1 /* 2 * Copyright (c) 2022, ARM Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <errno.h> 9 10 #include <arch_helpers.h> 11 #include <bl31/bl31.h> 12 #include <bl31/ehf.h> 13 #include <bl31/interrupt_mgmt.h> 14 #include <common/debug.h> 15 #include <common/fdt_wrappers.h> 16 #include <common/runtime_svc.h> 17 #include <common/uuid.h> 18 #include <lib/el3_runtime/context_mgmt.h> 19 #include <lib/smccc.h> 20 #include <lib/utils.h> 21 #include <lib/xlat_tables/xlat_tables_v2.h> 22 #include <libfdt.h> 23 #include <plat/common/platform.h> 24 #include <services/el3_spmc_logical_sp.h> 25 #include <services/ffa_svc.h> 26 #include <services/spmc_svc.h> 27 #include <services/spmd_svc.h> 28 #include "spmc.h" 29 30 #include <platform_def.h> 31 32 /* Declare the maximum number of SPs and El3 LPs. */ 33 #define MAX_SP_LP_PARTITIONS SECURE_PARTITION_COUNT + MAX_EL3_LP_DESCS_COUNT 34 35 /* 36 * Allocate a secure partition descriptor to describe each SP in the system that 37 * does not reside at EL3. 38 */ 39 static struct secure_partition_desc sp_desc[SECURE_PARTITION_COUNT]; 40 41 /* 42 * Allocate an NS endpoint descriptor to describe each VM and the Hypervisor in 43 * the system that interacts with a SP. It is used to track the Hypervisor 44 * buffer pair, version and ID for now. It could be extended to track VM 45 * properties when the SPMC supports indirect messaging. 46 */ 47 static struct ns_endpoint_desc ns_ep_desc[NS_PARTITION_COUNT]; 48 49 static uint64_t spmc_sp_interrupt_handler(uint32_t id, 50 uint32_t flags, 51 void *handle, 52 void *cookie); 53 54 /* 55 * Helper function to obtain the array storing the EL3 56 * Logical Partition descriptors. 57 */ 58 struct el3_lp_desc *get_el3_lp_array(void) 59 { 60 return (struct el3_lp_desc *) EL3_LP_DESCS_START; 61 } 62 63 /* 64 * Helper function to obtain the descriptor of the last SP to whom control was 65 * handed to on this physical cpu. Currently, we assume there is only one SP. 66 * TODO: Expand to track multiple partitions when required. 67 */ 68 struct secure_partition_desc *spmc_get_current_sp_ctx(void) 69 { 70 return &(sp_desc[ACTIVE_SP_DESC_INDEX]); 71 } 72 73 /* 74 * Helper function to obtain the execution context of an SP on the 75 * current physical cpu. 76 */ 77 struct sp_exec_ctx *spmc_get_sp_ec(struct secure_partition_desc *sp) 78 { 79 return &(sp->ec[get_ec_index(sp)]); 80 } 81 82 /* Helper function to get pointer to SP context from its ID. */ 83 struct secure_partition_desc *spmc_get_sp_ctx(uint16_t id) 84 { 85 /* Check for Secure World Partitions. */ 86 for (unsigned int i = 0U; i < SECURE_PARTITION_COUNT; i++) { 87 if (sp_desc[i].sp_id == id) { 88 return &(sp_desc[i]); 89 } 90 } 91 return NULL; 92 } 93 94 /* 95 * Helper function to obtain the descriptor of the Hypervisor or OS kernel. 96 * We assume that the first descriptor is reserved for this entity. 97 */ 98 struct ns_endpoint_desc *spmc_get_hyp_ctx(void) 99 { 100 return &(ns_ep_desc[0]); 101 } 102 103 /* 104 * Helper function to obtain the RX/TX buffer pair descriptor of the Hypervisor 105 * or OS kernel in the normal world or the last SP that was run. 106 */ 107 struct mailbox *spmc_get_mbox_desc(bool secure_origin) 108 { 109 /* Obtain the RX/TX buffer pair descriptor. */ 110 if (secure_origin) { 111 return &(spmc_get_current_sp_ctx()->mailbox); 112 } else { 113 return &(spmc_get_hyp_ctx()->mailbox); 114 } 115 } 116 117 /****************************************************************************** 118 * This function returns to the place where spmc_sp_synchronous_entry() was 119 * called originally. 120 ******************************************************************************/ 121 __dead2 void spmc_sp_synchronous_exit(struct sp_exec_ctx *ec, uint64_t rc) 122 { 123 /* 124 * The SPM must have initiated the original request through a 125 * synchronous entry into the secure partition. Jump back to the 126 * original C runtime context with the value of rc in x0; 127 */ 128 spm_secure_partition_exit(ec->c_rt_ctx, rc); 129 130 panic(); 131 } 132 133 /******************************************************************************* 134 * Return FFA_ERROR with specified error code. 135 ******************************************************************************/ 136 uint64_t spmc_ffa_error_return(void *handle, int error_code) 137 { 138 SMC_RET8(handle, FFA_ERROR, 139 FFA_TARGET_INFO_MBZ, error_code, 140 FFA_PARAM_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ, 141 FFA_PARAM_MBZ, FFA_PARAM_MBZ); 142 } 143 144 /****************************************************************************** 145 * Helper function to validate a secure partition ID to ensure it does not 146 * conflict with any other FF-A component and follows the convention to 147 * indicate it resides within the secure world. 148 ******************************************************************************/ 149 bool is_ffa_secure_id_valid(uint16_t partition_id) 150 { 151 struct el3_lp_desc *el3_lp_descs = get_el3_lp_array(); 152 153 /* Ensure the ID is not the invalid partition ID. */ 154 if (partition_id == INV_SP_ID) { 155 return false; 156 } 157 158 /* Ensure the ID is not the SPMD ID. */ 159 if (partition_id == SPMD_DIRECT_MSG_ENDPOINT_ID) { 160 return false; 161 } 162 163 /* 164 * Ensure the ID follows the convention to indicate it resides 165 * in the secure world. 166 */ 167 if (!ffa_is_secure_world_id(partition_id)) { 168 return false; 169 } 170 171 /* Ensure we don't conflict with the SPMC partition ID. */ 172 if (partition_id == FFA_SPMC_ID) { 173 return false; 174 } 175 176 /* Ensure we do not already have an SP context with this ID. */ 177 if (spmc_get_sp_ctx(partition_id)) { 178 return false; 179 } 180 181 /* Ensure we don't clash with any Logical SP's. */ 182 for (unsigned int i = 0U; i < EL3_LP_DESCS_COUNT; i++) { 183 if (el3_lp_descs[i].sp_id == partition_id) { 184 return false; 185 } 186 } 187 188 return true; 189 } 190 191 /******************************************************************************* 192 * This function either forwards the request to the other world or returns 193 * with an ERET depending on the source of the call. 194 * We can assume that the destination is for an entity at a lower exception 195 * level as any messages destined for a logical SP resident in EL3 will have 196 * already been taken care of by the SPMC before entering this function. 197 ******************************************************************************/ 198 static uint64_t spmc_smc_return(uint32_t smc_fid, 199 bool secure_origin, 200 uint64_t x1, 201 uint64_t x2, 202 uint64_t x3, 203 uint64_t x4, 204 void *handle, 205 void *cookie, 206 uint64_t flags, 207 uint16_t dst_id) 208 { 209 /* If the destination is in the normal world always go via the SPMD. */ 210 if (ffa_is_normal_world_id(dst_id)) { 211 return spmd_smc_handler(smc_fid, x1, x2, x3, x4, 212 cookie, handle, flags); 213 } 214 /* 215 * If the caller is secure and we want to return to the secure world, 216 * ERET directly. 