| /* |
| * Copyright (c) 2021-2022, ProvenRun S.A.S. All rights reserved. |
| * |
| * SPDX-License-Identifier: BSD-3-Clause |
| */ |
| |
| /******************************************************************************* |
| * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a |
| * plug-in component to the Secure Monitor, registered as a runtime service. The |
| * SPD is expected to be a functional extension of the Secure Payload (SP) that |
| * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting |
| * the Trusted OS/Applications range to the dispatcher. The SPD will either |
| * handle the request locally or delegate it to the Secure Payload. It is also |
| * responsible for initialising and maintaining communication with the SP. |
| ******************************************************************************/ |
| |
| #include <assert.h> |
| #include <errno.h> |
| #include <stddef.h> |
| #include <string.h> |
| |
| #include <arch_helpers.h> |
| #include <bl31/bl31.h> |
| #include <bl31/interrupt_mgmt.h> |
| #include <bl_common.h> |
| #include <common/debug.h> |
| #include <common/ep_info.h> |
| #include <drivers/arm/gic_common.h> |
| #include <lib/el3_runtime/context_mgmt.h> |
| #include <lib/spinlock.h> |
| #include <plat/common/platform.h> |
| #include <pnc.h> |
| #include "pncd_private.h" |
| #include <runtime_svc.h> |
| #include <tools_share/uuid.h> |
| |
| /******************************************************************************* |
| * Structure to keep track of ProvenCore state |
| ******************************************************************************/ |
| static pnc_context_t pncd_sp_context; |
| |
| static bool ree_info; |
| static uint64_t ree_base_addr; |
| static uint64_t ree_length; |
| static uint64_t ree_tag; |
| |
| static bool pnc_initialized; |
| |
| static spinlock_t smc_handler_lock; |
| |
| static int pncd_init(void); |
| |
| static void context_save(unsigned long security_state) |
| { |
| assert(sec_state_is_valid(security_state)); |
| |
| cm_el1_sysregs_context_save((uint32_t) security_state); |
| #if CTX_INCLUDE_FPREGS |
| fpregs_context_save(get_fpregs_ctx(cm_get_context(security_state))); |
| #endif |
| } |
| |
| static void *context_restore(unsigned long security_state) |
| { |
| void *handle; |
| |
| assert(sec_state_is_valid(security_state)); |
| |
| /* Get a reference to the next context */ |
| handle = cm_get_context((uint32_t) security_state); |
| assert(handle); |
| |
| /* Restore state */ |
| cm_el1_sysregs_context_restore((uint32_t) security_state); |
| #if CTX_INCLUDE_FPREGS |
| fpregs_context_restore(get_fpregs_ctx(cm_get_context(security_state))); |
| #endif |
| |
| cm_set_next_eret_context((uint32_t) security_state); |
| |
| return handle; |
| } |
| |
| static uint64_t pncd_sel1_interrupt_handler(uint32_t id, |
| uint32_t flags, void *handle, void *cookie); |
| |
| /******************************************************************************* |
| * Switch context to the specified security state and return the targeted |
| * handle. Note that the context may remain unchanged if the switch is not |
| * allowed. |
| ******************************************************************************/ |
| void *pncd_context_switch_to(unsigned long security_state) |
| { |
| unsigned long sec_state_from = |
| security_state == SECURE ? NON_SECURE : SECURE; |
| |
| assert(sec_state_is_valid(security_state)); |
| |
| /* Check if this is the first world switch */ |
| if (!pnc_initialized) { |
