1 /* 2 * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 /******************************************************************************* 8 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a 9 * plug-in component to the Secure Monitor, registered as a runtime service. The 10 * SPD is expected to be a functional extension of the Secure Payload (SP) that 11 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting 12 * the Trusted OS/Applications range to the dispatcher. The SPD will either 13 * handle the request locally or delegate it to the Secure Payload. It is also 14 * responsible for initialising and maintaining communication with the SP. 15 ******************************************************************************/ 16 #include <assert.h> 17 #include <errno.h> 18 #include <stddef.h> 19 20 #include <arch_helpers.h> 21 #include <bl31/bl31.h> 22 #include <bl32/payloads/tlk.h> 23 #include <common/bl_common.h> 24 #include <common/debug.h> 25 #include <common/runtime_svc.h> 26 #include <lib/el3_runtime/context_mgmt.h> 27 #include <plat/common/platform.h> 28 #include <tools_share/uuid.h> 29 30 #include "tlkd_private.h" 31 32 extern const spd_pm_ops_t tlkd_pm_ops; 33 34 /******************************************************************************* 35 * Per-cpu Secure Payload state 36 ******************************************************************************/ 37 tlk_context_t tlk_ctx; 38 39 /******************************************************************************* 40 * CPU number on which TLK booted up 41 ******************************************************************************/ 42 static uint32_t boot_cpu; 43 44 /* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */ 45 DEFINE_SVC_UUID2(tlk_uuid, 46 0xc9e911bd, 0xba2b, 0xee52, 0xb1, 0x72, 47 0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63); 48 49 static int32_t tlkd_init(void); 50 51 /******************************************************************************* 52 * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type 53 * (aarch32/aarch64) if not already known and initialises the context for entry 54 * into the SP for its initialisation. 55 ******************************************************************************/ 56 static int32_t tlkd_setup(void) 57 { 58 entry_point_info_t *tlk_ep_info; 59 60 /* 61 * Get information about the Secure Payload (BL32) image. Its 62 * absence is a critical failure. 63 */ 64 tlk_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 65 if (!tlk_ep_info) { 66 WARN("No SP provided. Booting device without SP" 67 " initialization. SMC`s destined for SP" 68 " will return SMC_UNK\n"); 69 return 1; 70 } 71 72 /* 73 * If there's no valid entry point for SP, we return a non-zero value 74 * signalling failure initializing the service. We bail out without 75 * registering any handlers 76 */ 77 if (!tlk_ep_info->pc) 78 return 1; 79 80 /* 81 * Inspect the SP image's SPSR and determine it's execution state 82 * i.e whether AArch32 or AArch64. 83 */ 84 tlkd_init_tlk_ep_state(tlk_ep_info, 85 (tlk_ep_info->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK, 86 tlk_ep_info->pc, 87 &tlk_ctx); 88 89 /* 90 * All TLK SPD initialization done. Now register our init function 91 * with BL31 for deferred invocation 92 */ 93 bl31_register_bl32_init(&tlkd_init); 94 95 return 0; 96 } 97 98 /******************************************************************************* 99 * This function passes control to the Secure Payload image (BL32) for the first 100 * time on the primary cpu after a cold boot. It assumes that a valid secure 101 * context has already been created by tlkd_setup() which can be directly 102 * used. This function performs a synchronous entry into the Secure payload. 103 * The SP passes control back to this routine through a SMC. 104 ******************************************************************************/ 105 static int32_t tlkd_init(void) 106 { 107 entry_point_info_t *tlk_entry_point; 108 109 /* 110 * Get information about the Secure Payload (BL32) image. Its 111 * absence is a critical failure. 112 */ 113 tlk_entry_point = bl31_plat_get_next_image_ep_info(SECURE); 114 assert(tlk_entry_point); 115 116 cm_init_my_context(tlk_entry_point); 117 118 /* 119 * TLK runs only on a single CPU. Store the value of the boot 120 * CPU for sanity checking later. 121 */ 122 boot_cpu = plat_my_core_pos(); 123 124 /* 125 * Arrange for an entry into the test secure payload. 