1 /* 2 * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /******************************************************************************* 8 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a 9 * plug-in component to the Secure Monitor, registered as a runtime service. The 10 * SPD is expected to be a functional extension of the Secure Payload (SP) that 11 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting 12 * the Trusted OS/Applications range to the dispatcher. The SPD will either 13 * handle the request locally or delegate it to the Secure Payload. It is also 14 * responsible for initialising and maintaining communication with the SP. 15 ******************************************************************************/ 16 #include <arch_helpers.h> 17 #include <assert.h> 18 #include <bl31.h> 19 #include <bl_common.h> 20 #include <context_mgmt.h> 21 #include <debug.h> 22 #include <errno.h> 23 #include <platform.h> 24 #include <runtime_svc.h> 25 #include <stddef.h> 26 #include <tlk.h> 27 #include <uuid.h> 28 #include "tlkd_private.h" 29 30 extern const spd_pm_ops_t tlkd_pm_ops; 31 32 /******************************************************************************* 33 * Per-cpu Secure Payload state 34 ******************************************************************************/ 35 tlk_context_t tlk_ctx; 36 37 /******************************************************************************* 38 * CPU number on which TLK booted up 39 ******************************************************************************/ 40 static uint32_t boot_cpu; 41 42 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */ 43 DEFINE_SVC_UUID2(tlk_uuid, 44 0xc9e911bd, 0xba2b, 0xee52, 0xb1, 0x72, 45 0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63); 46 47 static int32_t tlkd_init(void); 48 49 /******************************************************************************* 50 * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type 51 * (aarch32/aarch64) if not already known and initialises the context for entry 52 * into the SP for its initialisation. 53 ******************************************************************************/ 54 static int32_t tlkd_setup(void) 55 { 56 entry_point_info_t *tlk_ep_info; 57 58 /* 59 * Get information about the Secure Payload (BL32) image. Its 60 * absence is a critical failure. 61 */ 62 tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 63 if (!tlk_ep_info) { 64 WARN("No SP provided. Booting device without SP" 65 " initialization. SMC`s destined for SP" 66 " will return SMC_UNK\n"); 67 return 1; 68 } 69 70 /* 71 * If there's no valid entry point for SP, we return a non-zero value 72 * signalling failure initializing the service. We bail out without 73 * registering any handlers 74 */ 75 if (!tlk_ep_info->pc) 76 return 1; 77 78 /* 79 * Inspect the SP image's SPSR and determine it's execution state 80 * i.e whether AArch32 or AArch64. 81 */ 82 tlkd_init_tlk_ep_state(tlk_ep_info, 83 (tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK, 84 tlk_ep_info->pc, 85 &tlk_ctx); 86 87 /* 88 * All TLK SPD initialization done. Now register our init function 89 * with BL31 for deferred invocation 90 */ 91 bl31_register_bl32_init(&tlkd_init); 92 93 return 0; 94 } 95 96 /******************************************************************************* 97 * This function passes control to the Secure Payload image (BL32) for the first 98 * time on the primary cpu after a cold boot. It assumes that a valid secure 99 * context has already been created by tlkd_setup() which can be directly 100 * used. This function performs a synchronous entry into the Secure payload. 101 * The SP passes control back to this routine through a SMC. 102 ******************************************************************************/ 103 static int32_t tlkd_init(void) 104 { 105 entry_point_info_t *tlk_entry_point; 106 107 /* 108 * Get information about the Secure Payload (BL32) image. Its 109 * absence is a critical failure. 110 */ 111 tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE); 112 assert(tlk_entry_point); 113 114 cm_init_my_context(tlk_entry_point); 115 116 /* 117 * TLK runs only on a single CPU. Store the value of the boot 118 * CPU for sanity checking later. 119 */ 120 boot_cpu = plat_my_core_pos(); 121 122 /* 123 * Arrange for an entry into the test secure payload. 