blob: 36f7a51e516889cf02957c7e58fb3899c61f3529 [file] [log] [blame]
johpow019d134022021-06-16 17:57:28 -05001/*
Robert Wakim48e6b572021-10-21 15:39:56 +01002 * Copyright (c) 2022, Arm Limited. All rights reserved.
johpow019d134022021-06-16 17:57:28 -05003 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <assert.h>
8#include <errno.h>
Manish Pandey9174a752021-11-09 20:49:56 +00009#include <inttypes.h>
johpow019d134022021-06-16 17:57:28 -050010#include <limits.h>
11#include <stdint.h>
12
13#include <arch.h>
Olivier Deprezc80d0de2024-01-17 15:12:04 +010014#include <arch_features.h>
johpow019d134022021-06-16 17:57:28 -050015#include <arch_helpers.h>
16#include <common/debug.h>
17#include "gpt_rme_private.h"
18#include <lib/gpt_rme/gpt_rme.h>
19#include <lib/smccc.h>
20#include <lib/spinlock.h>
21#include <lib/xlat_tables/xlat_tables_v2.h>
22
23#if !ENABLE_RME
24#error "ENABLE_RME must be enabled to use the GPT library."
25#endif
26
27/*
28 * Lookup T from PPS
29 *
30 * PPS Size T
31 * 0b000 4GB 32
32 * 0b001 64GB 36
33 * 0b010 1TB 40
34 * 0b011 4TB 42
35 * 0b100 16TB 44
36 * 0b101 256TB 48
37 * 0b110 4PB 52
38 *
39 * See section 15.1.27 of the RME specification.
40 */
41static const gpt_t_val_e gpt_t_lookup[] = {PPS_4GB_T, PPS_64GB_T,
42 PPS_1TB_T, PPS_4TB_T,
43 PPS_16TB_T, PPS_256TB_T,
44 PPS_4PB_T};
45
46/*
47 * Lookup P from PGS
48 *
49 * PGS Size P
50 * 0b00 4KB 12
51 * 0b10 16KB 14
52 * 0b01 64KB 16
53 *
54 * Note that pgs=0b10 is 16KB and pgs=0b01 is 64KB, this is not a typo.
55 *
56 * See section 15.1.27 of the RME specification.
57 */
58static const gpt_p_val_e gpt_p_lookup[] = {PGS_4KB_P, PGS_64KB_P, PGS_16KB_P};
59
60/*
61 * This structure contains GPT configuration data.
62 */
63typedef struct {
64 uintptr_t plat_gpt_l0_base;
65 gpccr_pps_e pps;
66 gpt_t_val_e t;
67 gpccr_pgs_e pgs;
68 gpt_p_val_e p;
69} gpt_config_t;
70
71static gpt_config_t gpt_config;
72
73/* These variables are used during initialization of the L1 tables. */
74static unsigned int gpt_next_l1_tbl_idx;
75static uintptr_t gpt_l1_tbl;
76
77/*
78 * This function checks to see if a GPI value is valid.
79 *
80 * These are valid GPI values.
81 * GPT_GPI_NO_ACCESS U(0x0)
82 * GPT_GPI_SECURE U(0x8)
83 * GPT_GPI_NS U(0x9)
84 * GPT_GPI_ROOT U(0xA)
85 * GPT_GPI_REALM U(0xB)
86 * GPT_GPI_ANY U(0xF)
87 *
88 * Parameters
89 * gpi GPI to check for validity.
90 *
91 * Return
92 * true for a valid GPI, false for an invalid one.
93 */
94static bool gpt_is_gpi_valid(unsigned int gpi)
95{
96 if ((gpi == GPT_GPI_NO_ACCESS) || (gpi == GPT_GPI_ANY) ||
97 ((gpi >= GPT_GPI_SECURE) && (gpi <= GPT_GPI_REALM))) {
98 return true;
johpow019d134022021-06-16 17:57:28 -050099 }
Robert Wakim48e6b572021-10-21 15:39:56 +0100100 return false;
johpow019d134022021-06-16 17:57:28 -0500101}
102
103/*
104 * This function checks to see if two PAS regions overlap.
105 *
106 * Parameters
107 * base_1: base address of first PAS
108 * size_1: size of first PAS
109 * base_2: base address of second PAS
110 * size_2: size of second PAS
111 *
112 * Return
113 * True if PAS regions overlap, false if they do not.
114 */
115static bool gpt_check_pas_overlap(uintptr_t base_1, size_t size_1,
116 uintptr_t base_2, size_t size_2)
117{
118 if (((base_1 + size_1) > base_2) && ((base_2 + size_2) > base_1)) {
119 return true;
johpow019d134022021-06-16 17:57:28 -0500120 }
Robert Wakim48e6b572021-10-21 15:39:56 +0100121 return false;
johpow019d134022021-06-16 17:57:28 -0500122}
123
124/*
125 * This helper function checks to see if a PAS region from index 0 to
126 * (pas_idx - 1) occupies the L0 region at index l0_idx in the L0 table.
127 *
128 * Parameters
129 * l0_idx: Index of the L0 entry to check
130 * pas_regions: PAS region array
131 * pas_idx: Upper bound of the PAS array index.
132 *
133 * Return
134 * True if a PAS region occupies the L0 region in question, false if not.
