1 /* 2 * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <errno.h> 9 #include <inttypes.h> 10 #include <stdint.h> 11 #include <string.h> 12 13 #include <arch_helpers.h> 14 #include <arch/aarch64/arch_features.h> 15 #include <bl31/bl31.h> 16 #include <bl31/interrupt_mgmt.h> 17 #include <common/debug.h> 18 #include <common/runtime_svc.h> 19 #include <common/tbbr/tbbr_img_def.h> 20 #include <lib/el3_runtime/context_mgmt.h> 21 #include <lib/fconf/fconf.h> 22 #include <lib/fconf/fconf_dyn_cfg_getter.h> 23 #include <lib/smccc.h> 24 #include <lib/spinlock.h> 25 #include <lib/utils.h> 26 #include <lib/xlat_tables/xlat_tables_v2.h> 27 #include <plat/common/common_def.h> 28 #include <plat/common/platform.h> 29 #include <platform_def.h> 30 #include <services/el3_spmd_logical_sp.h> 31 #include <services/ffa_svc.h> 32 #include <services/spmc_svc.h> 33 #include <services/spmd_svc.h> 34 #include <smccc_helpers.h> 35 #include "spmd_private.h" 36 37 /******************************************************************************* 38 * SPM Core context information. 39 ******************************************************************************/ 40 static spmd_spm_core_context_t spm_core_context[PLATFORM_CORE_COUNT]; 41 42 /******************************************************************************* 43 * SPM Core attribute information is read from its manifest if the SPMC is not 44 * at EL3. Else, it is populated from the SPMC directly. 45 ******************************************************************************/ 46 static spmc_manifest_attribute_t spmc_attrs; 47 48 /******************************************************************************* 49 * SPM Core entry point information. Discovered on the primary core and reused 50 * on secondary cores. 51 ******************************************************************************/ 52 static entry_point_info_t *spmc_ep_info; 53 54 /******************************************************************************* 55 * SPM Core context on CPU based on mpidr. 56 ******************************************************************************/ 57 spmd_spm_core_context_t *spmd_get_context_by_mpidr(uint64_t mpidr) 58 { 59 int core_idx = plat_core_pos_by_mpidr(mpidr); 60 61 if (core_idx < 0) { 62 ERROR("Invalid mpidr: %" PRIx64 ", returned ID: %d\n", mpidr, core_idx); 63 panic(); 64 } 65 66 return &spm_core_context[core_idx]; 67 } 68 69 /******************************************************************************* 70 * SPM Core context on current CPU get helper. 71 ******************************************************************************/ 72 spmd_spm_core_context_t *spmd_get_context(void) 73 { 74 return spmd_get_context_by_mpidr(read_mpidr()); 75 } 76 77 /******************************************************************************* 78 * SPM Core ID getter. 79 ******************************************************************************/ 80 uint16_t spmd_spmc_id_get(void) 81 { 82 return spmc_attrs.spmc_id; 83 } 84 85 /******************************************************************************* 86 * Static function declaration. 87 ******************************************************************************/ 88 static int32_t spmd_init(void); 89 static int spmd_spmc_init(void *pm_addr); 90 static uint64_t spmd_ffa_error_return(void *handle, 91 int error_code); 92 static uint64_t spmd_smc_forward(uint32_t smc_fid, 93 bool secure_origin, 94 uint64_t x1, 95 uint64_t x2, 96 uint64_t x3, 97 uint64_t x4, 98 void *cookie, 99 void *handle, 100 uint64_t flags); 101 102 /****************************************************************************** 103 * Builds an SPMD to SPMC direct message request. 104 *****************************************************************************/ 105 void spmd_build_spmc_message(gp_regs_t *gpregs, uint8_t target_func, 106 unsigned long long message) 107 { 108 write_ctx_reg(gpregs, CTX_GPREG_X0, FFA_MSG_SEND_DIRECT_REQ_SMC32); 109 write_ctx_reg(gpregs, CTX_GPREG_X1, 110 (SPMD_DIRECT_MSG_ENDPOINT_ID << FFA_DIRECT_MSG_SOURCE_SHIFT) | 111 spmd_spmc_id_get()); 112 write_ctx_reg(gpregs, CTX_GPREG_X2, BIT(31) | target_func); 113 write_ctx_reg(gpregs, CTX_GPREG_X3, message); 114 } 115 116 117 /******************************************************************************* 118 * This function takes an SPMC context pointer and performs a synchronous 119 * SPMC entry. 120 ******************************************************************************/ 121 uint64_t spmd_spm_core_sync_entry(spmd_spm_core_context_t *spmc_ctx) 122 { 123 uint64_t rc; 124 125 assert(spmc_ctx != NULL); 126 127 cm_set_context(&(spmc_ctx->cpu_ctx), SECURE); 128 129 /* Restore the context assigned above */ 130 #if SPMD_SPM_AT_SEL2 131 cm_el2_sysregs_context_restore(SECURE); 132 #else 133 cm_el1_sysregs_context_restore(SECURE); 134 #endif 135 cm_set_next_eret_context(SECURE); 136 137 /* Enter SPMC */ 138 rc = spmd_spm_core_enter(&spmc_ctx->c_rt_ctx); 139 140 /* Save secure state */ 141 #if SPMD_SPM_AT_SEL2 142 cm_el2_sysregs_context_save(SECURE); 143 #else 144 cm_el1_sysregs_context_save(SECURE); 145 #endif 146 147 return rc; 148 } 149 150 /******************************************************************************* 151 * This function returns to the place where spmd_spm_core_sync_entry() was 152 * called originally. 