217 */ 218 else if (secure_origin && ffa_is_secure_world_id(dst_id)) { 219 SMC_RET5(handle, smc_fid, x1, x2, x3, x4); 220 } 221 /* If we originated in the normal world then switch contexts. */ 222 else if (!secure_origin && ffa_is_secure_world_id(dst_id)) { 223 return spmd_smc_switch_state(smc_fid, secure_origin, x1, x2, 224 x3, x4, handle); 225 } else { 226 /* Unknown State. */ 227 panic(); 228 } 229 230 /* Shouldn't be Reached. */ 231 return 0; 232 } 233 234 /******************************************************************************* 235 * FF-A ABI Handlers. 236 ******************************************************************************/ 237 238 /******************************************************************************* 239 * Helper function to validate arg2 as part of a direct message. 240 ******************************************************************************/ 241 static inline bool direct_msg_validate_arg2(uint64_t x2) 242 { 243 /* Check message type. */ 244 if (x2 & FFA_FWK_MSG_BIT) { 245 /* We have a framework message, ensure it is a known message. */ 246 if (x2 & ~(FFA_FWK_MSG_MASK | FFA_FWK_MSG_BIT)) { 247 VERBOSE("Invalid message format 0x%lx.\n", x2); 248 return false; 249 } 250 } else { 251 /* We have a partition messages, ensure x2 is not set. */ 252 if (x2 != (uint64_t) 0) { 253 VERBOSE("Arg2 MBZ for partition messages. (0x%lx).\n", 254 x2); 255 return false; 256 } 257 } 258 return true; 259 } 260 261 /******************************************************************************* 262 * Handle direct request messages and route to the appropriate destination. 263 ******************************************************************************/ 264 static uint64_t direct_req_smc_handler(uint32_t smc_fid, 265 bool secure_origin, 266 uint64_t x1, 267 uint64_t x2, 268 uint64_t x3, 269 uint64_t x4, 270 void *cookie, 271 void *handle, 272 uint64_t flags) 273 { 274 uint16_t dst_id = ffa_endpoint_destination(x1); 275 struct el3_lp_desc *el3_lp_descs; 276 struct secure_partition_desc *sp; 277 unsigned int idx; 278 279 /* Check if arg2 has been populated correctly based on message type. */ 280 if (!direct_msg_validate_arg2(x2)) { 281 return spmc_ffa_error_return(handle, 282 FFA_ERROR_INVALID_PARAMETER); 283 } 284 285 el3_lp_descs = get_el3_lp_array(); 286 287 /* Check if the request is destined for a Logical Partition. */ 288 for (unsigned int i = 0U; i < MAX_EL3_LP_DESCS_COUNT; i++) { 289 if (el3_lp_descs[i].sp_id == dst_id) { 290 return el3_lp_descs[i].direct_req( 291 smc_fid, secure_origin, x1, x2, x3, x4, 292 cookie, handle, flags); 293 } 294 } 295 296 /* 297 * If the request was not targeted to a LSP and from the secure world 298 * then it is invalid since a SP cannot call into the Normal world and 299 * there is no other SP to call into. If there are other SPs in future 300 * then the partition runtime model would need to be validated as well. 301 */ 302 if (secure_origin) { 303 VERBOSE("Direct request not supported to the Normal World.\n"); 304 return spmc_ffa_error_return(handle, 305 FFA_ERROR_INVALID_PARAMETER); 306 } 307 308 /* Check if the SP ID is valid. */ 309 sp = spmc_get_sp_ctx(dst_id); 310 if (sp == NULL) { 311 VERBOSE("Direct request to unknown partition ID (0x%x).\n", 312 dst_id); 313 return spmc_ffa_error_return(handle, 314 FFA_ERROR_INVALID_PARAMETER); 315 } 316 317 /* 318 * Check that the target execution context is in a waiting state before 319 * forwarding the direct request to it. 320 */ 321 idx = get_ec_index(sp); 322 if (sp->ec[idx].rt_state != RT_STATE_WAITING) { 323 VERBOSE("SP context on core%u is not waiting (%u).\n", 324 idx, sp->ec[idx].rt_model); 325 return spmc_ffa_error_return(handle, FFA_ERROR_BUSY); 326 } 327 328 /* 329 * Everything checks out so forward the request to the SP after updating 330 * its state and runtime model. 331 */ 332 sp->ec[idx].rt_state = RT_STATE_RUNNING; 333 sp->ec[idx].rt_model = RT_MODEL_DIR_REQ; 334 return spmc_smc_return(smc_fid, secure_origin, x1, x2, x3, x4, 335 handle, cookie, flags, dst_id); 336 } 337 338 /******************************************************************************* 339 * Handle direct response messages and route to the appropriate destination. 340 ******************************************************************************/ 341 static uint64_t direct_resp_smc_handler(uint32_t smc_fid, 342 bool secure_origin, 343 uint64_t x1, 344 uint64_t x2, 345 uint64_t x3, 346 uint64_t x4, 347 void *cookie, 348 void *handle, 349 uint64_t flags) 350 { 351 uint16_t dst_id = ffa_endpoint_destination(x1); 352 struct secure_partition_desc *sp; 353 unsigned int idx; 354 355 /* Check if arg2 has been populated correctly based on message type. */ 356 if (!direct_msg_validate_arg2(x2)) { 357 return spmc_ffa_error_return(handle, 358 FFA_ERROR_INVALID_PARAMETER); 359 } 360 361 /* Check that the response did not originate from the Normal world. */ 362 if (!secure_origin) { 363 VERBOSE("Direct Response not supported from Normal World.\n"); 364 return spmc_ffa_error_return(handle, 365 FFA_ERROR_INVALID_PARAMETER); 366 } 367 368 /* 369 * Check that the response is either targeted to the Normal world or the 370 * SPMC e.g. a PM response. 371 */ 372 if ((dst_id != FFA_SPMC_ID) && ffa_is_secure_world_id(dst_id)) { 373 VERBOSE("Direct response to invalid partition ID (0x%x).\n", 374 dst_id); 375 return spmc_ffa_error_return(handle, 376 FFA_ERROR_INVALID_PARAMETER); 377 } 378 379 /* Obtain the SP descriptor and update its runtime state. */ 380 sp = spmc_get_sp_ctx(ffa_endpoint_source(x1)); 381 if (sp == NULL) { 382 VERBOSE("Direct response to unknown partition ID (0x%x).\n", 383 dst_id); 384 return spmc_ffa_error_return(handle, 385 FFA_ERROR_INVALID_PARAMETER); 386 } 387 388 /* Sanity check state is being tracked correctly in the SPMC. */ 389 idx = get_ec_index(sp); 390 assert(sp->ec[idx].rt_state == RT_STATE_RUNNING); 391 392 /* Ensure SP execution context was in the right runtime model. */ 393 if (sp->ec[idx].rt_model != RT_MODEL_DIR_REQ) { 394 VERBOSE("SP context on core%u not handling direct req (%u).\n", 395 idx, sp->ec[idx].rt_model); 396 return spmc_ffa_error_return(handle, FFA_ERROR_DENIED); 397 } 398 399 /* Update the state of the SP execution context. */ 400 sp->ec[idx].rt_state = RT_STATE_WAITING; 401 402 /* 403 * If the receiver is not the SPMC then forward the response to the 404 * Normal world. 405 */ 406 if (dst_id == FFA_SPMC_ID) { 407 spmc_sp_synchronous_exit(&sp->ec[idx], x4); 408 /* Should not get here. */ 409 panic(); 410 } 411 412 return spmc_smc_return(smc_fid, secure_origin, x1, x2, x3, x4, 413 handle, cookie, flags, dst_id); 414 } 415 416 /******************************************************************************* 417 * This function handles the FFA_MSG_WAIT SMC to allow an SP to relinquish its 418 * cycles. 419 ******************************************************************************/ 420 static uint64_t msg_wait_handler(uint32_t smc_fid, 421 bool secure_origin, 422 uint64_t x1, 423 uint64_t x2, 424 uint64_t x3, 425 uint64_t x4, 426 void *cookie, 427 void *handle, 428 uint64_t flags) 429 { 430 struct secure_partition_desc *sp; 431 unsigned int idx; 432 433 /* 434 * Check that the response did not originate from the Normal world as 435 * only the secure world can call this ABI. 436 */ 437 if (!secure_origin) { 438 VERBOSE("Normal world cannot call FFA_MSG_WAIT.