135 */
136static bool gpt_does_previous_pas_exist_here(unsigned int l0_idx,
137 pas_region_t *pas_regions,
138 unsigned int pas_idx)
139{
140 /* Iterate over PAS regions up to pas_idx. */
141 for (unsigned int i = 0U; i < pas_idx; i++) {
142 if (gpt_check_pas_overlap((GPT_L0GPTSZ_ACTUAL_SIZE * l0_idx),
143 GPT_L0GPTSZ_ACTUAL_SIZE,
144 pas_regions[i].base_pa, pas_regions[i].size)) {
145 return true;
146 }
147 }
148 return false;
149}
150
151/*
152 * This function iterates over all of the PAS regions and checks them to ensure
153 * proper alignment of base and size, that the GPI is valid, and that no regions
154 * overlap. As a part of the overlap checks, this function checks existing L0
155 * mappings against the new PAS regions in the event that gpt_init_pas_l1_tables
156 * is called multiple times to place L1 tables in different areas of memory. It
157 * also counts the number of L1 tables needed and returns it on success.
158 *
159 * Parameters
160 * *pas_regions Pointer to array of PAS region structures.
161 * pas_region_cnt Total number of PAS regions in the array.
162 *
163 * Return
164 * Negative Linux error code in the event of a failure, number of L1 regions
165 * required when successful.
166 */
167static int gpt_validate_pas_mappings(pas_region_t *pas_regions,
168 unsigned int pas_region_cnt)
169{
170 unsigned int idx;
171 unsigned int l1_cnt = 0U;
172 unsigned int pas_l1_cnt;
173 uint64_t *l0_desc = (uint64_t *)gpt_config.plat_gpt_l0_base;
174
175 assert(pas_regions != NULL);
176 assert(pas_region_cnt != 0U);
177
178 for (idx = 0U; idx < pas_region_cnt; idx++) {
179 /* Check for arithmetic overflow in region. */
180 if ((ULONG_MAX - pas_regions[idx].base_pa) <
181 pas_regions[idx].size) {
182 ERROR("[GPT] Address overflow in PAS[%u]!\n", idx);
183 return -EOVERFLOW;
184 }
185
186 /* Initial checks for PAS validity. */
187 if (((pas_regions[idx].base_pa + pas_regions[idx].size) >
188 GPT_PPS_ACTUAL_SIZE(gpt_config.t)) ||
189 !gpt_is_gpi_valid(GPT_PAS_ATTR_GPI(pas_regions[idx].attrs))) {
190 ERROR("[GPT] PAS[%u] is invalid!\n", idx);
191 return -EFAULT;
192 }
193
194 /*
195 * Make sure this PAS does not overlap with another one. We
196 * start from idx + 1 instead of 0 since prior PAS mappings will
197 * have already checked themselves against this one.
198 */
199 for (unsigned int i = idx + 1; i < pas_region_cnt; i++) {
200 if (gpt_check_pas_overlap(pas_regions[idx].base_pa,
201 pas_regions[idx].size,
202 pas_regions[i].base_pa,
203 pas_regions[i].size)) {
204 ERROR("[GPT] PAS[%u] overlaps with PAS[%u]\n",
205 i, idx);
206 return -EFAULT;
207 }
208 }
209
210 /*
211 * Since this function can be called multiple times with
212 * separate L1 tables we need to check the existing L0 mapping
213 * to see if this PAS would fall into one that has already been
214 * initialized.
215 */
216 for (unsigned int i = GPT_L0_IDX(pas_regions[idx].base_pa);
217 i <= GPT_L0_IDX(pas_regions[idx].base_pa + pas_regions[idx].size - 1);
218 i++) {
219 if ((GPT_L0_TYPE(l0_desc[i]) == GPT_L0_TYPE_BLK_DESC) &&
220 (GPT_L0_BLKD_GPI(l0_desc[i]) == GPT_GPI_ANY)) {
221 /* This descriptor is unused so continue. */
222 continue;
223 }
224
225 /*
226 * This descriptor has been initialized in a previous
227 * call to this function so cannot be initialized again.
228 */
229 ERROR("[GPT] PAS[%u] overlaps with previous L0[%d]!\n",
230 idx, i);
231 return -EFAULT;
232 }
233
234 /* Check for block mapping (L0) type. */
235 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
236 GPT_PAS_ATTR_MAP_TYPE_BLOCK) {
237 /* Make sure base and size are block-aligned. */
238 if (!GPT_IS_L0_ALIGNED(pas_regions[idx].base_pa) ||
239 !GPT_IS_L0_ALIGNED(pas_regions[idx].size)) {
240 ERROR("[GPT] PAS[%u] is not block-aligned!\n",
241 idx);
242 return -EFAULT;
243 }
244
245 continue;
246 }
247
248 /* Check for granule mapping (L1) type. */
249 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
250 GPT_PAS_ATTR_MAP_TYPE_GRANULE) {
251 /* Make sure base and size are granule-aligned. */
252 if (!GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].base_pa) ||
253 !GPT_IS_L1_ALIGNED(gpt_config.p, pas_regions[idx].size)) {
254 ERROR("[GPT] PAS[%u] is not granule-aligned!\n",
255 idx);
256 return -EFAULT;
257 }
258
259 /* Find how many L1 tables this PAS occupies. */
260 pas_l1_cnt = (GPT_L0_IDX(pas_regions[idx].base_pa +
261 pas_regions[idx].size - 1) -
262 GPT_L0_IDX(pas_regions[idx].base_pa) + 1);
263
264 /*
265 * This creates a situation where, if multiple PAS
266 * regions occupy the same table descriptor, we can get
267 * an artificially high total L1 table count. The way we
268 * handle this is by checking each PAS against those
269 * before it in the array, and if they both occupy the
270 * same PAS we subtract from pas_l1_cnt and only the
271 * first PAS in the array gets to count it.
272 */
273
274 /*
275 * If L1 count is greater than 1 we know the start and
276 * end PAs are in different L0 regions so we must check
277 * both for overlap against other PAS.