153 ******************************************************************************/ 154 __dead2 void spmd_spm_core_sync_exit(uint64_t rc) 155 { 156 spmd_spm_core_context_t *ctx = spmd_get_context(); 157 158 /* Get current CPU context from SPMC context */ 159 assert(cm_get_context(SECURE) == &(ctx->cpu_ctx)); 160 161 /* 162 * The SPMD must have initiated the original request through a 163 * synchronous entry into SPMC. Jump back to the original C runtime 164 * context with the value of rc in x0; 165 */ 166 spmd_spm_core_exit(ctx->c_rt_ctx, rc); 167 168 panic(); 169 } 170 171 /******************************************************************************* 172 * Jump to the SPM Core for the first time. 173 ******************************************************************************/ 174 static int32_t spmd_init(void) 175 { 176 spmd_spm_core_context_t *ctx = spmd_get_context(); 177 uint64_t rc; 178 179 VERBOSE("SPM Core init start.\n"); 180 181 /* Primary boot core enters the SPMC for initialization. */ 182 ctx->state = SPMC_STATE_ON_PENDING; 183 184 rc = spmd_spm_core_sync_entry(ctx); 185 if (rc != 0ULL) { 186 ERROR("SPMC initialisation failed 0x%" PRIx64 "\n", rc); 187 return 0; 188 } 189 190 ctx->state = SPMC_STATE_ON; 191 192 VERBOSE("SPM Core init end.\n"); 193 194 spmd_logical_sp_set_spmc_initialized(); 195 rc = spmd_logical_sp_init(); 196 if (rc != 0) { 197 WARN("SPMD Logical partitions failed init.\n"); 198 } 199 200 return 1; 201 } 202 203 /******************************************************************************* 204 * spmd_secure_interrupt_handler 205 * Enter the SPMC for further handling of the secure interrupt by the SPMC 206 * itself or a Secure Partition. 207 ******************************************************************************/ 208 static uint64_t spmd_secure_interrupt_handler(uint32_t id, 209 uint32_t flags, 210 void *handle, 211 void *cookie) 212 { 213 spmd_spm_core_context_t *ctx = spmd_get_context(); 214 gp_regs_t *gpregs = get_gpregs_ctx(&ctx->cpu_ctx); 215 unsigned int linear_id = plat_my_core_pos(); 216 int64_t rc; 217 218 /* Sanity check the security state when the exception was generated */ 219 assert(get_interrupt_src_ss(flags) == NON_SECURE); 220 221 /* Sanity check the pointer to this cpu's context */ 222 assert(handle == cm_get_context(NON_SECURE)); 223 224 /* Save the non-secure context before entering SPMC */ 225 cm_el1_sysregs_context_save(NON_SECURE); 226 #if SPMD_SPM_AT_SEL2 227 cm_el2_sysregs_context_save(NON_SECURE); 228 #endif 229 230 /* Convey the event to the SPMC through the FFA_INTERRUPT interface. */ 231 write_ctx_reg(gpregs, CTX_GPREG_X0, FFA_INTERRUPT); 232 write_ctx_reg(gpregs, CTX_GPREG_X1, 0); 233 write_ctx_reg(gpregs, CTX_GPREG_X2, 0); 234 write_ctx_reg(gpregs, CTX_GPREG_X3, 0); 235 write_ctx_reg(gpregs, CTX_GPREG_X4, 0); 236 write_ctx_reg(gpregs, CTX_GPREG_X5, 0); 237 write_ctx_reg(gpregs, CTX_GPREG_X6, 0); 238 write_ctx_reg(gpregs, CTX_GPREG_X7, 0); 239 240 /* Mark current core as handling a secure interrupt. */ 241 ctx->secure_interrupt_ongoing = true; 242 243 rc = spmd_spm_core_sync_entry(ctx); 244 if (rc != 0ULL) { 245 ERROR("%s failed (%" PRId64 ") on CPU%u\n", __func__, rc, linear_id); 246 } 247 248 ctx->secure_interrupt_ongoing = false; 249 250 cm_el1_sysregs_context_restore(NON_SECURE); 251 #if SPMD_SPM_AT_SEL2 252 cm_el2_sysregs_context_restore(NON_SECURE); 253 #endif 254 cm_set_next_eret_context(NON_SECURE); 255 256 SMC_RET0(&ctx->cpu_ctx); 257 } 258 259 #if (EL3_EXCEPTION_HANDLING == 0) 260 /******************************************************************************* 261 * spmd_group0_interrupt_handler_nwd 262 * Group0 secure interrupt in the normal world are trapped to EL3. Delegate the 263 * handling of the interrupt to the platform handler, and return only upon 264 * successfully handling the Group0 interrupt. 265 ******************************************************************************/ 266 static uint64_t spmd_group0_interrupt_handler_nwd(uint32_t id, 267 uint32_t flags, 268 void *handle, 269 void *cookie) 270 { 271 uint32_t intid; 272 273 /* Sanity check the security state when the exception was generated. */ 274 assert(get_interrupt_src_ss(flags) == NON_SECURE); 275 276 /* Sanity check the pointer to this cpu's context. */ 277 assert(handle == cm_get_context(NON_SECURE)); 278 279 assert(id == INTR_ID_UNAVAILABLE); 280 281 assert(plat_ic_get_pending_interrupt_type() == INTR_TYPE_EL3); 282 283 intid = plat_ic_acknowledge_interrupt(); 284 285 if (plat_spmd_handle_group0_interrupt(intid) < 0) { 286 ERROR("Group0 interrupt %u not handled\n", intid); 287 panic(); 288 } 289 290 /* Deactivate the corresponding Group0 interrupt. */ 291 plat_ic_end_of_interrupt(intid); 292 293 return 0U; 294 } 295 #endif 296 297 /******************************************************************************* 298 * spmd_handle_group0_intr_swd 299 * SPMC delegates handling of Group0 secure interrupt to EL3 firmware using 300 * FFA_EL3_INTR_HANDLE SMC call. Further, SPMD delegates the handling of the 301 * interrupt to the platform handler, and returns only upon successfully 302 * handling the Group0 interrupt. 