1 /* 2 * Copyright (c) 2022, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <errno.h> 9 #include <inttypes.h> 10 #include <limits.h> 11 #include <stdint.h> 12 13 #include <arch.h> 14 #include <arch_features.h> 15 #include <arch_helpers.h> 16 #include <common/debug.h> 17 #include "gpt_rme_private.h" 18 #include <lib/gpt_rme/gpt_rme.h> 19 #include <lib/smccc.h> 20 #include <lib/spinlock.h> 21 #include <lib/xlat_tables/xlat_tables_v2.h> 22 23 #if !ENABLE_RME 24 #error "ENABLE_RME must be enabled to use the GPT library." 25 #endif 26 27 /* 28 * Lookup T from PPS 29 * 30 * PPS Size T 31 * 0b000 4GB 32 32 * 0b001 64GB 36 33 * 0b010 1TB 40 34 * 0b011 4TB 42 35 * 0b100 16TB 44 36 * 0b101 256TB 48 37 * 0b110 4PB 52 38 * 39 * See section 15.1.27 of the RME specification. 40 */ 41 static const gpt_t_val_e gpt_t_lookup[] = {PPS_4GB_T, PPS_64GB_T, 42 PPS_1TB_T, PPS_4TB_T, 43 PPS_16TB_T, PPS_256TB_T, 44 PPS_4PB_T}; 45 46 /* 47 * Lookup P from PGS 48 * 49 * PGS Size P 50 * 0b00 4KB 12 51 * 0b10 16KB 14 52 * 0b01 64KB 16 53 * 54 * Note that pgs=0b10 is 16KB and pgs=0b01 is 64KB, this is not a typo. 55 * 56 * See section 15.1.27 of the RME specification. 57 */ 58 static const gpt_p_val_e gpt_p_lookup[] = {PGS_4KB_P, PGS_64KB_P, PGS_16KB_P}; 59 60 /* 61 * This structure contains GPT configuration data. 62 */ 63 typedef struct { 64 uintptr_t plat_gpt_l0_base; 65 gpccr_pps_e pps; 66 gpt_t_val_e t; 67 gpccr_pgs_e pgs; 68 gpt_p_val_e p; 69 } gpt_config_t; 70 71 static gpt_config_t gpt_config; 72 73 /* These variables are used during initialization of the L1 tables. */ 74 static unsigned int gpt_next_l1_tbl_idx; 75 static uintptr_t gpt_l1_tbl; 76 77 /* 78 * This function checks to see if a GPI value is valid. 79 * 80 * These are valid GPI values. 81 * GPT_GPI_NO_ACCESS U(0x0) 82 * GPT_GPI_SECURE U(0x8) 83 * GPT_GPI_NS U(0x9) 84 * GPT_GPI_ROOT U(0xA) 85 * GPT_GPI_REALM U(0xB) 86 * GPT_GPI_ANY U(0xF) 87 * 88 * Parameters 89 * gpi GPI to check for validity. 90 * 91 * Return 92 * true for a valid GPI, false for an invalid one. 93 */ 94 static bool gpt_is_gpi_valid(unsigned int gpi) 95 { 96 if ((gpi == GPT_GPI_NO_ACCESS) || (gpi == GPT_GPI_ANY) || 97 ((gpi >= GPT_GPI_SECURE) && (gpi <= GPT_GPI_REALM))) { 98 return true; 99 } 100 return false; 101 } 102 103 /* 104 * This function checks to see if two PAS regions overlap. 105 * 106 * Parameters 107 * base_1: base address of first PAS 108 * size_1: size of first PAS 109 * base_2: base address of second PAS 110 * size_2: size of second PAS 111 * 112 * Return 113 * True if PAS regions overlap, false if they do not. 114 */ 115 static bool gpt_check_pas_overlap(uintptr_t base_1, size_t size_1, 116 uintptr_t base_2, size_t size_2) 117 { 118 if (((base_1 + size_1) > base_2) && ((base_2 + size_2) > base_1)) { 119 return true; 120 } 121 return false; 122 } 123 124 /* 125 * This helper function checks to see if a PAS region from index 0 to 126 * (pas_idx - 1) occupies the L0 region at index l0_idx in the L0 table. 127 * 128 * Parameters 129 * l0_idx: Index of the L0 entry to check 130 * pas_regions: PAS region array 131 * pas_idx: Upper bound of the PAS array index. 132 * 133 * Return 134 * True if a PAS region occupies the L0 region in question, false if not. 135 */ 136 static bool gpt_does_previous_pas_exist_here(unsigned int l0_idx, 137 pas_region_t *pas_regions, 138 unsigned int pas_idx) 139 { 140 /* Iterate over PAS regions up to pas_idx. */ 141 for (unsigned int i = 0U; i < pas_idx; i++) { 142 if (gpt_check_pas_overlap((GPT_L0GPTSZ_ACTUAL_SIZE * l0_idx), 143 GPT_L0GPTSZ_ACTUAL_SIZE, 144 pas_regions[i].base_pa, pas_regions[i].size)) { 145 return true; 146 } 147 } 148 return false; 149 } 150 151 /* 152 * This function iterates over all of the PAS regions and checks them to ensure 153 * proper alignment of base and size, that the GPI is valid, and that no regions 154 * overlap. As a part of the overlap checks, this function checks existing L0 155 * mappings against the new PAS regions in the event that gpt_init_pas_l1_tables 156 * is called multiple times to place L1 tables in different areas of memory. It 157 * also counts the number of L1 tables needed and returns it on success. 158 * 159 * Parameters 160 * *pas_regions Pointer to array of PAS region structures. 161 * pas_region_cnt Total number of PAS regions in the array. 162 * 163 * Return 164 * Negative Linux error code in the event of a failure, number of L1 regions 165 * required when successful. 166 */ 167 static int gpt_validate_pas_mappings(pas_region_t *pas_regions, 168 unsigned int pas_region_cnt) 169 { 170 unsigned int idx; 171 unsigned int l1_cnt = 0U; 172 unsigned int pas_l1_cnt; 173 uint64_t *l0_desc = (uint64_t *)gpt_config.plat_gpt_l0_base; 174 175 assert(pas_regions != NULL); 176 assert(pas_region_cnt != 0U); 177 178 for (idx = 0U; idx < pas_region_cnt; idx++) { 179 /* Check for arithmetic overflow in region. */ 180 if ((ULONG_MAX - pas_regions[idx].base_pa) < 181 pas_regions[idx].size) { 182 ERROR("[GPT] Address overflow in PAS[%u]!