| int rc; |
| uint32_t flags; |
| |
| assert(sec_state_from == SECURE); |
| |
| INFO("PnC initialization done\n"); |
| |
| /* |
| * Register an interrupt handler for S-EL1 interrupts |
| * when generated during code executing in the |
| * non-secure state. |
| */ |
| flags = 0U; |
| set_interrupt_rm_flag(flags, NON_SECURE); |
| rc = register_interrupt_type_handler(INTR_TYPE_S_EL1, |
| pncd_sel1_interrupt_handler, |
| flags); |
| if (rc != 0) { |
| ERROR("Failed to register S-EL1 interrupt handler (%d)\n", |
| rc); |
| panic(); |
| } |
| |
| context_save(SECURE); |
| |
| pnc_initialized = true; |
| |
| /* |
| * Release the lock before restoring the EL3 context to |
| * bl31_main. |
| */ |
| spin_unlock(&smc_handler_lock); |
| |
| /* |
| * SP reports completion. The SPD must have initiated |
| * the original request through a synchronous entry |
| * into the SP. Jump back to the original C runtime |
| * context. |
| */ |
| pncd_synchronous_sp_exit(&pncd_sp_context, (uint64_t) 0x0); |
| |
| /* Unreachable */ |
| ERROR("Returned from pncd_synchronous_sp_exit... Should not happen\n"); |
| panic(); |
| } |
| |
| /* Check that the world switch is allowed */ |
| if (read_mpidr() != pncd_sp_context.mpidr) { |
| if (sec_state_from == SECURE) { |
| /* |
| * Secure -> Non-Secure world switch initiated on a CPU where there |
| * should be no Trusted OS running |
| */ |
| WARN("Secure to Non-Secure switch requested on CPU where ProvenCore is not supposed to be running...\n"); |
| } |
| |
| /* |
| * Secure or Non-Secure world wants to switch world but there is no Secure |
| * software on this core |
| */ |
| return cm_get_context((uint32_t) sec_state_from); |
| } |
| |
| context_save(sec_state_from); |
| |
| return context_restore(security_state); |
| } |
| |
| /******************************************************************************* |
| * This function is the handler registered for S-EL1 interrupts by the PNCD. It |
| * validates the interrupt and upon success arranges entry into the PNC at |
| * 'pnc_sel1_intr_entry()' for handling the interrupt. |
| ******************************************************************************/ |
| static uint64_t pncd_sel1_interrupt_handler(uint32_t id, |
| uint32_t flags, |
| void *handle, |
| void *cookie) |
| { |
| /* Check the security state when the exception was generated */ |
| assert(get_interrupt_src_ss(flags) == NON_SECURE); |
| |
| /* Sanity check the pointer to this cpu's context */ |
| assert(handle == cm_get_context(NON_SECURE)); |
| |
| /* switch to PnC */ |
| handle = pncd_context_switch_to(SECURE); |
| |
| assert(handle != NULL); |
| |
| SMC_RET0(handle); |
| } |
| |
| #pragma weak plat_pncd_setup |
| int plat_pncd_setup(void) |
| { |
| return 0; |
| } |
| |
| /******************************************************************************* |
| * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type |
| * (aarch32/aarch64) if not already known and initialises the context for entry |
| * into the SP for its initialisation. |
| ******************************************************************************/ |
| static int pncd_setup(void) |
| { |
| entry_point_info_t *pnc_ep_info; |
| |
| /* |
| * Get information about the Secure Payload (BL32) image. Its |
| * absence is a critical failure. |
| * |
| * TODO: Add support to conditionally include the SPD service |
| */ |
| pnc_ep_info = bl31_plat_get_next_image_ep_info(SECURE); |
| if (!pnc_ep_info) { |