303 ******************************************************************************/ 304 static uint64_t spmd_handle_group0_intr_swd(void *handle) 305 { 306 uint32_t intid; 307 308 /* Sanity check the pointer to this cpu's context */ 309 assert(handle == cm_get_context(SECURE)); 310 311 assert(plat_ic_get_pending_interrupt_type() == INTR_TYPE_EL3); 312 313 intid = plat_ic_acknowledge_interrupt(); 314 315 /* 316 * TODO: Currently due to a limitation in SPMD implementation, the 317 * platform handler is expected to not delegate handling to NWd while 318 * processing Group0 secure interrupt. 319 */ 320 if (plat_spmd_handle_group0_interrupt(intid) < 0) { 321 /* Group0 interrupt was not handled by the platform. */ 322 ERROR("Group0 interrupt %u not handled\n", intid); 323 panic(); 324 } 325 326 /* Deactivate the corresponding Group0 interrupt. */ 327 plat_ic_end_of_interrupt(intid); 328 329 /* Return success. */ 330 SMC_RET8(handle, FFA_SUCCESS_SMC32, FFA_PARAM_MBZ, FFA_PARAM_MBZ, 331 FFA_PARAM_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ, 332 FFA_PARAM_MBZ); 333 } 334 335 #if ENABLE_RME && SPMD_SPM_AT_SEL2 && !RESET_TO_BL31 336 static int spmd_dynamic_map_mem(uintptr_t base_addr, size_t size, 337 unsigned int attr, uintptr_t *align_addr, 338 size_t *align_size) 339 { 340 uintptr_t base_addr_align; 341 size_t mapped_size_align; 342 int rc; 343 344 /* Page aligned address and size if necessary */ 345 base_addr_align = page_align(base_addr, DOWN); 346 mapped_size_align = page_align(size, UP); 347 348 if ((base_addr != base_addr_align) && 349 (size == mapped_size_align)) { 350 mapped_size_align += PAGE_SIZE; 351 } 352 353 /* 354 * Map dynamically given region with its aligned base address and 355 * size 356 */ 357 rc = mmap_add_dynamic_region((unsigned long long)base_addr_align, 358 base_addr_align, 359 mapped_size_align, 360 attr); 361 if (rc == 0) { 362 *align_addr = base_addr_align; 363 *align_size = mapped_size_align; 364 } 365 366 return rc; 367 } 368 369 static void spmd_do_sec_cpy(uintptr_t root_base_addr, uintptr_t sec_base_addr, 370 size_t size) 371 { 372 uintptr_t root_base_addr_align, sec_base_addr_align; 373 size_t root_mapped_size_align, sec_mapped_size_align; 374 int rc; 375 376 assert(root_base_addr != 0UL); 377 assert(sec_base_addr != 0UL); 378 assert(size != 0UL); 379 380 /* Map the memory with required attributes */ 381 rc = spmd_dynamic_map_mem(root_base_addr, size, MT_RO_DATA | MT_ROOT, 382 &root_base_addr_align, 383 &root_mapped_size_align); 384 if (rc != 0) { 385 ERROR("%s %s %lu (%d)\n", "Error while mapping", "root region", 386 root_base_addr, rc); 387 panic(); 388 } 389 390 rc = spmd_dynamic_map_mem(sec_base_addr, size, MT_RW_DATA | MT_SECURE, 391 &sec_base_addr_align, &sec_mapped_size_align); 392 if (rc != 0) { 393 ERROR("%s %s %lu (%d)\n", "Error while mapping", 394 "secure region", sec_base_addr, rc); 395 panic(); 396 } 397 398 /* Do copy operation */ 399 (void)memcpy((void *)sec_base_addr, (void *)root_base_addr, size); 400 401 /* Unmap root memory region */ 402 rc = mmap_remove_dynamic_region(root_base_addr_align, 403 root_mapped_size_align); 404 if (rc != 0) { 405 ERROR("%s %s %lu (%d)\n", "Error while unmapping", 406 "root region", root_base_addr_align, rc); 407 panic(); 408 } 409 410 /* Unmap secure memory region */ 411 rc = mmap_remove_dynamic_region(sec_base_addr_align, 412 sec_mapped_size_align); 413 if (rc != 0) { 414 ERROR("%s %s %lu (%d)\n", "Error while unmapping", 415 "secure region", sec_base_addr_align, rc); 416 panic(); 417 } 418 } 419 #endif /* ENABLE_RME && SPMD_SPM_AT_SEL2 && !RESET_TO_BL31 */ 420 421 /******************************************************************************* 422 * Loads SPMC manifest and inits SPMC. 423 ******************************************************************************/ 424 static int spmd_spmc_init(void *pm_addr) 425 { 426 cpu_context_t *cpu_ctx; 427 unsigned int core_id; 428 uint32_t ep_attr, flags; 429 int rc; 430 const struct dyn_cfg_dtb_info_t *image_info __unused; 431 432 /* Load the SPM Core manifest */ 433 rc = plat_spm_core_manifest_load(&spmc_attrs, pm_addr); 434 if (rc != 0) { 435 WARN("No or invalid SPM Core manifest image provided by BL2\n"); 436 return rc; 437 } 438 439 /* 440 * Ensure that the SPM Core version is compatible with the SPM 441 * Dispatcher version. 442 */ 443 if ((spmc_attrs.major_version != FFA_VERSION_MAJOR) || 444 (spmc_attrs.minor_version > FFA_VERSION_MINOR)) { 445 WARN("Unsupported FFA version (%u.