\n", idx); 183 return -EOVERFLOW; 184 } 185 186 /* Initial checks for PAS validity. */ 187 if (((pas_regions[idx].base_pa + pas_regions[idx].size) > 188 GPT_PPS_ACTUAL_SIZE(gpt_config.t)) || 189 !gpt_is_gpi_valid(GPT_PAS_ATTR_GPI(pas_regions[idx].attrs))) { 190 ERROR("[GPT] PAS[%u] is invalid!\n", idx); 191 return -EFAULT; 192 } 193 194 /* 195 * Make sure this PAS does not overlap with another one. We 196 * start from idx + 1 instead of 0 since prior PAS mappings will 197 * have already checked themselves against this one. 198 */ 199 for (unsigned int i = idx + 1; i < pas_region_cnt; i++) { 200 if (gpt_check_pas_overlap(pas_regions[idx].base_pa, 201 pas_regions[idx].size, 202 pas_regions[i].base_pa, 203 pas_regions[i].size)) { 204 ERROR("[GPT] PAS[%u] overlaps with PAS[%u]\n", 205 i, idx); 206 return -EFAULT; 207 } 208 } 209 210 /* 211 * Since this function can be called multiple times with 212 * separate L1 tables we need to check the existing L0 mapping 213 * to see if this PAS would fall into one that has already been 214 * initialized. 215 */ 216 for (unsigned int i = GPT_L0_IDX(pas_regions[idx].base_pa); 217 i <= GPT_L0_IDX(pas_regions[idx].base_pa + pas_regions[idx].size - 1); 218 i++) { 219 if ((GPT_L0_TYPE(l0_desc[i]) == GPT_L0_TYPE_BLK_DESC) && 220 (GPT_L0_BLKD_GPI(l0_desc[i]) == GPT_GPI_ANY)) { 221 /* This descriptor is unused so continue. */ 222 continue; 223 } 224 225 /* 226 * This descriptor has been initialized in a previous 227 * call to this function so cannot be initialized again. 228 */ 229 ERROR("[GPT] PAS[%u] overlaps with previous L0[%d]!\n", 230 idx, i); 231 return -EFAULT; 232 } 233 234 /* Check for block mapping (L0) type. */ 235 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 236 GPT_PAS_ATTR_MAP_TYPE_BLOCK) { 237 /* Make sure base and size are block-aligned. */ 238 if (!GPT_IS_L0_ALIGNED(pas_regions[idx].base_pa) || 239 !GPT_IS_L0_ALIGNED(pas_regions[idx].size)) { 240 ERROR("[GPT] PAS[%u] is not block-aligned!\n", 241 idx); 242 return -EFAULT; 243 } 244 245 continue; 246 } 247 248 /* Check for granule mapping (L1) type. */ 249 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 250 GPT_PAS_ATTR_MAP_TYPE_GRANULE) { 251 /* Make sure base and size are granule-aligned. */ 252 if (!GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].base_pa) || 253 !GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].size)) { 254 ERROR("[GPT] PAS[%u] is not granule-aligned!\n", 255 idx); 256 return -EFAULT; 257 } 258 259 /* Find how many L1 tables this PAS occupies. */ 260 pas_l1_cnt = (GPT_L0_IDX(pas_regions[idx].base_pa + 261 pas_regions[idx].size - 1) - 262 GPT_L0_IDX(pas_regions[idx].base_pa) + 1); 263 264 /* 265 * This creates a situation where, if multiple PAS 266 * regions occupy the same table descriptor, we can get 267 * an artificially high total L1 table count. The way we 268 * handle this is by checking each PAS against those 269 * before it in the array, and if they both occupy the 270 * same PAS we subtract from pas_l1_cnt and only the 271 * first PAS in the array gets to count it. 272 */ 273 274 /* 275 * If L1 count is greater than 1 we know the start and 276 * end PAs are in different L0 regions so we must check 277 * both for overlap against other PAS. 278 */ 279 if (pas_l1_cnt > 1) { 280 if (gpt_does_previous_pas_exist_here( 281 GPT_L0_IDX(pas_regions[idx].base_pa + 282 pas_regions[idx].size - 1), 283 pas_regions, idx)) { 284 pas_l1_cnt = pas_l1_cnt - 1; 285 } 286 } 287 288 if (gpt_does_previous_pas_exist_here( 289 GPT_L0_IDX(pas_regions[idx].base_pa), 290 pas_regions, idx)) { 291 pas_l1_cnt = pas_l1_cnt - 1; 292 } 293 294 l1_cnt += pas_l1_cnt; 295 continue; 296 } 297 298 /* If execution reaches this point, mapping type is invalid. */ 299 ERROR("[GPT] PAS[%u] has invalid mapping type 0x%x.\n", idx, 300 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs)); 301 return -EINVAL; 302 } 303 304 return l1_cnt; 305 } 306 307 /* 308 * This function validates L0 initialization parameters. 309 * 310 * Parameters 311 * l0_mem_base Base address of memory used for L0 tables. 312 * l1_mem_size Size of memory available for L0 tables. 313 * 314 * Return 315 * Negative Linux error code in the event of a failure, 0 for success. 316 */ 317 static int gpt_validate_l0_params(gpccr_pps_e pps, uintptr_t l0_mem_base, 318 size_t l0_mem_size) 319 { 320 size_t l0_alignment; 321 322 /* 323 * Make sure PPS is valid and then store it since macros need this value 324 * to work. 325 */ 326 if (pps > GPT_PPS_MAX) { 327 ERROR("[GPT] Invalid PPS: 0x%x\n", pps); 328 return -EINVAL; 329 } 330 gpt_config.pps = pps; 331 gpt_config.t = gpt_t_lookup[pps]; 332 333 /* Alignment must be the greater of 4k or l0 table size. */ 334 l0_alignment = PAGE_SIZE_4KB; 335 if (l0_alignment < GPT_L0_TABLE_SIZE(gpt_config.t)) { 336 l0_alignment = GPT_L0_TABLE_SIZE(gpt_config.t); 337 } 338 339 /* Check base address. */ 340 if ((l0_mem_base == 0U) || ((l0_mem_base & (l0_alignment - 1)) != 0U)) { 341 ERROR("[GPT] Invalid L0 base address: 0x%lx\n", l0_mem_base); 342 return -EFAULT; 343 } 344 345 /* Check size. */ 346 if (l0_mem_size < GPT_L0_TABLE_SIZE(gpt_config.t)) { 347 ERROR("[GPT] Inadequate L0 memory: need 0x%lx, have 0x%lx)\n", 348 GPT_L0_TABLE_SIZE(gpt_config.t), 349 l0_mem_size); 350 return -ENOMEM; 351 } 352 353 return 0; 354 } 355 356 /* 357 * In the event that L1 tables are needed, this function validates 358 * the L1 table generation parameters. 