278 */
279 if (pas_l1_cnt > 1) {
280 if (gpt_does_previous_pas_exist_here(
281 GPT_L0_IDX(pas_regions[idx].base_pa +
282 pas_regions[idx].size - 1),
283 pas_regions, idx)) {
284 pas_l1_cnt = pas_l1_cnt - 1;
285 }
286 }
287
288 if (gpt_does_previous_pas_exist_here(
289 GPT_L0_IDX(pas_regions[idx].base_pa),
290 pas_regions, idx)) {
291 pas_l1_cnt = pas_l1_cnt - 1;
292 }
293
294 l1_cnt += pas_l1_cnt;
295 continue;
296 }
297
298 /* If execution reaches this point, mapping type is invalid. */
299 ERROR("[GPT] PAS[%u] has invalid mapping type 0x%x.\n", idx,
300 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs));
301 return -EINVAL;
302 }
303
304 return l1_cnt;
305}
306
307/*
308 * This function validates L0 initialization parameters.
309 *
310 * Parameters
311 * l0_mem_base Base address of memory used for L0 tables.
312 * l1_mem_size Size of memory available for L0 tables.
313 *
314 * Return
315 * Negative Linux error code in the event of a failure, 0 for success.
316 */
317static int gpt_validate_l0_params(gpccr_pps_e pps, uintptr_t l0_mem_base,
318 size_t l0_mem_size)
319{
320 size_t l0_alignment;
321
322 /*
323 * Make sure PPS is valid and then store it since macros need this value
324 * to work.
325 */
326 if (pps > GPT_PPS_MAX) {
327 ERROR("[GPT] Invalid PPS: 0x%x\n", pps);
328 return -EINVAL;
329 }
330 gpt_config.pps = pps;
331 gpt_config.t = gpt_t_lookup[pps];
332
333 /* Alignment must be the greater of 4k or l0 table size. */
334 l0_alignment = PAGE_SIZE_4KB;
335 if (l0_alignment < GPT_L0_TABLE_SIZE(gpt_config.t)) {
336 l0_alignment = GPT_L0_TABLE_SIZE(gpt_config.t);
337 }
338
339 /* Check base address. */
340 if ((l0_mem_base == 0U) || ((l0_mem_base & (l0_alignment - 1)) != 0U)) {
341 ERROR("[GPT] Invalid L0 base address: 0x%lx\n", l0_mem_base);
342 return -EFAULT;
343 }
344
345 /* Check size. */
346 if (l0_mem_size < GPT_L0_TABLE_SIZE(gpt_config.t)) {
347 ERROR("[GPT] Inadequate L0 memory: need 0x%lx, have 0x%lx)\n",
348 GPT_L0_TABLE_SIZE(gpt_config.t),
349 l0_mem_size);
350 return -ENOMEM;
351 }
352
353 return 0;
354}
355
356/*
357 * In the event that L1 tables are needed, this function validates
358 * the L1 table generation parameters.
359 *
360 * Parameters
361 * l1_mem_base Base address of memory used for L1 table allocation.
362 * l1_mem_size Total size of memory available for L1 tables.
363 * l1_gpt_cnt Number of L1 tables needed.
364 *
365 * Return
366 * Negative Linux error code in the event of a failure, 0 for success.
367 */
368static int gpt_validate_l1_params(uintptr_t l1_mem_base, size_t l1_mem_size,
369 unsigned int l1_gpt_cnt)
370{
371 size_t l1_gpt_mem_sz;
372
373 /* Check if the granularity is supported */
374 if (!xlat_arch_is_granule_size_supported(
375 GPT_PGS_ACTUAL_SIZE(gpt_config.p))) {
376 return -EPERM;
377 }
378
379 /* Make sure L1 tables are aligned to their size. */
380 if ((l1_mem_base & (GPT_L1_TABLE_SIZE(gpt_config.p) - 1)) != 0U) {
381 ERROR("[GPT] Unaligned L1 GPT base address: 0x%lx\n",
382 l1_mem_base);
383 return -EFAULT;
384 }
385
386 /* Get total memory needed for L1 tables. */
387 l1_gpt_mem_sz = l1_gpt_cnt * GPT_L1_TABLE_SIZE(gpt_config.p);
388
389 /* Check for overflow. */
390 if ((l1_gpt_mem_sz / GPT_L1_TABLE_SIZE(gpt_config.p)) != l1_gpt_cnt) {
391 ERROR("[GPT] Overflow calculating L1 memory size.\n");
392 return -ENOMEM;
393 }
394
395 /* Make sure enough space was supplied. */
396 if (l1_mem_size < l1_gpt_mem_sz) {
397 ERROR("[GPT] Inadequate memory for L1 GPTs. ");
398 ERROR(" Expected 0x%lx bytes. Got 0x%lx bytes\n",
399 l1_gpt_mem_sz, l1_mem_size);
400 return -ENOMEM;
401 }
402
403 VERBOSE("[GPT] Requested 0x%lx bytes for L1 GPTs.\n", l1_gpt_mem_sz);
404 return 0;
405}
406
407/*
408 * This function initializes L0 block descriptors (regions that cannot be
409 * transitioned at the granule level) according to the provided PAS.
410 *
411 * Parameters
412 * *pas Pointer to the structure defining the PAS region to
413 * initialize.
414 */
415static void gpt_generate_l0_blk_desc(pas_region_t *pas)
416{
417 uint64_t gpt_desc;
418 unsigned int end_idx;
419 unsigned int idx;
420 uint64_t *l0_gpt_arr;
421
422 assert(gpt_config.plat_gpt_l0_base != 0U);
423 assert(pas != NULL);
424
425 /*
426 * Checking of PAS parameters has already been done in
427 * gpt_validate_pas_mappings so no need to check the same things again.