%u)\n", 446 spmc_attrs.major_version, spmc_attrs.minor_version); 447 return -EINVAL; 448 } 449 450 VERBOSE("FFA version (%u.%u)\n", spmc_attrs.major_version, 451 spmc_attrs.minor_version); 452 453 VERBOSE("SPM Core run time EL%x.\n", 454 SPMD_SPM_AT_SEL2 ? MODE_EL2 : MODE_EL1); 455 456 /* Validate the SPMC ID, Ensure high bit is set */ 457 if (((spmc_attrs.spmc_id >> SPMC_SECURE_ID_SHIFT) & 458 SPMC_SECURE_ID_MASK) == 0U) { 459 WARN("Invalid ID (0x%x) for SPMC.\n", spmc_attrs.spmc_id); 460 return -EINVAL; 461 } 462 463 /* Validate the SPM Core execution state */ 464 if ((spmc_attrs.exec_state != MODE_RW_64) && 465 (spmc_attrs.exec_state != MODE_RW_32)) { 466 WARN("Unsupported %s%x.\n", "SPM Core execution state 0x", 467 spmc_attrs.exec_state); 468 return -EINVAL; 469 } 470 471 VERBOSE("%s%x.\n", "SPM Core execution state 0x", 472 spmc_attrs.exec_state); 473 474 #if SPMD_SPM_AT_SEL2 475 /* Ensure manifest has not requested AArch32 state in S-EL2 */ 476 if (spmc_attrs.exec_state == MODE_RW_32) { 477 WARN("AArch32 state at S-EL2 is not supported.\n"); 478 return -EINVAL; 479 } 480 481 /* 482 * Check if S-EL2 is supported on this system if S-EL2 483 * is required for SPM 484 */ 485 if (!is_feat_sel2_supported()) { 486 WARN("SPM Core run time S-EL2 is not supported.\n"); 487 return -EINVAL; 488 } 489 #endif /* SPMD_SPM_AT_SEL2 */ 490 491 /* Initialise an entrypoint to set up the CPU context */ 492 ep_attr = SECURE | EP_ST_ENABLE; 493 if ((read_sctlr_el3() & SCTLR_EE_BIT) != 0ULL) { 494 ep_attr |= EP_EE_BIG; 495 } 496 497 SET_PARAM_HEAD(spmc_ep_info, PARAM_EP, VERSION_1, ep_attr); 498 499 /* 500 * Populate SPSR for SPM Core based upon validated parameters from the 501 * manifest. 502 */ 503 if (spmc_attrs.exec_state == MODE_RW_32) { 504 spmc_ep_info->spsr = SPSR_MODE32(MODE32_svc, SPSR_T_ARM, 505 SPSR_E_LITTLE, 506 DAIF_FIQ_BIT | 507 DAIF_IRQ_BIT | 508 DAIF_ABT_BIT); 509 } else { 510 511 #if SPMD_SPM_AT_SEL2 512 static const uint32_t runtime_el = MODE_EL2; 513 #else 514 static const uint32_t runtime_el = MODE_EL1; 515 #endif 516 spmc_ep_info->spsr = SPSR_64(runtime_el, 517 MODE_SP_ELX, 518 DISABLE_ALL_EXCEPTIONS); 519 } 520 521 #if ENABLE_RME && SPMD_SPM_AT_SEL2 && !RESET_TO_BL31 522 image_info = FCONF_GET_PROPERTY(dyn_cfg, dtb, TOS_FW_CONFIG_ID); 523 assert(image_info != NULL); 524 525 if ((image_info->config_addr == 0UL) || 526 (image_info->secondary_config_addr == 0UL) || 527 (image_info->config_max_size == 0UL)) { 528 return -EINVAL; 529 } 530 531 /* Copy manifest from root->secure region */ 532 spmd_do_sec_cpy(image_info->config_addr, 533 image_info->secondary_config_addr, 534 image_info->config_max_size); 535 536 /* Update ep info of BL32 */ 537 assert(spmc_ep_info != NULL); 538 spmc_ep_info->args.arg0 = image_info->secondary_config_addr; 539 #endif /* ENABLE_RME && SPMD_SPM_AT_SEL2 && !RESET_TO_BL31 */ 540 541 /* Set an initial SPMC context state for all cores. */ 542 for (core_id = 0U; core_id < PLATFORM_CORE_COUNT; core_id++) { 543 spm_core_context[core_id].state = SPMC_STATE_OFF; 544 545 /* Setup an initial cpu context for the SPMC. */ 546 cpu_ctx = &spm_core_context[core_id].cpu_ctx; 547 cm_setup_context(cpu_ctx, spmc_ep_info); 548 549 /* 550 * Pass the core linear ID to the SPMC through x4. 551 * (TF-A implementation defined behavior helping 552 * a legacy TOS migration to adopt FF-A). 553 */ 554 write_ctx_reg(get_gpregs_ctx(cpu_ctx), CTX_GPREG_X4, core_id); 555 } 556 557 /* Register power management hooks with PSCI */ 558 psci_register_spd_pm_hook(&spmd_pm); 559 560 /* Register init function for deferred init. */ 561 bl31_register_bl32_init(&spmd_init); 562 563 INFO("SPM Core setup done.\n"); 564 565 /* 566 * Register an interrupt handler routing secure interrupts to SPMD 567 * while the NWd is running. 568 */ 569 flags = 0; 570 set_interrupt_rm_flag(flags, NON_SECURE); 571 rc = register_interrupt_type_handler(INTR_TYPE_S_EL1, 572 spmd_secure_interrupt_handler, 573 flags); 574 if (rc != 0) { 575 panic(); 576 } 577 578 /* 579 * Permit configurations where the SPM resides at S-EL1/2 and upon a 580 * Group0 interrupt triggering while the normal world runs, the 581 * interrupt is routed either through the EHF or directly to the SPMD: 582 * 583 * EL3_EXCEPTION_HANDLING=0: the Group0 interrupt is routed to the SPMD 584 * for handling by spmd_group0_interrupt_handler_nwd. 585 * 586 * EL3_EXCEPTION_HANDLING=1: the Group0 interrupt is routed to the EHF. 587 * 588 */ 589 #if (EL3_EXCEPTION_HANDLING == 0) 590 /* 591 * Register an interrupt handler routing Group0 interrupts to SPMD 592 * while the NWd is running. 593 */ 594 rc = register_interrupt_type_handler(INTR_TYPE_EL3, 595 spmd_group0_interrupt_handler_nwd, 596 flags); 597 if (rc != 0) { 598 panic(); 599 } 600 #endif 601 602 return 0; 603 } 604 605 /******************************************************************************* 606 * Initialize context of SPM Core. 607 ******************************************************************************/ 608 int spmd_setup(void) 609 { 610 int rc; 611 void *spmc_manifest; 612 613 /* 614 * If the SPMC is at EL3, then just initialise it directly. The 615 * shenanigans of when it is at a lower EL are not needed. 