page_size - 1)) == 0; 72 } 73 74 void change_security_state(unsigned int target_security_state) 75 { 76 unsigned long scr = read_scr(); 77 78 if (target_security_state == SECURE) 79 scr &= ~SCR_NS_BIT; 80 else if (target_security_state == NON_SECURE) 81 scr |= SCR_NS_BIT; 82 else 83 assert(0); 84 85 write_scr(scr); 86 } 87 88 int drop_el(aapcs64_params *args, 89 unsigned long spsr, 90 unsigned long entrypoint) 91 { 92 write_spsr(spsr); 93 write_elr(entrypoint); 94 eret(args->arg0, 95 args->arg1, 96 args->arg2, 97 args->arg3, 98 args->arg4, 99 args->arg5, 100 args->arg6, 101 args->arg7); 102 return -EINVAL; 103 } 104 105 long raise_el(aapcs64_params *args) 106 { 107 return smc(args->arg0, 108 args->arg1, 109 args->arg2, 110 args->arg3, 111 args->arg4, 112 args->arg5, 113 args->arg6, 114 args->arg7); 115 } 116 117 /* 118 * TODO: If we are not EL3 then currently we only issue an SMC. 119 * Add support for dropping into EL0 etc. Consider adding support 120 * for switching from S-EL1 to S-EL0/1 etc. 121 */ 122 long change_el(el_change_info *info) 123 { 124 unsigned long current_el = read_current_el(); 125 126 if (GET_EL(current_el) == MODE_EL3) { 127 /* 128 * We can go anywhere from EL3. So find where. 129 * TODO: Lots to do if we are going non-secure. 130 * Flip the NS bit. Restore NS registers etc. 131 * Just doing the bare minimal for now. 132 */ 133 134 if (info->security_state == NON_SECURE) 135 change_security_state(info->security_state); 136 137 return drop_el(&info->args, info->spsr, info->entrypoint); 138 } else 139 return raise_el(&info->args); 140 } 141 142 /* TODO: add a parameter for DAIF. not needed right now */ 143 unsigned long make_spsr(unsigned long target_el, 144 unsigned long target_sp, 145 unsigned long target_rw) 146 { 147 unsigned long spsr; 148 149 /* Disable all exceptions & setup the EL */ 150 spsr = (DAIF_FIQ_BIT | DAIF_IRQ_BIT | DAIF_ABT_BIT | DAIF_DBG_BIT) 151 << PSR_DAIF_SHIFT; 152 spsr |= PSR_MODE(target_rw, target_el, target_sp); 153 154 return spsr; 155 } 156 157 /******************************************************************************* 158 * The next two functions are the weak definitions. Platform specific 159 * code can override them if it wishes to. 160 ******************************************************************************/ 161 162 /******************************************************************************* 163 * Function that takes a memory layout into which BL31 has been either top or 164 * bottom loaded. Using this information, it populates bl31_mem_layout to tell 165 * BL31 how much memory it has access to and how much is available for use. It 166 * does not need the address where BL31 has been loaded as BL31 will reclaim 167 * all the memory used by BL2. 168 * TODO: Revisit if this and init_bl2_mem_layout can be replaced by a single 169 * routine. 170 ******************************************************************************/ 171 void init_bl31_mem_layout(const meminfo *bl2_mem_layout, 172 meminfo *bl31_mem_layout, 173 unsigned int load_type) 174 { 175 if (load_type == BOT_LOAD) { 176 /* 177 * ------------ ^ 178 * | BL2 | | 179 * |----------| ^ | BL2 180 * | | | BL2 free | total 181 * | | | size | size 182 * |----------| BL2 free base v | 183 * | BL31 | | 184 * ------------ BL2 total base v 185 */ 186 unsigned long bl31_size; 187 188 bl31_mem_layout->free_base = bl2_mem_layout->free_base; 189 190 bl31_size = bl2_mem_layout->free_base - bl2_mem_layout->total_base; 191 bl31_mem_layout->free_size = bl2_mem_layout->total_size - bl31_size; 192 } else { 193 /* 194 * ------------ ^ 195 * | BL31 | | 196 * |----------| ^ | BL2 197 * | | | BL2 free | total 198 * | | | size | size 199 * |----------| BL2 free base v | 200 * | BL2 | | 201 * ------------ BL2 total base v 202 */ 203 unsigned long bl2_size; 204 205 bl31_mem_layout->free_base = bl2_mem_layout->total_base; 206 207 bl2_size = bl2_mem_layout->free_base - bl2_mem_layout->total_base; 208 bl31_mem_layout->free_size = bl2_mem_layout->free_size + bl2_size; 209 } 210 211 bl31_mem_layout->total_base = bl2_mem_layout->total_base; 212 bl31_mem_layout->total_size = bl2_mem_layout->total_size; 213 bl31_mem_layout->attr = load_type; 214 215 flush_dcache_range((unsigned long) bl31_mem_layout, sizeof(meminfo)); 216 return; 217 } 218 219 /******************************************************************************* 220 * Function that takes a memory layout into which BL2 has been either top or 221 * bottom loaded along with the address where BL2 has been loaded in it. Using 222 * this information, it populates bl2_mem_layout to tell BL2 how much memory 223 * it has access to and how much is available for use. 224 ******************************************************************************/ 225 void init_bl2_mem_layout(meminfo *bl1_mem_layout, 226 meminfo *bl2_mem_layout, 227 unsigned int load_type, 228 unsigned long bl2_base) 229 { 230 unsigned tmp; 231 232 if (load_type == BOT_LOAD) { 233 bl2_mem_layout->total_base = bl2_base; 234 tmp = bl1_mem_layout->free_base - bl2_base; 235 bl2_mem_layout->total_size = bl1_mem_layout->free_size + tmp; 236 237 } else { 238 bl2_mem_layout->total_base = bl1_mem_layout->free_base; 239 tmp = bl1_mem_layout->total_base + bl1_mem_layout->total_size; 240 bl2_mem_layout->total_size = tmp - bl1_mem_layout->free_base; 241 } 242 243 bl2_mem_layout->free_base = bl1_mem_layout->free_base; 244 bl2_mem_layout->free_size = bl1_mem_layout->free_size; 245 bl2_mem_layout->attr = load_type; 246 247 flush_dcache_range((unsigned long) bl2_mem_layout, sizeof(meminfo)); 248 return; 249 } 250 251 static void dump_load_info(unsigned long image_load_addr, 252 unsigned long image_size, 253 const meminfo *mem_layout) 254 { 255 #if DEBUG 256 printf("Trying to load image at address 0x%lx, size = 0x%lx\r\n", 257 image_load_addr, image_size); 258 printf("Current memory layout:\r\n"); 259 printf(" total region = [0x%lx, 0x%lx]\r\n", mem_layout->total_base, 260 mem_layout->total_base + mem_layout->total_size); 261 printf(" free region = [0x%lx, 0x%lx]\r\n", mem_layout->free_base, 262 mem_layout->free_base + mem_layout->free_size); 263 #endif 264 } 265 266 /******************************************************************************* 267 * Generic function to load an image into the trusted RAM, 268 * given a name, extents of free memory & whether the image should be loaded at 269 * the bottom or top of the free memory. It updates the memory layout if the 270 * load is successful. 271 ******************************************************************************/ 272 unsigned long load_image(meminfo *mem_layout, 273 const char *image_name, 274 unsigned int load_type, 275 unsigned long fixed_addr) 276 { 277 io_dev_handle dev_handle; 278 io_handle image_handle; 279 void *image_spec; 280 unsigned long temp_image_base = 0; 281 unsigned long image_base = 0; 282 long offset = 0; 283 size_t image_size = 0; 284 size_t bytes_read = 0; 285 int io_result = IO_FAIL; 286 287 assert(mem_layout != NULL); 288 assert(image_name != NULL); 289 290 /* Obtain a reference to the image by querying the platform layer */ 291 io_result = plat_get_image_source(image_name, &dev_handle, &image_spec); 292 if (io_result != IO_SUCCESS) { 293 ERROR("Failed to obtain reference to image '%s' (%i)\n", 294 image_name, io_result); 295 return 0; 296 } 297 298 /* Attempt to access the image */ 299 io_result = io_open(dev_handle, image_spec, &image_handle); 300 if (io_result != IO_SUCCESS) { 301 ERROR("Failed to access image '%s' (%i)\n", 302 image_name, io_result); 303 return 0; 304 } 305 306 /* Find the size of the image */ 307 io_result = io_size(image_handle, &image_size); 308 if ((io_result != IO_SUCCESS) || (image_size == 0)) { 309 ERROR("Failed to determine the size of the image '%s' file (%i)\n", 310 image_name, io_result); 311 goto fail; 312 } 313 314 /* See if we have enough space */ 315 if (image_size > mem_layout->free_size) { 316 ERROR("ERROR: Cannot load '%s' file: Not enough space.