126 */ 127 return tlkd_synchronous_sp_entry(&tlk_ctx); 128 } 129 130 /******************************************************************************* 131 * This function is responsible for handling all SMCs in the Trusted OS/App 132 * range from the non-secure state as defined in the SMC Calling Convention 133 * Document. It is also responsible for communicating with the Secure payload 134 * to delegate work and return results back to the non-secure state. Lastly it 135 * will also return any information that the secure payload needs to do the 136 * work assigned to it. 137 ******************************************************************************/ 138 static uintptr_t tlkd_smc_handler(uint32_t smc_fid, 139 u_register_t x1, 140 u_register_t x2, 141 u_register_t x3, 142 u_register_t x4, 143 void *cookie, 144 void *handle, 145 u_register_t flags) 146 { 147 cpu_context_t *ns_cpu_context; 148 gp_regs_t *gp_regs; 149 uint32_t ns; 150 uint64_t par; 151 152 /* Passing a NULL context is a critical programming error */ 153 assert(handle); 154 155 /* These SMCs are only supported by a single CPU */ 156 if (boot_cpu != plat_my_core_pos()) 157 SMC_RET1(handle, SMC_UNK); 158 159 /* Determine which security state this SMC originated from */ 160 ns = is_caller_non_secure(flags); 161 162 switch (smc_fid) { 163 164 /* 165 * This function ID is used by SP to indicate that it was 166 * preempted by a non-secure world IRQ. 167 */ 168 case TLK_PREEMPTED: 169 170 if (ns) 171 SMC_RET1(handle, SMC_UNK); 172 173 assert(handle == cm_get_context(SECURE)); 174 cm_el1_sysregs_context_save(SECURE); 175 176 /* Get a reference to the non-secure context */ 177 ns_cpu_context = cm_get_context(NON_SECURE); 178 assert(ns_cpu_context); 179 180 /* 181 * Restore non-secure state. There is no need to save the 182 * secure system register context since the SP was supposed 183 * to preserve it during S-EL1 interrupt handling. 184 */ 185 cm_el1_sysregs_context_restore(NON_SECURE); 186 cm_set_next_eret_context(NON_SECURE); 187 188 SMC_RET1(ns_cpu_context, x1); 189 190 /* 191 * This is a request from the non-secure context to: 192 * 193 * a. register shared memory with the SP for storing it's 194 * activity logs. 195 * b. register shared memory with the SP for passing args 196 * required for maintaining sessions with the Trusted 197 * Applications. 198 * c. register shared persistent buffers for secure storage 199 * d. register NS DRAM ranges passed by Cboot 200 * e. register Root of Trust parameters from Cboot for Verified Boot 201 * f. open/close sessions 202 * g. issue commands to the Trusted Apps 203 * h. resume the preempted yielding SMC call. 204 */ 205 case TLK_REGISTER_LOGBUF: 206 case TLK_REGISTER_REQBUF: 207 case TLK_SS_REGISTER_HANDLER: 208 case TLK_REGISTER_NS_DRAM_RANGES: 209 case TLK_SET_ROOT_OF_TRUST: 210 case TLK_OPEN_TA_SESSION: 211 case TLK_CLOSE_TA_SESSION: 212 case TLK_TA_LAUNCH_OP: 213 case TLK_TA_SEND_EVENT: 214 case TLK_RESUME_FID: 215 216 if (!ns) 217 SMC_RET1(handle, SMC_UNK); 218 219 /* 220 * This is a fresh request from the non-secure client. 221 * The parameters are in x1 and x2. Figure out which 222 * registers need to be preserved, save the non-secure 223 * state and send the request to the secure payload. 224 */ 225 assert(handle == cm_get_context(NON_SECURE)); 226 227 /* 228 * Check if we are already processing a yielding SMC 229 * call. Of all the supported fids, only the "resume" 230 * fid expects the flag to be set. 231 */ 232 if (smc_fid == TLK_RESUME_FID) { 233 if (!get_yield_smc_active_flag(tlk_ctx.state)) 234 SMC_RET1(handle, SMC_UNK); 235 } else { 236 if (get_yield_smc_active_flag(tlk_ctx.state)) 237 SMC_RET1(handle, SMC_UNK); 238 } 239 240 cm_el1_sysregs_context_save(NON_SECURE); 241 242 /* 243 * Verify if there is a valid context to use. 244 */ 245 assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE)); 246 247 /* 248 * Mark the SP state as active. 249 */ 250 set_yield_smc_active_flag(tlk_ctx.state); 251 252 /* 253 * We are done stashing the non-secure context. Ask the 254 * secure payload to do the work now. 255 */ 256 cm_el1_sysregs_context_restore(SECURE); 257 cm_set_next_eret_context(SECURE); 258 259 /* 260 * TLK is a 32-bit Trusted OS and so expects the SMC 261 * arguments via r0-r7. TLK expects the monitor frame 262 * registers to be 64-bits long. Hence, we pass x0 in 263 * r0-r1, x1 in r2-r3, x3 in r4-r5 and x4 in r6-r7. 264 * 265 * As smc_fid is a uint32 value, r1 contains 0. 