616 */ 617 if (is_spmc_at_el3()) { 618 /* Allow the SPMC to populate its attributes directly. */ 619 spmc_populate_attrs(&spmc_attrs); 620 621 rc = spmc_setup(); 622 if (rc != 0) { 623 WARN("SPMC initialisation failed 0x%x.\n", rc); 624 } 625 return 0; 626 } 627 628 spmc_ep_info = bl31_plat_get_next_image_ep_info(SECURE); 629 if (spmc_ep_info == NULL) { 630 WARN("No SPM Core image provided by BL2 boot loader.\n"); 631 return 0; 632 } 633 634 /* Under no circumstances will this parameter be 0 */ 635 assert(spmc_ep_info->pc != 0ULL); 636 637 /* 638 * Check if BL32 ep_info has a reference to 'tos_fw_config'. This will 639 * be used as a manifest for the SPM Core at the next lower EL/mode. 640 */ 641 spmc_manifest = (void *)spmc_ep_info->args.arg0; 642 if (spmc_manifest == NULL) { 643 WARN("Invalid or absent SPM Core manifest.\n"); 644 return 0; 645 } 646 647 /* Load manifest, init SPMC */ 648 rc = spmd_spmc_init(spmc_manifest); 649 if (rc != 0) { 650 WARN("Booting device without SPM initialization.\n"); 651 } 652 653 return 0; 654 } 655 656 /******************************************************************************* 657 * Forward FF-A SMCs to the other security state. 658 ******************************************************************************/ 659 uint64_t spmd_smc_switch_state(uint32_t smc_fid, 660 bool secure_origin, 661 uint64_t x1, 662 uint64_t x2, 663 uint64_t x3, 664 uint64_t x4, 665 void *handle) 666 { 667 unsigned int secure_state_in = (secure_origin) ? SECURE : NON_SECURE; 668 unsigned int secure_state_out = (!secure_origin) ? SECURE : NON_SECURE; 669 670 /* Save incoming security state */ 671 #if SPMD_SPM_AT_SEL2 672 if (secure_state_in == NON_SECURE) { 673 cm_el1_sysregs_context_save(secure_state_in); 674 } 675 cm_el2_sysregs_context_save(secure_state_in); 676 #else 677 cm_el1_sysregs_context_save(secure_state_in); 678 #endif 679 680 /* Restore outgoing security state */ 681 #if SPMD_SPM_AT_SEL2 682 if (secure_state_out == NON_SECURE) { 683 cm_el1_sysregs_context_restore(secure_state_out); 684 } 685 cm_el2_sysregs_context_restore(secure_state_out); 686 #else 687 cm_el1_sysregs_context_restore(secure_state_out); 688 #endif 689 cm_set_next_eret_context(secure_state_out); 690 691 #if SPMD_SPM_AT_SEL2 692 /* 693 * If SPMC is at SEL2, save additional registers x8-x17, which may 694 * be used in FF-A calls such as FFA_PARTITION_INFO_GET_REGS. 695 * Note that technically, all SPMCs can support this, but this code is 696 * under ifdef to minimize breakage in case other SPMCs do not save 697 * and restore x8-x17. 698 * We also need to pass through these registers since not all FF-A ABIs 699 * modify x8-x17, in which case, SMCCC requires that these registers be 700 * preserved, so the SPMD passes through these registers and expects the 701 * SPMC to save and restore (potentially also modify) them. 702 */ 703 SMC_RET18(cm_get_context(secure_state_out), smc_fid, x1, x2, x3, x4, 704 SMC_GET_GP(handle, CTX_GPREG_X5), 705 SMC_GET_GP(handle, CTX_GPREG_X6), 706 SMC_GET_GP(handle, CTX_GPREG_X7), 707 SMC_GET_GP(handle, CTX_GPREG_X8), 708 SMC_GET_GP(handle, CTX_GPREG_X9), 709 SMC_GET_GP(handle, CTX_GPREG_X10), 710 SMC_GET_GP(handle, CTX_GPREG_X11), 711 SMC_GET_GP(handle, CTX_GPREG_X12), 712 SMC_GET_GP(handle, CTX_GPREG_X13), 713 SMC_GET_GP(handle, CTX_GPREG_X14), 714 SMC_GET_GP(handle, CTX_GPREG_X15), 715 SMC_GET_GP(handle, CTX_GPREG_X16), 716 SMC_GET_GP(handle, CTX_GPREG_X17) 717 ); 718 719 #else 720 SMC_RET8(cm_get_context(secure_state_out), smc_fid, x1, x2, x3, x4, 721 SMC_GET_GP(handle, CTX_GPREG_X5), 722 SMC_GET_GP(handle, CTX_GPREG_X6), 723 SMC_GET_GP(handle, CTX_GPREG_X7)); 724 #endif 725 } 726 727 /******************************************************************************* 728 * Forward SMCs to the other security state. 729 ******************************************************************************/ 730 static uint64_t spmd_smc_forward(uint32_t smc_fid, 731 bool secure_origin, 732 uint64_t x1, 733 uint64_t x2, 734 uint64_t x3, 735 uint64_t x4, 736 void *cookie, 737 void *handle, 738 uint64_t flags) 739 { 740 if (is_spmc_at_el3() && !secure_origin) { 741 return spmc_smc_handler(smc_fid, secure_origin, x1, x2, x3, x4, 742 cookie, handle, flags); 743 } 744 return spmd_smc_switch_state(smc_fid, secure_origin, x1, x2, x3, x4, 745 handle); 746 747 } 748 749 /******************************************************************************* 750 * Return FFA_ERROR with specified error code 751 ******************************************************************************/ 752 static uint64_t spmd_ffa_error_return(void *handle, int error_code) 753 { 754 SMC_RET8(handle, (uint32_t) FFA_ERROR, 755 FFA_TARGET_INFO_MBZ, (uint32_t)error_code, 756 