xref: /rk3399_ARM-atf/services/spd/tlkd/tlkd_main.c (revision 6693962c341d43cb610169c8467f68acecfc5e29) 
1 /*
2  * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *
7  * Redistributions of source code must retain the above copyright notice, this
8  * list of conditions and the following disclaimer.
9  *
10  * Redistributions in binary form must reproduce the above copyright notice,
11  * this list of conditions and the following disclaimer in the documentation
12  * and/or other materials provided with the distribution.
13  *
14  * Neither the name of ARM nor the names of its contributors may be used
15  * to endorse or promote products derived from this software without specific
16  * prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  * POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 /*******************************************************************************
32  * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a
33  * plug-in component to the Secure Monitor, registered as a runtime service. The
34  * SPD is expected to be a functional extension of the Secure Payload (SP) that
35  * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting
36  * the Trusted OS/Applications range to the dispatcher. The SPD will either
37  * handle the request locally or delegate it to the Secure Payload. It is also
38  * responsible for initialising and maintaining communication with the SP.
39  ******************************************************************************/
40 #include <arch_helpers.h>
41 #include <assert.h>
42 #include <bl_common.h>
43 #include <bl31.h>
44 #include <context_mgmt.h>
45 #include <debug.h>
46 #include <errno.h>
47 #include <platform.h>
48 #include <runtime_svc.h>
49 #include <stddef.h>
50 #include <tlk.h>
51 #include <uuid.h>
52 #include "tlkd_private.h"
53 
54 extern const spd_pm_ops_t tlkd_pm_ops;
55 
56 /*******************************************************************************
57  * Array to keep track of per-cpu Secure Payload state
58  ******************************************************************************/
59 static tlk_context_t tlk_ctx;
60 
61 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */
62 DEFINE_SVC_UUID(tlk_uuid,
63 		0xbd11e9c9, 0x2bba, 0x52ee, 0xb1, 0x72,
64 		0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63);
65 
66 int32_t tlkd_init(void);
67 
68 /*
69  * The number of arguments/results to save during a SMC call for TLK.
70  */
71 #define TLK_SHDBUF_SIZE		4
72 
73 /*******************************************************************************
74  * Shared memory buffer for passing SMC args/results to TLK
75  ******************************************************************************/
76 typedef struct tlk_args_results {
77 	uint64_t args[TLK_SHDBUF_SIZE];
78 } tlk_args_results_t;
79 
80 static tlk_args_results_t *tlk_args_results_buf;
81 
82 /*
83  * Helper function to store args from TLK and pass results back
84  */
85 static inline void store_tlk_args_results(uint64_t x0, uint64_t x1, uint64_t x2,
86 	uint64_t x3)
87 {
88 	/* store arguments sent by TLK */
89 	tlk_args_results_buf->args[0] = x0;
90 	tlk_args_results_buf->args[1] = x1;
91 	tlk_args_results_buf->args[2] = x2;
92 	tlk_args_results_buf->args[3] = x3;
93 
94 	flush_dcache_range((uint64_t)tlk_args_results_buf,
95 		sizeof(tlk_args_results_t));
96 }
97 
98 /*******************************************************************************
99  * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type
100  * (aarch32/aarch64) if not already known and initialises the context for entry
101  * into the SP for its initialisation.
102  ******************************************************************************/
103 int32_t tlkd_setup(void)
104 {
105 	entry_point_info_t *tlk_ep_info;
106 
107 	/*
108 	 * Get information about the Secure Payload (BL32) image. Its
109 	 * absence is a critical failure.
110 	 */
111 	tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE);
112 	if (!tlk_ep_info) {
113 		WARN("No SP provided. Booting device without SP"
114 			" initialization. SMC`s destined for SP"
115 			" will return SMC_UNK\n");
116 		return 1;
117 	}
118 
119 	/*
120 	 * If there's no valid entry point for SP, we return a non-zero value
121 	 * signalling failure initializing the service. We bail out without
122 	 * registering any handlers
123 	 */
124 	if (!tlk_ep_info->pc)
125 		return 1;
126 
127 	/*
128 	 * Inspect the SP image's SPSR and determine it's execution state
129 	 * i.e whether AArch32 or AArch64.