428 */
429
430 l0_gpt_arr = (uint64_t *)gpt_config.plat_gpt_l0_base;
431
432 /* Create the GPT Block descriptor for this PAS region */
433 gpt_desc = GPT_L0_BLK_DESC(GPT_PAS_ATTR_GPI(pas->attrs));
434
435 /* Start index of this region in L0 GPTs */
Robert Wakim48e6b572021-10-21 15:39:56 +0100436 idx = GPT_L0_IDX(pas->base_pa);
johpow019d134022021-06-16 17:57:28 -0500437
438 /*
439 * Determine number of L0 GPT descriptors covered by
440 * this PAS region and use the count to populate these
441 * descriptors.
442 */
Robert Wakim48e6b572021-10-21 15:39:56 +0100443 end_idx = GPT_L0_IDX(pas->base_pa + pas->size);
johpow019d134022021-06-16 17:57:28 -0500444
445 /* Generate the needed block descriptors. */
446 for (; idx < end_idx; idx++) {
447 l0_gpt_arr[idx] = gpt_desc;
Manish Pandey9174a752021-11-09 20:49:56 +0000448 VERBOSE("[GPT] L0 entry (BLOCK) index %u [%p]: GPI = 0x%" PRIx64 " (0x%" PRIx64 ")\n",
johpow019d134022021-06-16 17:57:28 -0500449 idx, &l0_gpt_arr[idx],
450 (gpt_desc >> GPT_L0_BLK_DESC_GPI_SHIFT) &
451 GPT_L0_BLK_DESC_GPI_MASK, l0_gpt_arr[idx]);
452 }
453}
454
455/*
456 * Helper function to determine if the end physical address lies in the same L0
457 * region as the current physical address. If true, the end physical address is
458 * returned else, the start address of the next region is returned.
459 *
460 * Parameters
461 * cur_pa Physical address of the current PA in the loop through
462 * the range.
463 * end_pa Physical address of the end PA in a PAS range.
464 *
465 * Return
466 * The PA of the end of the current range.
467 */
468static uintptr_t gpt_get_l1_end_pa(uintptr_t cur_pa, uintptr_t end_pa)
469{
470 uintptr_t cur_idx;
471 uintptr_t end_idx;
472
Robert Wakim48e6b572021-10-21 15:39:56 +0100473 cur_idx = GPT_L0_IDX(cur_pa);
474 end_idx = GPT_L0_IDX(end_pa);
johpow019d134022021-06-16 17:57:28 -0500475
476 assert(cur_idx <= end_idx);
477
478 if (cur_idx == end_idx) {
479 return end_pa;
480 }
481
482 return (cur_idx + 1U) << GPT_L0_IDX_SHIFT;
483}
484
485/*
486 * Helper function to fill out GPI entries in a single L1 table. This function
487 * fills out entire L1 descriptors at a time to save memory writes.
488 *
489 * Parameters
490 * gpi GPI to set this range to
491 * l1 Pointer to L1 table to fill out
492 * first Address of first granule in range.
493 * last Address of last granule in range (inclusive).
494 */
495static void gpt_fill_l1_tbl(uint64_t gpi, uint64_t *l1, uintptr_t first,
496 uintptr_t last)
497{
498 uint64_t gpi_field = GPT_BUILD_L1_DESC(gpi);
499 uint64_t gpi_mask = 0xFFFFFFFFFFFFFFFF;
500
501 assert(first <= last);
502 assert((first & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U);
503 assert((last & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) == 0U);
504 assert(GPT_L0_IDX(first) == GPT_L0_IDX(last));
505 assert(l1 != NULL);
506
507 /* Shift the mask if we're starting in the middle of an L1 entry. */
508 gpi_mask = gpi_mask << (GPT_L1_GPI_IDX(gpt_config.p, first) << 2);
509
510 /* Fill out each L1 entry for this region. */
511 for (unsigned int i = GPT_L1_IDX(gpt_config.p, first);
512 i <= GPT_L1_IDX(gpt_config.p, last); i++) {
513 /* Account for stopping in the middle of an L1 entry. */
514 if (i == GPT_L1_IDX(gpt_config.p, last)) {
515 gpi_mask &= (gpi_mask >> ((15 -
516 GPT_L1_GPI_IDX(gpt_config.p, last)) << 2));
517 }
518
519 /* Write GPI values. */
520 assert((l1[i] & gpi_mask) ==
521 (GPT_BUILD_L1_DESC(GPT_GPI_ANY) & gpi_mask));
522 l1[i] = (l1[i] & ~gpi_mask) | (gpi_mask & gpi_field);
523
524 /* Reset mask. */
525 gpi_mask = 0xFFFFFFFFFFFFFFFF;
526 }
527}
528
529/*
530 * This function finds the next available unused L1 table and initializes all
531 * granules descriptor entries to GPI_ANY. This ensures that there are no chunks
532 * of GPI_NO_ACCESS (0b0000) memory floating around in the system in the
533 * event that a PAS region stops midway through an L1 table, thus guaranteeing
534 * that all memory not explicitly assigned is GPI_ANY. This function does not
535 * check for overflow conditions, that should be done by the caller.
536 *
537 * Return
538 * Pointer to the next available L1 table.
539 */
540static uint64_t *gpt_get_new_l1_tbl(void)
541{
542 /* Retrieve the next L1 table. */
543 uint64_t *l1 = (uint64_t *)((uint64_t)(gpt_l1_tbl) +
544 (GPT_L1_TABLE_SIZE(gpt_config.p) *
545 gpt_next_l1_tbl_idx));
546
547 /* Increment L1 counter. */
548 gpt_next_l1_tbl_idx++;
549
550 /* Initialize all GPIs to GPT_GPI_ANY */
551 for (unsigned int i = 0U; i < GPT_L1_ENTRY_COUNT(gpt_config.p); i++) {
552 l1[i] = GPT_BUILD_L1_DESC(GPT_GPI_ANY);
553 }
554
555 return l1;
556}
557
558/*
559 * When L1 tables are needed, this function creates the necessary L0 table
560 * descriptors and fills out the L1 table entries according to the supplied
561 * PAS range.