\n"); 439 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 440 } 441 442 /* Get the descriptor of the SP that invoked FFA_MSG_WAIT. */ 443 sp = spmc_get_current_sp_ctx(); 444 if (sp == NULL) { 445 return spmc_ffa_error_return(handle, 446 FFA_ERROR_INVALID_PARAMETER); 447 } 448 449 /* 450 * Get the execution context of the SP that invoked FFA_MSG_WAIT. 451 */ 452 idx = get_ec_index(sp); 453 454 /* Ensure SP execution context was in the right runtime model. */ 455 if (sp->ec[idx].rt_model == RT_MODEL_DIR_REQ) { 456 return spmc_ffa_error_return(handle, FFA_ERROR_DENIED); 457 } 458 459 /* Sanity check the state is being tracked correctly in the SPMC. */ 460 assert(sp->ec[idx].rt_state == RT_STATE_RUNNING); 461 462 /* 463 * Perform a synchronous exit if the partition was initialising. The 464 * state is updated after the exit. 465 */ 466 if (sp->ec[idx].rt_model == RT_MODEL_INIT) { 467 spmc_sp_synchronous_exit(&sp->ec[idx], x4); 468 /* Should not get here */ 469 panic(); 470 } 471 472 /* Update the state of the SP execution context. */ 473 sp->ec[idx].rt_state = RT_STATE_WAITING; 474 475 /* Resume normal world if a secure interrupt was handled. */ 476 if (sp->ec[idx].rt_model == RT_MODEL_INTR) { 477 /* FFA_MSG_WAIT can only be called from the secure world. */ 478 unsigned int secure_state_in = SECURE; 479 unsigned int secure_state_out = NON_SECURE; 480 481 cm_el1_sysregs_context_save(secure_state_in); 482 cm_el1_sysregs_context_restore(secure_state_out); 483 cm_set_next_eret_context(secure_state_out); 484 SMC_RET0(cm_get_context(secure_state_out)); 485 } 486 487 /* Forward the response to the Normal world. */ 488 return spmc_smc_return(smc_fid, secure_origin, x1, x2, x3, x4, 489 handle, cookie, flags, FFA_NWD_ID); 490 } 491 492 static uint64_t ffa_error_handler(uint32_t smc_fid, 493 bool secure_origin, 494 uint64_t x1, 495 uint64_t x2, 496 uint64_t x3, 497 uint64_t x4, 498 void *cookie, 499 void *handle, 500 uint64_t flags) 501 { 502 struct secure_partition_desc *sp; 503 unsigned int idx; 504 505 /* Check that the response did not originate from the Normal world. */ 506 if (!secure_origin) { 507 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 508 } 509 510 /* Get the descriptor of the SP that invoked FFA_ERROR. */ 511 sp = spmc_get_current_sp_ctx(); 512 if (sp == NULL) { 513 return spmc_ffa_error_return(handle, 514 FFA_ERROR_INVALID_PARAMETER); 515 } 516 517 /* Get the execution context of the SP that invoked FFA_ERROR. */ 518 idx = get_ec_index(sp); 519 520 /* 521 * We only expect FFA_ERROR to be received during SP initialisation 522 * otherwise this is an invalid call. 523 */ 524 if (sp->ec[idx].rt_model == RT_MODEL_INIT) { 525 ERROR("SP 0x%x failed to initialize.\n", sp->sp_id); 526 spmc_sp_synchronous_exit(&sp->ec[idx], x2); 527 /* Should not get here. */ 528 panic(); 529 } 530 531 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 532 } 533 534 static uint64_t ffa_version_handler(uint32_t smc_fid, 535 bool secure_origin, 536 uint64_t x1, 537 uint64_t x2, 538 uint64_t x3, 539 uint64_t x4, 540 void *cookie, 541 void *handle, 542 uint64_t flags) 543 { 544 uint32_t requested_version = x1 & FFA_VERSION_MASK; 545 546 if (requested_version & FFA_VERSION_BIT31_MASK) { 547 /* Invalid encoding, return an error. */ 548 SMC_RET1(handle, FFA_ERROR_NOT_SUPPORTED); 549 /* Execution stops here. */ 550 } 551 552 /* Determine the caller to store the requested version. */ 553 if (secure_origin) { 554 /* 555 * Ensure that the SP is reporting the same version as 556 * specified in its manifest. If these do not match there is 557 * something wrong with the SP. 558 * TODO: Should we abort the SP? For now assert this is not 559 * case. 560 */ 561 assert(requested_version == 562 spmc_get_current_sp_ctx()->ffa_version); 563 } else { 564 /* 565 * If this is called by the normal world, record this 566 * information in its descriptor. 567 */ 568 spmc_get_hyp_ctx()->ffa_version = requested_version; 569 } 570 571 SMC_RET1(handle, MAKE_FFA_VERSION(FFA_VERSION_MAJOR, 572 FFA_VERSION_MINOR)); 573 } 574 575 /******************************************************************************* 576 * Helper function to obtain the FF-A version of the calling partition. 577 ******************************************************************************/ 578 uint32_t get_partition_ffa_version(bool secure_origin) 579 { 580 if (secure_origin) { 581 return spmc_get_current_sp_ctx()->ffa_version; 582 } else { 583 return spmc_get_hyp_ctx()->ffa_version; 584 } 585 } 586 587 static uint64_t rxtx_map_handler(uint32_t smc_fid, 588 bool secure_origin, 589 uint64_t x1, 590 uint64_t x2, 591 uint64_t x3, 592 uint64_t x4, 593 void *cookie, 594 void *handle, 595 uint64_t flags) 596 { 597 int ret; 598 uint32_t error_code; 599 uint32_t mem_atts = secure_origin ? MT_SECURE : MT_NS; 600 struct mailbox *mbox; 601 uintptr_t tx_address = x1; 602 uintptr_t rx_address = x2; 603 uint32_t page_count = x3 & FFA_RXTX_PAGE_COUNT_MASK; /* Bits [5:0] */ 604 uint32_t buf_size = page_count * FFA_PAGE_SIZE; 605 606 /* 607 * The SPMC does not support mapping of VM RX/TX pairs to facilitate 608 * indirect messaging with SPs. Check if the Hypervisor has invoked this 609 * ABI on behalf of a VM and reject it if this is the case. 610 */ 611 if (tx_address == 0 || rx_address == 0) { 612 WARN("Mapping RX/TX Buffers on behalf of VM not supported.\n"); 613 return spmc_ffa_error_return(handle, 614 FFA_ERROR_INVALID_PARAMETER); 615 } 616 617 /* Ensure the specified buffers are not the same. */ 618 if (tx_address == rx_address) { 619 WARN("TX Buffer must not be the same as RX Buffer.\n"); 620 return spmc_ffa_error_return(handle, 621 FFA_ERROR_INVALID_PARAMETER); 622 } 623 624 /* Ensure the buffer size is not 0. */ 625 if (buf_size == 0U) { 626 WARN("Buffer size must not be 0\n"); 627 return spmc_ffa_error_return(handle, 628 FFA_ERROR_INVALID_PARAMETER); 629 } 630 631 /* 632 * Ensure the buffer size is a multiple of the translation granule size 633 * in TF-A. 634 */ 635 if (buf_size % PAGE_SIZE != 0U) { 636 WARN("Buffer size must be aligned to translation granule.