1 /* 2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * Redistributions of source code must retain the above copyright notice, this 8 * list of conditions and the following disclaimer. 9 * 10 * Redistributions in binary form must reproduce the above copyright notice, 11 * this list of conditions and the following disclaimer in the documentation 12 * and/or other materials provided with the distribution. 13 * 14 * Neither the name of ARM nor the names of its contributors may be used 15 * to endorse or promote products derived from this software without specific 16 * prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 * POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /******************************************************************************* 32 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a 33 * plug-in component to the Secure Monitor, registered as a runtime service. The 34 * SPD is expected to be a functional extension of the Secure Payload (SP) that 35 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting 36 * the Trusted OS/Applications range to the dispatcher. The SPD will either 37 * handle the request locally or delegate it to the Secure Payload. It is also 38 * responsible for initialising and maintaining communication with the SP. 39 ******************************************************************************/ 40 #include <arch_helpers.h> 41 #include <assert.h> 42 #include <bl_common.h> 43 #include <bl31.h> 44 #include <context_mgmt.h> 45 #include <debug.h> 46 #include <errno.h> 47 #include <platform.h> 48 #include <runtime_svc.h> 49 #include <stddef.h> 50 #include <tlk.h> 51 #include <uuid.h> 52 #include "tlkd_private.h" 53 54 extern const spd_pm_ops_t tlkd_pm_ops; 55 56 /******************************************************************************* 57 * Per-cpu Secure Payload state 58 ******************************************************************************/ 59 tlk_context_t tlk_ctx; 60 61 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */ 62 DEFINE_SVC_UUID(tlk_uuid, 63 0xbd11e9c9, 0x2bba, 0x52ee, 0xb1, 0x72, 64 0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63); 65 66 int32_t tlkd_init(void); 67 68 /******************************************************************************* 69 * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type 70 * (aarch32/aarch64) if not already known and initialises the context for entry 71 * into the SP for its initialisation. 72 ******************************************************************************/ 73 int32_t tlkd_setup(void) 74 { 75 entry_point_info_t *tlk_ep_info; 76 77 /* 78 * Get information about the Secure Payload (BL32) image. Its 79 * absence is a critical failure. 80 */ 81 tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 82 if (!tlk_ep_info) { 83 WARN("No SP provided. Booting device without SP" 84 " initialization. SMC`s destined for SP" 85 " will return SMC_UNK\n"); 86 return 1; 87 } 88 89 /* 90 * If there's no valid entry point for SP, we return a non-zero value 91 * signalling failure initializing the service. We bail out without 92 * registering any handlers 93 */ 94 if (!tlk_ep_info->pc) 95 return 1; 96 97 /* 98 * Inspect the SP image's SPSR and determine it's execution state 99 * i.e whether AArch32 or AArch64. 100 */ 101 tlkd_init_tlk_ep_state(tlk_ep_info, 102 (tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK, 103 tlk_ep_info->pc, 104 &tlk_ctx); 105 106 /* 107 * All TLK SPD initialization done. Now register our init function 108 * with BL31 for deferred invocation 109 */ 110 bl31_register_bl32_init(&tlkd_init); 111 112 return 0; 113 } 114 115 /******************************************************************************* 116 * This function passes control to the Secure Payload image (BL32) for the first 117 * time on the primary cpu after a cold boot. It assumes that a valid secure 118 * context has already been created by tlkd_setup() which can be directly 119 * used. This function performs a synchronous entry into the Secure payload. 120 * The SP passes control back to this routine through a SMC. 121 ******************************************************************************/ 122 int32_t tlkd_init(void) 123 { 124 entry_point_info_t *tlk_entry_point; 125 126 /* 127 * Get information about the Secure Payload (BL32) image. Its 128 * absence is a critical failure. 129 */ 130 tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE); 131 assert(tlk_entry_point); 132 133 cm_init_my_context(tlk_entry_point); 134 135 /* 136 * Arrange for an entry into the test secure payload. 