562 *
563 * Parameters
564 * *pas Pointer to the structure defining the PAS region.
565 */
566static void gpt_generate_l0_tbl_desc(pas_region_t *pas)
567{
568 uintptr_t end_pa;
569 uintptr_t cur_pa;
570 uintptr_t last_gran_pa;
571 uint64_t *l0_gpt_base;
572 uint64_t *l1_gpt_arr;
573 unsigned int l0_idx;
574
575 assert(gpt_config.plat_gpt_l0_base != 0U);
576 assert(pas != NULL);
577
578 /*
579 * Checking of PAS parameters has already been done in
580 * gpt_validate_pas_mappings so no need to check the same things again.
581 */
582
583 end_pa = pas->base_pa + pas->size;
584 l0_gpt_base = (uint64_t *)gpt_config.plat_gpt_l0_base;
585
586 /* We start working from the granule at base PA */
587 cur_pa = pas->base_pa;
588
589 /* Iterate over each L0 region in this memory range. */
590 for (l0_idx = GPT_L0_IDX(pas->base_pa);
591 l0_idx <= GPT_L0_IDX(end_pa - 1U);
592 l0_idx++) {
593
594 /*
595 * See if the L0 entry is already a table descriptor or if we
596 * need to create one.
597 */
598 if (GPT_L0_TYPE(l0_gpt_base[l0_idx]) == GPT_L0_TYPE_TBL_DESC) {
599 /* Get the L1 array from the L0 entry. */
600 l1_gpt_arr = GPT_L0_TBLD_ADDR(l0_gpt_base[l0_idx]);
601 } else {
602 /* Get a new L1 table from the L1 memory space. */
603 l1_gpt_arr = gpt_get_new_l1_tbl();
604
605 /* Fill out the L0 descriptor and flush it. */
606 l0_gpt_base[l0_idx] = GPT_L0_TBL_DESC(l1_gpt_arr);
607 }
608
Manish Pandey9174a752021-11-09 20:49:56 +0000609 VERBOSE("[GPT] L0 entry (TABLE) index %u [%p] ==> L1 Addr 0x%llx (0x%" PRIx64 ")\n",
johpow019d134022021-06-16 17:57:28 -0500610 l0_idx, &l0_gpt_base[l0_idx],
611 (unsigned long long)(l1_gpt_arr),
612 l0_gpt_base[l0_idx]);
613
614 /*
615 * Determine the PA of the last granule in this L0 descriptor.
616 */
617 last_gran_pa = gpt_get_l1_end_pa(cur_pa, end_pa) -
618 GPT_PGS_ACTUAL_SIZE(gpt_config.p);
619
620 /*
621 * Fill up L1 GPT entries between these two addresses. This
622 * function needs the addresses of the first granule and last
623 * granule in the range.
624 */
625 gpt_fill_l1_tbl(GPT_PAS_ATTR_GPI(pas->attrs), l1_gpt_arr,
626 cur_pa, last_gran_pa);
627
628 /* Advance cur_pa to first granule in next L0 region. */
629 cur_pa = gpt_get_l1_end_pa(cur_pa, end_pa);
630 }
631}
632
633/*
634 * This function flushes a range of L0 descriptors used by a given PAS region
635 * array. There is a chance that some unmodified L0 descriptors would be flushed
636 * in the case that there are "holes" in an array of PAS regions but overall
637 * this should be faster than individually flushing each modified L0 descriptor
638 * as they are created.
639 *
640 * Parameters
641 * *pas Pointer to an array of PAS regions.
642 * pas_count Number of entries in the PAS array.
643 */
644static void flush_l0_for_pas_array(pas_region_t *pas, unsigned int pas_count)
645{
646 unsigned int idx;
647 unsigned int start_idx;
648 unsigned int end_idx;
649 uint64_t *l0 = (uint64_t *)gpt_config.plat_gpt_l0_base;
650
651 assert(pas != NULL);
652 assert(pas_count > 0);
653
654 /* Initial start and end values. */
655 start_idx = GPT_L0_IDX(pas[0].base_pa);
656 end_idx = GPT_L0_IDX(pas[0].base_pa + pas[0].size - 1);
657
658 /* Find lowest and highest L0 indices used in this PAS array. */
659 for (idx = 1; idx < pas_count; idx++) {
660 if (GPT_L0_IDX(pas[idx].base_pa) < start_idx) {
661 start_idx = GPT_L0_IDX(pas[idx].base_pa);
662 }
663 if (GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1) > end_idx) {
664 end_idx = GPT_L0_IDX(pas[idx].base_pa + pas[idx].size - 1);
665 }
666 }
667
668 /*
669 * Flush all covered L0 descriptors, add 1 because we need to include
670 * the end index value.
671 */
672 flush_dcache_range((uintptr_t)&l0[start_idx],
673 ((end_idx + 1) - start_idx) * sizeof(uint64_t));
674}
675
676/*
677 * Public API to enable granule protection checks once the tables have all been
678 * initialized. This function is called at first initialization and then again
679 * later during warm boots of CPU cores.
680 *
681 * Return
682 * Negative Linux error code in the event of a failure, 0 for success.
683 */
684int gpt_enable(void)
685{
686 u_register_t gpccr_el3;
687
688 /*
689 * Granule tables must be initialised before enabling
690 * granule protection.