359 * 360 * Parameters 361 * l1_mem_base Base address of memory used for L1 table allocation. 362 * l1_mem_size Total size of memory available for L1 tables. 363 * l1_gpt_cnt Number of L1 tables needed. 364 * 365 * Return 366 * Negative Linux error code in the event of a failure, 0 for success. 367 */ 368 static int gpt_validate_l1_params(uintptr_t l1_mem_base, size_t l1_mem_size, 369 unsigned int l1_gpt_cnt) 370 { 371 size_t l1_gpt_mem_sz; 372 373 /* Check if the granularity is supported */ 374 if (!xlat_arch_is_granule_size_supported( 375 GPT_PGS_ACTUAL_SIZE(gpt_config.p))) { 376 return -EPERM; 377 } 378 379 /* Make sure L1 tables are aligned to their size. */ 380 if ((l1_mem_base & (GPT_L1_TABLE_SIZE(gpt_config.p) - 1)) != 0U) { 381 ERROR("[GPT] Unaligned L1 GPT base address: 0x%lx\n", 382 l1_mem_base); 383 return -EFAULT; 384 } 385 386 /* Get total memory needed for L1 tables. */ 387 l1_gpt_mem_sz = l1_gpt_cnt * GPT_L1_TABLE_SIZE(gpt_config.p); 388 389 /* Check for overflow. */ 390 if ((l1_gpt_mem_sz / GPT_L1_TABLE_SIZE(gpt_config.p)) != l1_gpt_cnt) { 391 ERROR("[GPT] Overflow calculating L1 memory size.\n"); 392 return -ENOMEM; 393 } 394 395 /* Make sure enough space was supplied. */ 396 if (l1_mem_size < l1_gpt_mem_sz) { 397 ERROR("[GPT] Inadequate memory for L1 GPTs. "); 398 ERROR(" Expected 0x%lx bytes. Got 0x%lx bytes\n", 399 l1_gpt_mem_sz, l1_mem_size); 400 return -ENOMEM; 401 } 402 403 VERBOSE("[GPT] Requested 0x%lx bytes for L1 GPTs.\n", l1_gpt_mem_sz); 404 return 0; 405 } 406 407 /* 408 * This function initializes L0 block descriptors (regions that cannot be 409 * transitioned at the granule level) according to the provided PAS. 410 * 411 * Parameters 412 * *pas Pointer to the structure defining the PAS region to 413 * initialize. 414 */ 415 static void gpt_generate_l0_blk_desc(pas_region_t *pas) 416 { 417 uint64_t gpt_desc; 418 unsigned int end_idx; 419 unsigned int idx; 420 uint64_t *l0_gpt_arr; 421 422 assert(gpt_config.plat_gpt_l0_base != 0U); 423 assert(pas != NULL); 424 425 /* 426 * Checking of PAS parameters has already been done in 427 * gpt_validate_pas_mappings so no need to check the same things again. 428 */ 429 430 l0_gpt_arr = (uint64_t *)gpt_config.plat_gpt_l0_base; 431 432 /* Create the GPT Block descriptor for this PAS region */ 433 gpt_desc = GPT_L0_BLK_DESC(GPT_PAS_ATTR_GPI(pas->attrs)); 434 435 /* Start index of this region in L0 GPTs */ 436 idx = GPT_L0_IDX(pas->base_pa); 437 438 /* 439 * Determine number of L0 GPT descriptors covered by 440 * this PAS region and use the count to populate these 441 * descriptors. 442 */ 443 end_idx = GPT_L0_IDX(pas->base_pa + pas->size); 444 445 /* Generate the needed block descriptors. */ 446 for (; idx < end_idx; idx++) { 447 l0_gpt_arr[idx] = gpt_desc; 448 VERBOSE("[GPT] L0 entry (BLOCK) index %u [%p]: GPI = 0x%" PRIx64 " (0x%" PRIx64 ")\n", 449 idx, &l0_gpt_arr[idx], 450 (gpt_desc >> GPT_L0_BLK_DESC_GPI_SHIFT) & 451 GPT_L0_BLK_DESC_GPI_MASK, l0_gpt_arr[idx]); 452 } 453 } 454 455 /* 456 * Helper function to determine if the end physical address lies in the same L0 457 * region as the current physical address. If true, the end physical address is 458 * returned else, the start address of the next region is returned. 459 * 460 * Parameters 461 * cur_pa Physical address of the current PA in the loop through 462 * the range. 463 * end_pa Physical address of the end PA in a PAS range. 464 * 465 * Return 466 * The PA of the end of the current range. 467 */ 468 static uintptr_t gpt_get_l1_end_pa(uintptr_t cur_pa, uintptr_t end_pa) 469 { 470 uintptr_t cur_idx; 471 uintptr_t end_idx; 472 473 cur_idx = GPT_L0_IDX(cur_pa); 474 end_idx = GPT_L0_IDX(end_pa); 475 476 assert(cur_idx <= end_idx); 477 478 if (cur_idx == end_idx) { 479 return end_pa; 480 } 481 482 return (cur_idx + 1U) << GPT_L0_IDX_SHIFT; 483 } 484 485 /* 486 * Helper function to fill out GPI entries in a single L1 table. This function 487 * fills out entire L1 descriptors at a time to save memory writes. 488 * 489 * Parameters 490 * gpi GPI to set this range to 491 * l1 Pointer to L1 table to fill out 492 * first Address of first granule in range. 493 * last Address of last granule in range (inclusive). 