FFA_PARAM_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ, 757 FFA_PARAM_MBZ, FFA_PARAM_MBZ); 758 } 759 760 /******************************************************************************* 761 * spmd_check_address_in_binary_image 762 ******************************************************************************/ 763 bool spmd_check_address_in_binary_image(uint64_t address) 764 { 765 assert(!check_uptr_overflow(spmc_attrs.load_address, spmc_attrs.binary_size)); 766 767 return ((address >= spmc_attrs.load_address) && 768 (address < (spmc_attrs.load_address + spmc_attrs.binary_size))); 769 } 770 771 /****************************************************************************** 772 * spmd_is_spmc_message 773 *****************************************************************************/ 774 static bool spmd_is_spmc_message(unsigned int ep) 775 { 776 if (is_spmc_at_el3()) { 777 return false; 778 } 779 780 return ((ffa_endpoint_destination(ep) == SPMD_DIRECT_MSG_ENDPOINT_ID) 781 && (ffa_endpoint_source(ep) == spmc_attrs.spmc_id)); 782 } 783 784 /****************************************************************************** 785 * spmd_handle_spmc_message 786 *****************************************************************************/ 787 static int spmd_handle_spmc_message(unsigned long long msg, 788 unsigned long long parm1, unsigned long long parm2, 789 unsigned long long parm3, unsigned long long parm4) 790 { 791 VERBOSE("%s %llx %llx %llx %llx %llx\n", __func__, 792 msg, parm1, parm2, parm3, parm4); 793 794 return -EINVAL; 795 } 796 797 /******************************************************************************* 798 * This function forwards FF-A SMCs to either the main SPMD handler or the 799 * SPMC at EL3, depending on the origin security state, if enabled. 800 ******************************************************************************/ 801 uint64_t spmd_ffa_smc_handler(uint32_t smc_fid, 802 uint64_t x1, 803 uint64_t x2, 804 uint64_t x3, 805 uint64_t x4, 806 void *cookie, 807 void *handle, 808 uint64_t flags) 809 { 810 if (is_spmc_at_el3()) { 811 /* 812 * If we have an SPMC at EL3 allow handling of the SMC first. 813 * The SPMC will call back through to SPMD handler if required. 814 */ 815 if (is_caller_secure(flags)) { 816 return spmc_smc_handler(smc_fid, 817 is_caller_secure(flags), 818 x1, x2, x3, x4, cookie, 819 handle, flags); 820 } 821 } 822 return spmd_smc_handler(smc_fid, x1, x2, x3, x4, cookie, 823 handle, flags); 824 } 825 826 /******************************************************************************* 827 * This function handles all SMCs in the range reserved for FFA. Each call is 828 * either forwarded to the other security state or handled by the SPM dispatcher 829 ******************************************************************************/ 830 uint64_t spmd_smc_handler(uint32_t smc_fid, 831 uint64_t x1, 832 uint64_t x2, 833 uint64_t x3, 834 uint64_t x4, 835 void *cookie, 836 void *handle, 837 uint64_t flags) 838 { 839 unsigned int linear_id = plat_my_core_pos(); 840 spmd_spm_core_context_t *ctx = spmd_get_context(); 841 bool secure_origin; 842 int32_t ret; 843 uint32_t input_version; 844 845 /* Determine which security state this SMC originated from */ 846 secure_origin = is_caller_secure(flags); 847 848 VERBOSE("SPM(%u): 0x%x 0x%" PRIx64 " 0x%" PRIx64 " 0x%" PRIx64 " 0x%" PRIx64 849 " 0x%" PRIx64 " 0x%" PRIx64 " 0x%" PRIx64 "\n", 850 linear_id, smc_fid, x1, x2, x3, x4, 851 SMC_GET_GP(handle, CTX_GPREG_X5), 852 SMC_GET_GP(handle, CTX_GPREG_X6), 853 SMC_GET_GP(handle, CTX_GPREG_X7)); 854 855 switch (smc_fid) { 856 case FFA_ERROR: 857 /* 858 * Check if this is the first invocation of this interface on 859 * this CPU. If so, then indicate that the SPM Core initialised 860 * unsuccessfully. 861 */ 862 if (secure_origin && (ctx->state == SPMC_STATE_ON_PENDING)) { 863 spmd_spm_core_sync_exit(x2); 864 } 865 866 return spmd_smc_forward(smc_fid, secure_origin, 867 x1, x2, x3, x4, cookie, 868 handle, flags); 869 break; /* not reached */ 870 871 case FFA_VERSION: 872 input_version = (uint32_t)(0xFFFFFFFF & x1); 873 /* 874 * If caller is secure and SPMC was initialized, 875 * return FFA_VERSION of SPMD. 876 * If caller is non secure and SPMC was initialized, 877 * forward to the EL3 SPMC if enabled, otherwise return 878 * the SPMC version if implemented at a lower EL. 879 * Sanity check to "input_version". 880 * If the EL3 SPMC is enabled, ignore the SPMC state as 881 * this is not used. 882 */ 883 if ((input_version & FFA_VERSION_BIT31_MASK) || 884 (!is_spmc_at_el3() && (ctx->state == SPMC_STATE_RESET))) { 885 ret = FFA_ERROR_NOT_SUPPORTED; 886 } else if (!secure_origin) { 887 if (is_spmc_at_el3()) { 888 /* 889 * Forward the call directly to the EL3 SPMC, if 890 * enabled, as we don't need to wrap the call in 891 * a direct request. 