691 */
692 if (gpt_config.plat_gpt_l0_base == 0U) {
693 ERROR("[GPT] Tables have not been initialized!\n");
694 return -EPERM;
695 }
696
johpow019d134022021-06-16 17:57:28 -0500697 /* Write the base address of the L0 tables into GPTBR */
698 write_gptbr_el3(((gpt_config.plat_gpt_l0_base >> GPTBR_BADDR_VAL_SHIFT)
699 >> GPTBR_BADDR_SHIFT) & GPTBR_BADDR_MASK);
700
701 /* GPCCR_EL3.PPS */
702 gpccr_el3 = SET_GPCCR_PPS(gpt_config.pps);
703
704 /* GPCCR_EL3.PGS */
705 gpccr_el3 |= SET_GPCCR_PGS(gpt_config.pgs);
706
Soby Mathew521375d2021-10-11 14:38:46 +0100707 /*
708 * Since EL3 maps the L1 region as Inner shareable, use the same
709 * shareability attribute for GPC as well so that
710 * GPC fetches are visible to PEs
711 */
712 gpccr_el3 |= SET_GPCCR_SH(GPCCR_SH_IS);
johpow019d134022021-06-16 17:57:28 -0500713
714 /* Outer and Inner cacheability set to Normal memory, WB, RA, WA. */
715 gpccr_el3 |= SET_GPCCR_ORGN(GPCCR_ORGN_WB_RA_WA);
716 gpccr_el3 |= SET_GPCCR_IRGN(GPCCR_IRGN_WB_RA_WA);
717
Kathleen Capella221f7ce2022-07-22 16:26:36 -0400718 /* Prepopulate GPCCR_EL3 but don't enable GPC yet */
719 write_gpccr_el3(gpccr_el3);
720 isb();
721
722 /* Invalidate any stale TLB entries and any cached register fields */
723 tlbipaallos();
724 dsb();
725 isb();
726
johpow019d134022021-06-16 17:57:28 -0500727 /* Enable GPT */
728 gpccr_el3 |= GPCCR_GPC_BIT;
729
730 /* TODO: Configure GPCCR_EL3_GPCP for Fault control. */
731 write_gpccr_el3(gpccr_el3);
Soby Mathew521375d2021-10-11 14:38:46 +0100732 isb();
johpow019d134022021-06-16 17:57:28 -0500733 tlbipaallos();
734 dsb();
735 isb();
736
737 return 0;
738}
739
740/*
741 * Public API to disable granule protection checks.
742 */
743void gpt_disable(void)
744{
745 u_register_t gpccr_el3 = read_gpccr_el3();
746
747 write_gpccr_el3(gpccr_el3 & ~GPCCR_GPC_BIT);
748 dsbsy();
749 isb();
750}
751
752/*
753 * Public API that initializes the entire protected space to GPT_GPI_ANY using
754 * the L0 tables (block descriptors). Ideally, this function is invoked prior
755 * to DDR discovery and initialization. The MMU must be initialized before
756 * calling this function.
757 *
758 * Parameters
759 * pps PPS value to use for table generation
760 * l0_mem_base Base address of L0 tables in memory.
761 * l0_mem_size Total size of memory available for L0 tables.
762 *
763 * Return
764 * Negative Linux error code in the event of a failure, 0 for success.
765 */
AlexeiFedorov86ffd7b2022-12-09 11:27:14 +0000766int gpt_init_l0_tables(gpccr_pps_e pps, uintptr_t l0_mem_base,
johpow019d134022021-06-16 17:57:28 -0500767 size_t l0_mem_size)
768{
769 int ret;
770 uint64_t gpt_desc;
771
Soby Mathew521375d2021-10-11 14:38:46 +0100772 /* Ensure that MMU and Data caches are enabled. */
johpow019d134022021-06-16 17:57:28 -0500773 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
774
775 /* Validate other parameters. */
776 ret = gpt_validate_l0_params(pps, l0_mem_base, l0_mem_size);
Robert Wakim48e6b572021-10-21 15:39:56 +0100777 if (ret != 0) {
johpow019d134022021-06-16 17:57:28 -0500778 return ret;
779 }
780
781 /* Create the descriptor to initialize L0 entries with. */
782 gpt_desc = GPT_L0_BLK_DESC(GPT_GPI_ANY);
783
784 /* Iterate through all L0 entries */
785 for (unsigned int i = 0U; i < GPT_L0_REGION_COUNT(gpt_config.t); i++) {
786 ((uint64_t *)l0_mem_base)[i] = gpt_desc;
787 }
788
789 /* Flush updated L0 tables to memory. */
790 flush_dcache_range((uintptr_t)l0_mem_base,
791 (size_t)GPT_L0_TABLE_SIZE(gpt_config.t));
792
793 /* Stash the L0 base address once initial setup is complete. */
794 gpt_config.plat_gpt_l0_base = l0_mem_base;
795
796 return 0;
797}
798
799/*
800 * Public API that carves out PAS regions from the L0 tables and builds any L1
801 * tables that are needed. This function ideally is run after DDR discovery and
802 * initialization. The L0 tables must have already been initialized to GPI_ANY
803 * when this function is called.
804 *
805 * This function can be called multiple times with different L1 memory ranges
806 * and PAS regions if it is desirable to place L1 tables in different locations
807 * in memory. (ex: you have multiple DDR banks and want to place the L1 tables
808 * in the DDR bank that they control)
809 *
810 * Parameters
811 * pgs PGS value to use for table generation.
812 * l1_mem_base Base address of memory used for L1 tables.
813 * l1_mem_size Total size of memory available for L1 tables.
814 * *pas_regions Pointer to PAS regions structure array.
815 * pas_count Total number of PAS regions.
816 *
817 * Return
818 * Negative Linux error code in the event of a failure, 0 for success.