\n", 317 image_name); 318 dump_load_info(0, image_size, mem_layout); 319 goto fail; 320 } 321 322 switch (load_type) { 323 324 case TOP_LOAD: 325 326 /* Load the image in the top of free memory */ 327 temp_image_base = mem_layout->free_base + mem_layout->free_size; 328 temp_image_base -= image_size; 329 330 /* Page align base address and check whether the image still fits */ 331 image_base = page_align(temp_image_base, DOWN); 332 assert(image_base <= temp_image_base); 333 334 if (image_base < mem_layout->free_base) { 335 ERROR("Cannot load '%s' file: Not enough space.\n", 336 image_name); 337 dump_load_info(image_base, image_size, mem_layout); 338 goto fail; 339 } 340 341 /* Calculate the amount of extra memory used due to alignment */ 342 offset = temp_image_base - image_base; 343 344 break; 345 346 case BOT_LOAD: 347 348 /* Load the BL2 image in the bottom of free memory */ 349 temp_image_base = mem_layout->free_base; 350 image_base = page_align(temp_image_base, UP); 351 assert(image_base >= temp_image_base); 352 353 /* Page align base address and check whether the image still fits */ 354 if (image_base + image_size > 355 mem_layout->free_base + mem_layout->free_size) { 356 ERROR("Cannot load '%s' file: Not enough space.\n", 357 image_name); 358 dump_load_info(image_base, image_size, mem_layout); 359 goto fail; 360 } 361 362 /* Calculate the amount of extra memory used due to alignment */ 363 offset = image_base - temp_image_base; 364 365 break; 366 367 default: 368 assert(0); 369 370 } 371 372 /* 373 * Some images must be loaded at a fixed address, not a dynamic one. 374 * 375 * This has been implemented as a hack on top of the existing dynamic 376 * loading mechanism, for the time being. If the 'fixed_addr' function 377 * argument is different from zero, then it will force the load address. 378 * So we still have this principle of top/bottom loading but the code 379 * determining the load address is bypassed and the load address is 380 * forced to the fixed one. 381 * 382 * This can result in quite a lot of wasted space because we still use 383 * 1 sole meminfo structure to represent the extents of free memory, 384 * where we should use some sort of linked list. 385 * 386 * E.g. we want to load BL2 at address 0x04020000, the resulting memory 387 * layout should look as follows: 388 * ------------ 0x04040000 389 * | | <- Free space (1) 390 * |----------| 391 * | BL2 | 392 * |----------| 0x04020000 393 * | | <- Free space (2) 394 * |----------| 395 * | BL1 | 396 * ------------ 0x04000000 397 * 398 * But in the current hacky implementation, we'll need to specify 399 * whether BL2 is loaded at the top or bottom of the free memory. 400 * E.g. if BL2 is considered as top-loaded, the meminfo structure 401 * will give the following view of the memory, hiding the chunk of 402 * free memory above BL2: 403 * ------------ 0x04040000 404 * | | 405 * | | 406 * | BL2 | 407 * |----------| 0x04020000 408 * | | <- Free space (2) 409 * |----------| 410 * | BL1 | 411 * ------------ 0x04000000 412 */ 413 if (fixed_addr != 0) { 414 /* Load the image at the given address. */ 415 image_base = fixed_addr; 416 417 /* Check whether the image fits. */ 418 if ((image_base < mem_layout->free_base) || 419 (image_base + image_size > 420 mem_layout->free_base + mem_layout->free_size)) { 421 ERROR("Cannot load '%s' file: Not enough space.\n", 422 image_name); 423 dump_load_info(image_base, image_size, mem_layout); 424 goto fail; 425 } 426 427 /* Check whether the fixed load address is page-aligned. */ 428 if (!is_page_aligned(image_base)) { 429 ERROR("Cannot load '%s' file at unaligned address 0x%lx\n", 430 image_name, fixed_addr); 431 goto fail; 432 } 433 434 /* 435 * Calculate the amount of extra memory used due to fixed 436 * loading. 