1 /* 2 * Copyright (c) 2022-2024, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <errno.h> 9 #include <inttypes.h> 10 #include <limits.h> 11 #include <stdint.h> 12 13 #include <arch.h> 14 #include <arch_features.h> 15 #include <arch_helpers.h> 16 #include <common/debug.h> 17 #include "gpt_rme_private.h" 18 #include <lib/gpt_rme/gpt_rme.h> 19 #include <lib/smccc.h> 20 #include <lib/spinlock.h> 21 #include <lib/xlat_tables/xlat_tables_v2.h> 22 23 #if !ENABLE_RME 24 #error "ENABLE_RME must be enabled to use the GPT library" 25 #endif 26 27 /* 28 * Lookup T from PPS 29 * 30 * PPS Size T 31 * 0b000 4GB 32 32 * 0b001 64GB 36 33 * 0b010 1TB 40 34 * 0b011 4TB 42 35 * 0b100 16TB 44 36 * 0b101 256TB 48 37 * 0b110 4PB 52 38 * 39 * See section 15.1.27 of the RME specification. 40 */ 41 static const gpt_t_val_e gpt_t_lookup[] = {PPS_4GB_T, PPS_64GB_T, 42 PPS_1TB_T, PPS_4TB_T, 43 PPS_16TB_T, PPS_256TB_T, 44 PPS_4PB_T}; 45 46 /* 47 * Lookup P from PGS 48 * 49 * PGS Size P 50 * 0b00 4KB 12 51 * 0b10 16KB 14 52 * 0b01 64KB 16 53 * 54 * Note that pgs=0b10 is 16KB and pgs=0b01 is 64KB, this is not a typo. 55 * 56 * See section 15.1.27 of the RME specification. 57 */ 58 static const gpt_p_val_e gpt_p_lookup[] = {PGS_4KB_P, PGS_64KB_P, PGS_16KB_P}; 59 60 static void shatter_2mb(uintptr_t base, const gpi_info_t *gpi_info, 61 uint64_t l1_desc); 62 static void shatter_32mb(uintptr_t base, const gpi_info_t *gpi_info, 63 uint64_t l1_desc); 64 static void shatter_512mb(uintptr_t base, const gpi_info_t *gpi_info, 65 uint64_t l1_desc); 66 67 /* 68 * This structure contains GPT configuration data 69 */ 70 typedef struct { 71 uintptr_t plat_gpt_l0_base; 72 gpccr_pps_e pps; 73 gpt_t_val_e t; 74 gpccr_pgs_e pgs; 75 gpt_p_val_e p; 76 } gpt_config_t; 77 78 static gpt_config_t gpt_config; 79 80 /* 81 * Number of L1 entries in 2MB, depending on GPCCR_EL3.PGS: 82 * +-------+------------+ 83 * | PGS | L1 entries | 84 * +-------+------------+ 85 * | 4KB | 32 | 86 * +-------+------------+ 87 * | 16KB | 8 | 88 * +-------+------------+ 89 * | 64KB | 2 | 90 * +-------+------------+ 91 */ 92 static unsigned int gpt_l1_cnt_2mb; 93 94 /* 95 * Mask for the L1 index field, depending on 96 * GPCCR_EL3.L0GPTSZ and GPCCR_EL3.PGS: 97 * +---------+-------------------------------+ 98 * | | PGS | 99 * +---------+----------+----------+---------+ 100 * | L0GPTSZ | 4KB | 16KB | 64KB | 101 * +---------+----------+----------+---------+ 102 * | 1GB | 0x3FFF | 0xFFF | 0x3FF | 103 * +---------+----------+----------+---------+ 104 * | 16GB | 0x3FFFF | 0xFFFF | 0x3FFF | 105 * +---------+----------+----------+---------+ 106 * | 64GB | 0xFFFFF | 0x3FFFF | 0xFFFF | 107 * +---------+----------+----------+---------+ 108 * | 512GB | 0x7FFFFF | 0x1FFFFF | 0x7FFFF | 109 * +---------+----------+----------+---------+ 110 */ 111 static uint64_t gpt_l1_index_mask; 112 113 /* Number of 128-bit L1 entries in 2MB, 32MB and 512MB */ 114 #define L1_QWORDS_2MB (gpt_l1_cnt_2mb / 2U) 115 #define L1_QWORDS_32MB (L1_QWORDS_2MB * 16U) 116 #define L1_QWORDS_512MB (L1_QWORDS_32MB * 16U) 117 118 /* Size in bytes of L1 entries in 2MB, 32MB */ 119 #define L1_BYTES_2MB (gpt_l1_cnt_2mb * sizeof(uint64_t)) 120 #define L1_BYTES_32MB (L1_BYTES_2MB * 16U) 121 122 /* Get the index into the L1 table from a physical address */ 123 #define GPT_L1_INDEX(_pa) \ 124 (((_pa) >> (unsigned int)GPT_L1_IDX_SHIFT(gpt_config.p)) & gpt_l1_index_mask) 125 126 /* These variables are used during initialization of the L1 tables */ 127 static uintptr_t gpt_l1_tbl; 128 129 /* These variable is used during runtime */ 130 #if (RME_GPT_BITLOCK_BLOCK == 0) 131 /* 132 * The GPTs are protected by a global spinlock to ensure 133 * that multiple CPUs do not attempt to change the descriptors at once. 134 */ 135 static spinlock_t gpt_lock; 136 #else 137 138 /* Bitlocks base address */ 139 static bitlock_t *gpt_bitlock_base; 140 #endif 141 142 /* Lock/unlock macros for GPT entries */ 143 #if (RME_GPT_BITLOCK_BLOCK == 0) 144 /* 145 * Access to GPT is controlled by a global lock to ensure 146 * that no more than one CPU is allowed to make changes at any 147 * given time. 148 */ 149 #define GPT_LOCK spin_lock(&gpt_lock) 150 #define GPT_UNLOCK spin_unlock(&gpt_lock) 151 #else 152 /* 153 * Access to a block of memory is controlled by a bitlock. 154 * Size of block = RME_GPT_BITLOCK_BLOCK * 512MB. 155 */ 156 #define GPT_LOCK bit_lock(gpi_info.lock, gpi_info.mask) 157 #define GPT_UNLOCK bit_unlock(gpi_info.lock, gpi_info.mask) 158 #endif 159 160 static void tlbi_page_dsbosh(uintptr_t base) 161 { 162 /* Look-up table for invalidation TLBs for 4KB, 16KB and 64KB pages */ 163 static const gpt_tlbi_lookup_t tlbi_page_lookup[] = { 164 { tlbirpalos_4k, ~(SZ_4K - 1UL) }, 165 { tlbirpalos_64k, ~(SZ_64K - 1UL) }, 166 { tlbirpalos_16k, ~(SZ_16K - 1UL) } 167 }; 168 169 tlbi_page_lookup[gpt_config.pgs].function( 170 base & tlbi_page_lookup[gpt_config.pgs].mask); 171 dsbosh(); 172 } 173 174 /* 175 * Helper function to fill out GPI entries in a single L1 table 176 * with Granules or Contiguous descriptor. 177 * 178 * Parameters 179 * l1 Pointer to 2MB, 32MB or 512MB aligned L1 table entry to fill out 180 * l1_desc GPT Granules or Contiguous descriptor set this range to 181 * cnt Number of double 128-bit L1 entries to fill 182 * 183 */ 184 static void fill_desc(uint64_t *l1, uint64_t l1_desc, unsigned int cnt) 185 { 186 uint128_t *l1_quad = (uint128_t *)l1; 187 uint128_t l1_quad_desc = (uint128_t)l1_desc | ((uint128_t)l1_desc << 64); 188 189 VERBOSE("GPT: %s(%p 0x%"PRIx64" %u)\n", __func__, l1, l1_desc, cnt); 190 191 for (unsigned int i = 0U; i < cnt; i++) { 192 *l1_quad++ = l1_quad_desc; 193 } 194 } 195 196 static void shatter_2mb(uintptr_t base, const gpi_info_t *gpi_info, 197 uint64_t l1_desc) 198 { 199 unsigned long idx = GPT_L1_INDEX(ALIGN_2MB(base)); 200 201 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", 202 __func__, base, l1_desc); 203 204 /* Convert 2MB Contiguous block to Granules */ 205 fill_desc(&gpi_info->gpt_l1_addr[idx], l1_desc, L1_QWORDS_2MB); 206 } 207 208 static void shatter_32mb(uintptr_t base, const gpi_info_t *gpi_info, 209 uint64_t l1_desc) 210 { 211 unsigned long idx = GPT_L1_INDEX(ALIGN_2MB(base)); 212 const uint64_t *l1_gran = &gpi_info->gpt_l1_addr[idx]; 213 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 2MB); 214 uint64_t *l1; 215 216 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", 217 __func__, base, l1_desc); 218 219 /* Get index corresponding to 32MB aligned address */ 220 idx = GPT_L1_INDEX(ALIGN_32MB(base)); 221 l1 = &gpi_info->gpt_l1_addr[idx]; 222 223 /* 16 x 2MB blocks in 32MB */ 224 for (unsigned int i = 0U; i < 16U; i++) { 225 /* Fill with Granules or Contiguous descriptors */ 226 fill_desc(l1, (l1 == l1_gran) ? l1_desc : l1_cont_desc, 227 L1_QWORDS_2MB); 228 l1 = (uint64_t *)((uintptr_t)l1 + L1_BYTES_2MB); 229 } 230 } 231 232 static void shatter_512mb(uintptr_t base, const gpi_info_t *gpi_info, 233 uint64_t l1_desc) 234 { 235 unsigned long idx = GPT_L1_INDEX(ALIGN_32MB(base)); 236 const uint64_t *l1_32mb = &gpi_info->gpt_l1_addr[idx]; 237 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 32MB); 238 uint64_t *l1; 239 240 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", 241 __func__, base, l1_desc); 242 243 /* Get index corresponding to 512MB aligned address */ 244 idx = GPT_L1_INDEX(ALIGN_512MB(base)); 245 l1 = &gpi_info->gpt_l1_addr[idx]; 246 247 /* 16 x 32MB blocks in 512MB */ 248 for (unsigned int i = 0U; i < 16U; i++) { 249 if (l1 == l1_32mb) { 250 /* Shatter this 32MB block */ 251 shatter_32mb(base, gpi_info, l1_desc); 252 } else { 253 /* Fill 32MB with Contiguous descriptors */ 254 fill_desc(l1, l1_cont_desc, L1_QWORDS_32MB); 255 } 256 257 l1 = (uint64_t *)((uintptr_t)l1 + L1_BYTES_32MB); 258 } 259 } 260 261 /* 262 * This function checks to see if a GPI value is valid. 