130 	 */
131 	tlkd_init_tlk_ep_state(tlk_ep_info,
132 		(tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK,
133 		tlk_ep_info->pc,
134 		&tlk_ctx);
135 
136 	/*
137 	 * All TLK SPD initialization done. Now register our init function
138 	 * with BL31 for deferred invocation
139 	 */
140 	bl31_register_bl32_init(&tlkd_init);
141 
142 	return 0;
143 }
144 
145 /*******************************************************************************
146  * This function passes control to the Secure Payload image (BL32) for the first
147  * time on the primary cpu after a cold boot. It assumes that a valid secure
148  * context has already been created by tlkd_setup() which can be directly
149  * used. This function performs a synchronous entry into the Secure payload.
150  * The SP passes control back to this routine through a SMC.
151  ******************************************************************************/
152 int32_t tlkd_init(void)
153 {
154 	uint64_t mpidr = read_mpidr();
155 	entry_point_info_t *tlk_entry_point;
156 
157 	/*
158 	 * Get information about the Secure Payload (BL32) image. Its
159 	 * absence is a critical failure.
160 	 */
161 	tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE);
162 	assert(tlk_entry_point);
163 
164 	cm_init_context(mpidr, tlk_entry_point);
165 
166 	/*
167 	 * Arrange for an entry into the test secure payload.
168 	 */
169 	return tlkd_synchronous_sp_entry(&tlk_ctx);
170 }
171 
172 /*******************************************************************************
173  * This function is responsible for handling all SMCs in the Trusted OS/App
174  * range from the non-secure state as defined in the SMC Calling Convention
175  * Document. It is also responsible for communicating with the Secure payload
176  * to delegate work and return results back to the non-secure state. Lastly it
177  * will also return any information that the secure payload needs to do the
178  * work assigned to it.
179  ******************************************************************************/
180 uint64_t tlkd_smc_handler(uint32_t smc_fid,
181 			 uint64_t x1,
182 			 uint64_t x2,
183 			 uint64_t x3,
184 			 uint64_t x4,
185 			 void *cookie,
186 			 void *handle,
187 			 uint64_t flags)
188 {
189 	cpu_context_t *ns_cpu_context;
190 	uint32_t ns;
191 	uint64_t vaddr, type, par;
192 
193 	/* Passing a NULL context is a critical programming error */
194 	assert(handle);
195 
196 	/* These SMCs are only supported by CPU0 */
197 	if ((read_mpidr() & MPIDR_CPU_MASK) != 0)
198 		SMC_RET1(handle, SMC_UNK);
199 
200 	/* Determine which security state this SMC originated from */
201 	ns = is_caller_non_secure(flags);
202 
203 	switch (smc_fid) {
204 
205 	/*
206 	 * This function ID is used by SP to indicate that it was
207 	 * preempted by a non-secure world IRQ.
208 	 */
209 	case TLK_PREEMPTED:
210 
211 		if (ns)
212 			SMC_RET1(handle, SMC_UNK);
213 
214 		assert(handle == cm_get_context(SECURE));
215 		cm_el1_sysregs_context_save(SECURE);
216 
217 		/* Get a reference to the non-secure context */
218 		ns_cpu_context = cm_get_context(NON_SECURE);
219 		assert(ns_cpu_context);
220 
221 		/*
222 		 * Restore non-secure state. There is no need to save the
223 		 * secure system register context since the SP was supposed
224 		 * to preserve it during S-EL1 interrupt handling.
225 		 */
226 		cm_el1_sysregs_context_restore(NON_SECURE);
227 		cm_set_next_eret_context(NON_SECURE);
228 
229 		SMC_RET1(ns_cpu_context, tlk_args_results_buf->args[0]);
230 
231 	/*
232 	 * Request from non secure world to resume the preempted
233 	 * Standard SMC call.
234 	 */
235 	case TLK_RESUME_FID:
236 
237 		/* RESUME should be invoked only by normal world */
238 		if (!ns)
239 			SMC_RET1(handle, SMC_UNK);
240 
241 		/*
242 		 * This is a resume request from the non-secure client.
