1 /* 2 * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <arch_helpers.h> 8 #include <assert.h> 9 #include <bl_common.h> 10 #include <cassert.h> 11 #include <context_mgmt.h> 12 #include <debug.h> 13 #include <ehf.h> 14 #include <interrupt_mgmt.h> 15 #include <runtime_svc.h> 16 #include <sdei.h> 17 #include <string.h> 18 #include "sdei_private.h" 19 20 #define PE_MASKED 1 21 #define PE_NOT_MASKED 0 22 23 /* x0-x17 GPREGS context */ 24 #define SDEI_SAVED_GPREGS 18 25 26 /* Maximum preemption nesting levels: Critical priority and Normal priority */ 27 #define MAX_EVENT_NESTING 2 28 29 /* Per-CPU SDEI state access macro */ 30 #define sdei_get_this_pe_state() (&sdei_cpu_state[plat_my_core_pos()]) 31 32 /* Structure to store information about an outstanding dispatch */ 33 typedef struct sdei_dispatch_context { 34 sdei_ev_map_t *map; 35 unsigned int sec_state; 36 unsigned int intr_raw; 37 uint64_t x[SDEI_SAVED_GPREGS]; 38 39 /* Exception state registers */ 40 uint64_t elr_el3; 41 uint64_t spsr_el3; 42 } sdei_dispatch_context_t; 43 44 /* Per-CPU SDEI state data */ 45 typedef struct sdei_cpu_state { 46 sdei_dispatch_context_t dispatch_stack[MAX_EVENT_NESTING]; 47 unsigned short stack_top; /* Empty ascending */ 48 unsigned int pe_masked:1; 49 unsigned int pending_enables:1; 50 } sdei_cpu_state_t; 51 52 /* SDEI states for all cores in the system */ 53 static sdei_cpu_state_t sdei_cpu_state[PLATFORM_CORE_COUNT]; 54 55 unsigned int sdei_pe_mask(void) 56 { 57 unsigned int ret; 58 sdei_cpu_state_t *state = sdei_get_this_pe_state(); 59 60 /* 61 * Return value indicates whether this call had any effect in the mask 62 * status of this PE. 63 */ 64 ret = (state->pe_masked ^ PE_MASKED); 65 state->pe_masked = PE_MASKED; 66 67 return ret; 68 } 69 70 void sdei_pe_unmask(void) 71 { 72 int i; 73 sdei_ev_map_t *map; 74 sdei_entry_t *se; 75 sdei_cpu_state_t *state = sdei_get_this_pe_state(); 76 uint64_t my_mpidr = read_mpidr_el1() & MPIDR_AFFINITY_MASK; 77 78 /* 79 * If there are pending enables, iterate through the private mappings 80 * and enable those bound maps that are in enabled state. Also, iterate 81 * through shared mappings and enable interrupts of events that are 82 * targeted to this PE. 83 */ 84 if (state->pending_enables) { 85 for_each_private_map(i, map) { 86 se = get_event_entry(map); 87 if (is_map_bound(map) && GET_EV_STATE(se, ENABLED)) 88 plat_ic_enable_interrupt(map->intr); 89 } 90 91 for_each_shared_map(i, map) { 92 se = get_event_entry(map); 93 94 sdei_map_lock(map); 95 if (is_map_bound(map) && 96 GET_EV_STATE(se, ENABLED) && 97 (se->reg_flags == SDEI_REGF_RM_PE) && 98 (se->affinity == my_mpidr)) { 99 plat_ic_enable_interrupt(map->intr); 100 } 101 sdei_map_unlock(map); 102 } 103 } 104 105 state->pending_enables = 0; 106 state->pe_masked = PE_NOT_MASKED; 107 } 108 109 /* Push a dispatch context to the dispatch stack */ 110 static sdei_dispatch_context_t *push_dispatch(void) 111 { 112 sdei_cpu_state_t *state = sdei_get_this_pe_state(); 113 sdei_dispatch_context_t *disp_ctx; 114 115 /* Cannot have more than max events */ 116 assert(state->stack_top < MAX_EVENT_NESTING); 117 118 disp_ctx = &state->dispatch_stack[state->stack_top]; 119 state->stack_top++; 120 121 return disp_ctx; 122 } 123 124 /* Pop a dispatch context to the dispatch