1992f091bSAmbroise Vincent======== 2992f091bSAmbroise VincentDebug FS 3992f091bSAmbroise Vincent======== 4992f091bSAmbroise Vincent 5992f091bSAmbroise Vincent.. contents:: 6992f091bSAmbroise Vincent 7992f091bSAmbroise VincentOverview 8992f091bSAmbroise Vincent-------- 9992f091bSAmbroise Vincent 10992f091bSAmbroise VincentThe *DebugFS* feature is primarily aimed at exposing firmware debug data to 11992f091bSAmbroise Vincenthigher SW layers such as a non-secure component. Such component can be the 12992f091bSAmbroise VincentTFTF test payload or a Linux kernel module. 13992f091bSAmbroise Vincent 14992f091bSAmbroise VincentVirtual filesystem 15992f091bSAmbroise Vincent------------------ 16992f091bSAmbroise Vincent 17992f091bSAmbroise VincentThe core functionality lies in a virtual file system based on a 9p file server 183ac82b25SOlivier Deprezinterface (`Notes on the Plan 9 Kernel Source`_ and 193ac82b25SOlivier Deprez`Linux 9p remote filesystem protocol`_). 203ac82b25SOlivier DeprezThe implementation permits exposing virtual files, firmware drivers, and file blobs. 21992f091bSAmbroise Vincent 22992f091bSAmbroise VincentNamespace 23992f091bSAmbroise Vincent~~~~~~~~~ 24992f091bSAmbroise Vincent 25992f091bSAmbroise VincentTwo namespaces are exposed: 26992f091bSAmbroise Vincent 27992f091bSAmbroise Vincent - # is used as root for drivers (e.g. #t0 is the first uart) 28992f091bSAmbroise Vincent - / is used as root for virtual "files" (e.g. /fip, or /dev/uart) 29992f091bSAmbroise Vincent 30992f091bSAmbroise Vincent9p interface 31992f091bSAmbroise Vincent~~~~~~~~~~~~ 32992f091bSAmbroise Vincent 33992f091bSAmbroise VincentThe associated primitives are: 34992f091bSAmbroise Vincent 35992f091bSAmbroise Vincent- Unix-like: 36992f091bSAmbroise Vincent 37992f091bSAmbroise Vincent - open(): create a file descriptor that acts as a handle to the file passed as 38992f091bSAmbroise Vincent an argument. 39992f091bSAmbroise Vincent - close(): close the file descriptor created by open(). 40992f091bSAmbroise Vincent - read(): read from a file to a buffer. 41992f091bSAmbroise Vincent - write(): write from a buffer to a file. 42992f091bSAmbroise Vincent - seek(): set the file position indicator of a file descriptor either to a 43992f091bSAmbroise Vincent relative or an absolute offset. 44992f091bSAmbroise Vincent - stat(): get information about a file (type, mode, size, ...). 45992f091bSAmbroise Vincent 46992f091bSAmbroise Vincent.. code:: c 47992f091bSAmbroise Vincent 48992f091bSAmbroise Vincent int open(const char *name, int flags); 49992f091bSAmbroise Vincent int close(int fd); 50992f091bSAmbroise Vincent int read(int fd, void *buf, int n); 51992f091bSAmbroise Vincent int write(int fd, void *buf, int n); 52992f091bSAmbroise Vincent int seek(int fd, long off, int whence); 53992f091bSAmbroise Vincent int stat(char *path, dir_t *dir); 54992f091bSAmbroise Vincent 55992f091bSAmbroise Vincent- Specific primitives : 56992f091bSAmbroise Vincent 57992f091bSAmbroise Vincent - mount(): create a link between a driver and spec. 58992f091bSAmbroise Vincent - create(): create a file in a specific location. 59992f091bSAmbroise Vincent - bind(): expose the content of a directory to another directory. 60992f091bSAmbroise Vincent 61992f091bSAmbroise Vincent.. code:: c 62992f091bSAmbroise Vincent 63992f091bSAmbroise Vincent int mount(char *srv, char *mnt, char *spec); 64992f091bSAmbroise Vincent int create(const char *name, int flags); 65992f091bSAmbroise Vincent int bind(char *path, char *where); 66992f091bSAmbroise Vincent 67992f091bSAmbroise VincentThis interface is embedded into the BL31 run-time payload when selected by build 68992f091bSAmbroise Vincentoptions. The interface multiplexes drivers or emulated "files": 69992f091bSAmbroise Vincent 70992f091bSAmbroise Vincent- Debug data can be partitioned into different virtual files e.g. expose PMF 71992f091bSAmbroise Vincent measurements through a file, and internal firmware state counters through 72992f091bSAmbroise Vincent another file. 73992f091bSAmbroise Vincent- This permits direct access to a firmware driver, mainly for test purposes 74992f091bSAmbroise Vincent (e.g. a hardware device that may not be accessible to non-privileged/ 75992f091bSAmbroise Vincent non-secure layers, or for which no support exists in the NS side). 