1 /* 2 * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /******************************************************************************* 8 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a 9 * plug-in component to the Secure Monitor, registered as a runtime service. The 10 * SPD is expected to be a functional extension of the Secure Payload (SP) that 11 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting 12 * the Trusted OS/Applications range to the dispatcher. The SPD will either 13 * handle the request locally or delegate it to the Secure Payload. It is also 14 * responsible for initialising and maintaining communication with the SP. 15 ******************************************************************************/ 16 #include <arch_helpers.h> 17 #include <assert.h> 18 #include <errno.h> 19 #include <stddef.h> 20 21 #include <bl31/bl31.h> 22 #include <common/bl_common.h> 23 #include <common/debug.h> 24 #include <common/runtime_svc.h> 25 #include <lib/el3_runtime/context_mgmt.h> 26 #include <plat/common/platform.h> 27 #include <tools_share/uuid.h> 28 29 #include <tlk.h> 30 #include "tlkd_private.h" 31 32 extern const spd_pm_ops_t tlkd_pm_ops; 33 34 /******************************************************************************* 35 * Per-cpu Secure Payload state 36 ******************************************************************************/ 37 tlk_context_t tlk_ctx; 38 39 /******************************************************************************* 40 * CPU number on which TLK booted up 41 ******************************************************************************/ 42 static uint32_t boot_cpu; 43 44 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */ 45 DEFINE_SVC_UUID2(tlk_uuid, 46 0xc9e911bd, 0xba2b, 0xee52, 0xb1, 0x72, 47 0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63); 48 49 static int32_t tlkd_init(void); 50 51 /******************************************************************************* 52 * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type 53 * (aarch32/aarch64) if not already known and initialises the context for entry 54 * into the SP for its initialisation. 55 ******************************************************************************/ 56 static int32_t tlkd_setup(void) 57 { 58 entry_point_info_t *tlk_ep_info; 59 60 /* 61 * Get information about the Secure Payload (BL32) image. Its 62 * absence is a critical failure. 63 */ 64 tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 65 if (!tlk_ep_info) { 66 WARN("No SP provided. Booting device without SP" 67 " initialization. SMC`s destined for SP" 68 " will return SMC_UNK\n"); 69 return 1; 70 } 71 72 /* 73 * If there's no valid entry point for SP, we return a non-zero value 74 * signalling failure initializing the service. We bail out without 75 * registering any handlers 76 */ 77 if (!tlk_ep_info->pc) 78 return 1; 79 80 /* 81 * Inspect the SP image's SPSR and determine it's execution state 82 * i.e whether AArch32 or AArch64. 83 */ 84 tlkd_init_tlk_ep_state(tlk_ep_info, 85 (tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK, 86 tlk_ep_info->pc, 87 &tlk_ctx); 88 89 /* 90 * All TLK SPD initialization done. Now register our init function 91 * with BL31 for deferred invocation 92 */ 93 bl31_register_bl32_init(&tlkd_init); 94 95 return 0; 96 } 97 98 /******************************************************************************* 99 * This function passes control to the Secure Payload image (BL32) for the first 100 * time on the primary cpu after a cold boot. It assumes that a valid secure 101 * context has already been created by tlkd_setup() which can be directly 102 * used. This function performs a synchronous entry into the Secure payload. 103 * The SP passes control back to this routine through a SMC. 104 ******************************************************************************/ 105 static int32_t tlkd_init(void) 106 { 107 entry_point_info_t *tlk_entry_point; 108 109 /* 110 * Get information about the Secure Payload (BL32) image. Its 111 * absence is a critical failure. 112 */ 113 tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE); 114 assert(tlk_entry_point); 115 116 cm_init_my_context(tlk_entry_point); 117 118 /* 119 * TLK runs only on a single CPU. Store the value of the boot 120 * CPU for sanity checking later. 121 */ 122 boot_cpu = plat_my_core_pos(); 123 124 /* 125 * Arrange for an entry into the test secure payload. 