137 */ 138 return tlkd_synchronous_sp_entry(&tlk_ctx); 139 } 140 141 /******************************************************************************* 142 * This function is responsible for handling all SMCs in the Trusted OS/App 143 * range from the non-secure state as defined in the SMC Calling Convention 144 * Document. It is also responsible for communicating with the Secure payload 145 * to delegate work and return results back to the non-secure state. Lastly it 146 * will also return any information that the secure payload needs to do the 147 * work assigned to it. 148 ******************************************************************************/ 149 uint64_t tlkd_smc_handler(uint32_t smc_fid, 150 uint64_t x1, 151 uint64_t x2, 152 uint64_t x3, 153 uint64_t x4, 154 void *cookie, 155 void *handle, 156 uint64_t flags) 157 { 158 cpu_context_t *ns_cpu_context; 159 gp_regs_t *gp_regs; 160 uint32_t ns; 161 uint64_t par; 162 163 /* Passing a NULL context is a critical programming error */ 164 assert(handle); 165 166 /* These SMCs are only supported by CPU0 */ 167 if ((read_mpidr() & MPIDR_CPU_MASK) != 0) 168 SMC_RET1(handle, SMC_UNK); 169 170 /* Determine which security state this SMC originated from */ 171 ns = is_caller_non_secure(flags); 172 173 switch (smc_fid) { 174 175 /* 176 * This function ID is used by SP to indicate that it was 177 * preempted by a non-secure world IRQ. 178 */ 179 case TLK_PREEMPTED: 180 181 if (ns) 182 SMC_RET1(handle, SMC_UNK); 183 184 assert(handle == cm_get_context(SECURE)); 185 cm_el1_sysregs_context_save(SECURE); 186 187 /* Get a reference to the non-secure context */ 188 ns_cpu_context = cm_get_context(NON_SECURE); 189 assert(ns_cpu_context); 190 191 /* 192 * Restore non-secure state. There is no need to save the 193 * secure system register context since the SP was supposed 194 * to preserve it during S-EL1 interrupt handling. 195 */ 196 cm_el1_sysregs_context_restore(NON_SECURE); 197 cm_set_next_eret_context(NON_SECURE); 198 199 SMC_RET1(ns_cpu_context, x1); 200 201 /* 202 * This is a request from the non-secure context to: 203 * 204 * a. register shared memory with the SP for storing it's 205 * activity logs. 206 * b. register shared memory with the SP for passing args 207 * required for maintaining sessions with the Trusted 208 * Applications. 209 * c. open/close sessions 210 * d. issue commands to the Trusted Apps 211 * e. resume the preempted standard SMC call. 212 */ 213 case TLK_REGISTER_LOGBUF: 214 case TLK_REGISTER_REQBUF: 215 case TLK_OPEN_TA_SESSION: 216 case TLK_CLOSE_TA_SESSION: 217 case TLK_TA_LAUNCH_OP: 218 case TLK_TA_SEND_EVENT: 219 case TLK_RESUME_FID: 220 221 if (!ns) 222 SMC_RET1(handle, SMC_UNK); 223 224 /* 225 * This is a fresh request from the non-secure client. 226 * The parameters are in x1 and x2. Figure out which 227 * registers need to be preserved, save the non-secure 228 * state and send the request to the secure payload. 229 */ 230 assert(handle == cm_get_context(NON_SECURE)); 231 232 /* 233 * Check if we are already processing a standard SMC 234 * call. Of all the supported fids, only the "resume" 235 * fid expects the flag to be set. 236 */ 237 if (smc_fid == TLK_RESUME_FID) { 238 if (!get_std_smc_active_flag(tlk_ctx.state)) 239 SMC_RET1(handle, SMC_UNK); 240 } else { 241 if (get_std_smc_active_flag(tlk_ctx.state)) 242 SMC_RET1(handle, SMC_UNK); 243 } 244 245 cm_el1_sysregs_context_save(NON_SECURE); 246 247 /* 248 * Verify if there is a valid context to use. 249 */ 250 assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE)); 251 252 /* 253 * Mark the SP state as active. 254 */ 255 set_std_smc_active_flag(tlk_ctx.state); 256 257 /* 258 * We are done stashing the non-secure context. Ask the 259 * secure payload to do the work now. 260 */ 261 cm_el1_sysregs_context_restore(SECURE); 262 cm_set_next_eret_context(SECURE); 263 264 /* 265 * TLK is a 32-bit Trusted OS and so expects the SMC 266 * arguments via r0-r7. TLK expects the monitor frame 267 * registers to be 64-bits long. Hence, we pass x0 in 268 * r0-r1, x1 in r2-r3, x3 in r4-r5 and x4 in r6-r7. 269 * 270 * As smc_fid is a uint32 value, r1 contains 0. 271 */ 272 gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx); 273 write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2); 274 write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32)); 275 write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3); 276 write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32)); 277 SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1, 278 (uint32_t)(x1 >> 32)); 279 280 /* 281 * Translate NS/EL1-S virtual addresses. 