243 		 * save the non-secure state and send the request to
244 		 * the secure payload.
245 		 */
246 		assert(handle == cm_get_context(NON_SECURE));
247 
248 		/* Check if we are already preempted before resume */
249 		if (!get_std_smc_active_flag(tlk_ctx.state))
250 			SMC_RET1(handle, SMC_UNK);
251 
252 		cm_el1_sysregs_context_save(NON_SECURE);
253 
254 		/*
255 		 * We are done stashing the non-secure context. Ask the
256 		 * secure payload to do the work now.
257 		 */
258 
259 		/* We just need to return to the preempted point in
260 		 * SP and the execution will resume as normal.
261 		 */
262 		cm_el1_sysregs_context_restore(SECURE);
263 		cm_set_next_eret_context(SECURE);
264 		SMC_RET0(handle);
265 
266 	/*
267 	 * This is a request from the non-secure context to:
268 	 *
269 	 * a. register shared memory with the SP for storing it's
270 	 *    activity logs.
271 	 * b. register shared memory with the SP for passing args
272 	 *    required for maintaining sessions with the Trusted
273 	 *    Applications.
274 	 * c. open/close sessions
275 	 * d. issue commands to the Trusted Apps
276 	 */
277 	case TLK_REGISTER_LOGBUF:
278 	case TLK_REGISTER_REQBUF:
279 	case TLK_OPEN_TA_SESSION:
280 	case TLK_CLOSE_TA_SESSION:
281 	case TLK_TA_LAUNCH_OP:
282 	case TLK_TA_SEND_EVENT:
283 
284 		if (!ns || !tlk_args_results_buf)
285 			SMC_RET1(handle, SMC_UNK);
286 
287 		/*
288 		 * This is a fresh request from the non-secure client.
289 		 * The parameters are in x1 and x2. Figure out which
290 		 * registers need to be preserved, save the non-secure
291 		 * state and send the request to the secure payload.
292 		 */
293 		assert(handle == cm_get_context(NON_SECURE));
294 
295 		/* Check if we are already preempted */
296 		if (get_std_smc_active_flag(tlk_ctx.state))
297 			SMC_RET1(handle, SMC_UNK);
298 
299 		cm_el1_sysregs_context_save(NON_SECURE);
300 
301 		/*
302 		 * Verify if there is a valid context to use.
303 		 */
304 		assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE));
305 
306 		/*
307 		 * Mark the SP state as active.
308 		 */
309 		set_std_smc_active_flag(tlk_ctx.state);
310 
311 		/* Save args for use by the SP on return */
312 		store_tlk_args_results(smc_fid, x1, x2, x3);
313 
314 		/*
315 		 * We are done stashing the non-secure context. Ask the
316 		 * secure payload to do the work now.
317 		 */
318 		cm_el1_sysregs_context_restore(SECURE);
319 		cm_set_next_eret_context(SECURE);
320 		SMC_RET0(&tlk_ctx.cpu_ctx);
321 
322 	/*
323 	 * Translate NS/EL1-S virtual addresses
324 	 */
325 	case TLK_VA_TRANSLATE:
326 		if (ns || !tlk_args_results_buf)
327 			SMC_RET1(handle, SMC_UNK);
328 
329 		/* virtual address and type: ns/s */
330 		vaddr = tlk_args_results_buf->args[0];
331 		type = tlk_args_results_buf->args[1];
332 
333 		par = tlkd_va_translate(vaddr, type);
334 
335 		/* Save PA for use by the SP on return */
336 		store_tlk_args_results(par, 0, 0, 0);
337 
338 		SMC_RET0(handle);
339 
340 	/*
341 	 * This is a request from the SP to mark completion of
342 	 * a standard function ID.
343 	 */
344 	case TLK_REQUEST_DONE:
345 		if (ns || !tlk_args_results_buf)
346 			SMC_RET1(handle, SMC_UNK);
347 
348 		/*
349 		 * Mark the SP state as inactive.