494 */ 495 static void gpt_fill_l1_tbl(uint64_t gpi, uint64_t *l1, uintptr_t first, 496 uintptr_t last) 497 { 498 uint64_t gpi_field = GPT_BUILD_L1_DESC(gpi); 499 uint64_t gpi_mask = 0xFFFFFFFFFFFFFFFF; 500 501 assert(first <= last); 502 assert((first & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U); 503 assert((last & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U); 504 assert(GPT_L0_IDX(first) == GPT_L0_IDX(last)); 505 assert(l1 != NULL); 506 507 /* Shift the mask if we're starting in the middle of an L1 entry. */ 508 gpi_mask = gpi_mask << (GPT_L1_GPI_IDX(gpt_config.p, first) << 2); 509 510 /* Fill out each L1 entry for this region. */ 511 for (unsigned int i = GPT_L1_IDX(gpt_config.p, first); 512 i <= GPT_L1_IDX(gpt_config.p, last); i++) { 513 /* Account for stopping in the middle of an L1 entry. */ 514 if (i == GPT_L1_IDX(gpt_config.p, last)) { 515 gpi_mask &= (gpi_mask >> ((15 - 516 GPT_L1_GPI_IDX(gpt_config.p, last)) << 2)); 517 } 518 519 /* Write GPI values. */ 520 assert((l1[i] & gpi_mask) == 521 (GPT_BUILD_L1_DESC(GPT_GPI_ANY) & gpi_mask)); 522 l1[i] = (l1[i] & ~gpi_mask) | (gpi_mask & gpi_field); 523 524 /* Reset mask. */ 525 gpi_mask = 0xFFFFFFFFFFFFFFFF; 526 } 527 } 528 529 /* 530 * This function finds the next available unused L1 table and initializes all 531 * granules descriptor entries to GPI_ANY. This ensures that there are no chunks 532 * of GPI_NO_ACCESS (0b0000) memory floating around in the system in the 533 * event that a PAS region stops midway through an L1 table, thus guaranteeing 534 * that all memory not explicitly assigned is GPI_ANY. This function does not 535 * check for overflow conditions, that should be done by the caller. 536 * 537 * Return 538 * Pointer to the next available L1 table. 539 */ 540 static uint64_t *gpt_get_new_l1_tbl(void) 541 { 542 /* Retrieve the next L1 table. */ 543 uint64_t *l1 = (uint64_t *)((uint64_t)(gpt_l1_tbl) + 544 (GPT_L1_TABLE_SIZE(gpt_config.p) * 545 gpt_next_l1_tbl_idx)); 546 547 /* Increment L1 counter. */ 548 gpt_next_l1_tbl_idx++; 549 550 /* Initialize all GPIs to GPT_GPI_ANY */ 551 for (unsigned int i = 0U; i < GPT_L1_ENTRY_COUNT(gpt_config.p); i++) { 552 l1[i] = GPT_BUILD_L1_DESC(GPT_GPI_ANY); 553 } 554 555 return l1; 556 } 557 558 /* 559 * When L1 tables are needed, this function creates the necessary L0 table 560 * descriptors and fills out the L1 table entries according to the supplied 561 * PAS range. 562 * 563 * Parameters 564 * *pas Pointer to the structure defining the PAS region. 565 */ 566 static void gpt_generate_l0_tbl_desc(pas_region_t *pas) 567 { 568 uintptr_t end_pa; 569 uintptr_t cur_pa; 570 uintptr_t last_gran_pa; 571 uint64_t *l0_gpt_base; 572 uint64_t *l1_gpt_arr; 573 unsigned int l0_idx; 574 575 assert(gpt_config.plat_gpt_l0_base != 0U); 576 assert(pas != NULL); 577 578 /* 579 * Checking of PAS parameters has already been done in 580 * gpt_validate_pas_mappings so no need to check the same things again. 581 */ 582 583 end_pa = pas->base_pa + pas->size; 584 l0_gpt_base = (uint64_t *)gpt_config.plat_gpt_l0_base; 585 586 /* We start working from the granule at base PA */ 587 cur_pa = pas->base_pa; 588 589 /* Iterate over each L0 region in this memory range. */ 590 for (l0_idx = GPT_L0_IDX(pas->base_pa); 591 l0_idx <= GPT_L0_IDX(end_pa - 1U); 592 l0_idx++) { 593 594 /* 595 * See if the L0 entry is already a table descriptor or if we 596 * need to create one. 597 */ 598 if (GPT_L0_TYPE(l0_gpt_base[l0_idx]) == GPT_L0_TYPE_TBL_DESC) { 599 /* Get the L1 array from the L0 entry. */ 600 l1_gpt_arr = GPT_L0_TBLD_ADDR(l0_gpt_base[l0_idx]); 601 } else { 602 /* Get a new L1 table from the L1 memory space. */ 603 l1_gpt_arr = gpt_get_new_l1_tbl(); 604 605 /* Fill out the L0 descriptor and flush it. */ 606 l0_gpt_base[l0_idx] = GPT_L0_TBL_DESC(l1_gpt_arr); 607 } 608 609 VERBOSE("[GPT] L0 entry (TABLE) index %u [%p] ==> L1 Addr 0x%llx (0x%" PRIx64 ")\n", 610 l0_idx, &l0_gpt_base[l0_idx], 611 (unsigned long long)(l1_gpt_arr), 612 l0_gpt_base[l0_idx]); 613 614 /* 615 * Determine the PA of the last granule in this L0 descriptor. 616 */ 617 last_gran_pa = gpt_get_l1_end_pa(cur_pa, end_pa) - 618 GPT_PGS_ACTUAL_SIZE(gpt_config.p); 619 620 /* 621 * Fill up L1 GPT entries between these two addresses. This 622 * function needs the addresses of the first granule and last 623 * granule in the range. 624 */ 625 gpt_fill_l1_tbl(GPT_PAS_ATTR_GPI(pas->attrs), l1_gpt_arr, 626 cur_pa, last_gran_pa); 627 628 /* Advance cur_pa to first granule in next L0 region. */ 629 cur_pa = gpt_get_l1_end_pa(cur_pa, end_pa); 630 } 631 } 632 633 /* 634 * This function flushes a range of L0 descriptors used by a given PAS region 635 * array. There is a chance that some unmodified L0 descriptors would be flushed 636 * in the case that there are "holes" in an array of PAS regions but overall 637 * this should be faster than individually flushing each modified L0 descriptor 638 * as they are created. 639 * 640 * Parameters 641 * *pas Pointer to an array of PAS regions. 642 * pas_count Number of entries in the PAS array. 643 */ 644 static void flush_l0_for_pas_array(pas_region_t *pas, unsigned int pas_count) 645 { 646 unsigned int idx; 647 unsigned int start_idx; 648 unsigned int end_idx; 649 uint64_t *l0 = (uint64_t *)gpt_config.plat_gpt_l0_base; 650 651 assert(pas != NULL); 652 assert(pas_count > 0); 653 654 /* Initial start and end values. */ 655 start_idx = GPT_L0_IDX(pas[0].base_pa); 656 end_idx = GPT_L0_IDX(pas[0].base_pa + pas[0].size - 1); 657 658 /* Find lowest and highest L0 indices used in this PAS array. */ 659 for (idx = 1; idx < pas_count; idx++) { 660 if (GPT_L0_IDX(pas[idx].base_pa) < start_idx) { 661 start_idx = GPT_L0_IDX(pas[idx].base_pa); 662 } 663 if (GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1) > end_idx) { 664 end_idx = GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1); 665 } 666 } 667 668 /* 669 * Flush all covered L0 descriptors, add 1 because we need to include 670 * the end index value. 