892 */ 893 return spmd_smc_forward(smc_fid, secure_origin, 894 x1, x2, x3, x4, cookie, 895 handle, flags); 896 } 897 898 gp_regs_t *gpregs = get_gpregs_ctx(&ctx->cpu_ctx); 899 uint64_t rc; 900 901 if (spmc_attrs.major_version == 1 && 902 spmc_attrs.minor_version == 0) { 903 ret = MAKE_FFA_VERSION(spmc_attrs.major_version, 904 spmc_attrs.minor_version); 905 SMC_RET8(handle, (uint32_t)ret, 906 FFA_TARGET_INFO_MBZ, 907 FFA_TARGET_INFO_MBZ, 908 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 909 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 910 FFA_PARAM_MBZ); 911 break; 912 } 913 /* Save non-secure system registers context */ 914 cm_el1_sysregs_context_save(NON_SECURE); 915 #if SPMD_SPM_AT_SEL2 916 cm_el2_sysregs_context_save(NON_SECURE); 917 #endif 918 919 /* 920 * The incoming request has FFA_VERSION as X0 smc_fid 921 * and requested version in x1. Prepare a direct request 922 * from SPMD to SPMC with FFA_VERSION framework function 923 * identifier in X2 and requested version in X3. 924 */ 925 spmd_build_spmc_message(gpregs, 926 SPMD_FWK_MSG_FFA_VERSION_REQ, 927 input_version); 928 929 rc = spmd_spm_core_sync_entry(ctx); 930 931 if ((rc != 0ULL) || 932 (SMC_GET_GP(gpregs, CTX_GPREG_X0) != 933 FFA_MSG_SEND_DIRECT_RESP_SMC32) || 934 (SMC_GET_GP(gpregs, CTX_GPREG_X2) != 935 (FFA_FWK_MSG_BIT | 936 SPMD_FWK_MSG_FFA_VERSION_RESP))) { 937 ERROR("Failed to forward FFA_VERSION\n"); 938 ret = FFA_ERROR_NOT_SUPPORTED; 939 } else { 940 ret = SMC_GET_GP(gpregs, CTX_GPREG_X3); 941 } 942 943 /* 944 * Return here after SPMC has handled FFA_VERSION. 945 * The returned SPMC version is held in X3. 946 * Forward this version in X0 to the non-secure caller. 947 */ 948 return spmd_smc_forward(ret, true, FFA_PARAM_MBZ, 949 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 950 FFA_PARAM_MBZ, cookie, gpregs, 951 flags); 952 } else { 953 ret = MAKE_FFA_VERSION(FFA_VERSION_MAJOR, 954 FFA_VERSION_MINOR); 955 } 956 957 SMC_RET8(handle, (uint32_t)ret, FFA_TARGET_INFO_MBZ, 958 FFA_TARGET_INFO_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ, 959 FFA_PARAM_MBZ, FFA_PARAM_MBZ, FFA_PARAM_MBZ); 960 break; /* not reached */ 961 962 case FFA_FEATURES: 963 /* 964 * This is an optional interface. Do the minimal checks and 965 * forward to SPM Core which will handle it if implemented. 966 */ 967 968 /* Forward SMC from Normal world to the SPM Core */ 969 if (!secure_origin) { 970 return spmd_smc_forward(smc_fid, secure_origin, 971 x1, x2, x3, x4, cookie, 972 handle, flags); 973 } 974 975 /* 976 * Return success if call was from secure world i.e. all 977 * FFA functions are supported. This is essentially a 978 * nop. 979 */ 980 SMC_RET8(handle, FFA_SUCCESS_SMC32, x1, x2, x3, x4, 981 SMC_GET_GP(handle, CTX_GPREG_X5), 982 SMC_GET_GP(handle, CTX_GPREG_X6), 983 SMC_GET_GP(handle, CTX_GPREG_X7)); 984 985 break; /* not reached */ 986 987 case FFA_ID_GET: 988 /* 989 * Returns the ID of the calling FFA component. 990 */ 991 if (!secure_origin) { 992 SMC_RET8(handle, FFA_SUCCESS_SMC32, 993 FFA_TARGET_INFO_MBZ, FFA_NS_ENDPOINT_ID, 994 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 995 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 996 FFA_PARAM_MBZ); 997 } 998 999 SMC_RET8(handle, FFA_SUCCESS_SMC32, 1000 FFA_TARGET_INFO_MBZ, spmc_attrs.spmc_id, 1001 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1002 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1003 FFA_PARAM_MBZ); 1004 1005 break; /* not reached */ 1006 1007 case FFA_SECONDARY_EP_REGISTER_SMC64: 1008 if (secure_origin) { 1009 ret = spmd_pm_secondary_ep_register(x1); 1010 1011 if (ret < 0) { 1012 SMC_RET8(handle, FFA_ERROR_SMC64, 1013 FFA_TARGET_INFO_MBZ, ret, 1014 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1015 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1016 FFA_PARAM_MBZ); 1017 } else { 1018 SMC_RET8(handle, FFA_SUCCESS_SMC64, 1019 FFA_TARGET_INFO_MBZ, FFA_PARAM_MBZ, 1020 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1021 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1022 FFA_PARAM_MBZ); 1023 } 1024 } 1025 1026 return spmd_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1027 break; /* Not reached */ 1028 1029 case FFA_SPM_ID_GET: 1030 if (MAKE_FFA_VERSION(1, 1) > FFA_VERSION_COMPILED) { 1031 return spmd_ffa_error_return(handle, 1032 FFA_ERROR_NOT_SUPPORTED); 1033 } 1034 /* 1035 * Returns the ID of the SPMC or SPMD depending on the FF-A 1036 * instance where this function is invoked 1037 */ 1038 if (!secure_origin) { 1039 SMC_RET8(handle, FFA_SUCCESS_SMC32, 1040 FFA_TARGET_INFO_MBZ, spmc_attrs.spmc_id, 1041 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1042 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1043 FFA_PARAM_MBZ); 1044 } 1045 SMC_RET8(handle, FFA_SUCCESS_SMC32, 1046 FFA_TARGET_INFO_MBZ, SPMD_DIRECT_MSG_ENDPOINT_ID, 1047 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1048 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1049 FFA_PARAM_MBZ); 1050 1051 break; /* not reached */ 1052 1053 case FFA_MSG_SEND_DIRECT_REQ_SMC32: 1054 case FFA_MSG_SEND_DIRECT_REQ_SMC64: 1055 if (!secure_origin) { 1056 /* Validate source endpoint