350 		 */
351 		clr_std_smc_active_flag(tlk_ctx.state);
352 
353 		/* Get a reference to the non-secure context */
354 		ns_cpu_context = cm_get_context(NON_SECURE);
355 		assert(ns_cpu_context);
356 
357 		/*
358 		 * This is a request completion SMC and we must switch to
359 		 * the non-secure world to pass the result.
360 		 */
361 		cm_el1_sysregs_context_save(SECURE);
362 
363 		/*
364 		 * We are done stashing the secure context. Switch to the
365 		 * non-secure context and return the result.
366 		 */
367 		cm_el1_sysregs_context_restore(NON_SECURE);
368 		cm_set_next_eret_context(NON_SECURE);
369 		SMC_RET1(ns_cpu_context, tlk_args_results_buf->args[0]);
370 
371 	/*
372 	 * This function ID is used only by the SP to indicate it has
373 	 * finished initialising itself after a cold boot
374 	 */
375 	case TLK_ENTRY_DONE:
376 		if (ns || !tlk_args_results_buf)
377 			SMC_RET1(handle, SMC_UNK);
378 
379 		/*
380 		 * SP has been successfully initialized. Register power
381 		 * managemnt hooks with PSCI
382 		 */
383 		psci_register_spd_pm_hook(&tlkd_pm_ops);
384 
385 		/*
386 		 * TLK reports completion. The SPD must have initiated
387 		 * the original request through a synchronous entry
388 		 * into the SP. Jump back to the original C runtime
389 		 * context.
390 		 */
391 		tlkd_synchronous_sp_exit(&tlk_ctx, tlk_args_results_buf->args[0]);
392 
393 	/*
394 	 * This is a request from the secure payload to register
395 	 * shared memory to pass SMC args/results between EL1, EL3.
396 	 */
397 	case TLK_FID_SHARED_MEMBUF:
398 		if (ns || !x1)
399 			SMC_RET1(handle, SMC_UNK);
400 
401 		/*
402 		 * TODO: Check if the passed memory pointer is valid. Might
403 		 * require a call into the platform code.
404 		 */
405 
406 		tlk_args_results_buf = (tlk_args_results_t *)x1;
407 		SMC_RET0(handle);
408 
409 	/*
410 	 * Return the number of service function IDs implemented to
411 	 * provide service to non-secure
412 	 */
413 	case TOS_CALL_COUNT:
414 		SMC_RET1(handle, TLK_NUM_FID);
415 
416 	/*
417 	 * Return TLK's UID to the caller
418 	 */
419 	case TOS_UID:
420 		SMC_UUID_RET(handle, tlk_uuid);
421 
422 	/*
423 	 * Return the version of current implementation
424 	 */
425 	case TOS_CALL_VERSION:
426 		SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR);
427 
428 	default:
429 		break;
430 	}
431 
432 	SMC_RET1(handle, SMC_UNK);
433 }
434 
435 /* Define a SPD runtime service descriptor for fast SMC calls */
436 DECLARE_RT_SVC(
437 	tlkd_tos_fast,
438 
439 	OEN_TOS_START,
440 	OEN_TOS_END,
441 	SMC_TYPE_FAST,
442 	tlkd_setup,
443 	tlkd_smc_handler
444 );
445 
446 /* Define a SPD runtime service descriptor for standard SMC calls */
447 DECLARE_RT_SVC(
448 	tlkd_tos_std,
449 
450 	OEN_TOS_START,
451 	OEN_TOS_END,
452 	SMC_TYPE_STD,
453 	NULL,
454 	tlkd_smc_handler
455 );
456 
457 /* Define a SPD runtime service descriptor for fast SMC calls */
458 DECLARE_RT_SVC(
459 	tlkd_tap_fast,
460 
461 	OEN_TAP_START,
462 	OEN_TAP_END,
463 	SMC_TYPE_FAST,
464 	NULL,
465 	tlkd_smc_handler
466 );
467 
468 /* Define a SPD runtime service descriptor for standard SMC calls */
469 DECLARE_RT_SVC(
470 	tlkd_tap_std,
471 
472 	OEN_TAP_START,
473 	OEN_TAP_END,
474 	SMC_TYPE_STD,
475 	NULL,
476 	tlkd_smc_handler
477 );
478