xref: /rk3399_ARM-atf/services/spd/tlkd/tlkd_main.c (revision 0b32628eddfef95b51909816f625e6f37cd21cb8) 
1 /*
2  * Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *
7  * Redistributions of source code must retain the above copyright notice, this
8  * list of conditions and the following disclaimer.
9  *
10  * Redistributions in binary form must reproduce the above copyright notice,
11  * this list of conditions and the following disclaimer in the documentation
12  * and/or other materials provided with the distribution.
13  *
14  * Neither the name of ARM nor the names of its contributors may be used
15  * to endorse or promote products derived from this software without specific
16  * prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  * POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 /*******************************************************************************
32  * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a
33  * plug-in component to the Secure Monitor, registered as a runtime service. The
34  * SPD is expected to be a functional extension of the Secure Payload (SP) that
35  * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting
36  * the Trusted OS/Applications range to the dispatcher. The SPD will either
37  * handle the request locally or delegate it to the Secure Payload. It is also
38  * responsible for initialising and maintaining communication with the SP.
39  ******************************************************************************/
40 #include <arch_helpers.h>
41 #include <assert.h>
42 #include <bl_common.h>
43 #include <bl31.h>
44 #include <context_mgmt.h>
45 #include <debug.h>
46 #include <errno.h>
47 #include <platform.h>
48 #include <runtime_svc.h>
49 #include <stddef.h>
50 #include <tlk.h>
51 #include <uuid.h>
52 #include "tlkd_private.h"
53 
54 extern const spd_pm_ops_t tlkd_pm_ops;
55 
56 /*******************************************************************************
57  * Per-cpu Secure Payload state
58  ******************************************************************************/
59 tlk_context_t tlk_ctx;
60 
61 /*******************************************************************************
62  * CPU number on which TLK booted up
63  ******************************************************************************/
64 static int boot_cpu;
65 
66 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */
67 DEFINE_SVC_UUID(tlk_uuid,
68 		0xbd11e9c9, 0x2bba, 0x52ee, 0xb1, 0x72,
69 		0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63);
70 
71 int32_t tlkd_init(void);
72 
73 /*******************************************************************************
74  * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type
75  * (aarch32/aarch64) if not already known and initialises the context for entry
76  * into the SP for its initialisation.
77  ******************************************************************************/
78 int32_t tlkd_setup(void)
79 {
80 	entry_point_info_t *tlk_ep_info;
81 
82 	/*
83 	 * Get information about the Secure Payload (BL32) image. Its
84 	 * absence is a critical failure.
85 	 */
86 	tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE);
87 	if (!tlk_ep_info) {
88 		WARN("No SP provided. Booting device without SP"
89 			" initialization. SMC`s destined for SP"
90 			" will return SMC_UNK\n");
91 		return 1;
92 	}
93 
94 	/*
95 	 * If there's no valid entry point for SP, we return a non-zero value
96 	 * signalling failure initializing the service. We bail out without
97 	 * registering any handlers
98 	 */
99 	if (!tlk_ep_info->pc)
100 		return 1;
101 
102 	/*
103 	 * Inspect the SP image's SPSR and determine it's execution state
104 	 * i.e whether AArch32 or AArch64.
105 	 */
106 	tlkd_init_tlk_ep_state(tlk_ep_info,
107 		(tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK,
108 		tlk_ep_info->pc,
109 		&tlk_ctx);
110 
111 	/*
112 	 * All TLK SPD initialization done. Now register our init function
113 	 * with BL31 for deferred invocation
114 	 */
115 	bl31_register_bl32_init(&tlkd_init);
116 
117 	return 0;
118 }
119 
120 /*******************************************************************************
121  * This function passes control to the Secure Payload image (BL32) for the first
122  * time on the primary cpu after a cold boot. It assumes that a valid secure
123  * context has already been created by tlkd_setup() which can be directly
124  * used. This function performs a synchronous entry into the Secure payload.
125  * The SP passes control back to this routine through a SMC.