263 * 264 * These are valid GPI values. 265 * GPT_GPI_NO_ACCESS U(0x0) 266 * GPT_GPI_SECURE U(0x8) 267 * GPT_GPI_NS U(0x9) 268 * GPT_GPI_ROOT U(0xA) 269 * GPT_GPI_REALM U(0xB) 270 * GPT_GPI_ANY U(0xF) 271 * 272 * Parameters 273 * gpi GPI to check for validity. 274 * 275 * Return 276 * true for a valid GPI, false for an invalid one. 277 */ 278 static bool is_gpi_valid(unsigned int gpi) 279 { 280 if ((gpi == GPT_GPI_NO_ACCESS) || (gpi == GPT_GPI_ANY) || 281 ((gpi >= GPT_GPI_SECURE) && (gpi <= GPT_GPI_REALM))) { 282 return true; 283 } 284 return false; 285 } 286 287 /* 288 * This function checks to see if two PAS regions overlap. 289 * 290 * Parameters 291 * base_1: base address of first PAS 292 * size_1: size of first PAS 293 * base_2: base address of second PAS 294 * size_2: size of second PAS 295 * 296 * Return 297 * True if PAS regions overlap, false if they do not. 298 */ 299 static bool check_pas_overlap(uintptr_t base_1, size_t size_1, 300 uintptr_t base_2, size_t size_2) 301 { 302 if (((base_1 + size_1) > base_2) && ((base_2 + size_2) > base_1)) { 303 return true; 304 } 305 return false; 306 } 307 308 /* 309 * This helper function checks to see if a PAS region from index 0 to 310 * (pas_idx - 1) occupies the L0 region at index l0_idx in the L0 table. 311 * 312 * Parameters 313 * l0_idx: Index of the L0 entry to check 314 * pas_regions: PAS region array 315 * pas_idx: Upper bound of the PAS array index. 316 * 317 * Return 318 * True if a PAS region occupies the L0 region in question, false if not. 319 */ 320 static bool does_previous_pas_exist_here(unsigned int l0_idx, 321 pas_region_t *pas_regions, 322 unsigned int pas_idx) 323 { 324 /* Iterate over PAS regions up to pas_idx */ 325 for (unsigned int i = 0U; i < pas_idx; i++) { 326 if (check_pas_overlap((GPT_L0GPTSZ_ACTUAL_SIZE * l0_idx), 327 GPT_L0GPTSZ_ACTUAL_SIZE, 328 pas_regions[i].base_pa, pas_regions[i].size)) { 329 return true; 330 } 331 } 332 return false; 333 } 334 335 /* 336 * This function iterates over all of the PAS regions and checks them to ensure 337 * proper alignment of base and size, that the GPI is valid, and that no regions 338 * overlap. As a part of the overlap checks, this function checks existing L0 339 * mappings against the new PAS regions in the event that gpt_init_pas_l1_tables 340 * is called multiple times to place L1 tables in different areas of memory. It 341 * also counts the number of L1 tables needed and returns it on success. 342 * 343 * Parameters 344 * *pas_regions Pointer to array of PAS region structures. 345 * pas_region_cnt Total number of PAS regions in the array. 346 * 347 * Return 348 * Negative Linux error code in the event of a failure, number of L1 regions 349 * required when successful. 350 */ 351 static int validate_pas_mappings(pas_region_t *pas_regions, 352 unsigned int pas_region_cnt) 353 { 354 unsigned int idx; 355 unsigned int l1_cnt = 0U; 356 unsigned int pas_l1_cnt; 357 uint64_t *l0_desc = (uint64_t *)gpt_config.plat_gpt_l0_base; 358 359 assert(pas_regions != NULL); 360 assert(pas_region_cnt != 0U); 361 362 for (idx = 0U; idx < pas_region_cnt; idx++) { 363 /* Check for arithmetic overflow in region */ 364 if ((ULONG_MAX - pas_regions[idx].base_pa) < 365 pas_regions[idx].size) { 366 ERROR("GPT: Address overflow in PAS[%u]!\n", idx); 367 return -EOVERFLOW; 368 } 369 370 /* Initial checks for PAS validity */ 371 if (((pas_regions[idx].base_pa + pas_regions[idx].size) > 372 GPT_PPS_ACTUAL_SIZE(gpt_config.t)) || 373 !is_gpi_valid(GPT_PAS_ATTR_GPI(pas_regions[idx].attrs))) { 374 ERROR("GPT: PAS[%u] is invalid!\n", idx); 375 return -EFAULT; 376 } 377 378 /* 379 * Make sure this PAS does not overlap with another one. We 380 * start from idx + 1 instead of 0 since prior PAS mappings will 381 * have already checked themselves against this one. 382 */ 383 for (unsigned int i = idx + 1U; i < pas_region_cnt; i++) { 384 if (check_pas_overlap(pas_regions[idx].base_pa, 385 pas_regions[idx].size, 386 pas_regions[i].base_pa, 387 pas_regions[i].size)) { 388 ERROR("GPT: PAS[%u] overlaps with PAS[%u]\n", 389 i, idx); 390 return -EFAULT; 391 } 392 } 393 394 /* 395 * Since this function can be called multiple times with 396 * separate L1 tables we need to check the existing L0 mapping 397 * to see if this PAS would fall into one that has already been 398 * initialized. 399 */ 400 for (unsigned int i = 401 (unsigned int)GPT_L0_IDX(pas_regions[idx].base_pa); 402 i <= GPT_L0_IDX(pas_regions[idx].base_pa + 403 pas_regions[idx].size - 1UL); 404 i++) { 405 if ((GPT_L0_TYPE(l0_desc[i]) == GPT_L0_TYPE_BLK_DESC) && 406 (GPT_L0_BLKD_GPI(l0_desc[i]) == GPT_GPI_ANY)) { 407 /* This descriptor is unused so continue */ 408 continue; 409 } 410 411 /* 412 * This descriptor has been initialized in a previous 413 * call to this function so cannot be initialized again. 414 */ 415 ERROR("GPT: PAS[%u] overlaps with previous L0[%u]!\n", 416 idx, i); 417 return -EFAULT; 418 } 419 420 /* Check for block mapping (L0) type */ 421 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 422 GPT_PAS_ATTR_MAP_TYPE_BLOCK) { 423 /* Make sure base and size are block-aligned */ 424 if (!GPT_IS_L0_ALIGNED(pas_regions[idx].base_pa) || 425 !GPT_IS_L0_ALIGNED(pas_regions[idx].size)) { 426 ERROR("GPT: PAS[%u] is not block-aligned!\n", 427 idx); 428 return -EFAULT; 429 } 430 431 continue; 432 } 433 434 /* Check for granule mapping (L1) type */ 435 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 436 GPT_PAS_ATTR_MAP_TYPE_GRANULE) { 437 /* Make sure base and size are granule-aligned */ 438 if (!GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].base_pa) || 439 !GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].size)) { 440 ERROR("GPT: PAS[%u] is not granule-aligned!\n", 441 idx); 442 return -EFAULT; 443 } 444 445 /* Find how many L1 tables this PAS occupies */ 446 pas_l1_cnt = (GPT_L0_IDX(pas_regions[idx].base_pa + 447 pas_regions[idx].size - 1UL) - 448 GPT_L0_IDX(pas_regions[idx].base_pa) + 1U); 449 450 /* 451 * This creates a situation where, if multiple PAS 452 * regions occupy the same table descriptor, we can get 453 * an artificially high total L1 table count. The way we 454 * handle this is by checking each PAS against those 455 * before it in the array, and if they both occupy the 456 * same PAS we subtract from pas_l1_cnt and only the 457 * first PAS in the array gets to count it. 458 */ 459 460 /* 461 * If L1 count is greater than 1 we know the start and 462 * end PAs are in different L0 regions so we must check 463 * both for overlap against other PAS. 464 */ 465 if (pas_l1_cnt > 1) { 466 if (does_previous_pas_exist_here( 467 GPT_L0_IDX(pas_regions[idx].base_pa + 468 pas_regions[idx].size - 1UL), 469 pas_regions, idx)) { 470 pas_l1_cnt--; 471 } 472 } 473 474 if (does_previous_pas_exist_here( 475 GPT_L0_IDX(pas_regions[idx].base_pa), 476 pas_regions, idx)) { 477 pas_l1_cnt--; 478 } 479 480 l1_cnt += pas_l1_cnt; 481 continue; 482 } 483 484 /* If execution reaches this point, mapping type is invalid */ 485 ERROR("GPT: PAS[%u] has invalid mapping type 0x%x.\n", idx, 486 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs)); 487 return -EINVAL; 488 } 489 490 return l1_cnt; 491 } 492 493 /* 494 * This function validates L0 initialization parameters. 495 * 496 * Parameters 497 * l0_mem_base Base address of memory used for L0 tables. 498 * l1_mem_size Size of memory available for L0 tables. 499 * 500 * Return 501 * Negative Linux error code in the event of a failure, 0 for success. 