437 */ 438 if (load_type == TOP_LOAD) { 439 unsigned long max_addr, space_used; 440 /* 441 * ------------ max_addr 442 * | /wasted/ | | offset 443 * |..........|.............................. 444 * | image | | image_flen 445 * |----------| fixed_addr 446 * | | 447 * | | 448 * ------------ total_base 449 */ 450 max_addr = mem_layout->total_base + mem_layout->total_size; 451 /* 452 * Compute the amount of memory used by the image. 453 * Corresponds to all space above the image load 454 * address. 455 */ 456 space_used = max_addr - fixed_addr; 457 /* 458 * Calculate the amount of wasted memory within the 459 * amount of memory used by the image. 460 */ 461 offset = space_used - image_size; 462 } else /* BOT_LOAD */ 463 /* 464 * ------------ 465 * | | 466 * | | 467 * |----------| 468 * | image | 469 * |..........| fixed_addr 470 * | /wasted/ | | offset 471 * ------------ total_base 472 */ 473 offset = fixed_addr - mem_layout->total_base; 474 } 475 476 /* We have enough space so load the image now */ 477 /* TODO: Consider whether to try to recover/retry a partially successful read */ 478 io_result = io_read(image_handle, (void *)image_base, image_size, &bytes_read); 479 if ((io_result != IO_SUCCESS) || (bytes_read < image_size)) { 480 ERROR("Failed to load '%s' file (%i)\n", image_name, io_result); 481 goto fail; 482 } 483 484 /* 485 * File has been successfully loaded. Update the free memory 486 * data structure & flush the contents of the TZRAM so that 487 * the next EL can see it. 488 */ 489 /* Update the memory contents */ 490 flush_dcache_range(image_base, image_size); 491 492 mem_layout->free_size -= image_size + offset; 493 494 /* Update the base of free memory since its moved up */ 495 if (load_type == BOT_LOAD) 496 mem_layout->free_base += offset + image_size; 497 498 exit: 499 io_result = io_close(image_handle); 500 /* Ignore improbable/unrecoverable error in 'close' */ 501 502 /* TODO: Consider maintaining open device connection from this bootloader stage */ 503 io_result = io_dev_close(dev_handle); 504 /* Ignore improbable/unrecoverable error in 'dev_close' */ 505 506 return image_base; 507 508 fail: image_base = 0; 509 goto exit; 510 } 511 512 /******************************************************************************* 513 * Run a loaded image from the given entry point. This could result in either 514 * dropping into a lower exception level or jumping to a higher exception level. 515 * The only way of doing the latter is through an SMC. In either case, setup the 516 * parameters for the EL change request correctly. 517 ******************************************************************************/ 518 int run_image(unsigned long entrypoint, 519 unsigned long spsr, 520 unsigned long target_security_state, 521 meminfo *mem_layout, 522 void *data) 523 { 524 el_change_info run_image_info; 525 unsigned long current_el = read_current_el(); 526 527 /* Tell next EL what we want done */ 528 run_image_info.args.arg0 = RUN_IMAGE; 529 run_image_info.entrypoint = entrypoint; 530 run_image_info.spsr = spsr; 531 run_image_info.security_state = target_security_state; 532 run_image_info.next = 0; 533 534 /* 535 * If we are EL3 then only an eret can take us to the desired 536 * exception level. Else for the time being assume that we have 537 * to jump to a higher EL and issue an SMC. Contents of argY 538 * will go into the general purpose register xY e.g. arg0->x0 539 */ 540 if (GET_EL(current_el) == MODE_EL3) { 541 run_image_info.args.arg1 = (unsigned long) mem_layout; 542 run_image_info.args.arg2 = (unsigned long) data; 543 } else { 544 run_image_info.args.arg1 = entrypoint; 545 run_image_info.args.arg2 = spsr; 546 run_image_info.args.arg3 = (unsigned long) mem_layout; 547 run_image_info.args.arg4 = (unsigned long) data; 548 } 549 550 return change_el(&run_image_info); 551 } 552