| WARN("No PNC provided by BL2 boot loader, Booting device without PNC initialization. SMC`s destined for PNC will return SMC_UNK\n"); |
| return 1; |
| } |
| |
| /* |
| * If there's no valid entry point for SP, we return a non-zero value |
| * signalling failure initializing the service. We bail out without |
| * registering any handlers |
| */ |
| if (!pnc_ep_info->pc) { |
| return 1; |
| } |
| |
| pncd_init_pnc_ep_state(pnc_ep_info, |
| pnc_ep_info->pc, |
| &pncd_sp_context); |
| |
| /* |
| * All PNCD initialization done. Now register our init function with |
| * BL31 for deferred invocation |
| */ |
| bl31_register_bl32_init(&pncd_init); |
| bl31_set_next_image_type(NON_SECURE); |
| |
| return plat_pncd_setup(); |
| } |
| |
| /******************************************************************************* |
| * This function passes control to the Secure Payload image (BL32) for the first |
| * time on the primary cpu after a cold boot. It assumes that a valid secure |
| * context has already been created by pncd_setup() which can be directly used. |
| * It also assumes that a valid non-secure context has been initialised by PSCI |
| * so it does not need to save and restore any non-secure state. This function |
| * performs a synchronous entry into the Secure payload. The SP passes control |
| * back to this routine through a SMC. |
| ******************************************************************************/ |
| static int32_t pncd_init(void) |
| { |
| entry_point_info_t *pnc_entry_point; |
| uint64_t rc = 0; |
| |
| /* |
| * Get information about the Secure Payload (BL32) image. Its |
| * absence is a critical failure. |
| */ |
| pnc_entry_point = bl31_plat_get_next_image_ep_info(SECURE); |
| assert(pnc_entry_point); |
| |
| cm_init_my_context(pnc_entry_point); |
| |
| /* |
| * Arrange for an entry into the test secure payload. It will be |
| * returned via PNC_ENTRY_DONE case |
| */ |
| rc = pncd_synchronous_sp_entry(&pncd_sp_context); |
| |
| /* |
| * If everything went well at this point, the return value should be 0. |
| */ |
| return rc == 0; |
| } |
| |
| #pragma weak plat_pncd_smc_handler |
| /******************************************************************************* |
| * This function is responsible for handling the platform-specific SMCs in the |
| * Trusted OS/App range as defined in the SMC Calling Convention Document. |
| ******************************************************************************/ |
| uintptr_t plat_pncd_smc_handler(uint32_t smc_fid, |
| u_register_t x1, |
| u_register_t x2, |
| u_register_t x3, |
| u_register_t x4, |
| void *cookie, |
| void *handle, |
| u_register_t flags) |
| { |
| (void) smc_fid; |
| (void) x1; |
| (void) x2; |
| (void) x3; |
| (void) x4; |
| (void) cookie; |
| (void) flags; |
| |
| SMC_RET1(handle, SMC_UNK); |
| } |
| |
| /******************************************************************************* |
| * This function is responsible for handling all SMCs in the Trusted OS/App |
| * range as defined in the SMC Calling Convention Document. It is also |
| * responsible for communicating with the Secure payload to delegate work and |
| * return results back to the non-secure state. Lastly it will also return any |
| * information that the secure payload needs to do the work assigned to it. |
| * |
| * It should only be called with the smc_handler_lock held. |
| ******************************************************************************/ |
| static uintptr_t pncd_smc_handler_unsafe(uint32_t smc_fid, |
| u_register_t x1, |
| u_register_t x2, |