\n"); 637 return spmc_ffa_error_return(handle, 638 FFA_ERROR_INVALID_PARAMETER); 639 } 640 641 /* Obtain the RX/TX buffer pair descriptor. */ 642 mbox = spmc_get_mbox_desc(secure_origin); 643 644 spin_lock(&mbox->lock); 645 646 /* Check if buffers have already been mapped. */ 647 if (mbox->rx_buffer != 0 || mbox->tx_buffer != 0) { 648 WARN("RX/TX Buffers already mapped (%p/%p)\n", 649 (void *) mbox->rx_buffer, (void *)mbox->tx_buffer); 650 error_code = FFA_ERROR_DENIED; 651 goto err; 652 } 653 654 /* memmap the TX buffer as read only. */ 655 ret = mmap_add_dynamic_region(tx_address, /* PA */ 656 tx_address, /* VA */ 657 buf_size, /* size */ 658 mem_atts | MT_RO_DATA); /* attrs */ 659 if (ret != 0) { 660 /* Return the correct error code. */ 661 error_code = (ret == -ENOMEM) ? FFA_ERROR_NO_MEMORY : 662 FFA_ERROR_INVALID_PARAMETER; 663 WARN("Unable to map TX buffer: %d\n", error_code); 664 goto err; 665 } 666 667 /* memmap the RX buffer as read write. */ 668 ret = mmap_add_dynamic_region(rx_address, /* PA */ 669 rx_address, /* VA */ 670 buf_size, /* size */ 671 mem_atts | MT_RW_DATA); /* attrs */ 672 673 if (ret != 0) { 674 error_code = (ret == -ENOMEM) ? FFA_ERROR_NO_MEMORY : 675 FFA_ERROR_INVALID_PARAMETER; 676 WARN("Unable to map RX buffer: %d\n", error_code); 677 /* Unmap the TX buffer again. */ 678 mmap_remove_dynamic_region(tx_address, buf_size); 679 goto err; 680 } 681 682 mbox->tx_buffer = (void *) tx_address; 683 mbox->rx_buffer = (void *) rx_address; 684 mbox->rxtx_page_count = page_count; 685 spin_unlock(&mbox->lock); 686 687 SMC_RET1(handle, FFA_SUCCESS_SMC32); 688 /* Execution stops here. */ 689 err: 690 spin_unlock(&mbox->lock); 691 return spmc_ffa_error_return(handle, error_code); 692 } 693 694 static uint64_t rxtx_unmap_handler(uint32_t smc_fid, 695 bool secure_origin, 696 uint64_t x1, 697 uint64_t x2, 698 uint64_t x3, 699 uint64_t x4, 700 void *cookie, 701 void *handle, 702 uint64_t flags) 703 { 704 struct mailbox *mbox = spmc_get_mbox_desc(secure_origin); 705 uint32_t buf_size = mbox->rxtx_page_count * FFA_PAGE_SIZE; 706 707 /* 708 * The SPMC does not support mapping of VM RX/TX pairs to facilitate 709 * indirect messaging with SPs. Check if the Hypervisor has invoked this 710 * ABI on behalf of a VM and reject it if this is the case. 711 */ 712 if (x1 != 0UL) { 713 return spmc_ffa_error_return(handle, 714 FFA_ERROR_INVALID_PARAMETER); 715 } 716 717 spin_lock(&mbox->lock); 718 719 /* Check if buffers are currently mapped. */ 720 if (mbox->rx_buffer == 0 || mbox->tx_buffer == 0) { 721 spin_unlock(&mbox->lock); 722 return spmc_ffa_error_return(handle, 723 FFA_ERROR_INVALID_PARAMETER); 724 } 725 726 /* Unmap RX Buffer */ 727 if (mmap_remove_dynamic_region((uintptr_t) mbox->rx_buffer, 728 buf_size) != 0) { 729 WARN("Unable to unmap RX buffer!\n"); 730 } 731 732 mbox->rx_buffer = 0; 733 734 /* Unmap TX Buffer */ 735 if (mmap_remove_dynamic_region((uintptr_t) mbox->tx_buffer, 736 buf_size) != 0) { 737 WARN("Unable to unmap TX buffer!\n"); 738 } 739 740 mbox->tx_buffer = 0; 741 mbox->rxtx_page_count = 0; 742 743 spin_unlock(&mbox->lock); 744 SMC_RET1(handle, FFA_SUCCESS_SMC32); 745 } 746 747 /* 748 * Collate the partition information in a v1.1 partition information 749 * descriptor format, this will be converter later if required. 750 */ 751 static int partition_info_get_handler_v1_1(uint32_t *uuid, 752 struct ffa_partition_info_v1_1 753 *partitions, 754 uint32_t max_partitions, 755 uint32_t *partition_count) 756 { 757 uint32_t index; 758 struct ffa_partition_info_v1_1 *desc; 759 bool null_uuid = is_null_uuid(uuid); 760 struct el3_lp_desc *el3_lp_descs = get_el3_lp_array(); 761 762 /* Deal with Logical Partitions. */ 763 for (index = 0U; index < EL3_LP_DESCS_COUNT; index++) { 764 if (null_uuid || uuid_match(uuid, el3_lp_descs[index].uuid)) { 765 /* Found a matching UUID, populate appropriately. */ 766 if (*partition_count >= max_partitions) { 767 return FFA_ERROR_NO_MEMORY; 768 } 769 770 desc = &partitions[*partition_count]; 771 desc->ep_id = el3_lp_descs[index].sp_id; 772 desc->execution_ctx_count = PLATFORM_CORE_COUNT; 773 desc->properties = el3_lp_descs[index].properties; 774 if (null_uuid) { 775 copy_uuid(desc->uuid, el3_lp_descs[index].uuid); 776 } 777 (*partition_count)++; 778 } 779 } 780 781 /* Deal with physical SP's. */ 782 for (index = 0U; index < SECURE_PARTITION_COUNT; index++) { 783 if (null_uuid || uuid_match(uuid, sp_desc[index].uuid)) { 784 /* Found a matching UUID, populate appropriately. */ 785 if (*partition_count >= max_partitions) { 786 return FFA_ERROR_NO_MEMORY; 787 } 788 789 desc = &partitions[*partition_count]; 790 desc->ep_id = sp_desc[index].sp_id; 791 /* 792 * Execution context count must match No. cores for 793 * S-EL1 SPs. 794 */ 795 desc->execution_ctx_count = PLATFORM_CORE_COUNT; 796 desc->properties = sp_desc[index].properties; 797 if (null_uuid) { 798 copy_uuid(desc->uuid, sp_desc[index].uuid); 799 } 800 (*partition_count)++; 801 } 802 } 803 return 0; 804 } 805 806 /* 807 * Handle the case where that caller only wants the count of partitions 808 * matching a given UUID and does not want the corresponding descriptors 809 * populated. 810 */ 811 static uint32_t partition_info_get_handler_count_only(uint32_t *uuid) 812 { 813 uint32_t index = 0; 814 uint32_t partition_count = 0; 815 bool null_uuid = is_null_uuid(uuid); 816 struct el3_lp_desc *el3_lp_descs = get_el3_lp_array(); 817 818 /* Deal with Logical Partitions. */ 819 for (index = 0U; index < EL3_LP_DESCS_COUNT; index++) { 820 if (null_uuid || 821 uuid_match(uuid, el3_lp_descs[index].uuid)) { 822 (partition_count)++; 823 } 824 } 825 826 /* Deal with physical SP's. */ 827 for (index = 0U; index < SECURE_PARTITION_COUNT; index++) { 828 if (null_uuid || uuid_match(uuid, sp_desc[index].uuid)) { 829 (partition_count)++; 830 } 831 } 832 return partition_count; 833 } 834 835 /* 836 * If the caller of the PARTITION_INFO_GET ABI was a v1.0 caller, populate 837 * the coresponding descriptor format from the v1.1 descriptor array. 838 */ 839 static uint64_t partition_info_populate_v1_0(struct ffa_partition_info_v1_1 840 *partitions, 841 struct mailbox *mbox, 842 int partition_count) 843 { 844 uint32_t index; 845 uint32_t buf_size; 846 uint32_t descriptor_size; 847 struct ffa_partition_info_v1_0 *v1_0_partitions = 848 (struct ffa_partition_info_v1_0 *) mbox->rx_buffer; 849 850 buf_size = mbox->rxtx_page_count * FFA_PAGE_SIZE; 851 descriptor_size = partition_count * 852 sizeof(struct ffa_partition_info_v1_0); 853 854 if (descriptor_size > buf_size) { 855 return FFA_ERROR_NO_MEMORY; 856 } 857 858 for (index = 0U; index < partition_count; index++) { 859 v1_0_partitions[index].ep_id = partitions[index].ep_id; 860 v1_0_partitions[index].execution_ctx_count = 861 partitions[index].execution_ctx_count; 862 v1_0_partitions[index].properties = 863 partitions[index].properties; 864 } 865 return 0; 866 } 867 868 /* 869 * Main handler for FFA_PARTITION_INFO_GET which supports both FF-A v1.1 and 870 * v1.0 implementations. 871 */ 872 static uint64_t partition_info_get_handler(uint32_t smc_fid, 873 bool secure_origin, 874 uint64_t x1, 875 uint64_t x2, 876 uint64_t x3, 877 uint64_t x4, 878 void *cookie, 879 void *handle, 880 uint64_t flags) 881 { 882 int ret; 883 uint32_t partition_count = 0; 884 uint32_t size = 0; 885 uint32_t ffa_version = get_partition_ffa_version(secure_origin); 886 struct mailbox *mbox; 887 uint64_t info_get_flags; 888 bool count_only; 889 uint32_t uuid[4]; 890 891 uuid[0] = x1; 892 uuid[1] = x2; 893 uuid[2] = x3; 894 uuid[3] = x4; 895 896 /* Determine if the Partition descriptors should be populated. */ 897 info_get_flags = SMC_GET_GP(handle, CTX_GPREG_X5); 898 count_only = (info_get_flags & FFA_PARTITION_INFO_GET_COUNT_FLAG_MASK); 899 900 /* Handle the case where we don't need to populate the descriptors. */ 901 if (count_only) { 902 partition_count = partition_info_get_handler_count_only(uuid); 903 if (partition_count == 0) { 904 return spmc_ffa_error_return(handle, 905 FFA_ERROR_INVALID_PARAMETER); 906 } 907 } else { 908 struct ffa_partition_info_v1_1 partitions[MAX_SP_LP_PARTITIONS]; 909 910 /* 911 * Handle the case where the partition descriptors are required, 912 * check we have the buffers available and populate the 913 * appropriate structure version. 