502 */ 503 static int validate_l0_params(gpccr_pps_e pps, uintptr_t l0_mem_base, 504 size_t l0_mem_size) 505 { 506 size_t l0_alignment, locks_size = 0; 507 508 /* 509 * Make sure PPS is valid and then store it since macros need this value 510 * to work. 511 */ 512 if (pps > GPT_PPS_MAX) { 513 ERROR("GPT: Invalid PPS: 0x%x\n", pps); 514 return -EINVAL; 515 } 516 gpt_config.pps = pps; 517 gpt_config.t = gpt_t_lookup[pps]; 518 519 /* Alignment must be the greater of 4KB or l0 table size */ 520 l0_alignment = PAGE_SIZE_4KB; 521 if (l0_alignment < GPT_L0_TABLE_SIZE(gpt_config.t)) { 522 l0_alignment = GPT_L0_TABLE_SIZE(gpt_config.t); 523 } 524 525 /* Check base address */ 526 if ((l0_mem_base == 0UL) || 527 ((l0_mem_base & (l0_alignment - 1UL)) != 0UL)) { 528 ERROR("GPT: Invalid L0 base address: 0x%lx\n", l0_mem_base); 529 return -EFAULT; 530 } 531 532 #if (RME_GPT_BITLOCK_BLOCK != 0) 533 /* 534 * Size of bitlocks in bytes for the protected address space 535 * with RME_GPT_BITLOCK_BLOCK * 512MB per bitlock. 536 */ 537 locks_size = GPT_PPS_ACTUAL_SIZE(gpt_config.t) / 538 (RME_GPT_BITLOCK_BLOCK * SZ_512M * 8U); 539 540 /* 541 * If protected space size is less than the size covered 542 * by 'bitlock' structure, check for a single bitlock. 543 */ 544 if (locks_size < LOCK_SIZE) { 545 locks_size = LOCK_SIZE; 546 } 547 #endif 548 /* Check size for L0 tables and bitlocks */ 549 if (l0_mem_size < (GPT_L0_TABLE_SIZE(gpt_config.t) + locks_size)) { 550 ERROR("GPT: Inadequate L0 memory\n"); 551 ERROR(" Expected 0x%lx bytes, got 0x%lx bytes\n", 552 GPT_L0_TABLE_SIZE(gpt_config.t) + locks_size, 553 l0_mem_size); 554 return -ENOMEM; 555 } 556 557 return 0; 558 } 559 560 /* 561 * In the event that L1 tables are needed, this function validates 562 * the L1 table generation parameters. 563 * 564 * Parameters 565 * l1_mem_base Base address of memory used for L1 table allocation. 566 * l1_mem_size Total size of memory available for L1 tables. 567 * l1_gpt_cnt Number of L1 tables needed. 568 * 569 * Return 570 * Negative Linux error code in the event of a failure, 0 for success. 571 */ 572 static int validate_l1_params(uintptr_t l1_mem_base, size_t l1_mem_size, 573 unsigned int l1_gpt_cnt) 574 { 575 size_t l1_gpt_mem_sz; 576 577 /* Check if the granularity is supported */ 578 if (!xlat_arch_is_granule_size_supported( 579 GPT_PGS_ACTUAL_SIZE(gpt_config.p))) { 580 return -EPERM; 581 } 582 583 /* Make sure L1 tables are aligned to their size */ 584 if ((l1_mem_base & (GPT_L1_TABLE_SIZE(gpt_config.p) - 1UL)) != 0UL) { 585 ERROR("GPT: Unaligned L1 GPT base address: 0x%"PRIxPTR"\n", 586 l1_mem_base); 587 return -EFAULT; 588 } 589 590 /* Get total memory needed for L1 tables */ 591 l1_gpt_mem_sz = l1_gpt_cnt * GPT_L1_TABLE_SIZE(gpt_config.p); 592 593 /* Check for overflow */ 594 if ((l1_gpt_mem_sz / GPT_L1_TABLE_SIZE(gpt_config.p)) != l1_gpt_cnt) { 595 ERROR("GPT: Overflow calculating L1 memory size\n"); 596 return -ENOMEM; 597 } 598 599 /* Make sure enough space was supplied */ 600 if (l1_mem_size < l1_gpt_mem_sz) { 601 ERROR("%sL1 GPTs%s", (const char *)"GPT: Inadequate ", 602 (const char *)" memory\n"); 603 ERROR(" Expected 0x%lx bytes, got 0x%lx bytes\n", 604 l1_gpt_mem_sz, l1_mem_size); 605 return -ENOMEM; 606 } 607 608 VERBOSE("GPT: Requested 0x%lx bytes for L1 GPTs\n", l1_gpt_mem_sz); 609 return 0; 610 } 611 612 /* 613 * This function initializes L0 block descriptors (regions that cannot be 614 * transitioned at the granule level) according to the provided PAS. 615 * 616 * Parameters 617 * *pas Pointer to the structure defining the PAS region to 618 * initialize. 619 */ 620 static void generate_l0_blk_desc(pas_region_t *pas) 621 { 622 uint64_t gpt_desc; 623 unsigned long idx, end_idx; 624 uint64_t *l0_gpt_arr; 625 626 assert(gpt_config.plat_gpt_l0_base != 0U); 627 assert(pas != NULL); 628 629 /* 630 * Checking of PAS parameters has already been done in 631 * validate_pas_mappings so no need to check the same things again. 632 */ 633 634 l0_gpt_arr = (uint64_t *)gpt_config.plat_gpt_l0_base; 635 636 /* Create the GPT Block descriptor for this PAS region */ 637 gpt_desc = GPT_L0_BLK_DESC(GPT_PAS_ATTR_GPI(pas->attrs)); 638 639 /* Start index of this region in L0 GPTs */ 640 idx = GPT_L0_IDX(pas->base_pa); 641 642 /* 643 * Determine number of L0 GPT descriptors covered by 644 * this PAS region and use the count to populate these 645 * descriptors. 646 */ 647 end_idx = GPT_L0_IDX(pas->base_pa + pas->size); 648 649 /* Generate the needed block descriptors */ 650 for (; idx < end_idx; idx++) { 651 l0_gpt_arr[idx] = gpt_desc; 652 VERBOSE("GPT: L0 entry (BLOCK) index %lu [%p]: GPI = 0x%"PRIx64" (0x%"PRIx64")\n", 653 idx, &l0_gpt_arr[idx], 654 (gpt_desc >> GPT_L0_BLK_DESC_GPI_SHIFT) & 655 GPT_L0_BLK_DESC_GPI_MASK, l0_gpt_arr[idx]); 656 } 657 } 658 659 /* 660 * Helper function to determine if the end physical address lies in the same L0 661 * region as the current physical address. If true, the end physical address is 662 * returned else, the start address of the next region is returned. 663 * 664 * Parameters 665 * cur_pa Physical address of the current PA in the loop through 666 * the range. 667 * end_pa Physical address of the end PA in a PAS range. 668 * 669 * Return 670 * The PA of the end of the current range. 671 */ 672 static uintptr_t get_l1_end_pa(uintptr_t cur_pa, uintptr_t end_pa) 673 { 674 uintptr_t cur_idx; 675 uintptr_t end_idx; 676 677 cur_idx = GPT_L0_IDX(cur_pa); 678 end_idx = GPT_L0_IDX(end_pa); 679 680 assert(cur_idx <= end_idx); 681 682 if (cur_idx == end_idx) { 683 return end_pa; 684 } 685 686 return (cur_idx + 1UL) << GPT_L0_IDX_SHIFT; 687 } 688 689 /* 690 * Helper function to fill out GPI entries from 'first' granule address of 691 * the specified 'length' in a single L1 table with 'l1_desc' Contiguous 692 * descriptor. 693 * 694 * Parameters 695 * l1 Pointer to L1 table to fill out 696 * first Address of first granule in range 697 * length Length of the range in bytes 698 * gpi GPI set this range to 699 * 700 * Return 701 * Address of next granule in range. 702 */ 703 static uintptr_t fill_l1_cont_desc(uint64_t *l1, uintptr_t first, 704 size_t length, unsigned int gpi) 705 { 706 /* 707 * Look up table for contiguous blocks and descriptors. 708 * Entries should be defined in descending block sizes: 709 * 512MB, 32MB and 2MB. 710 */ 711 static const gpt_fill_lookup_t gpt_fill_lookup[] = { 712 #if (RME_GPT_MAX_BLOCK == 512) 713 { SZ_512M, GPT_L1_CONT_DESC_512MB }, 714 #endif 715 #if (RME_GPT_MAX_BLOCK >= 32) 716 { SZ_32M, GPT_L1_CONT_DESC_32MB }, 717 #endif 718 #if (RME_GPT_MAX_BLOCK != 0) 719 { SZ_2M, GPT_L1_CONT_DESC_2MB } 720 #endif 721 }; 722 723 /* 724 * Iterate through all block sizes (512MB, 32MB and 2MB) 725 * starting with maximum supported. 726 */ 727 for (unsigned long i = 0UL; i < ARRAY_SIZE(gpt_fill_lookup); i++) { 728 /* Calculate index */ 729 unsigned long idx = GPT_L1_INDEX(first); 730 731 /* Contiguous block size */ 732 size_t cont_size = gpt_fill_lookup[i].size; 733 734 if (GPT_REGION_IS_CONT(length, first, cont_size)) { 735 736 /* Generate Contiguous descriptor */ 737 uint64_t l1_desc = GPT_L1_GPI_CONT_DESC(gpi, 738 gpt_fill_lookup[i].desc); 739 740 /* Number of 128-bit L1 entries in block */ 741 unsigned int cnt; 742 743 switch (cont_size) { 744 case SZ_512M: 745 cnt = L1_QWORDS_512MB; 746 break; 747 case SZ_32M: 748 cnt = L1_QWORDS_32MB; 749 break; 750 default: /* SZ_2MB */ 751 cnt = L1_QWORDS_2MB; 752 } 753 754 VERBOSE("GPT: Contiguous descriptor 0x%"PRIxPTR" %luMB\n", 755 first, cont_size / SZ_1M); 756 757 /* Fill Contiguous descriptors */ 758 fill_desc(&l1[idx], l1_desc, cnt); 759 first += cont_size; 760 length -= cont_size; 761 762 if (length == 0UL) { 763 break; 764 } 765 } 766 } 767 768 return first; 769 } 770 771 /* Build Granules descriptor with the same 'gpi' for every GPI entry */ 772 static uint64_t build_l1_desc(unsigned int gpi) 773 { 774 uint64_t l1_desc = (uint64_t)gpi | ((uint64_t)gpi << 4); 775 776 l1_desc |= (l1_desc << 8); 777 l1_desc |= (l1_desc << 16); 778 return (l1_desc | (l1_desc << 32)); 779 } 780 781 /* 782 * Helper function to fill out GPI entries from 'first' to 'last' granule 783 * address in a single L1 table with 'l1_desc' Granules descriptor. 