stack */ 125 static sdei_dispatch_context_t *pop_dispatch(void) 126 { 127 sdei_cpu_state_t *state = sdei_get_this_pe_state(); 128 129 if (state->stack_top == 0) 130 return NULL; 131 132 assert(state->stack_top <= MAX_EVENT_NESTING); 133 134 state->stack_top--; 135 136 return &state->dispatch_stack[state->stack_top]; 137 } 138 139 /* Retrieve the context at the top of dispatch stack */ 140 static sdei_dispatch_context_t *get_outstanding_dispatch(void) 141 { 142 sdei_cpu_state_t *state = sdei_get_this_pe_state(); 143 144 if (state->stack_top == 0) 145 return NULL; 146 147 assert(state->stack_top <= MAX_EVENT_NESTING); 148 149 return &state->dispatch_stack[state->stack_top - 1]; 150 } 151 152 static void save_event_ctx(sdei_ev_map_t *map, void *tgt_ctx, int sec_state, 153 unsigned int intr_raw) 154 { 155 sdei_dispatch_context_t *disp_ctx; 156 gp_regs_t *tgt_gpregs; 157 el3_state_t *tgt_el3; 158 159 assert(tgt_ctx); 160 tgt_gpregs = get_gpregs_ctx(tgt_ctx); 161 tgt_el3 = get_el3state_ctx(tgt_ctx); 162 163 disp_ctx = push_dispatch(); 164 assert(disp_ctx); 165 disp_ctx->sec_state = sec_state; 166 disp_ctx->map = map; 167 disp_ctx->intr_raw = intr_raw; 168 169 /* Save general purpose and exception registers */ 170 memcpy(disp_ctx->x, tgt_gpregs, sizeof(disp_ctx->x)); 171 disp_ctx->spsr_el3 = read_ctx_reg(tgt_el3, CTX_SPSR_EL3); 172 disp_ctx->elr_el3 = read_ctx_reg(tgt_el3, CTX_ELR_EL3); 173 } 174 175 static void restore_event_ctx(sdei_dispatch_context_t *disp_ctx, void *tgt_ctx) 176 { 177 gp_regs_t *tgt_gpregs; 178 el3_state_t *tgt_el3; 179 180 assert(tgt_ctx); 181 tgt_gpregs = get_gpregs_ctx(tgt_ctx); 182 tgt_el3 = get_el3state_ctx(tgt_ctx); 183 184 CASSERT(sizeof(disp_ctx->x) == (SDEI_SAVED_GPREGS * sizeof(uint64_t)), 185 foo); 186 187 /* Restore general purpose and exception registers */ 188 memcpy(tgt_gpregs, disp_ctx->x, sizeof(disp_ctx->x)); 189 write_ctx_reg(tgt_el3, CTX_SPSR_EL3, disp_ctx->spsr_el3); 190 write_ctx_reg(tgt_el3, CTX_ELR_EL3, disp_ctx->elr_el3); 191 } 192 193 static void save_secure_context(void) 194 { 195 cm_el1_sysregs_context_save(SECURE); 196 } 197 198 /* Restore Secure context and arrange to resume it at the next ERET */ 199 static void restore_and_resume_secure_context(void) 200 { 201 cm_el1_sysregs_context_restore(SECURE); 202 cm_set_next_eret_context(SECURE); 203 } 204 205 /* 206 * Restore Non-secure context and arrange to resume it at the next ERET. Return 207 * pointer to the Non-secure context. 208 */ 209 static cpu_context_t *restore_and_resume_ns_context(void) 210 { 211 cpu_context_t *ns_ctx; 212 213 cm_el1_sysregs_context_restore(NON_SECURE); 214 cm_set_next_eret_context(NON_SECURE); 215 216 ns_ctx = cm_get_context(NON_SECURE); 217 assert(ns_ctx); 218 219 return ns_ctx; 220 } 221 222 /* 223 * Populate the Non-secure context so that the next ERET will dispatch to the 224 * SDEI client. 