914 */ 915 916 /* Obtain the v1.1 format of the descriptors. */ 917 ret = partition_info_get_handler_v1_1(uuid, partitions, 918 MAX_SP_LP_PARTITIONS, 919 &partition_count); 920 921 /* Check if an error occurred during discovery. */ 922 if (ret != 0) { 923 goto err; 924 } 925 926 /* If we didn't find any matches the UUID is unknown. */ 927 if (partition_count == 0) { 928 ret = FFA_ERROR_INVALID_PARAMETER; 929 goto err; 930 } 931 932 /* Obtain the partition mailbox RX/TX buffer pair descriptor. */ 933 mbox = spmc_get_mbox_desc(secure_origin); 934 935 /* 936 * If the caller has not bothered registering its RX/TX pair 937 * then return an error code. 938 */ 939 spin_lock(&mbox->lock); 940 if (mbox->rx_buffer == NULL) { 941 ret = FFA_ERROR_BUSY; 942 goto err_unlock; 943 } 944 945 /* Ensure the RX buffer is currently free. */ 946 if (mbox->state != MAILBOX_STATE_EMPTY) { 947 ret = FFA_ERROR_BUSY; 948 goto err_unlock; 949 } 950 951 /* Zero the RX buffer before populating. */ 952 (void)memset(mbox->rx_buffer, 0, 953 mbox->rxtx_page_count * FFA_PAGE_SIZE); 954 955 /* 956 * Depending on the FF-A version of the requesting partition 957 * we may need to convert to a v1.0 format otherwise we can copy 958 * directly. 959 */ 960 if (ffa_version == MAKE_FFA_VERSION(U(1), U(0))) { 961 ret = partition_info_populate_v1_0(partitions, 962 mbox, 963 partition_count); 964 if (ret != 0) { 965 goto err_unlock; 966 } 967 } else { 968 uint32_t buf_size = mbox->rxtx_page_count * 969 FFA_PAGE_SIZE; 970 971 /* Ensure the descriptor will fit in the buffer. */ 972 size = sizeof(struct ffa_partition_info_v1_1); 973 if (partition_count * size > buf_size) { 974 ret = FFA_ERROR_NO_MEMORY; 975 goto err_unlock; 976 } 977 memcpy(mbox->rx_buffer, partitions, 978 partition_count * size); 979 } 980 981 mbox->state = MAILBOX_STATE_FULL; 982 spin_unlock(&mbox->lock); 983 } 984 SMC_RET4(handle, FFA_SUCCESS_SMC32, 0, partition_count, size); 985 986 err_unlock: 987 spin_unlock(&mbox->lock); 988 err: 989 return spmc_ffa_error_return(handle, ret); 990 } 991 992 static uint64_t ffa_features_handler(uint32_t smc_fid, 993 bool secure_origin, 994 uint64_t x1, 995 uint64_t x2, 996 uint64_t x3, 997 uint64_t x4, 998 void *cookie, 999 void *handle, 1000 uint64_t flags) 1001 { 1002 uint32_t function_id = (uint32_t) x1; 1003 uint32_t input_properties = (uint32_t) x2; 1004 1005 /* 1006 * We don't currently support any additional input properties 1007 * for any ABI therefore ensure this value is always set to 0. 1008 */ 1009 if (input_properties != 0) { 1010 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1011 } 1012 1013 /* Check if a Feature ID was requested. */ 1014 if ((function_id & FFA_FEATURES_BIT31_MASK) == 0U) { 1015 /* We currently don't support any additional features. */ 1016 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1017 } 1018 1019 /* Report if an FF-A ABI is supported. */ 1020 switch (function_id) { 1021 /* Supported features from both worlds. */ 1022 case FFA_ERROR: 1023 case FFA_SUCCESS_SMC32: 1024 case FFA_INTERRUPT: 1025 case FFA_ID_GET: 1026 case FFA_FEATURES: 1027 case FFA_VERSION: 1028 case FFA_RX_RELEASE: 1029 case FFA_MSG_SEND_DIRECT_REQ_SMC32: 1030 case FFA_MSG_SEND_DIRECT_REQ_SMC64: 1031 case FFA_PARTITION_INFO_GET: 1032 case FFA_RXTX_MAP_SMC32: 1033 case FFA_RXTX_MAP_SMC64: 1034 case FFA_RXTX_UNMAP: 1035 case FFA_MSG_RUN: 1036 1037 /* 1038 * We are relying on the fact that the other registers 1039 * will be set to 0 as these values align with the 1040 * currently implemented features of the SPMC. If this 1041 * changes this function must be extended to handle 1042 * reporting the additional functionality. 1043 */ 1044 1045 SMC_RET1(handle, FFA_SUCCESS_SMC32); 1046 /* Execution stops here. */ 1047 1048 /* Supported ABIs only from the secure world. */ 1049 case FFA_SECONDARY_EP_REGISTER_SMC64: 1050 case FFA_MSG_SEND_DIRECT_RESP_SMC32: 1051 case FFA_MSG_SEND_DIRECT_RESP_SMC64: 1052 case FFA_MSG_WAIT: 1053 1054 if (!secure_origin) { 1055 return spmc_ffa_error_return(handle, 1056 FFA_ERROR_NOT_SUPPORTED); 1057 } 1058 SMC_RET1(handle, FFA_SUCCESS_SMC32); 1059 /* Execution stops here. */ 1060 1061 default: 1062 return spmc_ffa_error_return(handle, 1063 FFA_ERROR_NOT_SUPPORTED); 1064 } 1065 } 1066 1067 static uint64_t ffa_id_get_handler(uint32_t smc_fid, 1068 bool secure_origin, 1069 uint64_t x1, 1070 uint64_t x2, 1071 uint64_t x3, 1072 uint64_t x4, 1073 void *cookie, 1074 void *handle, 1075 uint64_t flags) 1076 { 1077 if (secure_origin) { 1078 SMC_RET3(handle, FFA_SUCCESS_SMC32, 0x0, 1079 spmc_get_current_sp_ctx()->sp_id); 1080 } else { 1081 SMC_RET3(handle, FFA_SUCCESS_SMC32, 0x0, 1082 spmc_get_hyp_ctx()->ns_ep_id); 1083 } 1084 } 1085 1086 static uint64_t ffa_run_handler(uint32_t smc_fid, 1087 bool secure_origin, 1088 uint64_t x1, 1089 uint64_t x2, 1090 uint64_t x3, 1091 uint64_t x4, 1092 void *cookie, 1093 void *handle, 1094 uint64_t flags) 1095 { 1096 struct secure_partition_desc *sp; 1097 uint16_t target_id = FFA_RUN_EP_ID(x1); 1098 uint16_t vcpu_id = FFA_RUN_VCPU_ID(x1); 1099 unsigned int idx; 1100 unsigned int *rt_state; 1101 unsigned int *rt_model; 1102 1103 /* Can only be called from the normal world. */ 1104 if (secure_origin) { 1105 ERROR("FFA_RUN can only be called from NWd.\n"); 1106 return spmc_ffa_error_return(handle, 1107 FFA_ERROR_INVALID_PARAMETER); 1108 } 1109 1110 /* Cannot run a Normal world partition. */ 1111 if (ffa_is_normal_world_id(target_id)) { 1112 ERROR("Cannot run a NWd partition (0x%x).\n", target_id); 1113 return spmc_ffa_error_return(handle, 1114 FFA_ERROR_INVALID_PARAMETER); 1115 } 1116 1117 /* Check that the target SP exists. */ 1118 sp = spmc_get_sp_ctx(target_id); 1119 ERROR("Unknown partition ID (0x%x).\n", target_id); 1120 if (sp == NULL) { 1121 return spmc_ffa_error_return(handle, 1122 FFA_ERROR_INVALID_PARAMETER); 1123 } 1124 1125 idx = get_ec_index(sp); 1126 if (idx != vcpu_id) { 1127 ERROR("Cannot run vcpu %d != %d.\n", idx, vcpu_id); 1128 return spmc_ffa_error_return(handle, 1129 FFA_ERROR_INVALID_PARAMETER); 1130 } 1131 rt_state = &((sp->ec[idx]).rt_state); 1132 rt_model = &((sp->ec[idx]).rt_model); 1133 if (*rt_state == RT_STATE_RUNNING) { 1134 ERROR("Partition (0x%x) is already running.\n", target_id); 1135 return spmc_ffa_error_return(handle, FFA_ERROR_BUSY); 1136 } 1137 1138 /* 1139 * Sanity check that if the execution context was not waiting then it 1140 * was either in the direct request or the run partition runtime model. 1141 */ 1142 if (*rt_state == RT_STATE_PREEMPTED || *rt_state == RT_STATE_BLOCKED) { 1143 assert(*rt_model == RT_MODEL_RUN || 1144 *rt_model == RT_MODEL_DIR_REQ); 1145 } 1146 1147 /* 1148 * If the context was waiting then update the partition runtime model. 1149 */ 1150 if (*rt_state == RT_STATE_WAITING) { 1151 *rt_model = RT_MODEL_RUN; 1152 } 1153 1154 /* 1155 * Forward the request to the correct SP vCPU after updating 1156 * its state. 