784 * 785 * Parameters 786 * l1 Pointer to L1 table to fill out 787 * first Address of first granule in range 788 * last Address of last granule in range (inclusive) 789 * gpi GPI set this range to 790 * 791 * Return 792 * Address of next granule in range. 793 */ 794 static uintptr_t fill_l1_gran_desc(uint64_t *l1, uintptr_t first, 795 uintptr_t last, unsigned int gpi) 796 { 797 uint64_t gpi_mask; 798 unsigned long i; 799 800 /* Generate Granules descriptor */ 801 uint64_t l1_desc = build_l1_desc(gpi); 802 803 /* Shift the mask if we're starting in the middle of an L1 entry */ 804 gpi_mask = ULONG_MAX << (GPT_L1_GPI_IDX(gpt_config.p, first) << 2); 805 806 /* Fill out each L1 entry for this region */ 807 for (i = GPT_L1_INDEX(first); i <= GPT_L1_INDEX(last); i++) { 808 809 /* Account for stopping in the middle of an L1 entry */ 810 if (i == GPT_L1_INDEX(last)) { 811 gpi_mask &= (gpi_mask >> ((15U - 812 GPT_L1_GPI_IDX(gpt_config.p, last)) << 2)); 813 } 814 815 assert((l1[i] & gpi_mask) == (GPT_L1_ANY_DESC & gpi_mask)); 816 817 /* Write GPI values */ 818 l1[i] = (l1[i] & ~gpi_mask) | (l1_desc & gpi_mask); 819 820 /* Reset mask */ 821 gpi_mask = ULONG_MAX; 822 } 823 824 return last + GPT_PGS_ACTUAL_SIZE(gpt_config.p); 825 } 826 827 /* 828 * Helper function to fill out GPI entries in a single L1 table. 829 * This function fills out an entire L1 table with either Contiguous 830 * or Granules descriptors depending on region length and alignment. 831 * 832 * Parameters 833 * l1 Pointer to L1 table to fill out 834 * first Address of first granule in range 835 * last Address of last granule in range (inclusive) 836 * gpi GPI set this range to 837 */ 838 static void fill_l1_tbl(uint64_t *l1, uintptr_t first, uintptr_t last, 839 unsigned int gpi) 840 { 841 assert(l1 != NULL); 842 assert(first <= last); 843 assert((first & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) == 0UL); 844 assert((last & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) == 0UL); 845 assert(GPT_L0_IDX(first) == GPT_L0_IDX(last)); 846 847 while (first < last) { 848 /* Region length */ 849 size_t length = last - first + GPT_PGS_ACTUAL_SIZE(gpt_config.p); 850 851 if (length < SZ_2M) { 852 /* 853 * Fill with Granule descriptor in case of 854 * region length < 2MB. 855 */ 856 first = fill_l1_gran_desc(l1, first, last, gpi); 857 858 } else if ((first & (SZ_2M - UL(1))) == UL(0)) { 859 /* 860 * For region length >= 2MB and at least 2MB aligned 861 * call to fill_l1_cont_desc will iterate through 862 * all block sizes (512MB, 32MB and 2MB) supported and 863 * fill corresponding Contiguous descriptors. 864 */ 865 first = fill_l1_cont_desc(l1, first, length, gpi); 866 } else { 867 /* 868 * For not aligned region >= 2MB fill with Granules 869 * descriptors up to the next 2MB aligned address. 870 */ 871 uintptr_t new_last = ALIGN_2MB(first + SZ_2M) - 872 GPT_PGS_ACTUAL_SIZE(gpt_config.p); 873 874 first = fill_l1_gran_desc(l1, first, new_last, gpi); 875 } 876 } 877 878 assert(first == (last + GPT_PGS_ACTUAL_SIZE(gpt_config.p))); 879 } 880 881 /* 882 * This function finds the next available unused L1 table and initializes all 883 * granules descriptor entries to GPI_ANY. This ensures that there are no chunks 884 * of GPI_NO_ACCESS (0b0000) memory floating around in the system in the 885 * event that a PAS region stops midway through an L1 table, thus guaranteeing 886 * that all memory not explicitly assigned is GPI_ANY. This function does not 887 * check for overflow conditions, that should be done by the caller. 888 * 889 * Return 890 * Pointer to the next available L1 table. 891 */ 892 static uint64_t *get_new_l1_tbl(void) 893 { 894 /* Retrieve the next L1 table */ 895 uint64_t *l1 = (uint64_t *)gpt_l1_tbl; 896 897 /* Increment L1 GPT address */ 898 gpt_l1_tbl += GPT_L1_TABLE_SIZE(gpt_config.p); 899 900 /* Initialize all GPIs to GPT_GPI_ANY */ 901 for (unsigned int i = 0U; i < GPT_L1_ENTRY_COUNT(gpt_config.p); i++) { 902 l1[i] = GPT_L1_ANY_DESC; 903 } 904 905 return l1; 906 } 907 908 /* 909 * When L1 tables are needed, this function creates the necessary L0 table 910 * descriptors and fills out the L1 table entries according to the supplied 911 * PAS range. 912 * 913 * Parameters 914 * *pas Pointer to the structure defining the PAS region. 915 */ 916 static void generate_l0_tbl_desc(pas_region_t *pas) 917 { 918 uintptr_t end_pa; 919 uintptr_t cur_pa; 920 uintptr_t last_gran_pa; 921 uint64_t *l0_gpt_base; 922 uint64_t *l1_gpt_arr; 923 unsigned int l0_idx, gpi; 924 925 assert(gpt_config.plat_gpt_l0_base != 0U); 926 assert(pas != NULL); 927 928 /* 929 * Checking of PAS parameters has already been done in 930 * validate_pas_mappings so no need to check the same things again. 931 */ 932 end_pa = pas->base_pa + pas->size; 933 l0_gpt_base = (uint64_t *)gpt_config.plat_gpt_l0_base; 934 935 /* We start working from the granule at base PA */ 936 cur_pa = pas->base_pa; 937 938 /* Get GPI */ 939 gpi = GPT_PAS_ATTR_GPI(pas->attrs); 940 941 /* Iterate over each L0 region in this memory range */ 942 for (l0_idx = (unsigned int)GPT_L0_IDX(pas->base_pa); 943 l0_idx <= (unsigned int)GPT_L0_IDX(end_pa - 1UL); 944 l0_idx++) { 945 /* 946 * See if the L0 entry is already a table descriptor or if we 947 * need to create one. 948 */ 949 if (GPT_L0_TYPE(l0_gpt_base[l0_idx]) == GPT_L0_TYPE_TBL_DESC) { 950 /* Get the L1 array from the L0 entry */ 951 l1_gpt_arr = GPT_L0_TBLD_ADDR(l0_gpt_base[l0_idx]); 952 } else { 953 /* Get a new L1 table from the L1 memory space */ 954 l1_gpt_arr = get_new_l1_tbl(); 955 956 /* Fill out the L0 descriptor and flush it */ 957 l0_gpt_base[l0_idx] = GPT_L0_TBL_DESC(l1_gpt_arr); 958 } 959 960 VERBOSE("GPT: L0 entry (TABLE) index %u [%p] ==> L1 Addr %p (0x%"PRIx64")\n", 961 l0_idx, &l0_gpt_base[l0_idx], l1_gpt_arr, l0_gpt_base[l0_idx]); 962 963 /* 964 * Determine the PA of the last granule in this L0 descriptor. 965 */ 966 last_gran_pa = get_l1_end_pa(cur_pa, end_pa) - 967 GPT_PGS_ACTUAL_SIZE(gpt_config.p); 968 969 /* 970 * Fill up L1 GPT entries between these two addresses. This 971 * function needs the addresses of the first granule and last 972 * granule in the range. 973 */ 974 fill_l1_tbl(l1_gpt_arr, cur_pa, last_gran_pa, gpi); 975 976 /* Advance cur_pa to first granule in next L0 region */ 977 cur_pa = get_l1_end_pa(cur_pa, end_pa); 978 } 979 } 980 981 /* 982 * This function flushes a range of L0 descriptors used by a given PAS region 983 * array. There is a chance that some unmodified L0 descriptors would be flushed 984 * in the case that there are "holes" in an array of PAS regions but overall 985 * this should be faster than individually flushing each modified L0 descriptor 986 * as they are created. 987 * 988 * Parameters 989 * *pas Pointer to an array of PAS regions. 990 * pas_count Number of entries in the PAS array. 991 */ 992 static void flush_l0_for_pas_array(pas_region_t *pas, unsigned int pas_count) 993 { 994 unsigned long idx; 995 unsigned long start_idx; 996 unsigned long end_idx; 997 uint64_t *l0 = (uint64_t *)gpt_config.plat_gpt_l0_base; 998 999 assert(pas != NULL); 1000 assert(pas_count != 0U); 1001 1002 /* Initial start and end values */ 1003 start_idx = GPT_L0_IDX(pas[0].base_pa); 1004 end_idx = GPT_L0_IDX(pas[0].base_pa + pas[0].size - 1UL); 1005 1006 /* Find lowest and highest L0 indices used in this PAS array */ 1007 for (idx = 1UL; idx < pas_count; idx++) { 1008 if (GPT_L0_IDX(pas[idx].base_pa) < start_idx) { 1009 start_idx = GPT_L0_IDX(pas[idx].base_pa); 1010 } 1011 if (GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1UL) > end_idx) { 1012 end_idx = GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1UL); 1013 } 1014 } 1015 1016 /* 1017 * Flush all covered L0 descriptors, add 1 because we need to include 1018 * the end index value. 