225 */ 226 static void setup_ns_dispatch(sdei_ev_map_t *map, sdei_entry_t *se, 227 cpu_context_t *ctx, int sec_state_to_resume, 228 unsigned int intr_raw) 229 { 230 el3_state_t *el3_ctx = get_el3state_ctx(ctx); 231 232 /* Push the event and context */ 233 save_event_ctx(map, ctx, sec_state_to_resume, intr_raw); 234 235 /* 236 * Setup handler arguments: 237 * 238 * - x0: Event number 239 * - x1: Handler argument supplied at the time of event registration 240 * - x2: Interrupted PC 241 * - x3: Interrupted SPSR 242 */ 243 SMC_SET_GP(ctx, CTX_GPREG_X0, map->ev_num); 244 SMC_SET_GP(ctx, CTX_GPREG_X1, se->arg); 245 SMC_SET_GP(ctx, CTX_GPREG_X2, read_ctx_reg(el3_ctx, CTX_ELR_EL3)); 246 SMC_SET_GP(ctx, CTX_GPREG_X3, read_ctx_reg(el3_ctx, CTX_SPSR_EL3)); 247 248 /* 249 * Prepare for ERET: 250 * 251 * - Set PC to the registered handler address 252 * - Set SPSR to jump to client EL with exceptions masked 253 */ 254 cm_set_elr_spsr_el3(NON_SECURE, (uintptr_t) se->ep, 255 SPSR_64(sdei_client_el(), MODE_SP_ELX, 256 DISABLE_ALL_EXCEPTIONS)); 257 } 258 259 /* Handle a triggered SDEI interrupt while events were masked on this PE */ 260 static void handle_masked_trigger(sdei_ev_map_t *map, sdei_entry_t *se, 261 sdei_cpu_state_t *state, unsigned int intr_raw) 262 { 263 uint64_t my_mpidr __unused = (read_mpidr_el1() & MPIDR_AFFINITY_MASK); 264 int disable = 0; 265 266 /* Nothing to do for event 0 */ 267 if (map->ev_num == SDEI_EVENT_0) 268 return; 269 270 /* 271 * For a private event, or for a shared event specifically routed to 272 * this CPU, we disable interrupt, leave the interrupt pending, and do 273 * EOI. 274 */ 275 if (is_event_private(map)) { 276 disable = 1; 277 } else if (se->reg_flags == SDEI_REGF_RM_PE) { 278 assert(se->affinity == my_mpidr); 279 disable = 1; 280 } 281 282 if (disable) { 283 plat_ic_disable_interrupt(map->intr); 284 plat_ic_set_interrupt_pending(map->intr); 285 plat_ic_end_of_interrupt(intr_raw); 286 state->pending_enables = 1; 287 288 return; 289 } 290 291 /* 292 * We just received a shared event with routing set to ANY PE. The 293 * interrupt can't be delegated on this PE as SDEI events are masked. 294 * However, because its routing mode is ANY, it is possible that the 295 * event can be delegated on any other PE that hasn't masked events. 296 * Therefore, we set the interrupt back pending so as to give other 297 * suitable PEs a chance of handling it. 298 */ 299 assert(plat_ic_is_spi(map->intr)); 300 plat_ic_set_interrupt_pending(map->intr); 301 302 /* 303 * Leaving the same interrupt pending also means that the same interrupt 304 * can target this PE again as soon as this PE leaves EL3. Whether and 305 * how often that happens depends on the implementation of GIC. 306 * 307 * We therefore call a platform handler to resolve this situation. 308 */ 309 plat_sdei_handle_masked_trigger(my_mpidr, map->intr); 310 311 /* This PE is masked. We EOI the interrupt, as it can't be delegated */ 312 plat_ic_end_of_interrupt(intr_raw); 313 } 314 315 /* SDEI main interrupt handler */ 316 int sdei_intr_handler(uint32_t intr_raw, uint32_t flags, void *handle, 317 void *cookie) 318 { 319 sdei_entry_t *se; 320 cpu_context_t *ctx; 321 sdei_ev_map_t *map; 322 sdei_dispatch_context_t *disp_ctx; 323 unsigned int sec_state; 324 sdei_cpu_state_t *state; 325 uint32_t intr; 326 327 /* 328 * To handle an event, the following conditions must be true: 329 * 330 * 1. Event must be signalled 331 * 2. Event must be enabled 332 * 3. This PE must be a target PE for the event 333 * 4. PE must be unmasked for SDEI 334 * 5. If this is a normal event, no event must be running 335 * 6. If this is a critical event, no critical event must be running 336 * 337 * (1) and (2) are