1157 */ 1158 *rt_state = RT_STATE_RUNNING; 1159 1160 return spmc_smc_return(smc_fid, secure_origin, x1, 0, 0, 0, 1161 handle, cookie, flags, target_id); 1162 } 1163 1164 static uint64_t rx_release_handler(uint32_t smc_fid, 1165 bool secure_origin, 1166 uint64_t x1, 1167 uint64_t x2, 1168 uint64_t x3, 1169 uint64_t x4, 1170 void *cookie, 1171 void *handle, 1172 uint64_t flags) 1173 { 1174 struct mailbox *mbox = spmc_get_mbox_desc(secure_origin); 1175 1176 spin_lock(&mbox->lock); 1177 1178 if (mbox->state != MAILBOX_STATE_FULL) { 1179 spin_unlock(&mbox->lock); 1180 return spmc_ffa_error_return(handle, FFA_ERROR_DENIED); 1181 } 1182 1183 mbox->state = MAILBOX_STATE_EMPTY; 1184 spin_unlock(&mbox->lock); 1185 1186 SMC_RET1(handle, FFA_SUCCESS_SMC32); 1187 } 1188 1189 /* 1190 * Perform initial validation on the provided secondary entry point. 1191 * For now ensure it does not lie within the BL31 Image or the SP's 1192 * RX/TX buffers as these are mapped within EL3. 1193 * TODO: perform validation for additional invalid memory regions. 1194 */ 1195 static int validate_secondary_ep(uintptr_t ep, struct secure_partition_desc *sp) 1196 { 1197 struct mailbox *mb; 1198 uintptr_t buffer_size; 1199 uintptr_t sp_rx_buffer; 1200 uintptr_t sp_tx_buffer; 1201 uintptr_t sp_rx_buffer_limit; 1202 uintptr_t sp_tx_buffer_limit; 1203 1204 mb = &sp->mailbox; 1205 buffer_size = (uintptr_t) (mb->rxtx_page_count * FFA_PAGE_SIZE); 1206 sp_rx_buffer = (uintptr_t) mb->rx_buffer; 1207 sp_tx_buffer = (uintptr_t) mb->tx_buffer; 1208 sp_rx_buffer_limit = sp_rx_buffer + buffer_size; 1209 sp_tx_buffer_limit = sp_tx_buffer + buffer_size; 1210 1211 /* 1212 * Check if the entry point lies within BL31, or the 1213 * SP's RX or TX buffer. 1214 */ 1215 if ((ep >= BL31_BASE && ep < BL31_LIMIT) || 1216 (ep >= sp_rx_buffer && ep < sp_rx_buffer_limit) || 1217 (ep >= sp_tx_buffer && ep < sp_tx_buffer_limit)) { 1218 return -EINVAL; 1219 } 1220 return 0; 1221 } 1222 1223 /******************************************************************************* 1224 * This function handles the FFA_SECONDARY_EP_REGISTER SMC to allow an SP to 1225 * register an entry point for initialization during a secondary cold boot. 1226 ******************************************************************************/ 1227 static uint64_t ffa_sec_ep_register_handler(uint32_t smc_fid, 1228 bool secure_origin, 1229 uint64_t x1, 1230 uint64_t x2, 1231 uint64_t x3, 1232 uint64_t x4, 1233 void *cookie, 1234 void *handle, 1235 uint64_t flags) 1236 { 1237 struct secure_partition_desc *sp; 1238 struct sp_exec_ctx *sp_ctx; 1239 1240 /* This request cannot originate from the Normal world. */ 1241 if (!secure_origin) { 1242 WARN("%s: Can only be called from SWd.\n", __func__); 1243 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1244 } 1245 1246 /* Get the context of the current SP. */ 1247 sp = spmc_get_current_sp_ctx(); 1248 if (sp == NULL) { 1249 WARN("%s: Cannot find SP context.\n", __func__); 1250 return spmc_ffa_error_return(handle, 1251 FFA_ERROR_INVALID_PARAMETER); 1252 } 1253 1254 /* Only an S-EL1 SP should be invoking this ABI. */ 1255 if (sp->runtime_el != S_EL1) { 1256 WARN("%s: Can only be called for a S-EL1 SP.\n", __func__); 1257 return spmc_ffa_error_return(handle, FFA_ERROR_DENIED); 1258 } 1259 1260 /* Ensure the SP is in its initialization state. */ 1261 sp_ctx = spmc_get_sp_ec(sp); 1262 if (sp_ctx->rt_model != RT_MODEL_INIT) { 1263 WARN("%s: Can only be called during SP initialization.\n", 1264 __func__); 1265 return spmc_ffa_error_return(handle, FFA_ERROR_DENIED); 1266 } 1267 1268 /* Perform initial validation of the secondary entry point. */ 1269 if (validate_secondary_ep(x1, sp)) { 1270 WARN("%s: Invalid entry point provided (0x%lx).\n", 1271 __func__, x1); 1272 return spmc_ffa_error_return(handle, 1273 FFA_ERROR_INVALID_PARAMETER); 1274 } 1275 1276 /* 1277 * Update the secondary entrypoint in SP context. 1278 * We don't need a lock here as during partition initialization there 1279 * will only be a single core online. 1280 */ 1281 sp->secondary_ep = x1; 1282 VERBOSE("%s: 0x%lx\n", __func__, sp->secondary_ep); 1283 1284 SMC_RET1(handle, FFA_SUCCESS_SMC32); 1285 } 1286 1287 /******************************************************************************* 1288 * This function will parse the Secure Partition Manifest. From manifest, it 1289 * will fetch details for preparing Secure partition image context and secure 1290 * partition image boot arguments if any. 1291 ******************************************************************************/ 1292 static int sp_manifest_parse(void *sp_manifest, int offset, 1293 struct secure_partition_desc *sp, 1294 entry_point_info_t *ep_info) 1295 { 1296 int32_t ret, node; 1297 uint32_t config_32; 1298 1299 /* 1300 * Look for the mandatory fields that are expected to be present in 1301 * the SP manifests. 1302 */ 1303 node = fdt_path_offset(sp_manifest, "/"); 1304 if (node < 0) { 1305 ERROR("Did not find root node.\n"); 1306 return node; 1307 } 1308 1309 ret = fdt_read_uint32_array(sp_manifest, node, "uuid", 1310 ARRAY_SIZE(sp->uuid), sp->uuid); 1311 if (ret != 0) { 1312 ERROR("Missing Secure Partition UUID.\n"); 1313 return ret; 1314 } 1315 1316 ret = fdt_read_uint32(sp_manifest, node, "exception-level", &config_32); 1317 if (ret != 0) { 1318 ERROR("Missing SP Exception Level information.\n"); 1319 return ret; 1320 } 1321 1322 sp->runtime_el = config_32; 1323 1324 ret = fdt_read_uint32(sp_manifest, node, "ffa-version", &config_32); 1325 if (ret != 0) { 1326 ERROR("Missing Secure Partition FF-A Version.\n"); 1327 return ret; 1328 } 1329 1330 sp->ffa_version = config_32; 1331 1332 ret = fdt_read_uint32(sp_manifest, node, "execution-state", &config_32); 1333 if (ret != 0) { 1334 ERROR("Missing Secure Partition Execution State.\n"); 1335 return ret; 1336 } 1337 1338 sp->execution_state = config_32; 1339 1340 ret = fdt_read_uint32(sp_manifest, node, 1341 "messaging-method", &config_32); 1342 if (ret != 0) { 1343 ERROR("Missing Secure Partition messaging method.\n"); 1344 return ret; 1345 } 1346 1347 /* Validate this entry, we currently only support direct messaging. */ 1348 if ((config_32 & ~(FFA_PARTITION_DIRECT_REQ_RECV | 1349 FFA_PARTITION_DIRECT_REQ_SEND)) != 0U) { 1350 WARN("Invalid Secure Partition messaging method (0x%x)\n", 1351 config_32); 1352 return -EINVAL; 1353 } 1354 1355 sp->properties = config_32; 1356 1357 ret = fdt_read_uint32(sp_manifest, node, 1358 "execution-ctx-count", &config_32); 1359 1360 if (ret != 0) { 1361 ERROR("Missing SP Execution Context Count.\n"); 1362 return ret; 1363 } 1364 1365 /* 1366 * Ensure this field is set correctly in the manifest however 1367 * since this is currently a hardcoded value for S-EL1 partitions 1368 * we don't need to save it here, just validate. 1369 */ 1370 if (config_32 != PLATFORM_CORE_COUNT) { 1371 ERROR("SP Execution Context Count (%u) must be %u.\n", 1372 config_32, PLATFORM_CORE_COUNT); 1373 return -EINVAL; 1374 } 1375 1376 /* 1377 * Look for the optional fields that are expected to be present in 1378 * an SP manifest. 