282 * 283 * x1 = virtual address 284 * x3 = type (NS/S) 285 * 286 * Returns PA:lo in r0, PA:hi in r1. 287 */ 288 case TLK_VA_TRANSLATE: 289 290 /* Should be invoked only by secure world */ 291 if (ns) 292 SMC_RET1(handle, SMC_UNK); 293 294 /* NS virtual addresses are 64-bit long */ 295 if (x3 & TLK_TRANSLATE_NS_VADDR) 296 x1 = (uint32_t)x1 | (x2 << 32); 297 298 if (!x1) 299 SMC_RET1(handle, SMC_UNK); 300 301 /* 302 * TODO: Sanity check x1. This would require platform 303 * support. 304 */ 305 306 /* virtual address and type: ns/s */ 307 par = tlkd_va_translate(x1, x3); 308 309 /* return physical address in r0-r1 */ 310 SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0); 311 312 /* 313 * This is a request from the SP to mark completion of 314 * a standard function ID. 315 */ 316 case TLK_REQUEST_DONE: 317 if (ns) 318 SMC_RET1(handle, SMC_UNK); 319 320 /* 321 * Mark the SP state as inactive. 322 */ 323 clr_std_smc_active_flag(tlk_ctx.state); 324 325 /* Get a reference to the non-secure context */ 326 ns_cpu_context = cm_get_context(NON_SECURE); 327 assert(ns_cpu_context); 328 329 /* 330 * This is a request completion SMC and we must switch to 331 * the non-secure world to pass the result. 332 */ 333 cm_el1_sysregs_context_save(SECURE); 334 335 /* 336 * We are done stashing the secure context. Switch to the 337 * non-secure context and return the result. 338 */ 339 cm_el1_sysregs_context_restore(NON_SECURE); 340 cm_set_next_eret_context(NON_SECURE); 341 SMC_RET1(ns_cpu_context, x1); 342 343 /* 344 * This function ID is used only by the SP to indicate it has 345 * finished initialising itself after a cold boot 346 */ 347 case TLK_ENTRY_DONE: 348 if (ns) 349 SMC_RET1(handle, SMC_UNK); 350 351 /* 352 * SP has been successfully initialized. Register power 353 * managemnt hooks with PSCI 354 */ 355 psci_register_spd_pm_hook(&tlkd_pm_ops); 356 357 /* 358 * TLK reports completion. The SPD must have initiated 359 * the original request through a synchronous entry 360 * into the SP. Jump back to the original C runtime 361 * context. 362 */ 363 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 364 365 /* 366 * These function IDs are used only by TLK to indicate it has 367 * finished: 368 * 1. suspending itself after an earlier psci cpu_suspend 369 * request. 370 * 2. resuming itself after an earlier psci cpu_suspend 371 * request. 372 * 3. powering down after an earlier psci system_off/system_reset 373 * request. 374 */ 375 case TLK_SUSPEND_DONE: 376 case TLK_RESUME_DONE: 377 case TLK_SYSTEM_OFF_DONE: 378 379 if (ns) 380 SMC_RET1(handle, SMC_UNK); 381 382 /* 383 * TLK reports completion. TLKD must have initiated the 384 * original request through a synchronous entry into the SP. 385 * Jump back to the original C runtime context, and pass x1 as 386 * return value to the caller 387 */ 388 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 389 390 /* 391 * Return the number of service function IDs implemented to 392 * provide service to non-secure 393 */ 394 case TOS_CALL_COUNT: 395 SMC_RET1(handle, TLK_NUM_FID); 396 397 /* 398 * Return TLK's UID to the caller 399 */ 400 case TOS_UID: 401 SMC_UUID_RET(handle, tlk_uuid); 402 403 /* 404 * Return the version of current implementation 405 */ 406 case TOS_CALL_VERSION: 407 SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR); 408 409 default: 410 break; 411 } 412 413 SMC_RET1(handle, SMC_UNK); 414 } 415 416 /* Define a SPD runtime service descriptor for fast SMC calls */ 417 DECLARE_RT_SVC( 418 tlkd_tos_fast, 419 420 OEN_TOS_START, 421 OEN_TOS_END, 422 SMC_TYPE_FAST, 423 tlkd_setup, 424 tlkd_smc_handler 425 ); 426 427 /* Define a SPD runtime service descriptor for standard SMC calls */ 428 DECLARE_RT_SVC( 429 tlkd_tos_std, 430 431 OEN_TOS_START, 432 OEN_TOS_END, 433 SMC_TYPE_STD, 434 NULL, 435 tlkd_smc_handler 436 ); 437 438 /* Define a SPD runtime service descriptor for fast SMC calls */ 439 DECLARE_RT_SVC( 440 tlkd_tap_fast, 441 442 OEN_TAP_START, 443 OEN_TAP_END, 444 SMC_TYPE_FAST, 445 NULL, 446 tlkd_smc_handler 447 ); 448 449 /* Define a SPD runtime service descriptor for standard SMC calls */ 450 DECLARE_RT_SVC( 451 tlkd_tap_std, 452 453 OEN_TAP_START, 454 OEN_TAP_END, 455 SMC_TYPE_STD, 456 NULL, 457 tlkd_smc_handler 458 ); 459