126  ******************************************************************************/
127 int32_t tlkd_init(void)
128 {
129 	entry_point_info_t *tlk_entry_point;
130 
131 	/*
132 	 * Get information about the Secure Payload (BL32) image. Its
133 	 * absence is a critical failure.
134 	 */
135 	tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE);
136 	assert(tlk_entry_point);
137 
138 	cm_init_my_context(tlk_entry_point);
139 
140 	/*
141 	 * TLK runs only on a single CPU. Store the value of the boot
142 	 * CPU for sanity checking later.
143 	 */
144 	boot_cpu = plat_my_core_pos();
145 
146 	/*
147 	 * Arrange for an entry into the test secure payload.
148 	 */
149 	return tlkd_synchronous_sp_entry(&tlk_ctx);
150 }
151 
152 /*******************************************************************************
153  * This function is responsible for handling all SMCs in the Trusted OS/App
154  * range from the non-secure state as defined in the SMC Calling Convention
155  * Document. It is also responsible for communicating with the Secure payload
156  * to delegate work and return results back to the non-secure state. Lastly it
157  * will also return any information that the secure payload needs to do the
158  * work assigned to it.
159  ******************************************************************************/
160 uint64_t tlkd_smc_handler(uint32_t smc_fid,
161 			 uint64_t x1,
162 			 uint64_t x2,
163 			 uint64_t x3,
164 			 uint64_t x4,
165 			 void *cookie,
166 			 void *handle,
167 			 uint64_t flags)
168 {
169 	cpu_context_t *ns_cpu_context;
170 	gp_regs_t *gp_regs;
171 	uint32_t ns;
172 	uint64_t par;
173 
174 	/* Passing a NULL context is a critical programming error */
175 	assert(handle);
176 
177 	/* These SMCs are only supported by a single CPU */
178 	if (boot_cpu != plat_my_core_pos())
179 		SMC_RET1(handle, SMC_UNK);
180 
181 	/* Determine which security state this SMC originated from */
182 	ns = is_caller_non_secure(flags);
183 
184 	switch (smc_fid) {
185 
186 	/*
187 	 * This function ID is used by SP to indicate that it was
188 	 * preempted by a non-secure world IRQ.
189 	 */
190 	case TLK_PREEMPTED:
191 
192 		if (ns)
193 			SMC_RET1(handle, SMC_UNK);
194 
195 		assert(handle == cm_get_context(SECURE));
196 		cm_el1_sysregs_context_save(SECURE);
197 
198 		/* Get a reference to the non-secure context */
199 		ns_cpu_context = cm_get_context(NON_SECURE);
200 		assert(ns_cpu_context);
201 
202 		/*
203 		 * Restore non-secure state. There is no need to save the
204 		 * secure system register context since the SP was supposed
205 		 * to preserve it during S-EL1 interrupt handling.
206 		 */
207 		cm_el1_sysregs_context_restore(NON_SECURE);
208 		cm_set_next_eret_context(NON_SECURE);
209 
210 		SMC_RET1(ns_cpu_context, x1);
211 
212 	/*
213 	 * This is a request from the non-secure context to:
214 	 *
215 	 * a. register shared memory with the SP for storing it's
216 	 *    activity logs.
217 	 * b. register shared memory with the SP for passing args
218 	 *    required for maintaining sessions with the Trusted
219 	 *    Applications.
220 	 * c. open/close sessions
221 	 * d. issue commands to the Trusted Apps
222 	 * e. resume the preempted standard SMC call.
223 	 */
224 	case TLK_REGISTER_LOGBUF:
225 	case TLK_REGISTER_REQBUF:
226 	case TLK_OPEN_TA_SESSION:
227 	case TLK_CLOSE_TA_SESSION:
228 	case TLK_TA_LAUNCH_OP:
229 	case TLK_TA_SEND_EVENT:
230 	case TLK_RESUME_FID:
231 
232 		if (!ns)
233 			SMC_RET1(handle, SMC_UNK);
234 
235 		/*
236 		 * This is a fresh request from the non-secure client.