124 */ 125 return tlkd_synchronous_sp_entry(&tlk_ctx); 126 } 127 128 /******************************************************************************* 129 * This function is responsible for handling all SMCs in the Trusted OS/App 130 * range from the non-secure state as defined in the SMC Calling Convention 131 * Document. It is also responsible for communicating with the Secure payload 132 * to delegate work and return results back to the non-secure state. Lastly it 133 * will also return any information that the secure payload needs to do the 134 * work assigned to it. 135 ******************************************************************************/ 136 static uintptr_t tlkd_smc_handler(uint32_t smc_fid, 137 u_register_t x1, 138 u_register_t x2, 139 u_register_t x3, 140 u_register_t x4, 141 void *cookie, 142 void *handle, 143 u_register_t flags) 144 { 145 cpu_context_t *ns_cpu_context; 146 gp_regs_t *gp_regs; 147 uint32_t ns; 148 uint64_t par; 149 150 /* Passing a NULL context is a critical programming error */ 151 assert(handle); 152 153 /* These SMCs are only supported by a single CPU */ 154 if (boot_cpu != plat_my_core_pos()) 155 SMC_RET1(handle, SMC_UNK); 156 157 /* Determine which security state this SMC originated from */ 158 ns = is_caller_non_secure(flags); 159 160 switch (smc_fid) { 161 162 /* 163 * This function ID is used by SP to indicate that it was 164 * preempted by a non-secure world IRQ. 165 */ 166 case TLK_PREEMPTED: 167 168 if (ns) 169 SMC_RET1(handle, SMC_UNK); 170 171 assert(handle == cm_get_context(SECURE)); 172 cm_el1_sysregs_context_save(SECURE); 173 174 /* Get a reference to the non-secure context */ 175 ns_cpu_context = cm_get_context(NON_SECURE); 176 assert(ns_cpu_context); 177 178 /* 179 * Restore non-secure state. There is no need to save the 180 * secure system register context since the SP was supposed 181 * to preserve it during S-EL1 interrupt handling. 182 */ 183 cm_el1_sysregs_context_restore(NON_SECURE); 184 cm_set_next_eret_context(NON_SECURE); 185 186 SMC_RET1(ns_cpu_context, x1); 187 188 /* 189 * This is a request from the non-secure context to: 190 * 191 * a. register shared memory with the SP for storing it's 192 * activity logs. 193 * b. register shared memory with the SP for passing args 194 * required for maintaining sessions with the Trusted 195 * Applications. 196 * c. register non-secure world's memory map with the OS 197 * d. open/close sessions 198 * e. issue commands to the Trusted Apps 199 * f. resume the preempted yielding SMC call. 200 */ 201 case TLK_REGISTER_LOGBUF: 202 case TLK_REGISTER_REQBUF: 203 case TLK_REGISTER_NS_DRAM: 204 case TLK_OPEN_TA_SESSION: 205 case TLK_CLOSE_TA_SESSION: 206 case TLK_TA_LAUNCH_OP: 207 case TLK_TA_SEND_EVENT: 208 case TLK_RESUME_FID: 209 210 if (!ns) 211 SMC_RET1(handle, SMC_UNK); 212 213 /* 214 * This is a fresh request from the non-secure client. 215 * The parameters are in x1 and x2. Figure out which 216 * registers need to be preserved, save the non-secure 217 * state and send the request to the secure payload. 218 */ 219 assert(handle == cm_get_context(NON_SECURE)); 220 221 /* 222 * Check if we are already processing a yielding SMC 223 * call. Of all the supported fids, only the "resume" 224 * fid expects the flag to be set. 225 */ 226 if (smc_fid == TLK_RESUME_FID) { 227 if (!get_yield_smc_active_flag(tlk_ctx.state)) 228 SMC_RET1(handle, SMC_UNK); 229 } else { 230 if (get_yield_smc_active_flag(tlk_ctx.state)) 231 SMC_RET1(handle, SMC_UNK); 232 } 233 234 cm_el1_sysregs_context_save(NON_SECURE); 235 236 /* 237 * Verify if there is a valid context to use. 238 */ 239 assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE)); 240 241 /* 242 * Mark the SP state as active. 243 */ 244 set_yield_smc_active_flag(tlk_ctx.state); 245 246 /* 247 * We are done stashing the non-secure context. Ask the 248 * secure payload to do the work now. 249 */ 250 cm_el1_sysregs_context_restore(SECURE); 251 cm_set_next_eret_context(SECURE); 252 253 /* 254 * TLK is a 32-bit Trusted OS and so expects the SMC 255 * arguments via r0-r7. TLK expects the monitor frame 256 * registers to be 64-bits long. Hence, we pass x0 in 257 * r0-r1, x1 in r2-r3, x3 in r4-r5 and x4 in r6-r7. 258 * 259 * As smc_fid is a uint32 value, r1 contains 0. 260 */ 261 gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx); 262 write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2); 263 write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32)); 264 write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3); 265 write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32)); 266 SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1, 267 (uint32_t)(x1 >> 32)); 268 269 /* 270 * Translate NS/EL1-S virtual addresses. 