126 */ 127 return tlkd_synchronous_sp_entry(&tlk_ctx); 128 } 129 130 /******************************************************************************* 131 * This function is responsible for handling all SMCs in the Trusted OS/App 132 * range from the non-secure state as defined in the SMC Calling Convention 133 * Document. It is also responsible for communicating with the Secure payload 134 * to delegate work and return results back to the non-secure state. Lastly it 135 * will also return any information that the secure payload needs to do the 136 * work assigned to it. 137 ******************************************************************************/ 138 static uintptr_t tlkd_smc_handler(uint32_t smc_fid, 139 u_register_t x1, 140 u_register_t x2, 141 u_register_t x3, 142 u_register_t x4, 143 void *cookie, 144 void *handle, 145 u_register_t flags) 146 { 147 cpu_context_t *ns_cpu_context; 148 gp_regs_t *gp_regs; 149 uint32_t ns; 150 uint64_t par; 151 152 /* Passing a NULL context is a critical programming error */ 153 assert(handle); 154 155 /* These SMCs are only supported by a single CPU */ 156 if (boot_cpu != plat_my_core_pos()) 157 SMC_RET1(handle, SMC_UNK); 158 159 /* Determine which security state this SMC originated from */ 160 ns = is_caller_non_secure(flags); 161 162 switch (smc_fid) { 163 164 /* 165 * This function ID is used by SP to indicate that it was 166 * preempted by a non-secure world IRQ. 167 */ 168 case TLK_PREEMPTED: 169 170 if (ns) 171 SMC_RET1(handle, SMC_UNK); 172 173 assert(handle == cm_get_context(SECURE)); 174 cm_el1_sysregs_context_save(SECURE); 175 176 /* Get a reference to the non-secure context */ 177 ns_cpu_context = cm_get_context(NON_SECURE); 178 assert(ns_cpu_context); 179 180 /* 181 * Restore non-secure state. There is no need to save the 182 * secure system register context since the SP was supposed 183 * to preserve it during S-EL1 interrupt handling. 184 */ 185 cm_el1_sysregs_context_restore(NON_SECURE); 186 cm_set_next_eret_context(NON_SECURE); 187 188 SMC_RET1(ns_cpu_context, x1); 189 190 /* 191 * This is a request from the non-secure context to: 192 * 193 * a. register shared memory with the SP for storing it's 194 * activity logs. 195 * b. register shared memory with the SP for passing args 196 * required for maintaining sessions with the Trusted 197 * Applications. 198 * c. register non-secure world's memory map with the OS 199 * d. open/close sessions 200 * e. issue commands to the Trusted Apps 201 * f. resume the preempted yielding SMC call. 202 */ 203 case TLK_REGISTER_LOGBUF: 204 case TLK_REGISTER_REQBUF: 205 case TLK_REGISTER_NS_DRAM: 206 case TLK_OPEN_TA_SESSION: 207 case TLK_CLOSE_TA_SESSION: 208 case TLK_TA_LAUNCH_OP: 209 case TLK_TA_SEND_EVENT: 210 case TLK_RESUME_FID: 211 212 if (!ns) 213 SMC_RET1(handle, SMC_UNK); 214 215 /* 216 * This is a fresh request from the non-secure client. 217 * The parameters are in x1 and x2. Figure out which 218 * registers need to be preserved, save the non-secure 219 * state and send the request to the secure payload. 220 */ 221 assert(handle == cm_get_context(NON_SECURE)); 222 223 /* 224 * Check if we are already processing a yielding SMC 225 * call. Of all the supported fids, only the "resume" 226 * fid expects the flag to be set. 227 */ 228 if (smc_fid == TLK_RESUME_FID) { 229 if (!get_yield_smc_active_flag(tlk_ctx.state)) 230 SMC_RET1(handle, SMC_UNK); 231 } else { 232 if (get_yield_smc_active_flag(tlk_ctx.state)) 233 SMC_RET1(handle, SMC_UNK); 234 } 235 236 cm_el1_sysregs_context_save(NON_SECURE); 237 238 /* 239 * Verify if there is a valid context to use. 240 */ 241 assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE)); 242 243 /* 244 * Mark the SP state as active. 245 */ 246 set_yield_smc_active_flag(tlk_ctx.state); 247 248 /* 249 * We are done stashing the non-secure context. Ask the 250 * secure payload to do the work now. 251 */ 252 cm_el1_sysregs_context_restore(SECURE); 253 cm_set_next_eret_context(SECURE); 254 255 /* 256 * TLK is a 32-bit Trusted OS and so expects the SMC 257 * arguments via r0-r7. TLK expects the monitor frame 258 * registers to be 64-bits long. Hence, we pass x0 in 259 * r0-r1, x1 in r2-r3, x3 in r4-r5 and x4 in r6-r7. 260 * 261 * As smc_fid is a uint32 value, r1 contains 0. 262 */ 263 gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx); 264 write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2); 265 write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32)); 266 write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3); 267 write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32)); 268 SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1, 269 (uint32_t)(x1 >> 32)); 270 271 /* 272 * Translate NS/EL1-S virtual addresses. 