671 */ 672 flush_dcache_range((uintptr_t)&l0[start_idx], 673 ((end_idx + 1) - start_idx) * sizeof(uint64_t)); 674 } 675 676 /* 677 * Public API to enable granule protection checks once the tables have all been 678 * initialized. This function is called at first initialization and then again 679 * later during warm boots of CPU cores. 680 * 681 * Return 682 * Negative Linux error code in the event of a failure, 0 for success. 683 */ 684 int gpt_enable(void) 685 { 686 u_register_t gpccr_el3; 687 688 /* 689 * Granule tables must be initialised before enabling 690 * granule protection. 691 */ 692 if (gpt_config.plat_gpt_l0_base == 0U) { 693 ERROR("[GPT] Tables have not been initialized!\n"); 694 return -EPERM; 695 } 696 697 /* Write the base address of the L0 tables into GPTBR */ 698 write_gptbr_el3(((gpt_config.plat_gpt_l0_base >> GPTBR_BADDR_VAL_SHIFT) 699 >> GPTBR_BADDR_SHIFT) & GPTBR_BADDR_MASK); 700 701 /* GPCCR_EL3.PPS */ 702 gpccr_el3 = SET_GPCCR_PPS(gpt_config.pps); 703 704 /* GPCCR_EL3.PGS */ 705 gpccr_el3 |= SET_GPCCR_PGS(gpt_config.pgs); 706 707 /* 708 * Since EL3 maps the L1 region as Inner shareable, use the same 709 * shareability attribute for GPC as well so that 710 * GPC fetches are visible to PEs 711 */ 712 gpccr_el3 |= SET_GPCCR_SH(GPCCR_SH_IS); 713 714 /* Outer and Inner cacheability set to Normal memory, WB, RA, WA. */ 715 gpccr_el3 |= SET_GPCCR_ORGN(GPCCR_ORGN_WB_RA_WA); 716 gpccr_el3 |= SET_GPCCR_IRGN(GPCCR_IRGN_WB_RA_WA); 717 718 /* Prepopulate GPCCR_EL3 but don't enable GPC yet */ 719 write_gpccr_el3(gpccr_el3); 720 isb(); 721 722 /* Invalidate any stale TLB entries and any cached register fields */ 723 tlbipaallos(); 724 dsb(); 725 isb(); 726 727 /* Enable GPT */ 728 gpccr_el3 |= GPCCR_GPC_BIT; 729 730 /* TODO: Configure GPCCR_EL3_GPCP for Fault control. */ 731 write_gpccr_el3(gpccr_el3); 732 isb(); 733 tlbipaallos(); 734 dsb(); 735 isb(); 736 737 return 0; 738 } 739 740 /* 741 * Public API to disable granule protection checks. 742 */ 743 void gpt_disable(void) 744 { 745 u_register_t gpccr_el3 = read_gpccr_el3(); 746 747 write_gpccr_el3(gpccr_el3 & ~GPCCR_GPC_BIT); 748 dsbsy(); 749 isb(); 750 } 751 752 /* 753 * Public API that initializes the entire protected space to GPT_GPI_ANY using 754 * the L0 tables (block descriptors). Ideally, this function is invoked prior 755 * to DDR discovery and initialization. The MMU must be initialized before 756 * calling this function. 757 * 758 * Parameters 759 * pps PPS value to use for table generation 760 * l0_mem_base Base address of L0 tables in memory. 761 * l0_mem_size Total size of memory available for L0 tables. 762 * 763 * Return 764 * Negative Linux error code in the event of a failure, 0 for success. 765 */ 766 int gpt_init_l0_tables(gpccr_pps_e pps, uintptr_t l0_mem_base, 767 size_t l0_mem_size) 768 { 769 int ret; 770 uint64_t gpt_desc; 771 772 /* Ensure that MMU and Data caches are enabled. */ 773 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 774 775 /* Validate other parameters. */ 776 ret = gpt_validate_l0_params(pps, l0_mem_base, l0_mem_size); 777 if (ret != 0) { 778 return ret; 779 } 780 781 /* Create the descriptor to initialize L0 entries with. */ 782 gpt_desc = GPT_L0_BLK_DESC(GPT_GPI_ANY); 783 784 /* Iterate through all L0 entries */ 785 for (unsigned int i = 0U; i < GPT_L0_REGION_COUNT(gpt_config.t); i++) { 786 ((uint64_t *)l0_mem_base)[i] = gpt_desc; 787 } 788 789 /* Flush updated L0 tables to memory. */ 790 flush_dcache_range((uintptr_t)l0_mem_base, 791 (size_t)GPT_L0_TABLE_SIZE(gpt_config.t)); 792 793 /* Stash the L0 base address once initial setup is complete. */ 794 gpt_config.plat_gpt_l0_base = l0_mem_base; 795 796 return 0; 797 } 798 799 /* 800 * Public API that carves out PAS regions from the L0 tables and builds any L1 801 * tables that are needed. This function ideally is run after DDR discovery and 802 * initialization. The L0 tables must have already been initialized to GPI_ANY 803 * when this function is called. 804 * 805 * This function can be called multiple times with different L1 memory ranges 806 * and PAS regions if it is desirable to place L1 tables in different locations 807 * in memory. (ex: you have multiple DDR banks and want to place the L1 tables 808 * in the DDR bank that they control) 809 * 810 * Parameters 811 * pgs PGS value to use for table generation. 812 * l1_mem_base Base address of memory used for L1 tables. 813 * l1_mem_size Total size of memory available for L1 tables. 814 * *pas_regions Pointer to PAS regions structure array. 815 * pas_count Total number of PAS regions. 816 * 817 * Return 818 * Negative Linux error code in the event of a failure, 0 for success. 