266 */ 267 gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx); 268 write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2); 269 write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32)); 270 write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3); 271 write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32)); 272 SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1, 273 (uint32_t)(x1 >> 32)); 274 275 /* 276 * Translate NS/EL1-S virtual addresses. 277 * 278 * x1 = virtual address 279 * x3 = type (NS/S) 280 * 281 * Returns PA:lo in r0, PA:hi in r1. 282 */ 283 case TLK_VA_TRANSLATE: 284 285 /* Should be invoked only by secure world */ 286 if (ns) 287 SMC_RET1(handle, SMC_UNK); 288 289 /* NS virtual addresses are 64-bit long */ 290 if (x3 & TLK_TRANSLATE_NS_VADDR) 291 x1 = (uint32_t)x1 | (x2 << 32); 292 293 if (!x1) 294 SMC_RET1(handle, SMC_UNK); 295 296 /* 297 * TODO: Sanity check x1. This would require platform 298 * support. 299 */ 300 301 /* virtual address and type: ns/s */ 302 par = tlkd_va_translate(x1, x3); 303 304 /* return physical address in r0-r1 */ 305 SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0); 306 307 /* 308 * This is a request from the SP to mark completion of 309 * a yielding function ID. 310 */ 311 case TLK_REQUEST_DONE: 312 if (ns) 313 SMC_RET1(handle, SMC_UNK); 314 315 /* 316 * Mark the SP state as inactive. 317 */ 318 clr_yield_smc_active_flag(tlk_ctx.state); 319 320 /* Get a reference to the non-secure context */ 321 ns_cpu_context = cm_get_context(NON_SECURE); 322 assert(ns_cpu_context); 323 324 /* 325 * This is a request completion SMC and we must switch to 326 * the non-secure world to pass the result. 327 */ 328 cm_el1_sysregs_context_save(SECURE); 329 330 /* 331 * We are done stashing the secure context. Switch to the 332 * non-secure context and return the result. 333 */ 334 cm_el1_sysregs_context_restore(NON_SECURE); 335 cm_set_next_eret_context(NON_SECURE); 336 SMC_RET1(ns_cpu_context, x1); 337 338 /* 339 * This function ID is used only by the SP to indicate it has 340 * finished initialising itself after a cold boot 341 */ 342 case TLK_ENTRY_DONE: 343 if (ns) 344 SMC_RET1(handle, SMC_UNK); 345 346 /* 347 * SP has been successfully initialized. Register power 348 * management hooks with PSCI 349 */ 350 psci_register_spd_pm_hook(&tlkd_pm_ops); 351 352 /* 353 * TLK reports completion. The SPD must have initiated 354 * the original request through a synchronous entry 355 * into the SP. Jump back to the original C runtime 356 * context. 357 */ 358 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 359 break; 360 361 /* 362 * These function IDs are used only by TLK to indicate it has 363 * finished: 364 * 1. suspending itself after an earlier psci cpu_suspend 365 * request. 366 * 2. resuming itself after an earlier psci cpu_suspend 367 * request. 368 * 3. powering down after an earlier psci system_off/system_reset 369 * request. 370 */ 371 case TLK_SUSPEND_DONE: 372 case TLK_RESUME_DONE: 373 case TLK_SYSTEM_OFF_DONE: 374 375 if (ns) 376 SMC_RET1(handle, SMC_UNK); 377 378 /* 379 * TLK reports completion. TLKD must have initiated the 380 * original request through a synchronous entry into the SP. 381 * Jump back to the original C runtime context, and pass x1 as 382 * return value to the caller 383 */ 384 tlkd_synchronous_sp_exit(&tlk_ctx, x1); 385 break; 386 387 /* 388 * Return the number of service function IDs implemented to 389 * provide service to non-secure 390 */ 391 case TOS_CALL_COUNT: 392 SMC_RET1(handle, TLK_NUM_FID); 393 394 /* 395 * Return TLK's UID to the caller 396 */ 397 case TOS_UID: 398 SMC_UUID_RET(handle, tlk_uuid); 399 400 /* 401 * Return the version of current implementation 402 */ 403 case TOS_CALL_VERSION: 404 SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR); 405 406 default: 407 WARN("%s: Unhandled SMC: 0x%x\n", __func__, smc_fid); 408 break; 409 } 410 411 SMC_RET1(handle, SMC_UNK); 412 } 413 414 /* Define a SPD runtime service descriptor for fast SMC calls */ 415 DECLARE_RT_SVC( 416 tlkd_tos_fast, 417 418 OEN_TOS_START, 419 OEN_TOS_END, 420 SMC_TYPE_FAST, 421 tlkd_setup, 422 tlkd_smc_handler 423 ); 424 425 /* Define a SPD runtime service descriptor for yielding SMC calls */ 426 DECLARE_RT_SVC( 427 tlkd_tos_std, 428 429 OEN_TOS_START, 430 OEN_TOS_END, 431 SMC_TYPE_YIELD, 432 NULL, 433 tlkd_smc_handler 434 ); 435 436 /* Define a SPD runtime service descriptor for fast SMC calls */ 437 DECLARE_RT_SVC( 438 tlkd_tap_fast, 439 440 OEN_TAP_START, 441 OEN_TAP_END, 442 SMC_TYPE_FAST, 443 NULL, 444 tlkd_smc_handler 445 ); 446 447 /* Define a SPD runtime service descriptor for yielding SMC calls */ 448 DECLARE_RT_SVC( 449 tlkd_tap_std, 450 451 OEN_TAP_START, 452 OEN_TAP_END, 453 SMC_TYPE_YIELD, 454 NULL, 455 tlkd_smc_handler 456 ); 457