273 * 274 * x1 = virtual address 275 * x3 = type (NS/S) 276 * 277 * Returns PA:lo in r0, PA:hi in r1. 278 */ 279 case TLK_VA_TRANSLATE: 280 281 /* Should be invoked only by secure world */ 282 if (ns) 283 SMC_RET1(handle, SMC_UNK); 284 285 /* NS virtual addresses are 64-bit long */ 286 if (x3 & TLK_TRANSLATE_NS_VADDR) 287 x1 = (uint32_t)x1 | (x2 << 32); 288 289 if (!x1) 290 SMC_RET1(handle, SMC_UNK); 291 292 /* 293 * TODO: Sanity check x1. This would require platform 294 * support. 295 */ 296 297 /* virtual address and type: ns/s */ 298 par = tlkd_va_translate(x1, x3); 299 300 /* return physical address in r0-r1 */ 301 SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0); 302 303 /* 304 * This is a request from the SP to mark completion of 305 * a yielding function ID. 306 */ 307 case TLK_REQUEST_DONE: 308 if (ns) 309 SMC_RET1(handle, SMC_UNK); 310 311 /* 312 * Mark the SP state as inactive. 313 */ 314 clr_yield_smc_active_flag(tlk_ctx.state); 315 316 /* Get a reference to the non-secure context */ 317 ns_cpu_context = cm_get_context(NON_SECURE); 318 assert(ns_cpu_context); 319 320 /* 321 * This is a request completion SMC and we must switch to 322 * the non-secure world to pass the result. 323 */ 324 cm_el1_sysregs_context_save(SECURE); 325 326 /* 327 * We are done stashing the secure context. Switch to the 328 * non-secure context and return the result. 329 */ 330 cm_el1_sysregs_context_restore(NON_SECURE); 331 cm_set_next_eret_context(NON_SECURE); 332 SMC_RET1(ns_cpu_context, x1); 333 334 /* 335 * This function ID is used only by the SP to indicate it has 336 * finished initialising itself after a cold boot 337 */ 338 case TLK_ENTRY_DONE: 339 if (ns) 340 SMC_RET1(handle, SMC_UNK); 341 342 /* 343 * SP has been successfully initialized. Register power 344 * management hooks with PSCI 345 */ 346 psci_register_spd_pm_hook(&tlkd_pm_ops); 347 348 /* 349 * TLK reports completion. The SPD must have initiated 350 * the original request through a synchronous entry 351 * into the SP. Jump back to the original C runtime 352 * context. 353 */ 354 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 355 break; 356 357 /* 358 * These function IDs are used only by TLK to indicate it has 359 * finished: 360 * 1. suspending itself after an earlier psci cpu_suspend 361 * request. 362 * 2. resuming itself after an earlier psci cpu_suspend 363 * request. 364 * 3. powering down after an earlier psci system_off/system_reset 365 * request. 366 */ 367 case TLK_SUSPEND_DONE: 368 case TLK_RESUME_DONE: 369 case TLK_SYSTEM_OFF_DONE: 370 371 if (ns) 372 SMC_RET1(handle, SMC_UNK); 373 374 /* 375 * TLK reports completion. TLKD must have initiated the 376 * original request through a synchronous entry into the SP. 377 * Jump back to the original C runtime context, and pass x1 as 378 * return value to the caller 379 */ 380 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 381 break; 382 383 /* 384 * Return the number of service function IDs implemented to 385 * provide service to non-secure 386 */ 387 case TOS_CALL_COUNT: 388 SMC_RET1(handle, TLK_NUM_FID); 389 390 /* 391 * Return TLK's UID to the caller 392 */ 393 case TOS_UID: 394 SMC_UUID_RET(handle, tlk_uuid); 395 396 /* 397 * Return the version of current implementation 398 */ 399 case TOS_CALL_VERSION: 400 SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR); 401 402 default: 403 break; 404 } 405 406 SMC_RET1(handle, SMC_UNK); 407 } 408 409 /* Define a SPD runtime service descriptor for fast SMC calls */ 410 DECLARE_RT_SVC( 411 tlkd_tos_fast, 412 413 OEN_TOS_START, 414 OEN_TOS_END, 415 SMC_TYPE_FAST, 416 tlkd_setup, 417 tlkd_smc_handler 418 ); 419 420 /* Define a SPD runtime service descriptor for yielding SMC calls */ 421 DECLARE_RT_SVC( 422 tlkd_tos_std, 423 424 OEN_TOS_START, 425 OEN_TOS_END, 426 SMC_TYPE_YIELD, 427 NULL, 428 tlkd_smc_handler 429 ); 430 431 /* Define a SPD runtime service descriptor for fast SMC calls */ 432 DECLARE_RT_SVC( 433 tlkd_tap_fast, 434 435 OEN_TAP_START, 436 OEN_TAP_END, 437 SMC_TYPE_FAST, 438 NULL, 439 tlkd_smc_handler 440 ); 441 442 /* Define a SPD runtime service descriptor for yielding SMC calls */ 443 DECLARE_RT_SVC( 444 tlkd_tap_std, 445 446 OEN_TAP_START, 447 OEN_TAP_END, 448 SMC_TYPE_YIELD, 449 NULL, 450 tlkd_smc_handler 451 ); 452