76992f091bSAmbroise Vincent 77992f091bSAmbroise VincentSMC interface 78992f091bSAmbroise Vincent------------- 79992f091bSAmbroise Vincent 80992f091bSAmbroise VincentThe communication with the 9p layer in BL31 is made through an SMC conduit 8171ac931fSSandrine Bailleux(`SMC Calling Convention`_), using a specific SiP Function Id. An NS 823ac82b25SOlivier Deprezshared buffer is used to pass path string parameters, or e.g. to exchange 83*6844c347SMadhukar Pappireddydata on a read operation. Refer to :ref:`ARM SiP Services <arm sip services>` 84*6844c347SMadhukar Pappireddyfor a description of the SMC interface. 85992f091bSAmbroise Vincent 86992f091bSAmbroise VincentSecurity considerations 87992f091bSAmbroise Vincent----------------------- 88992f091bSAmbroise Vincent 89992f091bSAmbroise Vincent- Due to the nature of the exposed data, the feature is considered experimental 90992f091bSAmbroise Vincent and importantly **shall only be used in debug builds**. 91992f091bSAmbroise Vincent- Several primitive imply string manipulations and usage of string formats. 92992f091bSAmbroise Vincent- Special care is taken with the shared buffer to avoid TOCTOU attacks. 93992f091bSAmbroise Vincent 94992f091bSAmbroise VincentLimitations 95992f091bSAmbroise Vincent----------- 96992f091bSAmbroise Vincent 97992f091bSAmbroise Vincent- In order to setup the shared buffer, the component consuming the interface 98992f091bSAmbroise Vincent needs to allocate a physical page frame and transmit its address. 99992f091bSAmbroise Vincent- In order to map the shared buffer, BL31 requires enabling the dynamic xlat 100992f091bSAmbroise Vincent table option. 101992f091bSAmbroise Vincent- Data exchange is limited by the shared buffer length. A large read operation 102992f091bSAmbroise Vincent might be split into multiple read operations of smaller chunks. 103992f091bSAmbroise Vincent- On concurrent access, a spinlock is implemented in the BL31 service to protect 104992f091bSAmbroise Vincent the internal work buffer, and re-entrancy into the filesystem layers. 105992f091bSAmbroise Vincent- Notice, a physical device driver if exposed by the firmware may conflict with 106992f091bSAmbroise Vincent the higher level OS if the latter implements its own driver for the same 107992f091bSAmbroise Vincent physical device. 108992f091bSAmbroise Vincent 109992f091bSAmbroise VincentApplications 110992f091bSAmbroise Vincent------------ 111992f091bSAmbroise Vincent 112992f091bSAmbroise VincentThe SMC interface is accessible from an NS environment, that is: 113992f091bSAmbroise Vincent 114992f091bSAmbroise Vincent- a test payload, bootloader or hypervisor running at NS-EL2 115992f091bSAmbroise Vincent- a Linux kernel driver running at NS-EL1 116992f091bSAmbroise Vincent- a Linux userspace application through the kernel driver 117992f091bSAmbroise Vincent 118992f091bSAmbroise Vincent-------------- 119992f091bSAmbroise Vincent 1203ac82b25SOlivier Deprez*Copyright (c) 2019-2020, Arm Limited and Contributors. All rights reserved.* 121992f091bSAmbroise Vincent 1223ba55a3cSlaurenw-arm.. _SMC Calling Convention: https://developer.arm.com/docs/den0028/latest 123992f091bSAmbroise Vincent.. _Notes on the Plan 9 Kernel Source: http://lsub.org/who/nemo/9.pdf 124992f091bSAmbroise Vincent.. _Linux 9p remote filesystem protocol: https://www.kernel.org/doc/Documentation/filesystems/9p.txt 125992f091bSAmbroise Vincent.. _ARM SiP Services: arm-sip-service.rst 126