819 */ 820 int gpt_init_pas_l1_tables(gpccr_pgs_e pgs, uintptr_t l1_mem_base, 821 size_t l1_mem_size, pas_region_t *pas_regions, 822 unsigned int pas_count) 823 { 824 int ret; 825 int l1_gpt_cnt; 826 827 /* Ensure that MMU and Data caches are enabled. */ 828 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 829 830 /* PGS is needed for gpt_validate_pas_mappings so check it now. */ 831 if (pgs > GPT_PGS_MAX) { 832 ERROR("[GPT] Invalid PGS: 0x%x\n", pgs); 833 return -EINVAL; 834 } 835 gpt_config.pgs = pgs; 836 gpt_config.p = gpt_p_lookup[pgs]; 837 838 /* Make sure L0 tables have been initialized. */ 839 if (gpt_config.plat_gpt_l0_base == 0U) { 840 ERROR("[GPT] L0 tables must be initialized first!\n"); 841 return -EPERM; 842 } 843 844 /* Check if L1 GPTs are required and how many. */ 845 l1_gpt_cnt = gpt_validate_pas_mappings(pas_regions, pas_count); 846 if (l1_gpt_cnt < 0) { 847 return l1_gpt_cnt; 848 } 849 850 VERBOSE("[GPT] %u L1 GPTs requested.\n", l1_gpt_cnt); 851 852 /* If L1 tables are needed then validate the L1 parameters. */ 853 if (l1_gpt_cnt > 0) { 854 ret = gpt_validate_l1_params(l1_mem_base, l1_mem_size, 855 l1_gpt_cnt); 856 if (ret != 0) { 857 return ret; 858 } 859 860 /* Set up parameters for L1 table generation. */ 861 gpt_l1_tbl = l1_mem_base; 862 gpt_next_l1_tbl_idx = 0U; 863 } 864 865 INFO("[GPT] Boot Configuration\n"); 866 INFO(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t); 867 INFO(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p); 868 INFO(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL); 869 INFO(" PAS count: 0x%x\n", pas_count); 870 INFO(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base); 871 872 /* Generate the tables in memory. */ 873 for (unsigned int idx = 0U; idx < pas_count; idx++) { 874 INFO("[GPT] PAS[%u]: base 0x%lx, size 0x%lx, GPI 0x%x, type 0x%x\n", 875 idx, pas_regions[idx].base_pa, pas_regions[idx].size, 876 GPT_PAS_ATTR_GPI(pas_regions[idx].attrs), 877 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs)); 878 879 /* Check if a block or table descriptor is required */ 880 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) == 881 GPT_PAS_ATTR_MAP_TYPE_BLOCK) { 882 gpt_generate_l0_blk_desc(&pas_regions[idx]); 883 884 } else { 885 gpt_generate_l0_tbl_desc(&pas_regions[idx]); 886 } 887 } 888 889 /* Flush modified L0 tables. */ 890 flush_l0_for_pas_array(pas_regions, pas_count); 891 892 /* Flush L1 tables if needed. */ 893 if (l1_gpt_cnt > 0) { 894 flush_dcache_range(l1_mem_base, 895 GPT_L1_TABLE_SIZE(gpt_config.p) * 896 l1_gpt_cnt); 897 } 898 899 /* Make sure that all the entries are written to the memory. */ 900 dsbishst(); 901 tlbipaallos(); 902 dsb(); 903 isb(); 904 905 return 0; 906 } 907 908 /* 909 * Public API to initialize the runtime gpt_config structure based on the values 910 * present in the GPTBR_EL3 and GPCCR_EL3 registers. GPT initialization 911 * typically happens in a bootloader stage prior to setting up the EL3 runtime 912 * environment for the granule transition service so this function detects the 913 * initialization from a previous stage. Granule protection checks must be 914 * enabled already or this function will return an error. 915 * 916 * Return 917 * Negative Linux error code in the event of a failure, 0 for success. 918 */ 919 int gpt_runtime_init(void) 920 { 921 u_register_t reg; 922 923 /* Ensure that MMU and Data caches are enabled. */ 924 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U); 925 926 /* Ensure GPC are already enabled. */ 927 if ((read_gpccr_el3() & GPCCR_GPC_BIT) == 0U) { 928 ERROR("[GPT] Granule protection checks are not enabled!\n"); 929 return -EPERM; 930 } 931 932 /* 933 * Read the L0 table address from GPTBR, we don't need the L1 base 934 * address since those are included in the L0 tables as needed. 935 */ 936 reg = read_gptbr_el3(); 937 gpt_config.plat_gpt_l0_base = ((reg >> GPTBR_BADDR_SHIFT) & 938 GPTBR_BADDR_MASK) << 939 GPTBR_BADDR_VAL_SHIFT; 940 941 /* Read GPCCR to get PGS and PPS values. */ 942 reg = read_gpccr_el3(); 943 gpt_config.pps = (reg >> GPCCR_PPS_SHIFT) & GPCCR_PPS_MASK; 944 gpt_config.t = gpt_t_lookup[gpt_config.pps]; 945 gpt_config.pgs = (reg >> GPCCR_PGS_SHIFT) & GPCCR_PGS_MASK; 946 gpt_config.p = gpt_p_lookup[gpt_config.pgs]; 947 948 VERBOSE("[GPT] Runtime Configuration\n"); 949 VERBOSE(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t); 950 VERBOSE(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p); 951 VERBOSE(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL); 952 VERBOSE(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base); 953 954 return 0; 955 } 956 957 /* 958 * The L1 descriptors are protected by a spinlock to ensure that multiple 959 * CPUs do not attempt to change the descriptors at once. In the future it 960 * would be better to have separate spinlocks for each L1 descriptor. 961 */ 962 static spinlock_t gpt_lock; 963 964 /* 965 * A helper to write the value (target_pas << gpi_shift) to the index of 966 * the gpt_l1_addr 967 */ 968 static inline void write_gpt(uint64_t *gpt_l1_desc, uint64_t *gpt_l1_addr, 969 unsigned int gpi_shift, unsigned int idx, 970 unsigned int target_pas) 971 { 972 *gpt_l1_desc &= ~(GPT_L1_GRAN_DESC_GPI_MASK << gpi_shift); 973 *gpt_l1_desc |= ((uint64_t)target_pas << gpi_shift); 974 gpt_l1_addr[idx] = *gpt_l1_desc; 975 } 976 977 /* 978 * Helper to retrieve the gpt_l1_* information from the base address 979 * returned in gpi_info 980 */ 981 static int get_gpi_params(uint64_t base, gpi_info_t *gpi_info) 982 { 983 uint64_t gpt_l0_desc, *gpt_l0_base; 984 985 gpt_l0_base = (uint64_t *)gpt_config.plat_gpt_l0_base; 986 gpt_l0_desc = gpt_l0_base[GPT_L0_IDX(base)]; 987 if (GPT_L0_TYPE(gpt_l0_desc) != GPT_L0_TYPE_TBL_DESC) { 988 VERBOSE("[GPT] Granule is not covered by a table descriptor!