is non-secure for non-secure caller. */ 1057 if (ffa_is_secure_world_id(ffa_endpoint_source(x1))) { 1058 return spmd_ffa_error_return(handle, 1059 FFA_ERROR_INVALID_PARAMETER); 1060 } 1061 } 1062 if (secure_origin && spmd_is_spmc_message(x1)) { 1063 ret = spmd_handle_spmc_message(x3, x4, 1064 SMC_GET_GP(handle, CTX_GPREG_X5), 1065 SMC_GET_GP(handle, CTX_GPREG_X6), 1066 SMC_GET_GP(handle, CTX_GPREG_X7)); 1067 1068 SMC_RET8(handle, FFA_SUCCESS_SMC32, 1069 FFA_TARGET_INFO_MBZ, ret, 1070 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1071 FFA_PARAM_MBZ, FFA_PARAM_MBZ, 1072 FFA_PARAM_MBZ); 1073 } else { 1074 /* Forward direct message to the other world */ 1075 return spmd_smc_forward(smc_fid, secure_origin, 1076 x1, x2, x3, x4, cookie, 1077 handle, flags); 1078 } 1079 break; /* Not reached */ 1080 1081 case FFA_MSG_SEND_DIRECT_RESP_SMC32: 1082 if (secure_origin && spmd_is_spmc_message(x1)) { 1083 spmd_spm_core_sync_exit(0ULL); 1084 } else { 1085 /* Forward direct message to the other world */ 1086 return spmd_smc_forward(smc_fid, secure_origin, 1087 x1, x2, x3, x4, cookie, 1088 handle, flags); 1089 } 1090 break; /* Not reached */ 1091 1092 case FFA_RX_RELEASE: 1093 case FFA_RXTX_MAP_SMC32: 1094 case FFA_RXTX_MAP_SMC64: 1095 case FFA_RXTX_UNMAP: 1096 case FFA_PARTITION_INFO_GET: 1097 #if MAKE_FFA_VERSION(1, 1) <= FFA_VERSION_COMPILED 1098 case FFA_NOTIFICATION_BITMAP_CREATE: 1099 case FFA_NOTIFICATION_BITMAP_DESTROY: 1100 case FFA_NOTIFICATION_BIND: 1101 case FFA_NOTIFICATION_UNBIND: 1102 case FFA_NOTIFICATION_SET: 1103 case FFA_NOTIFICATION_GET: 1104 case FFA_NOTIFICATION_INFO_GET: 1105 case FFA_NOTIFICATION_INFO_GET_SMC64: 1106 case FFA_MSG_SEND2: 1107 case FFA_RX_ACQUIRE: 1108 #endif 1109 case FFA_MSG_RUN: 1110 /* 1111 * Above calls should be invoked only by the Normal world and 1112 * must not be forwarded from Secure world to Normal world. 1113 */ 1114 if (secure_origin) { 1115 return spmd_ffa_error_return(handle, 1116 FFA_ERROR_NOT_SUPPORTED); 1117 } 1118 1119 /* Forward the call to the other world */ 1120 /* fallthrough */ 1121 case FFA_MSG_SEND: 1122 case FFA_MSG_SEND_DIRECT_RESP_SMC64: 1123 case FFA_MEM_DONATE_SMC32: 1124 case FFA_MEM_DONATE_SMC64: 1125 case FFA_MEM_LEND_SMC32: 1126 case FFA_MEM_LEND_SMC64: 1127 case FFA_MEM_SHARE_SMC32: 1128 case FFA_MEM_SHARE_SMC64: 1129 case FFA_MEM_RETRIEVE_REQ_SMC32: 1130 case FFA_MEM_RETRIEVE_REQ_SMC64: 1131 case FFA_MEM_RETRIEVE_RESP: 1132 case FFA_MEM_RELINQUISH: 1133 case FFA_MEM_RECLAIM: 1134 case FFA_MEM_FRAG_TX: 1135 case FFA_MEM_FRAG_RX: 1136 case FFA_SUCCESS_SMC32: 1137 case FFA_SUCCESS_SMC64: 1138 /* 1139 * TODO: Assume that no requests originate from EL3 at the 1140 * moment. This will change if a SP service is required in 1141 * response to secure interrupts targeted to EL3. Until then 1142 * simply forward the call to the Normal world. 1143 */ 1144 1145 return spmd_smc_forward(smc_fid, secure_origin, 1146 x1, x2, x3, x4, cookie, 1147 handle, flags); 1148 break; /* not reached */ 1149 1150 case FFA_MSG_WAIT: 1151 /* 1152 * Check if this is the first invocation of this interface on 1153 * this CPU from the Secure world. If so, then indicate that the 1154 * SPM Core initialised successfully. 1155 */ 1156 if (secure_origin && (ctx->state == SPMC_STATE_ON_PENDING)) { 1157 spmd_spm_core_sync_exit(0ULL); 1158 } 1159 1160 /* Forward the call to the other world */ 1161 /* fallthrough */ 1162 case FFA_INTERRUPT: 1163 case FFA_MSG_YIELD: 1164 /* This interface must be invoked only by the Secure world */ 1165 if (!secure_origin) { 1166 return spmd_ffa_error_return(handle, 1167 FFA_ERROR_NOT_SUPPORTED); 1168 } 1169 1170 return spmd_smc_forward(smc_fid, secure_origin, 1171 x1, x2, x3, x4, cookie, 1172 handle, flags); 1173 break; /* not reached */ 1174 1175 case FFA_NORMAL_WORLD_RESUME: 1176 if (secure_origin && ctx->secure_interrupt_ongoing) { 1177 spmd_spm_core_sync_exit(0ULL); 1178 } else { 1179 return spmd_ffa_error_return(handle, FFA_ERROR_DENIED); 1180 } 1181 break; /* Not reached */ 1182 #if MAKE_FFA_VERSION(1, 1) <= FFA_VERSION_COMPILED 1183 case FFA_PARTITION_INFO_GET_REGS_SMC64: 1184 if (secure_origin) { 1185 /* TODO: Future patches to enable support for this */ 1186 return spmd_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1187 } 1188 1189 /* Call only supported with SMCCC 1.2+ */ 1190 if (MAKE_SMCCC_VERSION(SMCCC_MAJOR_VERSION, SMCCC_MINOR_VERSION) < 0x10002) { 1191 return spmd_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1192 } 1193 1194 return spmd_smc_forward(smc_fid, secure_origin, 1195 x1, x2, x3, x4, cookie, 1196 handle, flags); 1197 break; /* Not reached */ 1198 #endif 1199 case FFA_EL3_INTR_HANDLE: 1200 if (secure_origin) { 1201 return spmd_handle_group0_intr_swd(handle); 1202 } else { 1203 return spmd_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1204 } 1205 default: 1206 WARN("SPM: Unsupported call 0x%08x\n", smc_fid); 1207 return spmd_ffa_error_return(handle, FFA_ERROR_NOT_SUPPORTED); 1208 } 1209 } 1210