1019 */ 1020 flush_dcache_range((uintptr_t)&l0[start_idx], 1021 ((end_idx + 1UL) - start_idx) * sizeof(uint64_t)); 1022 } 1023 1024 /* 1025 * Public API to enable granule protection checks once the tables have all been 1026 * initialized. This function is called at first initialization and then again 1027 * later during warm boots of CPU cores. 1028 * 1029 * Return 1030 * Negative Linux error code in the event of a failure, 0 for success. 1031 */ 1032 int gpt_enable(void) 1033 { 1034 u_register_t gpccr_el3; 1035 1036 /* 1037 * Granule tables must be initialised before enabling 1038 * granule protection. 1039 */ 1040 if (gpt_config.plat_gpt_l0_base == 0UL) { 1041 ERROR("GPT: Tables have not been initialized!\n"); 1042 return -EPERM; 1043 } 1044 1045 /* Write the base address of the L0 tables into GPTBR */ 1046 write_gptbr_el3(((gpt_config.plat_gpt_l0_base >> GPTBR_BADDR_VAL_SHIFT) 1047 >> GPTBR_BADDR_SHIFT) & GPTBR_BADDR_MASK); 1048 1049 /* GPCCR_EL3.PPS */ 1050 gpccr_el3 = SET_GPCCR_PPS(gpt_config.pps); 1051 1052 /* GPCCR_EL3.PGS */ 1053 gpccr_el3 |= SET_GPCCR_PGS(gpt_config.pgs); 1054 1055 /* 1056 * Since EL3 maps the L1 region as Inner shareable, use the same 1057 * shareability attribute for GPC as well so that 1058 * GPC fetches are visible to PEs 1059 */ 1060 gpccr_el3 |= SET_GPCCR_SH(GPCCR_SH_IS); 1061 1062 /* Outer and Inner cacheability set to Normal memory, WB, RA, WA */ 1063 gpccr_el3 |= SET_GPCCR_ORGN(GPCCR_ORGN_WB_RA_WA); 1064 gpccr_el3 |= SET_GPCCR_IRGN(GPCCR_IRGN_WB_RA_WA); 1065 1066 /* Prepopulate GPCCR_EL3 but don't enable GPC yet */ 1067 write_gpccr_el3(gpccr_el3); 1068 isb(); 1069 1070 /* Invalidate any stale TLB entries and any cached register fields */ 1071 tlbipaallos(); 1072 dsb(); 1073 isb(); 1074 1075 /* Enable GPT */ 1076 gpccr_el3 |= GPCCR_GPC_BIT; 1077 1078 /* TODO: Configure GPCCR_EL3_GPCP for Fault control */ 1079 write_gpccr_el3(gpccr_el3); 1080 isb(); 1081 tlbipaallos(); 1082 dsb(); 1083 isb(); 1084 1085 return 0; 1086 } 1087 1088 /* 1089 * Public API to disable granule protection checks. 1090 */ 1091 void gpt_disable(void) 1092 { 1093 u_register_t gpccr_el3 = read_gpccr_el3(); 1094 1095 write_gpccr_el3(gpccr_el3 & ~GPCCR_GPC_BIT); 1096 dsbsy(); 1097 isb(); 1098 } 1099 1100 /* 1101 * Public API that initializes the entire protected space to GPT_GPI_ANY using 1102 * the L0 tables (block descriptors). Ideally, this function is invoked prior 1103 * to DDR discovery and initialization. The MMU must be initialized before 1104 * calling this function. 1105 * 1106 * Parameters 1107 * pps PPS value to use for table generation 1108 * l0_mem_base Base address of L0 tables in memory. 1109 * l0_mem_size Total size of memory available for L0 tables. 1110 * 1111 * Return 1112 * Negative Linux error code in the event of a failure, 0 for success. 1113 */ 1114 int gpt_init_l0_tables(gpccr_pps_e pps, uintptr_t l0_mem_base, 1115 size_t l0_mem_size) 1116 { 1117 uint64_t gpt_desc; 1118 size_t locks_size = 0; 1119 __unused bitlock_t *bit_locks; 1120 int ret; 1121 1122 /* Ensure that MMU and Data caches are enabled */ 1123 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 1124 1125 /* Validate other parameters */ 1126 ret = validate_l0_params(pps, l0_mem_base, l0_mem_size); 1127 if (ret != 0) { 1128 return ret; 1129 } 1130 1131 /* Create the descriptor to initialize L0 entries with */ 1132 gpt_desc = GPT_L0_BLK_DESC(GPT_GPI_ANY); 1133 1134 /* Iterate through all L0 entries */ 1135 for (unsigned int i = 0U; i < GPT_L0_REGION_COUNT(gpt_config.t); i++) { 1136 ((uint64_t *)l0_mem_base)[i] = gpt_desc; 1137 } 1138 1139 #if (RME_GPT_BITLOCK_BLOCK != 0) 1140 /* Initialise bitlocks at the end of L0 table */ 1141 bit_locks = (bitlock_t *)(l0_mem_base + 1142 GPT_L0_TABLE_SIZE(gpt_config.t)); 1143 1144 /* Size of bitlocks in bytes */ 1145 locks_size = GPT_PPS_ACTUAL_SIZE(gpt_config.t) / 1146 (RME_GPT_BITLOCK_BLOCK * SZ_512M * 8U); 1147 1148 /* 1149 * If protected space size is less than the size covered 1150 * by 'bitlock' structure, initialise a single bitlock. 1151 */ 1152 if (locks_size < LOCK_SIZE) { 1153 locks_size = LOCK_SIZE; 1154 } 1155 1156 for (size_t i = 0UL; i < (locks_size/LOCK_SIZE); i++) { 1157 bit_locks[i].lock = 0U; 1158 } 1159 #endif 1160 1161 /* Flush updated L0 tables and bitlocks to memory */ 1162 flush_dcache_range((uintptr_t)l0_mem_base, 1163 GPT_L0_TABLE_SIZE(gpt_config.t) + locks_size); 1164 1165 /* Stash the L0 base address once initial setup is complete */ 1166 gpt_config.plat_gpt_l0_base = l0_mem_base; 1167 1168 return 0; 1169 } 1170 1171 /* 1172 * Public API that carves out PAS regions from the L0 tables and builds any L1 1173 * tables that are needed. This function ideally is run after DDR discovery and 1174 * initialization. The L0 tables must have already been initialized to GPI_ANY 1175 * when this function is called. 1176 * 1177 * This function can be called multiple times with different L1 memory ranges 1178 * and PAS regions if it is desirable to place L1 tables in different locations 1179 * in memory. (ex: you have multiple DDR banks and want to place the L1 tables 1180 * in the DDR bank that they control). 1181 * 1182 * Parameters 1183 * pgs PGS value to use for table generation. 1184 * l1_mem_base Base address of memory used for L1 tables. 1185 * l1_mem_size Total size of memory available for L1 tables. 1186 * *pas_regions Pointer to PAS regions structure array. 1187 * pas_count Total number of PAS regions. 1188 * 1189 * Return 1190 * Negative Linux error code in the event of a failure, 0 for success. 1191 */ 1192 int gpt_init_pas_l1_tables(gpccr_pgs_e pgs, uintptr_t l1_mem_base, 1193 size_t l1_mem_size, pas_region_t *pas_regions, 1194 unsigned int pas_count) 1195 { 1196 int l1_gpt_cnt, ret; 1197 1198 /* Ensure that MMU and Data caches are enabled */ 1199 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 1200 1201 /* PGS is needed for validate_pas_mappings so check it now */ 1202 if (pgs > GPT_PGS_MAX) { 1203 ERROR("GPT: Invalid PGS: 0x%x\n", pgs); 1204 return -EINVAL; 1205 } 1206 gpt_config.pgs = pgs; 1207 gpt_config.p = gpt_p_lookup[pgs]; 1208 1209 /* Make sure L0 tables have been initialized */ 1210 if (gpt_config.plat_gpt_l0_base == 0U) { 1211 ERROR("GPT: L0 tables must be initialized first!\n"); 1212 return -EPERM; 1213 } 1214 1215 /* Check if L1 GPTs are required and how many */ 1216 l1_gpt_cnt = validate_pas_mappings(pas_regions, pas_count); 1217 if (l1_gpt_cnt < 0) { 1218 return l1_gpt_cnt; 1219 } 1220 1221 VERBOSE("GPT: %i L1 GPTs requested\n", l1_gpt_cnt); 1222 1223 /* If L1 tables are needed then validate the L1 parameters */ 1224 if (l1_gpt_cnt > 0) { 1225 ret = validate_l1_params(l1_mem_base, l1_mem_size, 1226 (unsigned int)l1_gpt_cnt); 1227 if (ret != 0) { 1228 return ret; 1229 } 1230 1231 /* Set up parameters for L1 table generation */ 1232 gpt_l1_tbl = l1_mem_base; 1233 } 1234 1235 /* Number of L1 entries in 2MB depends on GPCCR_EL3.PGS value */ 1236 gpt_l1_cnt_2mb = (unsigned int)GPT_L1_ENTRY_COUNT_2MB(gpt_config.p); 1237 1238 /* Mask for the L1 index field */ 1239 gpt_l1_index_mask = GPT_L1_IDX_MASK(gpt_config.p); 1240 1241 INFO("GPT: Boot Configuration\n"); 1242 INFO(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t); 1243 INFO(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p); 1244 INFO(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL); 1245 INFO(" PAS count: %u\n", pas_count); 1246 INFO(" L0 base: 0x%"PRIxPTR"\n", gpt_config.plat_gpt_l0_base); 1247 1248 /* Generate the tables in memory */ 1249 for (unsigned int idx = 0U; idx < pas_count; idx++) { 1250 VERBOSE("GPT: PAS[%u]: base 0x%"PRIxPTR"\tsize 0x%lx\tGPI 0x%x\ttype 0x%x\n", 1251 idx, pas_regions[idx].base_pa, pas_regions[idx].size, 1252 GPT_PAS_ATTR_GPI(pas_regions[idx].attrs), 1253 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs)); 1254 1255 /* Check if a block or table descriptor is required */ 1256 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 1257 GPT_PAS_ATTR_MAP_TYPE_BLOCK) { 1258 generate_l0_blk_desc(&pas_regions[idx]); 1259 1260 } else { 1261 generate_l0_tbl_desc(&pas_regions[idx]); 1262 } 1263 } 1264 1265 /* Flush modified L0 tables */ 1266 flush_l0_for_pas_array(pas_regions, pas_count); 1267 1268 /* Flush L1 tables if needed */ 1269 if (l1_gpt_cnt > 0) { 1270 flush_dcache_range(l1_mem_base, 1271 GPT_L1_TABLE_SIZE(gpt_config.p) * 1272 (size_t)l1_gpt_cnt); 1273 } 1274 1275 /* Make sure that all the entries are written to the memory */ 1276 dsbishst(); 1277 tlbipaallos(); 1278 dsb(); 1279 isb(); 1280 1281 return 0; 1282 } 1283 1284 /* 1285 * Public API to initialize the runtime gpt_config structure based on the values 1286 * present in the GPTBR_EL3 and GPCCR_EL3 registers. GPT initialization 1287 * typically happens in a bootloader stage prior to setting up the EL3 runtime 1288 * environment for the granule transition service so this function detects the 1289 * initialization from a previous stage. Granule protection checks must be 1290 * enabled already or this function will return an error. 