\n"); 989 VERBOSE(" Base=0x%" PRIx64 "\n", base); 990 return -EINVAL; 991 } 992 993 /* Get the table index and GPI shift from PA. */ 994 gpi_info->gpt_l1_addr = GPT_L0_TBLD_ADDR(gpt_l0_desc); 995 gpi_info->idx = GPT_L1_IDX(gpt_config.p, base); 996 gpi_info->gpi_shift = GPT_L1_GPI_IDX(gpt_config.p, base) << 2; 997 998 gpi_info->gpt_l1_desc = (gpi_info->gpt_l1_addr)[gpi_info->idx]; 999 gpi_info->gpi = (gpi_info->gpt_l1_desc >> gpi_info->gpi_shift) & 1000 GPT_L1_GRAN_DESC_GPI_MASK; 1001 return 0; 1002 } 1003 1004 /* 1005 * This function is the granule transition delegate service. When a granule 1006 * transition request occurs it is routed to this function to have the request, 1007 * if valid, fulfilled following A1.1.1 Delegate of RME supplement 1008 * 1009 * TODO: implement support for transitioning multiple granules at once. 1010 * 1011 * Parameters 1012 * base Base address of the region to transition, must be 1013 * aligned to granule size. 1014 * size Size of region to transition, must be aligned to granule 1015 * size. 1016 * src_sec_state Security state of the caller. 1017 * 1018 * Return 1019 * Negative Linux error code in the event of a failure, 0 for success. 1020 */ 1021 int gpt_delegate_pas(uint64_t base, size_t size, unsigned int src_sec_state) 1022 { 1023 gpi_info_t gpi_info; 1024 uint64_t nse; 1025 int res; 1026 unsigned int target_pas; 1027 1028 /* Ensure that the tables have been set up before taking requests. */ 1029 assert(gpt_config.plat_gpt_l0_base != 0UL); 1030 1031 /* Ensure that caches are enabled. */ 1032 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL); 1033 1034 /* Delegate request can only come from REALM or SECURE */ 1035 assert(src_sec_state == SMC_FROM_REALM || 1036 src_sec_state == SMC_FROM_SECURE); 1037 1038 /* See if this is a single or a range of granule transition. */ 1039 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) { 1040 return -EINVAL; 1041 } 1042 1043 /* Check that base and size are valid */ 1044 if ((ULONG_MAX - base) < size) { 1045 VERBOSE("[GPT] Transition request address overflow!\n"); 1046 VERBOSE(" Base=0x%" PRIx64 "\n", base); 1047 VERBOSE(" Size=0x%lx\n", size); 1048 return -EINVAL; 1049 } 1050 1051 /* Make sure base and size are valid. */ 1052 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) || 1053 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) || 1054 (size == 0UL) || 1055 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) { 1056 VERBOSE("[GPT] Invalid granule transition address range!\n"); 1057 VERBOSE(" Base=0x%" PRIx64 "\n", base); 1058 VERBOSE(" Size=0x%lx\n", size); 1059 return -EINVAL; 1060 } 1061 1062 target_pas = GPT_GPI_REALM; 1063 if (src_sec_state == SMC_FROM_SECURE) { 1064 target_pas = GPT_GPI_SECURE; 1065 } 1066 1067 /* 1068 * Access to L1 tables is controlled by a global lock to ensure 1069 * that no more than one CPU is allowed to make changes at any 1070 * given time. 1071 */ 1072 spin_lock(&gpt_lock); 1073 res = get_gpi_params(base, &gpi_info); 1074 if (res != 0) { 1075 spin_unlock(&gpt_lock); 1076 return res; 1077 } 1078 1079 /* Check that the current address is in NS state */ 1080 if (gpi_info.gpi != GPT_GPI_NS) { 1081 VERBOSE("[GPT] Only Granule in NS state can be delegated.\n"); 1082 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state, 1083 gpi_info.gpi); 1084 spin_unlock(&gpt_lock); 1085 return -EPERM; 1086 } 1087 1088 if (src_sec_state == SMC_FROM_SECURE) { 1089 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT; 1090 } else { 1091 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT; 1092 } 1093 1094 /* 1095 * In order to maintain mutual distrust between Realm and Secure 1096 * states, remove any data speculatively fetched into the target 1097 * physical address space. Issue DC CIPAPA over address range 1098 */ 1099 if (is_feat_mte2_supported()) { 1100 flush_dcache_to_popa_range_mte2(nse | base, 1101 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1102 } else { 1103 flush_dcache_to_popa_range(nse | base, 1104 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1105 } 1106 1107 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1108 gpi_info.gpi_shift, gpi_info.idx, target_pas); 1109 dsboshst(); 1110 1111 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1112 dsbosh(); 1113 1114 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT; 1115 1116 if (is_feat_mte2_supported()) { 1117 flush_dcache_to_popa_range_mte2(nse | base, 1118 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1119 } else { 1120 flush_dcache_to_popa_range(nse | base, 1121 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1122 } 1123 1124 /* Unlock access to the L1 tables. */ 1125 spin_unlock(&gpt_lock); 1126 1127 /* 1128 * The isb() will be done as part of context 1129 * synchronization when returning to lower EL 1130 */ 1131 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n", 1132 base, gpi_info.gpi, target_pas); 1133 1134 return 0; 1135 } 1136 1137 /* 1138 * This function is the granule transition undelegate service. When a granule 1139 * transition request occurs it is routed to this function where the request is 1140 * validated then fulfilled if possible. 