1379 */ 1380 ret = fdt_read_uint32(sp_manifest, node, "id", &config_32); 1381 if (ret != 0) { 1382 WARN("Missing Secure Partition ID.\n"); 1383 } else { 1384 if (!is_ffa_secure_id_valid(config_32)) { 1385 ERROR("Invalid Secure Partition ID (0x%x).\n", 1386 config_32); 1387 return -EINVAL; 1388 } 1389 sp->sp_id = config_32; 1390 } 1391 1392 ret = fdt_read_uint32(sp_manifest, node, 1393 "power-management-messages", &config_32); 1394 if (ret != 0) { 1395 WARN("Missing Power Management Messages entry.\n"); 1396 } else { 1397 /* 1398 * Ensure only the currently supported power messages have 1399 * been requested. 1400 */ 1401 if (config_32 & ~(FFA_PM_MSG_SUB_CPU_OFF | 1402 FFA_PM_MSG_SUB_CPU_SUSPEND | 1403 FFA_PM_MSG_SUB_CPU_SUSPEND_RESUME)) { 1404 ERROR("Requested unsupported PM messages (%x)\n", 1405 config_32); 1406 return -EINVAL; 1407 } 1408 sp->pwr_mgmt_msgs = config_32; 1409 } 1410 1411 return 0; 1412 } 1413 1414 /******************************************************************************* 1415 * This function gets the Secure Partition Manifest base and maps the manifest 1416 * region. 1417 * Currently only one Secure Partition manifest is considered which is used to 1418 * prepare the context for the single Secure Partition. 1419 ******************************************************************************/ 1420 static int find_and_prepare_sp_context(void) 1421 { 1422 void *sp_manifest; 1423 uintptr_t manifest_base; 1424 uintptr_t manifest_base_align; 1425 entry_point_info_t *next_image_ep_info; 1426 int32_t ret; 1427 struct secure_partition_desc *sp; 1428 1429 next_image_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 1430 if (next_image_ep_info == NULL) { 1431 WARN("No Secure Partition image provided by BL2.\n"); 1432 return -ENOENT; 1433 } 1434 1435 sp_manifest = (void *)next_image_ep_info->args.arg0; 1436 if (sp_manifest == NULL) { 1437 WARN("Secure Partition manifest absent.\n"); 1438 return -ENOENT; 1439 } 1440 1441 manifest_base = (uintptr_t)sp_manifest; 1442 manifest_base_align = page_align(manifest_base, DOWN); 1443 1444 /* 1445 * Map the secure partition manifest region in the EL3 translation 1446 * regime. 1447 * Map an area equal to (2 * PAGE_SIZE) for now. During manifest base 1448 * alignment the region of 1 PAGE_SIZE from manifest align base may 1449 * not completely accommodate the secure partition manifest region. 1450 */ 1451 ret = mmap_add_dynamic_region((unsigned long long)manifest_base_align, 1452 manifest_base_align, 1453 PAGE_SIZE * 2, 1454 MT_RO_DATA); 1455 if (ret != 0) { 1456 ERROR("Error while mapping SP manifest (%d).\n", ret); 1457 return ret; 1458 } 1459 1460 ret = fdt_node_offset_by_compatible(sp_manifest, -1, 1461 "arm,ffa-manifest-1.0"); 1462 if (ret < 0) { 1463 ERROR("Error happened in SP manifest reading.\n"); 1464 return -EINVAL; 1465 } 1466 1467 /* 1468 * Store the size of the manifest so that it can be used later to pass 1469 * the manifest as boot information later. 1470 */ 1471 next_image_ep_info->args.arg1 = fdt_totalsize(sp_manifest); 1472 INFO("Manifest size = %lu bytes.\n", next_image_ep_info->args.arg1); 1473 1474 /* 1475 * Select an SP descriptor for initialising the partition's execution 1476 * context on the primary CPU. 1477 */ 1478 sp = spmc_get_current_sp_ctx(); 1479 1480 /* Initialize entry point information for the SP */ 1481 SET_PARAM_HEAD(next_image_ep_info, PARAM_EP, VERSION_1, 1482 SECURE | EP_ST_ENABLE); 1483 1484 /* Parse the SP manifest. */ 1485 ret = sp_manifest_parse(sp_manifest, ret, sp, next_image_ep_info); 1486 if (ret != 0) { 1487 ERROR("Error in Secure Partition manifest parsing.\n"); 1488 return ret; 1489 } 1490 1491 /* Check that the runtime EL in the manifest was correct. */ 1492 if (sp->runtime_el != S_EL1) { 1493 ERROR("Unexpected runtime EL: %d\n", sp->runtime_el); 1494 return -EINVAL; 1495 } 1496 1497 /* Perform any common initialisation. */ 1498 spmc_sp_common_setup(sp, next_image_ep_info); 1499 1500 /* Perform any initialisation specific to S-EL1 SPs. */ 1501 spmc_el1_sp_setup(sp, next_image_ep_info); 1502 1503 /* Initialize the SP context with the required ep info. */ 1504 spmc_sp_common_ep_commit(sp, next_image_ep_info); 1505 1506 return 0; 1507 } 1508 1509 /******************************************************************************* 1510 * This function takes an SP context pointer and performs a synchronous entry 1511 * into it. 1512 ******************************************************************************/ 1513 static int32_t logical_sp_init(void) 1514 { 1515 int32_t rc = 0; 1516 struct el3_lp_desc *el3_lp_descs; 1517 1518 /* Perform initial validation of the Logical Partitions. */ 1519 rc = el3_sp_desc_validate(); 1520 if (rc != 0) { 1521 ERROR("Logical Partition validation failed!\n"); 1522 return rc; 1523 } 1524 1525 el3_lp_descs = get_el3_lp_array(); 1526 1527 INFO("Logical Secure Partition init start.\n"); 1528 for (unsigned int i = 0U; i < EL3_LP_DESCS_COUNT; i++) { 1529 rc = el3_lp_descs[i].init(); 1530 if (rc != 0) { 1531 ERROR("Logical SP (0x%x) Failed to Initialize\n", 1532 el3_lp_descs[i].sp_id); 1533 return rc; 1534 } 1535 VERBOSE("Logical SP (0x%x) Initialized\n", 1536 el3_lp_descs[i].sp_id); 1537 } 1538 1539 INFO("Logical Secure Partition init completed.\n"); 1540 1541 return rc; 1542 } 1543 1544 uint64_t spmc_sp_synchronous_entry(struct sp_exec_ctx *ec) 1545 { 1546 uint64_t rc; 1547 1548 assert(ec != NULL); 1549 1550 /* Assign the context of the SP to this CPU */ 1551 cm_set_context(&(ec->cpu_ctx), SECURE); 1552 1553 /* Restore the context assigned above */ 1554 cm_el1_sysregs_context_restore(SECURE); 1555 cm_set_next_eret_context(SECURE); 1556 1557 /* Invalidate TLBs at EL1. */ 1558 tlbivmalle1(); 1559 dsbish(); 1560 1561 /* Enter Secure Partition */ 1562 rc = spm_secure_partition_enter(&ec->c_rt_ctx); 1563 1564 /* Save secure state */ 1565 cm_el1_sysregs_context_save(SECURE); 1566 1567 return rc; 1568 } 1569 1570 /******************************************************************************* 1571 * SPMC Helper Functions. 1572 ******************************************************************************/ 1573 static int32_t sp_init(void) 1574 { 1575 uint64_t rc; 1576 struct secure_partition_desc *sp; 1577 struct sp_exec_ctx *ec; 1578 1579 sp = spmc_get_current_sp_ctx(); 1580 ec = spmc_get_sp_ec(sp); 1581 ec->rt_model = RT_MODEL_INIT; 1582 ec->rt_state = RT_STATE_RUNNING; 1583 1584 INFO("Secure Partition (0x%x) init start.\n", sp->sp_id); 1585 1586 rc = spmc_sp_synchronous_entry(ec); 1587 if (rc != 0) { 1588 /* Indicate SP init was not successful. */ 1589 ERROR("SP (0x%x) failed to initialize (%lu).\n", 1590 sp->sp_id, rc); 1591 return 0; 1592 } 1593 1594 ec->rt_state = RT_STATE_WAITING; 1595 INFO("Secure Partition initialized.\n"); 1596 1597 return 1; 1598 } 1599 1600 static void initalize_sp_descs(void) 1601 { 1602 struct secure_partition_desc *sp; 1603 1604 for (unsigned int i = 0U; i < SECURE_PARTITION_COUNT; i++) { 1605 sp = &sp_desc[i]; 1606 sp->sp_id = INV_SP_ID; 1607 sp->mailbox.rx_buffer = NULL; 1608 sp->mailbox.tx_buffer = NULL; 1609 sp->mailbox.state = MAILBOX_STATE_EMPTY; 1610 sp->secondary_ep = 0; 1611 } 1612 } 1613 1614 static void initalize_ns_ep_descs(void) 1615 { 1616 struct ns_endpoint_desc *ns_ep; 1617 1618 for (unsigned int i = 0U; i < NS_PARTITION_COUNT; i++) { 1619 ns_ep = &ns_ep_desc[i]; 1620 /* 1621 * Clashes with the Hypervisor ID but will not be a 1622 * problem in practice. 