| u_register_t x3, |
| u_register_t x4, |
| void *cookie, |
| void *handle, |
| u_register_t flags) |
| { |
| uint32_t ns; |
| |
| /* Determine which security state this SMC originated from */ |
| ns = is_caller_non_secure(flags); |
| |
| assert(ns != 0 || read_mpidr() == pncd_sp_context.mpidr); |
| |
| switch (smc_fid) { |
| case SMC_CONFIG_SHAREDMEM: |
| if (ree_info) { |
| /* Do not Yield */ |
| SMC_RET0(handle); |
| } |
| |
| /* |
| * Fetch the physical base address (x1) and size (x2) of the |
| * shared memory allocated by the Non-Secure world. This memory |
| * will be used by PNC to communicate with the Non-Secure world. |
| * Verifying the validity of these values is up to the Trusted |
| * OS. |
| */ |
| ree_base_addr = x1 | (x2 << 32); |
| ree_length = x3; |
| ree_tag = x4; |
| |
| INFO("IN SMC_CONFIG_SHAREDMEM: addr=%lx, length=%lx, tag=%lx\n", |
| (unsigned long) ree_base_addr, |
| (unsigned long) ree_length, |
| (unsigned long) ree_tag); |
| |
| if ((ree_base_addr % 0x200000) != 0) { |
| SMC_RET1(handle, SMC_UNK); |
| } |
| |
| if ((ree_length % 0x200000) != 0) { |
| SMC_RET1(handle, SMC_UNK); |
| } |
| |
| ree_info = true; |
| |
| /* Do not Yield */ |
| SMC_RET4(handle, 0, 0, 0, 0); |
| |
| break; |
| |
| case SMC_GET_SHAREDMEM: |
| if (ree_info) { |
| x1 = (1U << 16) | ree_tag; |
| x2 = ree_base_addr & 0xFFFFFFFF; |
| x3 = (ree_base_addr >> 32) & 0xFFFFFFFF; |
| x4 = ree_length & 0xFFFFFFFF; |
| SMC_RET4(handle, x1, x2, x3, x4); |
| } else { |
| SMC_RET4(handle, 0, 0, 0, 0); |
| } |
| |
| break; |
| |
| case SMC_ACTION_FROM_NS: |
| if (ns == 0) { |
| SMC_RET1(handle, SMC_UNK); |
| } |
| |
| if (SPD_PNCD_S_IRQ < MIN_PPI_ID) { |
| plat_ic_raise_s_el1_sgi(SPD_PNCD_S_IRQ, |
| pncd_sp_context.mpidr); |
| } else { |
| plat_ic_set_interrupt_pending(SPD_PNCD_S_IRQ); |
| } |
| |
| SMC_RET0(handle); |
| |
| break; |
| |
| case SMC_ACTION_FROM_S: |
| if (ns != 0) { |
| SMC_RET1(handle, SMC_UNK); |
| } |
| |
| if (SPD_PNCD_NS_IRQ < MIN_PPI_ID) { |
| /* |
| * NS SGI is sent to the same core as the one running |
| * PNC |
| */ |
| plat_ic_raise_ns_sgi(SPD_PNCD_NS_IRQ, read_mpidr()); |
| } else { |
| plat_ic_set_interrupt_pending(SPD_PNCD_NS_IRQ); |
| } |
| |
| SMC_RET0(handle); |
| |
| break; |
| |
| case SMC_YIELD: |
| assert(handle == cm_get_context(ns != 0 ? NON_SECURE : SECURE)); |
| handle = pncd_context_switch_to(ns != 0 ? SECURE : NON_SECURE); |
| |
| assert(handle != NULL); |
| |
| SMC_RET0(handle); |
| |
| break; |
| |
| default: |
| INFO("Unknown smc: %x\n", smc_fid); |
| break; |
| } |
| |
| return plat_pncd_smc_handler(smc_fid, x1, x2, x3, x4, |
| cookie, handle, flags); |
| } |
| |
| static uintptr_t pncd_smc_handler(uint32_t smc_fid, |
| u_register_t x1, |
| u_register_t x2, |
| u_register_t x3, |
| u_register_t x4, |
| void *cookie, |
| void *handle, |
| u_register_t flags) |
| { |
| uintptr_t ret; |
| |
| /* SMC handling is serialized */ |
| spin_lock(&smc_handler_lock); |
| ret = pncd_smc_handler_unsafe(smc_fid, x1, x2, x3, x4, cookie, handle, |
| flags); |
| spin_unlock(&smc_handler_lock); |
| |
| return ret; |
| } |
| |
| /* Define a SPD runtime service descriptor for fast SMC calls */ |
| DECLARE_RT_SVC( |
| pncd_fast, |
| OEN_TOS_START, |
| OEN_TOS_END, |
| SMC_TYPE_FAST, |
| pncd_setup, |
| pncd_smc_handler |
| ); |
| |
| /* Define a SPD runtime service descriptor for standard SMC calls */ |
| DECLARE_RT_SVC( |
| pncd_std, |
| OEN_TOS_START, |
| OEN_TOS_END, |
| SMC_TYPE_YIELD, |
| NULL, |
| pncd_smc_handler |
| ); |