819 */
820int gpt_init_pas_l1_tables(gpccr_pgs_e pgs, uintptr_t l1_mem_base,
821 size_t l1_mem_size, pas_region_t *pas_regions,
822 unsigned int pas_count)
823{
824 int ret;
825 int l1_gpt_cnt;
826
Soby Mathew521375d2021-10-11 14:38:46 +0100827 /* Ensure that MMU and Data caches are enabled. */
johpow019d134022021-06-16 17:57:28 -0500828 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
829
830 /* PGS is needed for gpt_validate_pas_mappings so check it now. */
831 if (pgs > GPT_PGS_MAX) {
832 ERROR("[GPT] Invalid PGS: 0x%x\n", pgs);
833 return -EINVAL;
834 }
835 gpt_config.pgs = pgs;
836 gpt_config.p = gpt_p_lookup[pgs];
837
838 /* Make sure L0 tables have been initialized. */
839 if (gpt_config.plat_gpt_l0_base == 0U) {
840 ERROR("[GPT] L0 tables must be initialized first!\n");
841 return -EPERM;
842 }
843
844 /* Check if L1 GPTs are required and how many. */
845 l1_gpt_cnt = gpt_validate_pas_mappings(pas_regions, pas_count);
846 if (l1_gpt_cnt < 0) {
847 return l1_gpt_cnt;
848 }
849
850 VERBOSE("[GPT] %u L1 GPTs requested.\n", l1_gpt_cnt);
851
852 /* If L1 tables are needed then validate the L1 parameters. */
853 if (l1_gpt_cnt > 0) {
854 ret = gpt_validate_l1_params(l1_mem_base, l1_mem_size,
855 l1_gpt_cnt);
Robert Wakim48e6b572021-10-21 15:39:56 +0100856 if (ret != 0) {
johpow019d134022021-06-16 17:57:28 -0500857 return ret;
858 }
859
860 /* Set up parameters for L1 table generation. */
861 gpt_l1_tbl = l1_mem_base;
862 gpt_next_l1_tbl_idx = 0U;
863 }
864
865 INFO("[GPT] Boot Configuration\n");
866 INFO(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t);
867 INFO(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p);
868 INFO(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL);
869 INFO(" PAS count: 0x%x\n", pas_count);
870 INFO(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base);
871
872 /* Generate the tables in memory. */
873 for (unsigned int idx = 0U; idx < pas_count; idx++) {
874 INFO("[GPT] PAS[%u]: base 0x%lx, size 0x%lx, GPI 0x%x, type 0x%x\n",
875 idx, pas_regions[idx].base_pa, pas_regions[idx].size,
876 GPT_PAS_ATTR_GPI(pas_regions[idx].attrs),
877 GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs));
878
879 /* Check if a block or table descriptor is required */
880 if (GPT_PAS_ATTR_MAP_TYPE(pas_regions[idx].attrs) ==
881 GPT_PAS_ATTR_MAP_TYPE_BLOCK) {
882 gpt_generate_l0_blk_desc(&pas_regions[idx]);
883
884 } else {
885 gpt_generate_l0_tbl_desc(&pas_regions[idx]);
886 }
887 }
888
889 /* Flush modified L0 tables. */
890 flush_l0_for_pas_array(pas_regions, pas_count);
891
892 /* Flush L1 tables if needed. */
893 if (l1_gpt_cnt > 0) {
894 flush_dcache_range(l1_mem_base,
895 GPT_L1_TABLE_SIZE(gpt_config.p) *
896 l1_gpt_cnt);
897 }
898
899 /* Make sure that all the entries are written to the memory. */
900 dsbishst();
Soby Mathew521375d2021-10-11 14:38:46 +0100901 tlbipaallos();
902 dsb();
903 isb();
johpow019d134022021-06-16 17:57:28 -0500904
905 return 0;
906}
907
908/*
909 * Public API to initialize the runtime gpt_config structure based on the values
910 * present in the GPTBR_EL3 and GPCCR_EL3 registers. GPT initialization
911 * typically happens in a bootloader stage prior to setting up the EL3 runtime
912 * environment for the granule transition service so this function detects the
913 * initialization from a previous stage. Granule protection checks must be
914 * enabled already or this function will return an error.
915 *
916 * Return
917 * Negative Linux error code in the event of a failure, 0 for success.
918 */
919int gpt_runtime_init(void)
920{
921 u_register_t reg;
922
Soby Mathew521375d2021-10-11 14:38:46 +0100923 /* Ensure that MMU and Data caches are enabled. */
johpow019d134022021-06-16 17:57:28 -0500924 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0U);
925
926 /* Ensure GPC are already enabled. */
927 if ((read_gpccr_el3() & GPCCR_GPC_BIT) == 0U) {
928 ERROR("[GPT] Granule protection checks are not enabled!\n");
929 return -EPERM;
930 }
931
932 /*
933 * Read the L0 table address from GPTBR, we don't need the L1 base
934 * address since those are included in the L0 tables as needed.
935 */
936 reg = read_gptbr_el3();
937 gpt_config.plat_gpt_l0_base = ((reg >> GPTBR_BADDR_SHIFT) &
938 GPTBR_BADDR_MASK) <<
939 GPTBR_BADDR_VAL_SHIFT;
940
941 /* Read GPCCR to get PGS and PPS values. */
942 reg = read_gpccr_el3();
943 gpt_config.pps = (reg >> GPCCR_PPS_SHIFT) & GPCCR_PPS_MASK;
944 gpt_config.t = gpt_t_lookup[gpt_config.pps];
945 gpt_config.pgs = (reg >> GPCCR_PGS_SHIFT) & GPCCR_PGS_MASK;
946 gpt_config.p = gpt_p_lookup[gpt_config.pgs];
947
948 VERBOSE("[GPT] Runtime Configuration\n");
949 VERBOSE(" PPS/T: 0x%x/%u\n", gpt_config.pps, gpt_config.t);
950 VERBOSE(" PGS/P: 0x%x/%u\n", gpt_config.pgs, gpt_config.p);
951 VERBOSE(" L0GPTSZ/S: 0x%x/%u\n", GPT_L0GPTSZ, GPT_S_VAL);
952 VERBOSE(" L0 base: 0x%lx\n", gpt_config.plat_gpt_l0_base);
953
954 return 0;
955}
956
957/*
958 * The L1 descriptors are protected by a spinlock to ensure that multiple
959 * CPUs do not attempt to change the descriptors at once. In the future it
960 * would be better to have separate spinlocks for each L1 descriptor.