1141 * 1142 * TODO: implement support for transitioning multiple granules at once. 1143 * 1144 * Parameters 1145 * base Base address of the region to transition, must be 1146 * aligned to granule size. 1147 * size Size of region to transition, must be aligned to granule 1148 * size. 1149 * src_sec_state Security state of the caller. 1150 * 1151 * Return 1152 * Negative Linux error code in the event of a failure, 0 for success. 1153 */ 1154 int gpt_undelegate_pas(uint64_t base, size_t size, unsigned int src_sec_state) 1155 { 1156 gpi_info_t gpi_info; 1157 uint64_t nse; 1158 int res; 1159 1160 /* Ensure that the tables have been set up before taking requests. */ 1161 assert(gpt_config.plat_gpt_l0_base != 0UL); 1162 1163 /* Ensure that MMU and caches are enabled. */ 1164 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL); 1165 1166 /* Delegate request can only come from REALM or SECURE */ 1167 assert(src_sec_state == SMC_FROM_REALM || 1168 src_sec_state == SMC_FROM_SECURE); 1169 1170 /* See if this is a single or a range of granule transition. */ 1171 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) { 1172 return -EINVAL; 1173 } 1174 1175 /* Check that base and size are valid */ 1176 if ((ULONG_MAX - base) < size) { 1177 VERBOSE("[GPT] Transition request address overflow!\n"); 1178 VERBOSE(" Base=0x%" PRIx64 "\n", base); 1179 VERBOSE(" Size=0x%lx\n", size); 1180 return -EINVAL; 1181 } 1182 1183 /* Make sure base and size are valid. */ 1184 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) || 1185 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) || 1186 (size == 0UL) || 1187 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) { 1188 VERBOSE("[GPT] Invalid granule transition address range!\n"); 1189 VERBOSE(" Base=0x%" PRIx64 "\n", base); 1190 VERBOSE(" Size=0x%lx\n", size); 1191 return -EINVAL; 1192 } 1193 1194 /* 1195 * Access to L1 tables is controlled by a global lock to ensure 1196 * that no more than one CPU is allowed to make changes at any 1197 * given time. 1198 */ 1199 spin_lock(&gpt_lock); 1200 1201 res = get_gpi_params(base, &gpi_info); 1202 if (res != 0) { 1203 spin_unlock(&gpt_lock); 1204 return res; 1205 } 1206 1207 /* Check that the current address is in the delegated state */ 1208 if ((src_sec_state == SMC_FROM_REALM && 1209 gpi_info.gpi != GPT_GPI_REALM) || 1210 (src_sec_state == SMC_FROM_SECURE && 1211 gpi_info.gpi != GPT_GPI_SECURE)) { 1212 VERBOSE("[GPT] Only Granule in REALM or SECURE state can be undelegated.\n"); 1213 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state, 1214 gpi_info.gpi); 1215 spin_unlock(&gpt_lock); 1216 return -EPERM; 1217 } 1218 1219 1220 /* In order to maintain mutual distrust between Realm and Secure 1221 * states, remove access now, in order to guarantee that writes 1222 * to the currently-accessible physical address space will not 1223 * later become observable. 1224 */ 1225 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1226 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NO_ACCESS); 1227 dsboshst(); 1228 1229 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1230 dsbosh(); 1231 1232 if (src_sec_state == SMC_FROM_SECURE) { 1233 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT; 1234 } else { 1235 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT; 1236 } 1237 1238 /* Ensure that the scrubbed data has made it past the PoPA */ 1239 if (is_feat_mte2_supported()) { 1240 flush_dcache_to_popa_range_mte2(nse | base, 1241 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1242 } else { 1243 flush_dcache_to_popa_range(nse | base, 1244 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1245 } 1246 1247 /* 1248 * Remove any data loaded speculatively 1249 * in NS space from before the scrubbing 1250 */ 1251 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT; 1252 1253 if (is_feat_mte2_supported()) { 1254 flush_dcache_to_popa_range_mte2(nse | base, 1255 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1256 } else { 1257 flush_dcache_to_popa_range(nse | base, 1258 GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1259 } 1260 1261 /* Clear existing GPI encoding and transition granule. */ 1262 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr, 1263 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NS); 1264 dsboshst(); 1265 1266 /* Ensure that all agents observe the new NS configuration */ 1267 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p)); 1268 dsbosh(); 1269 1270 /* Unlock access to the L1 tables. */ 1271 spin_unlock(&gpt_lock); 1272 1273 /* 1274 * The isb() will be done as part of context 1275 * synchronization when returning to lower EL 1276 */ 1277 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n", 1278 base, gpi_info.gpi, GPT_GPI_NS); 1279 1280 return 0; 1281 } 1282