1291 * 1292 * Return 1293 * Negative Linux error code in the event of a failure, 0 for success. 1294 */ 1295 int gpt_runtime_init(void) 1296 { 1297 u_register_t reg; 1298 1299 /* Ensure that MMU and Data caches are enabled */ 1300 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 1301 1302 /* Ensure GPC are already enabled */ 1303 if ((read_gpccr_el3() & GPCCR_GPC_BIT) == 0U) { 1304 ERROR("GPT: Granule protection checks are not enabled!\n"); 1305 return -EPERM; 1306 } 1307 1308 /* 1309 * Read the L0 table address from GPTBR, we don't need the L1 base 1310 * address since those are included in the L0 tables as needed. 1311 */ 1312 reg = read_gptbr_el3(); 1313 gpt_config.plat_gpt_l0_base = ((reg >> GPTBR_BADDR_SHIFT) & 1314 GPTBR_BADDR_MASK) << 1315 GPTBR_BADDR_VAL_SHIFT; 1316 1317 /* Read GPCCR to get PGS and PPS values */ 1318 reg = read_gpccr_el3(); 1319 gpt_config.pps = (reg >> GPCCR_PPS_SHIFT) & GPCCR_PPS_MASK; 1320 gpt_config.t = gpt_t_lookup[gpt_config.pps]; 1321 gpt_config.pgs = (reg >> GPCCR_PGS_SHIFT) & GPCCR_PGS_MASK; 1322 gpt_config.p = gpt_p_lookup[gpt_config.pgs]; 1323 1324 /* Number of L1 entries in 2MB depends on GPCCR_EL3.PGS value */ 1325 gpt_l1_cnt_2mb = (unsigned int)GPT_L1_ENTRY_COUNT_2MB(gpt_config.p); 1326 1327 /* Mask for the L1 index field */ 1328 gpt_l1_index_mask = GPT_L1_IDX_MASK(gpt_config.p); 1329 1330 #if (RME_GPT_BITLOCK_BLOCK != 0) 1331 /* Bitlocks at the end of L0 table */ 1332 gpt_bitlock_base = (bitlock_t *)(gpt_config.plat_gpt_l0_base + 1333 GPT_L0_TABLE_SIZE(gpt_config.t)); 1334 #endif 1335 VERBOSE("GPT: Runtime Configuration\n"); 1336 VERBOSE(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t); 1337 VERBOSE(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p); 1338 VERBOSE(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL); 1339 VERBOSE(" L0 base: 0x%"PRIxPTR"\n", gpt_config.plat_gpt_l0_base); 1340 #if (RME_GPT_BITLOCK_BLOCK != 0) 1341 VERBOSE(" Bitlocks: 0x%"PRIxPTR"\n", (uintptr_t)gpt_bitlock_base); 1342 #endif 1343 return 0; 1344 } 1345 1346 /* 1347 * A helper to write the value (target_pas << gpi_shift) to the index of 1348 * the gpt_l1_addr. 1349 */ 1350 static inline void write_gpt(uint64_t *gpt_l1_desc, uint64_t *gpt_l1_addr, 1351 unsigned int gpi_shift, unsigned int idx, 1352 unsigned int target_pas) 1353 { 1354 *gpt_l1_desc &= ~(GPT_L1_GRAN_DESC_GPI_MASK << gpi_shift); 1355 *gpt_l1_desc |= ((uint64_t)target_pas << gpi_shift); 1356 gpt_l1_addr[idx] = *gpt_l1_desc; 1357 1358 dsboshst(); 1359 } 1360 1361 /* 1362 * Helper to retrieve the gpt_l1_* information from the base address 1363 * returned in gpi_info. 1364 */ 1365 static int get_gpi_params(uint64_t base, gpi_info_t *gpi_info) 1366 { 1367 uint64_t gpt_l0_desc, *gpt_l0_base; 1368 __unused unsigned int block_idx; 1369 1370 gpt_l0_base = (uint64_t *)gpt_config.plat_gpt_l0_base; 1371 gpt_l0_desc = gpt_l0_base[GPT_L0_IDX(base)]; 1372 if (GPT_L0_TYPE(gpt_l0_desc) != GPT_L0_TYPE_TBL_DESC) { 1373 VERBOSE("GPT: Granule is not covered by a table descriptor!\n"); 1374 VERBOSE(" Base=0x%"PRIx64"\n", base); 1375 return -EINVAL; 1376 } 1377 1378 /* Get the table index and GPI shift from PA */ 1379 gpi_info->gpt_l1_addr = GPT_L0_TBLD_ADDR(gpt_l0_desc); 1380 gpi_info->idx = (unsigned int)GPT_L1_INDEX(base); 1381 gpi_info->gpi_shift = GPT_L1_GPI_IDX(gpt_config.p, base) << 2; 1382 1383 #if (RME_GPT_BITLOCK_BLOCK != 0) 1384 /* Block index */ 1385 block_idx = (unsigned int)(base / (RME_GPT_BITLOCK_BLOCK * SZ_512M)); 1386 1387 /* Bitlock address and mask */ 1388 gpi_info->lock = &gpt_bitlock_base[block_idx / LOCK_BITS]; 1389 gpi_info->mask = 1U << (block_idx & (LOCK_BITS - 1U)); 1390 #endif 1391 return 0; 1392 } 1393 1394 /* 1395 * Helper to retrieve the gpt_l1_desc and GPI information from gpi_info. 1396 * This function is called with bitlock or spinlock acquired. 1397 */ 1398 static void read_gpi(gpi_info_t *gpi_info) 1399 { 1400 gpi_info->gpt_l1_desc = (gpi_info->gpt_l1_addr)[gpi_info->idx]; 1401 1402 if ((gpi_info->gpt_l1_desc & GPT_L1_TYPE_CONT_DESC_MASK) == 1403 GPT_L1_TYPE_CONT_DESC) { 1404 /* Read GPI from Contiguous descriptor */ 1405 gpi_info->gpi = (unsigned int)GPT_L1_CONT_GPI(gpi_info->gpt_l1_desc); 1406 } else { 1407 /* Read GPI from Granules descriptor */ 1408 gpi_info->gpi = (unsigned int)((gpi_info->gpt_l1_desc >> gpi_info->gpi_shift) & 1409 GPT_L1_GRAN_DESC_GPI_MASK); 1410 } 1411 } 1412 1413 static void flush_page_to_popa(uintptr_t addr) 1414 { 1415 size_t size = GPT_PGS_ACTUAL_SIZE(gpt_config.p); 1416 1417 if (is_feat_mte2_supported()) { 1418 flush_dcache_to_popa_range_mte2(addr, size); 1419 } else { 1420 flush_dcache_to_popa_range(addr, size); 1421 } 1422 } 1423 1424 /* 1425 * Helper function to check if all L1 entries in 2MB block have 1426 * the same Granules descriptor value. 1427 * 1428 * Parameters 1429 * base Base address of the region to be checked 1430 * gpi_info Pointer to 'gpt_config_t' structure 1431 * l1_desc GPT Granules descriptor with all entries 1432 * set to the same GPI. 1433 * 1434 * Return 1435 * true if L1 all entries have the same descriptor value, false otherwise. 1436 */ 1437 __unused static bool check_fuse_2mb(uint64_t base, const gpi_info_t *gpi_info, 1438 uint64_t l1_desc) 1439 { 1440 /* Last L1 entry index in 2MB block */ 1441 unsigned int long idx = GPT_L1_INDEX(ALIGN_2MB(base)) + 1442 gpt_l1_cnt_2mb - 1UL; 1443 1444 /* Number of L1 entries in 2MB block */ 1445 unsigned int cnt = gpt_l1_cnt_2mb; 1446 1447 /* 1448 * Start check from the last L1 entry and continue until the first 1449 * non-matching to the passed Granules descriptor value is found. 1450 */ 1451 while (cnt-- != 0U) { 1452 if (gpi_info->gpt_l1_addr[idx--] != l1_desc) { 1453 /* Non-matching L1 entry found */ 1454 return false; 1455 } 1456 } 1457 1458 return true; 1459 } 1460 1461 __unused static void fuse_2mb(uint64_t base, const gpi_info_t *gpi_info, 1462 uint64_t l1_desc) 1463 { 1464 /* L1 entry index of the start of 2MB block */ 1465 unsigned long idx_2 = GPT_L1_INDEX(ALIGN_2MB(base)); 1466 1467 /* 2MB Contiguous descriptor */ 1468 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 2MB); 1469 1470 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", __func__, base, l1_desc); 1471 1472 fill_desc(&gpi_info->gpt_l1_addr[idx_2], l1_cont_desc, L1_QWORDS_2MB); 1473 } 1474 1475 /* 1476 * Helper function to check if all 1st L1 entries of 2MB blocks 1477 * in 32MB have the same 2MB Contiguous descriptor value. 1478 * 1479 * Parameters 1480 * base Base address of the region to be checked 1481 * gpi_info Pointer to 'gpt_config_t' structure 1482 * l1_desc GPT Granules descriptor. 1483 * 1484 * Return 1485 * true if all L1 entries have the same descriptor value, false otherwise. 