1623 */ 1624 ns_ep->ns_ep_id = 0; 1625 ns_ep->ffa_version = 0; 1626 ns_ep->mailbox.rx_buffer = NULL; 1627 ns_ep->mailbox.tx_buffer = NULL; 1628 ns_ep->mailbox.state = MAILBOX_STATE_EMPTY; 1629 } 1630 } 1631 1632 /******************************************************************************* 1633 * Initialize SPMC attributes for the SPMD. 1634 ******************************************************************************/ 1635 void spmc_populate_attrs(spmc_manifest_attribute_t *spmc_attrs) 1636 { 1637 spmc_attrs->major_version = FFA_VERSION_MAJOR; 1638 spmc_attrs->minor_version = FFA_VERSION_MINOR; 1639 spmc_attrs->exec_state = MODE_RW_64; 1640 spmc_attrs->spmc_id = FFA_SPMC_ID; 1641 } 1642 1643 /******************************************************************************* 1644 * Initialize contexts of all Secure Partitions. 1645 ******************************************************************************/ 1646 int32_t spmc_setup(void) 1647 { 1648 int32_t ret; 1649 uint32_t flags; 1650 1651 /* Initialize endpoint descriptors */ 1652 initalize_sp_descs(); 1653 initalize_ns_ep_descs(); 1654 1655 /* Setup logical SPs. */ 1656 ret = logical_sp_init(); 1657 if (ret != 0) { 1658 ERROR("Failed to initialize Logical Partitions.\n"); 1659 return ret; 1660 } 1661 1662 /* Perform physical SP setup. */ 1663 1664 /* Disable MMU at EL1 (initialized by BL2) */ 1665 disable_mmu_icache_el1(); 1666 1667 /* Initialize context of the SP */ 1668 INFO("Secure Partition context setup start.\n"); 1669 1670 ret = find_and_prepare_sp_context(); 1671 if (ret != 0) { 1672 ERROR("Error in SP finding and context preparation.\n"); 1673 return ret; 1674 } 1675 1676 /* Register power management hooks with PSCI */ 1677 psci_register_spd_pm_hook(&spmc_pm); 1678 1679 /* 1680 * Register an interrupt handler for S-EL1 interrupts 1681 * when generated during code executing in the 1682 * non-secure state. 1683 */ 1684 flags = 0; 1685 set_interrupt_rm_flag(flags, NON_SECURE); 1686 ret = register_interrupt_type_handler(INTR_TYPE_S_EL1, 1687 spmc_sp_interrupt_handler, 1688 flags); 1689 if (ret != 0) { 1690 ERROR("Failed to register interrupt handler! (%d)\n", ret); 1691 panic(); 1692 } 1693 1694 /* Register init function for deferred init. */ 1695 bl31_register_bl32_init(&sp_init); 1696 1697 INFO("Secure Partition setup done.\n"); 1698 1699 return 0; 1700 } 1701 1702 /******************************************************************************* 1703 * Secure Partition Manager SMC handler. 1704 ******************************************************************************/ 1705 uint64_t spmc_smc_handler(uint32_t smc_fid, 1706 bool secure_origin, 1707 uint64_t x1, 1708 uint64_t x2, 1709 uint64_t x3, 1710 uint64_t x4, 1711 void *cookie, 1712 void *handle, 1713 uint64_t flags) 1714 { 1715 switch (smc_fid) { 1716 1717 case FFA_VERSION: 1718 return ffa_version_handler(smc_fid, secure_origin, x1, x2, x3, 1719 x4, cookie, handle, flags); 1720 1721 case FFA_ID_GET: 1722 return ffa_id_get_handler(smc_fid, secure_origin, x1, x2, x3, 1723 x4, cookie, handle, flags); 1724 1725 case FFA_FEATURES: 1726 return ffa_features_handler(smc_fid, secure_origin, x1, x2, x3, 1727 x4, cookie, handle, flags); 1728 1729 case FFA_SECONDARY_EP_REGISTER_SMC64: 1730 return ffa_sec_ep_register_handler(smc_fid, secure_origin, x1, 1731 x2, x3, x4, cookie, handle, 1732 flags); 1733 1734 case FFA_MSG_SEND_DIRECT_REQ_SMC32: 1735 case FFA_MSG_SEND_DIRECT_REQ_SMC64: 1736 return direct_req_smc_handler(smc_fid, secure_origin, x1, x2, 1737 x3, x4, cookie, handle, flags); 1738 1739 case FFA_MSG_SEND_DIRECT_RESP_SMC32: 1740 case FFA_MSG_SEND_DIRECT_RESP_SMC64: 1741 return direct_resp_smc_handler(smc_fid, secure_origin, x1, x2, 1742 x3, x4, cookie, handle, flags); 1743 1744 case FFA_RXTX_MAP_SMC32: 1745 case FFA_RXTX_MAP_SMC64: 1746 return rxtx_map_handler(smc_fid, secure_origin, x1, x2, x3, x4, 1747 cookie, handle, flags); 1748 1749 case FFA_RXTX_UNMAP: 1750 return rxtx_unmap_handler(smc_fid, secure_origin, x1, x2, x3, 1751 x4, cookie, handle, flags); 1752 1753 case FFA_PARTITION_INFO_GET: 1754 return partition_info_get_handler(smc_fid, secure_origin, x1, 1755 x2, x3, x4, cookie, handle, 1756 flags); 1757 1758 case FFA_RX_RELEASE: 1759 return rx_release_handler(smc_fid, secure_origin, x1, x2, x3, 1760 x4, cookie, handle, flags); 1761 1762 case FFA_MSG_WAIT: 1763 return msg_wait_handler(smc_fid, secure_origin, x1, x2, x3, x4, 1764 cookie, handle, flags); 1765 1766 case FFA_ERROR: 1767 return ffa_error_handler(smc_fid, secure_origin, x1, x2, x3, x4, 1768 cookie, handle, flags); 1769 1770 case FFA_MSG_RUN: 1771 return ffa_run_handler(smc_fid, secure_origin, x1, x2, x3, x4, 1772 cookie, handle, flags); 1773 default: 1774 WARN("Unsupported FF-A call 0x%08x.\n", smc_fid); 1775 break; 1776 } 1777 return spmc_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1778 } 1779 1780 /******************************************************************************* 1781 * This function is the handler registered for S-EL1 interrupts by the SPMC. It 1782 * validates the interrupt and upon success arranges entry into the SP for 1783 * handling the interrupt. 1784 ******************************************************************************/ 1785 static uint64_t spmc_sp_interrupt_handler(uint32_t id, 1786 uint32_t flags, 1787 void *handle, 1788 void *cookie) 1789 { 1790 struct secure_partition_desc *sp = spmc_get_current_sp_ctx(); 1791 struct sp_exec_ctx *ec; 1792 uint32_t linear_id = plat_my_core_pos(); 1793 1794 /* Sanity check for a NULL pointer dereference. */ 1795 assert(sp != NULL); 1796 1797 /* Check the security state when the exception was generated. */ 1798 assert(get_interrupt_src_ss(flags) == NON_SECURE); 1799 1800 /* Panic if not an S-EL1 Partition. */ 1801 if (sp->runtime_el != S_EL1) { 1802 ERROR("Interrupt received for a non S-EL1 SP on core%u.\n", 1803 linear_id); 1804 panic(); 1805 } 1806 1807 /* Obtain a reference to the SP execution context. */ 1808 ec = spmc_get_sp_ec(sp); 1809 1810 /* Ensure that the execution context is in waiting state else panic. */ 1811 if (ec->rt_state != RT_STATE_WAITING) { 1812 ERROR("SP EC on core%u is not waiting (%u), it is (%u).\n", 1813 linear_id, RT_STATE_WAITING, ec->rt_state); 1814 panic(); 1815 } 1816 1817 /* Update the runtime model and state of the partition. */ 1818 ec->rt_model = RT_MODEL_INTR; 1819 ec->rt_state = RT_STATE_RUNNING; 1820 1821 VERBOSE("SP (0x%x) interrupt start on core%u.\n", sp->sp_id, linear_id); 1822 1823 /* 1824 * Forward the interrupt to the S-EL1 SP. The interrupt ID is not 1825 * populated as the SP can determine this by itself. 1826 */ 1827 return spmd_smc_switch_state(FFA_INTERRUPT, false, 1828 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1829 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1830 handle); 1831 } 1832