true when this function is running 338 * (3) is enforced in GIC by selecting the appropriate routing option 339 * (4) is satisfied by client calling PE_UNMASK 340 * (5) and (6) is enforced using interrupt priority, the RPR, in GIC: 341 * - Normal SDEI events belong to Normal SDE priority class 342 * - Critical SDEI events belong to Critical CSDE priority class 343 * 344 * The interrupt has already been acknowledged, and therefore is active, 345 * so no other PE can handle this event while we are at it. 346 * 347 * Find if this is an SDEI interrupt. There must be an event mapped to 348 * this interrupt 349 */ 350 intr = plat_ic_get_interrupt_id(intr_raw); 351 map = find_event_map_by_intr(intr, plat_ic_is_spi(intr)); 352 if (!map) { 353 ERROR("No SDEI map for interrupt %u\n", intr); 354 panic(); 355 } 356 357 /* 358 * Received interrupt number must either correspond to event 0, or must 359 * be bound interrupt. 360 */ 361 assert((map->ev_num == SDEI_EVENT_0) || is_map_bound(map)); 362 363 se = get_event_entry(map); 364 state = sdei_get_this_pe_state(); 365 366 if (state->pe_masked == PE_MASKED) { 367 /* 368 * Interrupts received while this PE was masked can't be 369 * dispatched. 370 */ 371 SDEI_LOG("interrupt %u on %lx while PE masked\n", map->intr, 372 read_mpidr_el1()); 373 if (is_event_shared(map)) 374 sdei_map_lock(map); 375 376 handle_masked_trigger(map, se, state, intr_raw); 377 378 if (is_event_shared(map)) 379 sdei_map_unlock(map); 380 381 return 0; 382 } 383 384 /* Insert load barrier for signalled SDEI event */ 385 if (map->ev_num == SDEI_EVENT_0) 386 dmbld(); 387 388 if (is_event_shared(map)) 389 sdei_map_lock(map); 390 391 /* Assert shared event routed to this PE had been configured so */ 392 if (is_event_shared(map) && (se->reg_flags == SDEI_REGF_RM_PE)) { 393 assert(se->affinity == 394 (read_mpidr_el1() & MPIDR_AFFINITY_MASK)); 395 } 396 397 if (!can_sdei_state_trans(se, DO_DISPATCH)) { 398 SDEI_LOG("SDEI event 0x%x can't be dispatched; state=0x%x\n", 399 map->ev_num, se->state); 400 401 /* 402 * If the event is registered, leave the interrupt pending so 403 * that it's delivered when the event is enabled. 404 */ 405 if (GET_EV_STATE(se, REGISTERED)) 406 plat_ic_set_interrupt_pending(map->intr); 407 408 /* 409 * The interrupt was disabled or unregistered after the handler 410 * started to execute, which means now the interrupt is already 411 * disabled and we just need to EOI the interrupt. 412 */ 413 plat_ic_end_of_interrupt(intr_raw); 414 415 if (is_event_shared(map)) 416 sdei_map_unlock(map); 417 418 return 0; 419 } 420 421 disp_ctx = get_outstanding_dispatch(); 422 if (is_event_critical(map)) { 423 /* 424 * If this event is Critical, and if there's an outstanding 425 * dispatch, assert the latter is a Normal dispatch. Critical 426 * events can preempt an outstanding Normal event dispatch. 427 */ 428 if (disp_ctx) 429 assert(is_event_normal(disp_ctx->map)); 430 } else { 431 /* 432 * If this event is Normal, assert that there are no outstanding 433 * dispatches. Normal events can't preempt any outstanding event 434 * dispatches. 