1486 */ 1487 __unused static bool check_fuse_32mb(uint64_t base, const gpi_info_t *gpi_info, 1488 uint64_t l1_desc) 1489 { 1490 /* The 1st L1 entry index of the last 2MB block in 32MB */ 1491 unsigned long idx = GPT_L1_INDEX(ALIGN_32MB(base)) + 1492 (15UL * gpt_l1_cnt_2mb); 1493 1494 /* 2MB Contiguous descriptor */ 1495 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 2MB); 1496 1497 /* Number of 2MB blocks in 32MB */ 1498 unsigned int cnt = 16U; 1499 1500 /* Set the first L1 entry to 2MB Contiguous descriptor */ 1501 gpi_info->gpt_l1_addr[GPT_L1_INDEX(ALIGN_2MB(base))] = l1_cont_desc; 1502 1503 /* 1504 * Start check from the 1st L1 entry of the last 2MB block and 1505 * continue until the first non-matching to 2MB Contiguous descriptor 1506 * value is found. 1507 */ 1508 while (cnt-- != 0U) { 1509 if (gpi_info->gpt_l1_addr[idx] != l1_cont_desc) { 1510 /* Non-matching L1 entry found */ 1511 return false; 1512 } 1513 idx -= gpt_l1_cnt_2mb; 1514 } 1515 1516 return true; 1517 } 1518 1519 __unused static void fuse_32mb(uint64_t base, const gpi_info_t *gpi_info, 1520 uint64_t l1_desc) 1521 { 1522 /* L1 entry index of the start of 32MB block */ 1523 unsigned long idx_32 = GPT_L1_INDEX(ALIGN_32MB(base)); 1524 1525 /* 32MB Contiguous descriptor */ 1526 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 32MB); 1527 1528 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", __func__, base, l1_desc); 1529 1530 fill_desc(&gpi_info->gpt_l1_addr[idx_32], l1_cont_desc, L1_QWORDS_32MB); 1531 } 1532 1533 /* 1534 * Helper function to check if all 1st L1 entries of 32MB blocks 1535 * in 512MB have the same 32MB Contiguous descriptor value. 1536 * 1537 * Parameters 1538 * base Base address of the region to be checked 1539 * gpi_info Pointer to 'gpt_config_t' structure 1540 * l1_desc GPT Granules descriptor. 1541 * 1542 * Return 1543 * true if all L1 entries have the same descriptor value, false otherwise. 1544 */ 1545 __unused static bool check_fuse_512mb(uint64_t base, const gpi_info_t *gpi_info, 1546 uint64_t l1_desc) 1547 { 1548 /* The 1st L1 entry index of the last 32MB block in 512MB */ 1549 unsigned long idx = GPT_L1_INDEX(ALIGN_512MB(base)) + 1550 (15UL * 16UL * gpt_l1_cnt_2mb); 1551 1552 /* 32MB Contiguous descriptor */ 1553 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 32MB); 1554 1555 /* Number of 32MB blocks in 512MB */ 1556 unsigned int cnt = 16U; 1557 1558 /* Set the first L1 entry to 2MB Contiguous descriptor */ 1559 gpi_info->gpt_l1_addr[GPT_L1_INDEX(ALIGN_32MB(base))] = l1_cont_desc; 1560 1561 /* 1562 * Start check from the 1st L1 entry of the last 32MB block and 1563 * continue until the first non-matching to 32MB Contiguous descriptor 1564 * value is found. 1565 */ 1566 while (cnt-- != 0U) { 1567 if (gpi_info->gpt_l1_addr[idx] != l1_cont_desc) { 1568 /* Non-matching L1 entry found */ 1569 return false; 1570 } 1571 idx -= 16UL * gpt_l1_cnt_2mb; 1572 } 1573 1574 return true; 1575 } 1576 1577 __unused static void fuse_512mb(uint64_t base, const gpi_info_t *gpi_info, 1578 uint64_t l1_desc) 1579 { 1580 /* L1 entry index of the start of 512MB block */ 1581 unsigned long idx_512 = GPT_L1_INDEX(ALIGN_512MB(base)); 1582 1583 /* 512MB Contiguous descriptor */ 1584 uint64_t l1_cont_desc = GPT_L1_CONT_DESC(l1_desc, 512MB); 1585 1586 VERBOSE("GPT: %s(0x%"PRIxPTR" 0x%"PRIx64")\n", __func__, base, l1_desc); 1587 1588 fill_desc(&gpi_info->gpt_l1_addr[idx_512], l1_cont_desc, L1_QWORDS_512MB); 1589 } 1590 1591 /* 1592 * Helper function to convert GPI entries in a single L1 table 1593 * from Granules to Contiguous descriptor. 1594 * 1595 * Parameters 1596 * base Base address of the region to be written 1597 * gpi_info Pointer to 'gpt_config_t' structure 1598 * l1_desc GPT Granules descriptor with all entries 1599 * set to the same GPI. 1600 */ 1601 __unused static void fuse_block(uint64_t base, const gpi_info_t *gpi_info, 1602 uint64_t l1_desc) 1603 { 1604 /* Start with check for 2MB block */ 1605 if (!check_fuse_2mb(base, gpi_info, l1_desc)) { 1606 /* Check for 2MB fusing failed */ 1607 return; 1608 } 1609 1610 #if (RME_GPT_MAX_BLOCK == 2) 1611 fuse_2mb(base, gpi_info, l1_desc); 1612 #else 1613 /* Check for 32MB block */ 1614 if (!check_fuse_32mb(base, gpi_info, l1_desc)) { 1615 /* Check for 32MB fusing failed, fuse to 2MB */ 1616 fuse_2mb(base, gpi_info, l1_desc); 1617 return; 1618 } 1619 1620 #if (RME_GPT_MAX_BLOCK == 32) 1621 fuse_32mb(base, gpi_info, l1_desc); 1622 #else 1623 /* Check for 512MB block */ 1624 if (!check_fuse_512mb(base, gpi_info, l1_desc)) { 1625 /* Check for 512MB fusing failed, fuse to 32MB */ 1626 fuse_32mb(base, gpi_info, l1_desc); 1627 return; 1628 } 1629 1630 /* Fuse to 512MB */ 1631 fuse_512mb(base, gpi_info, l1_desc); 1632 1633 #endif /* RME_GPT_MAX_BLOCK == 32 */ 1634 #endif /* RME_GPT_MAX_BLOCK == 2 */ 1635 } 1636 1637 /* 1638 * Helper function to convert GPI entries in a single L1 table 1639 * from Contiguous to Granules descriptor. This function updates 1640 * descriptor to Granules in passed 'gpt_config_t' structure as 1641 * the result of shuttering. 1642 * 1643 * Parameters 1644 * base Base address of the region to be written 1645 * gpi_info Pointer to 'gpt_config_t' structure 1646 * l1_desc GPT Granules descriptor set this range to. 1647 */ 1648 __unused static void shatter_block(uint64_t base, gpi_info_t *gpi_info, 1649 uint64_t l1_desc) 1650 { 1651 /* Look-up table for 2MB, 32MB and 512MB locks shattering */ 1652 static const gpt_shatter_func gpt_shatter_lookup[] = { 1653 shatter_2mb, 1654 shatter_32mb, 1655 shatter_512mb 1656 }; 1657 1658 /* Look-up table for invalidation TLBs for 2MB, 32MB and 512MB blocks */ 1659 static const gpt_tlbi_lookup_t tlbi_lookup[] = { 1660 { tlbirpalos_2m, ~(SZ_2M - 1UL) }, 1661 { tlbirpalos_32m, ~(SZ_32M - 1UL) }, 1662 { tlbirpalos_512m, ~(SZ_512M - 1UL) } 1663 }; 1664 1665 /* Get shattering level from Contig field of Contiguous descriptor */ 1666 unsigned long level = GPT_L1_CONT_CONTIG(gpi_info->gpt_l1_desc) - 1UL; 1667 1668 /* Shatter contiguous block */ 1669 gpt_shatter_lookup[level](base, gpi_info, l1_desc); 1670 1671 tlbi_lookup[level].function(base & tlbi_lookup[level].mask); 1672 dsbosh(); 1673 1674 /* 1675 * Update 'gpt_config_t' structure's descriptor to Granules to reflect 1676 * the shattered GPI back to caller. 1677 */ 1678 gpi_info->gpt_l1_desc = l1_desc; 1679 } 1680 1681 /* 1682 * This function is the granule transition delegate service. When a granule 1683 * transition request occurs it is routed to this function to have the request, 1684 * if valid, fulfilled following A1.1.1 Delegate of RME supplement. 1685 * 1686 * TODO: implement support for transitioning multiple granules at once. 1687 * 1688 * Parameters 1689 * base Base address of the region to transition, must be 1690 * aligned to granule size. 1691 * size Size of region to transition, must be aligned to granule 1692 * size. 1693 * src_sec_state Security state of the caller. 1694 * 1695 * Return 1696 * Negative Linux error code in the event of a failure, 0 for success. 1697 */ 1698 int gpt_delegate_pas(uint64_t base, size_t size, unsigned int src_sec_state) 1699 { 1700 gpi_info_t gpi_info; 1701 uint64_t nse, __unused l1_desc; 1702 unsigned int target_pas; 1703 int res; 1704 1705 /* Ensure that the tables have been set up before taking requests */ 1706 assert(gpt_config.plat_gpt_l0_base != 0UL); 1707 1708 /* Ensure that caches are enabled */ 1709 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL); 1710 1711 /* See if this is a single or a range of granule transition */ 1712 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) { 1713 return -EINVAL; 1714 } 1715 1716 /* Check that base and size are valid */ 1717 if ((ULONG_MAX - base) < size) { 1718 VERBOSE("GPT: Transition request address overflow!