271 * 272 * x1 = virtual address 273 * x3 = type (NS/S) 274 * 275 * Returns PA:lo in r0, PA:hi in r1. 276 */ 277 case TLK_VA_TRANSLATE: 278 279 /* Should be invoked only by secure world */ 280 if (ns) 281 SMC_RET1(handle, SMC_UNK); 282 283 /* NS virtual addresses are 64-bit long */ 284 if (x3 & TLK_TRANSLATE_NS_VADDR) 285 x1 = (uint32_t)x1 | (x2 << 32); 286 287 if (!x1) 288 SMC_RET1(handle, SMC_UNK); 289 290 /* 291 * TODO: Sanity check x1. This would require platform 292 * support. 293 */ 294 295 /* virtual address and type: ns/s */ 296 par = tlkd_va_translate(x1, x3); 297 298 /* return physical address in r0-r1 */ 299 SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0); 300 301 /* 302 * This is a request from the SP to mark completion of 303 * a yielding function ID. 304 */ 305 case TLK_REQUEST_DONE: 306 if (ns) 307 SMC_RET1(handle, SMC_UNK); 308 309 /* 310 * Mark the SP state as inactive. 311 */ 312 clr_yield_smc_active_flag(tlk_ctx.state); 313 314 /* Get a reference to the non-secure context */ 315 ns_cpu_context = cm_get_context(NON_SECURE); 316 assert(ns_cpu_context); 317 318 /* 319 * This is a request completion SMC and we must switch to 320 * the non-secure world to pass the result. 321 */ 322 cm_el1_sysregs_context_save(SECURE); 323 324 /* 325 * We are done stashing the secure context. Switch to the 326 * non-secure context and return the result. 327 */ 328 cm_el1_sysregs_context_restore(NON_SECURE); 329 cm_set_next_eret_context(NON_SECURE); 330 SMC_RET1(ns_cpu_context, x1); 331 332 /* 333 * This function ID is used only by the SP to indicate it has 334 * finished initialising itself after a cold boot 335 */ 336 case TLK_ENTRY_DONE: 337 if (ns) 338 SMC_RET1(handle, SMC_UNK); 339 340 /* 341 * SP has been successfully initialized. Register power 342 * managemnt hooks with PSCI 343 */ 344 psci_register_spd_pm_hook(&tlkd_pm_ops); 345 346 /* 347 * TLK reports completion. The SPD must have initiated 348 * the original request through a synchronous entry 349 * into the SP. Jump back to the original C runtime 350 * context. 351 */ 352 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 353 break; 354 355 /* 356 * These function IDs are used only by TLK to indicate it has 357 * finished: 358 * 1. suspending itself after an earlier psci cpu_suspend 359 * request. 360 * 2. resuming itself after an earlier psci cpu_suspend 361 * request. 362 * 3. powering down after an earlier psci system_off/system_reset 363 * request. 364 */ 365 case TLK_SUSPEND_DONE: 366 case TLK_RESUME_DONE: 367 case TLK_SYSTEM_OFF_DONE: 368 369 if (ns) 370 SMC_RET1(handle, SMC_UNK); 371 372 /* 373 * TLK reports completion. TLKD must have initiated the 374 * original request through a synchronous entry into the SP. 375 * Jump back to the original C runtime context, and pass x1 as 376 * return value to the caller 377 */ 378 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 379 break; 380 381 /* 382 * Return the number of service function IDs implemented to 383 * provide service to non-secure 384 */ 385 case TOS_CALL_COUNT: 386 SMC_RET1(handle, TLK_NUM_FID); 387 388 /* 389 * Return TLK's UID to the caller 390 */ 391 case TOS_UID: 392 SMC_UUID_RET(handle, tlk_uuid); 393 394 /* 395 * Return the version of current implementation 396 */ 397 case TOS_CALL_VERSION: 398 SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR); 399 400 default: 401 break; 402 } 403 404 SMC_RET1(handle, SMC_UNK); 405 } 406 407 /* Define a SPD runtime service descriptor for fast SMC calls */ 408 DECLARE_RT_SVC( 409 tlkd_tos_fast, 410 411 OEN_TOS_START, 412 OEN_TOS_END, 413 SMC_TYPE_FAST, 414 tlkd_setup, 415 tlkd_smc_handler 416 ); 417 418 /* Define a SPD runtime service descriptor for yielding SMC calls */ 419 DECLARE_RT_SVC( 420 tlkd_tos_std, 421 422 OEN_TOS_START, 423 OEN_TOS_END, 424 SMC_TYPE_YIELD, 425 NULL, 426 tlkd_smc_handler 427 ); 428 429 /* Define a SPD runtime service descriptor for fast SMC calls */ 430 DECLARE_RT_SVC( 431 tlkd_tap_fast, 432 433 OEN_TAP_START, 434 OEN_TAP_END, 435 SMC_TYPE_FAST, 436 NULL, 437 tlkd_smc_handler 438 ); 439 440 /* Define a SPD runtime service descriptor for yielding SMC calls */ 441 DECLARE_RT_SVC( 442 tlkd_tap_std, 443 444 OEN_TAP_START, 445 OEN_TAP_END, 446 SMC_TYPE_YIELD, 447 NULL, 448 tlkd_smc_handler 449 ); 450