435 */ 436 assert(disp_ctx == NULL); 437 } 438 439 sec_state = get_interrupt_src_ss(flags); 440 441 if (is_event_shared(map)) 442 sdei_map_unlock(map); 443 444 SDEI_LOG("ACK %lx, ev:%d ss:%d spsr:%lx ELR:%lx\n", read_mpidr_el1(), 445 map->ev_num, sec_state, read_spsr_el3(), 446 read_elr_el3()); 447 448 ctx = handle; 449 450 /* 451 * Check if we interrupted secure state. Perform a context switch so 452 * that we can delegate to NS. 453 */ 454 if (sec_state == SECURE) { 455 save_secure_context(); 456 ctx = restore_and_resume_ns_context(); 457 } 458 459 setup_ns_dispatch(map, se, ctx, sec_state, intr_raw); 460 461 /* 462 * End of interrupt is done in sdei_event_complete, when the client 463 * signals completion. 464 */ 465 return 0; 466 } 467 468 /* Explicitly dispatch the given SDEI event */ 469 int sdei_dispatch_event(int ev_num, unsigned int preempted_sec_state) 470 { 471 sdei_entry_t *se; 472 sdei_ev_map_t *map; 473 cpu_context_t *ctx; 474 sdei_dispatch_context_t *disp_ctx; 475 sdei_cpu_state_t *state; 476 477 /* Validate preempted security state */ 478 if ((preempted_sec_state != SECURE) && 479 (preempted_sec_state != NON_SECURE)) { 480 return -1; 481 } 482 483 /* Can't dispatch if events are masked on this PE */ 484 state = sdei_get_this_pe_state(); 485 if (state->pe_masked == PE_MASKED) 486 return -1; 487 488 /* Event 0 can't be dispatched */ 489 if (ev_num == SDEI_EVENT_0) 490 return -1; 491 492 /* Locate mapping corresponding to this event */ 493 map = find_event_map(ev_num); 494 if (!map) 495 return -1; 496 497 /* 498 * Statically-bound or dynamic maps are dispatched only as a result of 499 * interrupt, and not upon explicit request. 500 */ 501 if (is_map_dynamic(map) || is_map_bound(map)) 502 return -1; 503 504 /* The event must be private */ 505 if (is_event_shared(map)) 506 return -1; 507 508 /* Examine state of dispatch stack */ 509 disp_ctx = get_outstanding_dispatch(); 510 if (disp_ctx) { 511 /* 512 * There's an outstanding dispatch. If the outstanding dispatch 513 * is critical, no more dispatches are possible. 514 */ 515 if (is_event_critical(disp_ctx->map)) 516 return -1; 517 518 /* 519 * If the outstanding dispatch is Normal, only critical events 520 * can be dispatched. 521 */ 522 if (is_event_normal(map)) 523 return -1; 524 } 525 526 se = get_event_entry(map); 527 if (!can_sdei_state_trans(se, DO_DISPATCH)) 528 return -1; 529 530 /* Activate the priority corresponding to the event being dispatched */ 531 ehf_activate_priority(sdei_event_priority(map)); 532 533 /* 534 * We assume the current context is SECURE, and that it's already been 535 * saved. 536 */ 537 ctx = restore_and_resume_ns_context(); 538 539 /* 540 * The caller has effectively terminated execution. Record to resume the 541 * preempted context later when the event completes or 542 * complete-and-resumes. 543 */ 544 setup_ns_dispatch(map, se, ctx, preempted_sec_state, 0); 545 546 return 0; 547 } 548 549 int sdei_event_complete(int resume, uint64_t pc) 550 { 551 sdei_dispatch_context_t *disp_ctx; 552 sdei_entry_t *se; 553 sdei_ev_map_t *map; 554 cpu_context_t *ctx; 555 sdei_action_t act; 556 unsigned int client_el = sdei_client_el(); 557 558 /* Return error if called without an active event */ 559 disp_ctx = get_outstanding_dispatch(); 560 if (!disp_ctx) 561 return SDEI_EDENY; 562 563 /* Validate resumption point */ 564 if (resume && (plat_sdei_validate_entry_point(pc, client_el) != 0)) 565 return SDEI_EDENY; 566 567 map = disp_ctx->map; 