\n"); 1719 VERBOSE(" Base=0x%"PRIx64"\n", base); 1720 VERBOSE(" Size=0x%lx\n", size); 1721 return -EINVAL; 1722 } 1723 1724 /* Make sure base and size are valid */ 1725 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) != 0UL) || 1726 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) != 0UL) || 1727 (size == 0UL) || 1728 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) { 1729 VERBOSE("GPT: Invalid granule transition address range!\n"); 1730 VERBOSE(" Base=0x%"PRIx64"\n", base); 1731 VERBOSE(" Size=0x%lx\n", size); 1732 return -EINVAL; 1733 } 1734 1735 /* Delegate request can only come from REALM or SECURE */ 1736 if ((src_sec_state != SMC_FROM_REALM) && 1737 (src_sec_state != SMC_FROM_SECURE)) { 1738 VERBOSE("GPT: Invalid caller security state 0x%x\n", 1739 src_sec_state); 1740 return -EINVAL; 1741 } 1742 1743 if (src_sec_state == SMC_FROM_REALM) { 1744 target_pas = GPT_GPI_REALM; 1745 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT; 1746 l1_desc = GPT_L1_REALM_DESC; 1747 } else { 1748 target_pas = GPT_GPI_SECURE; 1749 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT; 1750 l1_desc = GPT_L1_SECURE_DESC; 1751 } 1752 1753 res = get_gpi_params(base, &gpi_info); 1754 if (res != 0) { 1755 return res; 1756 } 1757 1758 /* 1759 * Access to GPT is controlled by a lock to ensure that no more 1760 * than one CPU is allowed to make changes at any given time. 1761 */ 1762 GPT_LOCK; 1763 read_gpi(&gpi_info); 1764 1765 /* Check that the current address is in NS state */ 1766 if (gpi_info.gpi != GPT_GPI_NS) { 1767 VERBOSE("GPT: Only Granule in NS state can be delegated.\n"); 1768 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state, 1769 gpi_info.gpi); 1770 GPT_UNLOCK; 1771 return -EPERM; 1772 } 1773 1774 #if (RME_GPT_MAX_BLOCK != 0) 1775 /* Check for Contiguous descriptor */ 1776 if ((gpi_info.gpt_l1_desc & GPT_L1_TYPE_CONT_DESC_MASK) == 1777 GPT_L1_TYPE_CONT_DESC) { 1778 shatter_block(base, &gpi_info, GPT_L1_NS_DESC); 1779 } 1780 #endif 1781 /* 1782 * In order to maintain mutual distrust between Realm and Secure 1783 * states, remove any data speculatively fetched into the target 1784 * physical address space. 1785 * Issue DC CIPAPA or DC_CIGDPAPA on implementations with FEAT_MTE2. 1786 */ 1787 flush_page_to_popa(base | nse); 1788 1789 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1790 gpi_info.gpi_shift, gpi_info.idx, target_pas); 1791 1792 /* Ensure that all agents observe the new configuration */ 1793 tlbi_page_dsbosh(base); 1794 1795 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT; 1796 1797 /* Ensure that the scrubbed data have made it past the PoPA */ 1798 flush_page_to_popa(base | nse); 1799 1800 #if (RME_GPT_MAX_BLOCK != 0) 1801 if (gpi_info.gpt_l1_desc == l1_desc) { 1802 /* Try to fuse */ 1803 fuse_block(base, &gpi_info, l1_desc); 1804 } 1805 #endif 1806 1807 /* Unlock the lock to GPT */ 1808 GPT_UNLOCK; 1809 1810 /* 1811 * The isb() will be done as part of context 1812 * synchronization when returning to lower EL. 1813 */ 1814 VERBOSE("GPT: Granule 0x%"PRIx64" GPI 0x%x->0x%x\n", 1815 base, gpi_info.gpi, target_pas); 1816 1817 return 0; 1818 } 1819 1820 /* 1821 * This function is the granule transition undelegate service. When a granule 1822 * transition request occurs it is routed to this function where the request is 1823 * validated then fulfilled if possible. 1824 * 1825 * TODO: implement support for transitioning multiple granules at once. 1826 * 1827 * Parameters 1828 * base Base address of the region to transition, must be 1829 * aligned to granule size. 1830 * size Size of region to transition, must be aligned to granule 1831 * size. 1832 * src_sec_state Security state of the caller. 1833 * 1834 * Return 1835 * Negative Linux error code in the event of a failure, 0 for success. 1836 */ 1837 int gpt_undelegate_pas(uint64_t base, size_t size, unsigned int src_sec_state) 1838 { 1839 gpi_info_t gpi_info; 1840 uint64_t nse, __unused l1_desc; 1841 int res; 1842 1843 /* Ensure that the tables have been set up before taking requests */ 1844 assert(gpt_config.plat_gpt_l0_base != 0UL); 1845 1846 /* Ensure that MMU and caches are enabled */ 1847 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL); 1848 1849 /* See if this is a single or a range of granule transition */ 1850 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) { 1851 return -EINVAL; 1852 } 1853 1854 /* Check that base and size are valid */ 1855 if ((ULONG_MAX - base) < size) { 1856 VERBOSE("GPT: Transition request address overflow!\n"); 1857 VERBOSE(" Base=0x%"PRIx64"\n", base); 1858 VERBOSE(" Size=0x%lx\n", size); 1859 return -EINVAL; 1860 } 1861 1862 /* Make sure base and size are valid */ 1863 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) != 0UL) || 1864 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1UL)) != 0UL) || 1865 (size == 0UL) || 1866 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) { 1867 VERBOSE("GPT: Invalid granule transition address range!\n"); 1868 VERBOSE(" Base=0x%"PRIx64"\n", base); 1869 VERBOSE(" Size=0x%lx\n", size); 1870 return -EINVAL; 1871 } 1872 1873 res = get_gpi_params(base, &gpi_info); 1874 if (res != 0) { 1875 return res; 1876 } 1877 1878 /* 1879 * Access to GPT is controlled by a lock to ensure that no more 1880 * than one CPU is allowed to make changes at any given time. 1881 */ 1882 GPT_LOCK; 1883 read_gpi(&gpi_info); 1884 1885 /* Check that the current address is in the delegated state */ 1886 if ((src_sec_state == SMC_FROM_REALM) && 1887 (gpi_info.gpi == GPT_GPI_REALM)) { 1888 l1_desc = GPT_L1_REALM_DESC; 1889 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT; 1890 } else if ((src_sec_state == SMC_FROM_SECURE) && 1891 (gpi_info.gpi == GPT_GPI_SECURE)) { 1892 l1_desc = GPT_L1_SECURE_DESC; 1893 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT; 1894 } else { 1895 VERBOSE("GPT: Only Granule in REALM or SECURE state can be undelegated\n"); 1896 VERBOSE(" Caller: %u Current GPI: %u\n", src_sec_state, 1897 gpi_info.gpi); 1898 GPT_UNLOCK; 1899 return -EPERM; 1900 } 1901 1902 #if (RME_GPT_MAX_BLOCK != 0) 1903 /* Check for Contiguous descriptor */ 1904 if ((gpi_info.gpt_l1_desc & GPT_L1_TYPE_CONT_DESC_MASK) == 1905 GPT_L1_TYPE_CONT_DESC) { 1906 shatter_block(base, &gpi_info, l1_desc); 1907 } 1908 #endif 1909 /* 1910 * In order to maintain mutual distrust between Realm and Secure 1911 * states, remove access now, in order to guarantee that writes 1912 * to the currently-accessible physical address space will not 1913 * later become observable. 1914 */ 1915 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1916 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NO_ACCESS); 1917 1918 /* Ensure that all agents observe the new NO_ACCESS configuration */ 1919 tlbi_page_dsbosh(base); 1920 1921 /* Ensure that the scrubbed data have made it past the PoPA */ 1922 flush_page_to_popa(base | nse); 1923 1924 /* 1925 * Remove any data loaded speculatively in NS space from before 1926 * the scrubbing. 1927 */ 1928 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT; 1929 1930 flush_page_to_popa(base | nse); 1931 1932 /* Clear existing GPI encoding and transition granule */ 1933 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1934 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NS); 1935 1936 /* Ensure that all agents observe the new NS configuration */ 1937 tlbi_page_dsbosh(base); 1938 1939 #if (RME_GPT_MAX_BLOCK != 0) 1940 if (gpi_info.gpt_l1_desc == GPT_L1_NS_DESC) { 1941 /* Try to fuse */ 1942 fuse_block(base, &gpi_info, GPT_L1_NS_DESC); 1943 } 1944 #endif 1945 /* Unlock the lock to GPT */ 1946 GPT_UNLOCK; 1947 1948 /* 1949 * The isb() will be done as part of context 1950 * synchronization when returning to lower EL. 1951 */ 1952 VERBOSE("GPT: Granule 0x%"PRIx64" GPI 0x%x->0x%x\n", 1953 base, gpi_info.gpi, GPT_GPI_NS); 1954 1955 return 0; 1956 } 1957