237 		 * The parameters are in x1 and x2. Figure out which
238 		 * registers need to be preserved, save the non-secure
239 		 * state and send the request to the secure payload.
240 		 */
241 		assert(handle == cm_get_context(NON_SECURE));
242 
243 		/*
244 		 * Check if we are already processing a standard SMC
245 		 * call. Of all the supported fids, only the "resume"
246 		 * fid expects the flag to be set.
247 		 */
248 		if (smc_fid == TLK_RESUME_FID) {
249 			if (!get_std_smc_active_flag(tlk_ctx.state))
250 				SMC_RET1(handle, SMC_UNK);
251 		} else {
252 			if (get_std_smc_active_flag(tlk_ctx.state))
253 				SMC_RET1(handle, SMC_UNK);
254 		}
255 
256 		cm_el1_sysregs_context_save(NON_SECURE);
257 
258 		/*
259 		 * Verify if there is a valid context to use.
260 		 */
261 		assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE));
262 
263 		/*
264 		 * Mark the SP state as active.
265 		 */
266 		set_std_smc_active_flag(tlk_ctx.state);
267 
268 		/*
269 		 * We are done stashing the non-secure context. Ask the
270 		 * secure payload to do the work now.
271 		 */
272 		cm_el1_sysregs_context_restore(SECURE);
273 		cm_set_next_eret_context(SECURE);
274 
275 		/*
276 		 * TLK is a 32-bit Trusted OS and so expects the SMC
277 		 * arguments via r0-r7. TLK expects the monitor frame
278 		 * registers to be 64-bits long. Hence, we pass x0 in
279 		 * r0-r1, x1 in r2-r3, x3 in r4-r5 and x4 in r6-r7.
280 		 *
281 		 * As smc_fid is a uint32 value, r1 contains 0.
282 		 */
283 		gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx);
284 		write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2);
285 		write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32));
286 		write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3);
287 		write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32));
288 		SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1,
289 			(uint32_t)(x1 >> 32));
290 
291 	/*
292 	 * Translate NS/EL1-S virtual addresses.
293 	 *
294 	 * x1 = virtual address
295 	 * x3 = type (NS/S)
296 	 *
297 	 * Returns PA:lo in r0, PA:hi in r1.
298 	 */
299 	case TLK_VA_TRANSLATE:
300 
301 		/* Should be invoked only by secure world */
302 		if (ns)
303 			SMC_RET1(handle, SMC_UNK);
304 
305 		/* NS virtual addresses are 64-bit long */
306 		if (x3 & TLK_TRANSLATE_NS_VADDR)
307 			x1 = (uint32_t)x1 | (x2 << 32);
308 
309 		if (!x1)
310 			SMC_RET1(handle, SMC_UNK);
311 
312 		/*
313 		 * TODO: Sanity check x1. This would require platform
314 		 * support.
315 		 */
316 
317 		/* virtual address and type: ns/s */
318 		par = tlkd_va_translate(x1, x3);
319 
320 		/* return physical address in r0-r1 */
321 		SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0);
322 
323 	/*
324 	 * This is a request from the SP to mark completion of
325 	 * a standard function ID.
326 	 */
327 	case TLK_REQUEST_DONE:
328 		if (ns)
329 			SMC_RET1(handle, SMC_UNK);
330 
331 		/*
332 		 * Mark the SP state as inactive.
333 		 */
334 		clr_std_smc_active_flag(tlk_ctx.state);
335 
336 		/* Get a reference to the non-secure context */
337 		ns_cpu_context = cm_get_context(NON_SECURE);
338 		assert(ns_cpu_context);
339 
340 		/*
341 		 * This is a request completion SMC and we must switch to
342 		 * the non-secure world to pass the result.
343 		 */
344 		cm_el1_sysregs_context_save(SECURE);
345 
346 		/*
347 		 * We are done stashing the secure context. Switch to the
348 		 * non-secure context and return the result.