568 assert(map); 569 se = get_event_entry(map); 570 571 act = resume ? DO_COMPLETE_RESUME : DO_COMPLETE; 572 if (!can_sdei_state_trans(se, act)) { 573 if (is_event_shared(map)) 574 sdei_map_unlock(map); 575 return SDEI_EDENY; 576 } 577 578 /* Having done sanity checks, pop dispatch */ 579 pop_dispatch(); 580 581 SDEI_LOG("EOI:%lx, %d spsr:%lx elr:%lx\n", read_mpidr_el1(), 582 map->ev_num, read_spsr_el3(), read_elr_el3()); 583 584 if (is_event_shared(map)) 585 sdei_map_lock(map); 586 587 /* 588 * Restore Non-secure to how it was originally interrupted. Once done, 589 * it's up-to-date with the saved copy. 590 */ 591 ctx = cm_get_context(NON_SECURE); 592 restore_event_ctx(disp_ctx, ctx); 593 594 if (resume) { 595 /* 596 * Complete-and-resume call. Prepare the Non-secure context 597 * (currently active) for complete and resume. 598 */ 599 cm_set_elr_spsr_el3(NON_SECURE, pc, SPSR_64(client_el, 600 MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS)); 601 602 /* 603 * Make it look as if a synchronous exception were taken at the 604 * supplied Non-secure resumption point. Populate SPSR and 605 * ELR_ELx so that an ERET from there works as expected. 606 * 607 * The assumption is that the client, if necessary, would have 608 * saved any live content in these registers before making this 609 * call. 610 */ 611 if (client_el == MODE_EL2) { 612 write_elr_el2(disp_ctx->elr_el3); 613 write_spsr_el2(disp_ctx->spsr_el3); 614 } else { 615 /* EL1 */ 616 write_elr_el1(disp_ctx->elr_el3); 617 write_spsr_el1(disp_ctx->spsr_el3); 618 } 619 } 620 621 /* 622 * If the cause of dispatch originally interrupted the Secure world, and 623 * if Non-secure world wasn't allowed to preempt Secure execution, 624 * resume Secure. 625 * 626 * No need to save the Non-secure context ahead of a world switch: the 627 * Non-secure context was fully saved before dispatch, and has been 628 * returned to its pre-dispatch state. 629 */ 630 if ((disp_ctx->sec_state == SECURE) && 631 (ehf_is_ns_preemption_allowed() == 0)) { 632 restore_and_resume_secure_context(); 633 } 634 635 if ((map->ev_num == SDEI_EVENT_0) || is_map_bound(map)) { 636 /* 637 * The event was dispatched after receiving SDEI interrupt. With 638 * the event handling completed, EOI the corresponding 639 * interrupt. 640 */ 641 plat_ic_end_of_interrupt(disp_ctx->intr_raw); 642 } else { 643 /* 644 * An unbound event must have been dispatched explicitly. 645 * Deactivate the priority level that was activated at the time 646 * of explicit dispatch. 647 */ 648 ehf_deactivate_priority(sdei_event_priority(map)); 649 } 650 651 if (is_event_shared(map)) 652 sdei_map_unlock(map); 653 654 return 0; 655 } 656 657 int sdei_event_context(void *handle, unsigned int param) 658 { 659 sdei_dispatch_context_t *disp_ctx; 660 661 if (param >= SDEI_SAVED_GPREGS) 662 return SDEI_EINVAL; 663 664 /* Get outstanding dispatch on this CPU */ 665 disp_ctx = get_outstanding_dispatch(); 666 if (!disp_ctx) 667 return SDEI_EDENY; 668 669 assert(disp_ctx->map); 670 671 if (!can_sdei_state_trans(get_event_entry(disp_ctx->map), DO_CONTEXT)) 672 return SDEI_EDENY; 673 674 /* 675 * No locking is required for the Running status as this is the only CPU 676 * which can complete the event 677 */ 678 679 return disp_ctx->x[param]; 680 } 681