349 		 */
350 		cm_el1_sysregs_context_restore(NON_SECURE);
351 		cm_set_next_eret_context(NON_SECURE);
352 		SMC_RET1(ns_cpu_context, x1);
353 
354 	/*
355 	 * This function ID is used only by the SP to indicate it has
356 	 * finished initialising itself after a cold boot
357 	 */
358 	case TLK_ENTRY_DONE:
359 		if (ns)
360 			SMC_RET1(handle, SMC_UNK);
361 
362 		/*
363 		 * SP has been successfully initialized. Register power
364 		 * managemnt hooks with PSCI
365 		 */
366 		psci_register_spd_pm_hook(&tlkd_pm_ops);
367 
368 		/*
369 		 * TLK reports completion. The SPD must have initiated
370 		 * the original request through a synchronous entry
371 		 * into the SP. Jump back to the original C runtime
372 		 * context.
373 		 */
374 		tlkd_synchronous_sp_exit(&tlk_ctx, x1);
375 
376 	/*
377 	 * These function IDs are used only by TLK to indicate it has
378 	 * finished:
379 	 * 1. suspending itself after an earlier psci cpu_suspend
380 	 *    request.
381 	 * 2. resuming itself after an earlier psci cpu_suspend
382 	 *    request.
383 	 * 3. powering down after an earlier psci system_off/system_reset
384 	 *    request.
385 	 */
386 	case TLK_SUSPEND_DONE:
387 	case TLK_RESUME_DONE:
388 	case TLK_SYSTEM_OFF_DONE:
389 
390 		if (ns)
391 			SMC_RET1(handle, SMC_UNK);
392 
393 		/*
394 		 * TLK reports completion. TLKD must have initiated the
395 		 * original request through a synchronous entry into the SP.
396 		 * Jump back to the original C runtime context, and pass x1 as
397 		 * return value to the caller
398 		 */
399 		tlkd_synchronous_sp_exit(&tlk_ctx, x1);
400 
401 	/*
402 	 * Return the number of service function IDs implemented to
403 	 * provide service to non-secure
404 	 */
405 	case TOS_CALL_COUNT:
406 		SMC_RET1(handle, TLK_NUM_FID);
407 
408 	/*
409 	 * Return TLK's UID to the caller
410 	 */
411 	case TOS_UID:
412 		SMC_UUID_RET(handle, tlk_uuid);
413 
414 	/*
415 	 * Return the version of current implementation
416 	 */
417 	case TOS_CALL_VERSION:
418 		SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR);
419 
420 	default:
421 		break;
422 	}
423 
424 	SMC_RET1(handle, SMC_UNK);
425 }
426 
427 /* Define a SPD runtime service descriptor for fast SMC calls */
428 DECLARE_RT_SVC(
429 	tlkd_tos_fast,
430 
431 	OEN_TOS_START,
432 	OEN_TOS_END,
433 	SMC_TYPE_FAST,
434 	tlkd_setup,
435 	tlkd_smc_handler
436 );
437 
438 /* Define a SPD runtime service descriptor for standard SMC calls */
439 DECLARE_RT_SVC(
440 	tlkd_tos_std,
441 
442 	OEN_TOS_START,
443 	OEN_TOS_END,
444 	SMC_TYPE_STD,
445 	NULL,
446 	tlkd_smc_handler
447 );
448 
449 /* Define a SPD runtime service descriptor for fast SMC calls */
450 DECLARE_RT_SVC(
451 	tlkd_tap_fast,
452 
453 	OEN_TAP_START,
454 	OEN_TAP_END,
455 	SMC_TYPE_FAST,
456 	NULL,
457 	tlkd_smc_handler
458 );
459 
460 /* Define a SPD runtime service descriptor for standard SMC calls */
461 DECLARE_RT_SVC(
462 	tlkd_tap_std,
463 
464 	OEN_TAP_START,
465 	OEN_TAP_END,
466 	SMC_TYPE_STD,
467 	NULL,
468 	tlkd_smc_handler
469 );
470