961 */
962static spinlock_t gpt_lock;
963
964/*
Robert Wakim48e6b572021-10-21 15:39:56 +0100965 * A helper to write the value (target_pas << gpi_shift) to the index of
966 * the gpt_l1_addr
967 */
968static inline void write_gpt(uint64_t *gpt_l1_desc, uint64_t *gpt_l1_addr,
969 unsigned int gpi_shift, unsigned int idx,
970 unsigned int target_pas)
971{
972 *gpt_l1_desc &= ~(GPT_L1_GRAN_DESC_GPI_MASK << gpi_shift);
973 *gpt_l1_desc |= ((uint64_t)target_pas << gpi_shift);
974 gpt_l1_addr[idx] = *gpt_l1_desc;
975}
976
977/*
978 * Helper to retrieve the gpt_l1_* information from the base address
979 * returned in gpi_info
980 */
981static int get_gpi_params(uint64_t base, gpi_info_t *gpi_info)
982{
983 uint64_t gpt_l0_desc, *gpt_l0_base;
984
985 gpt_l0_base = (uint64_t *)gpt_config.plat_gpt_l0_base;
986 gpt_l0_desc = gpt_l0_base[GPT_L0_IDX(base)];
987 if (GPT_L0_TYPE(gpt_l0_desc) != GPT_L0_TYPE_TBL_DESC) {
988 VERBOSE("[GPT] Granule is not covered by a table descriptor!\n");
989 VERBOSE(" Base=0x%" PRIx64 "\n", base);
990 return -EINVAL;
991 }
992
993 /* Get the table index and GPI shift from PA. */
994 gpi_info->gpt_l1_addr = GPT_L0_TBLD_ADDR(gpt_l0_desc);
995 gpi_info->idx = GPT_L1_IDX(gpt_config.p, base);
996 gpi_info->gpi_shift = GPT_L1_GPI_IDX(gpt_config.p, base) << 2;
997
998 gpi_info->gpt_l1_desc = (gpi_info->gpt_l1_addr)[gpi_info->idx];
999 gpi_info->gpi = (gpi_info->gpt_l1_desc >> gpi_info->gpi_shift) &
1000 GPT_L1_GRAN_DESC_GPI_MASK;
1001 return 0;
1002}
1003
1004/*
1005 * This function is the granule transition delegate service. When a granule
1006 * transition request occurs it is routed to this function to have the request,
1007 * if valid, fulfilled following A1.1.1 Delegate of RME supplement
johpow019d134022021-06-16 17:57:28 -05001008 *
Robert Wakim48e6b572021-10-21 15:39:56 +01001009 * TODO: implement support for transitioning multiple granules at once.
johpow019d134022021-06-16 17:57:28 -05001010 *
1011 * Parameters
Robert Wakim48e6b572021-10-21 15:39:56 +01001012 * base Base address of the region to transition, must be
1013 * aligned to granule size.
1014 * size Size of region to transition, must be aligned to granule
1015 * size.
johpow019d134022021-06-16 17:57:28 -05001016 * src_sec_state Security state of the caller.
johpow019d134022021-06-16 17:57:28 -05001017 *
1018 * Return
1019 * Negative Linux error code in the event of a failure, 0 for success.
1020 */
Robert Wakim48e6b572021-10-21 15:39:56 +01001021int gpt_delegate_pas(uint64_t base, size_t size, unsigned int src_sec_state)
johpow019d134022021-06-16 17:57:28 -05001022{
Robert Wakim48e6b572021-10-21 15:39:56 +01001023 gpi_info_t gpi_info;
1024 uint64_t nse;
1025 int res;
1026 unsigned int target_pas;
1027
1028 /* Ensure that the tables have been set up before taking requests. */
1029 assert(gpt_config.plat_gpt_l0_base != 0UL);
johpow019d134022021-06-16 17:57:28 -05001030
Robert Wakim48e6b572021-10-21 15:39:56 +01001031 /* Ensure that caches are enabled. */
1032 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL);
1033
1034 /* Delegate request can only come from REALM or SECURE */
1035 assert(src_sec_state == SMC_FROM_REALM ||
1036 src_sec_state == SMC_FROM_SECURE);
1037
1038 /* See if this is a single or a range of granule transition. */
1039 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) {
johpow019d134022021-06-16 17:57:28 -05001040 return -EINVAL;
1041 }
1042
Robert Wakim48e6b572021-10-21 15:39:56 +01001043 /* Check that base and size are valid */
1044 if ((ULONG_MAX - base) < size) {
1045 VERBOSE("[GPT] Transition request address overflow!\n");
1046 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1047 VERBOSE(" Size=0x%lx\n", size);
johpow019d134022021-06-16 17:57:28 -05001048 return -EINVAL;
1049 }
1050
Robert Wakim48e6b572021-10-21 15:39:56 +01001051 /* Make sure base and size are valid. */
1052 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1053 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1054 (size == 0UL) ||
1055 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) {
1056 VERBOSE("[GPT] Invalid granule transition address range!\n");
1057 VERBOSE(" Base=0x%" PRIx64 "\n", base);
1058 VERBOSE(" Size=0x%lx\n", size);
johpow019d134022021-06-16 17:57:28 -05001059 return -EINVAL;
1060 }
Robert Wakim48e6b572021-10-21 15:39:56 +01001061
1062 target_pas = GPT_GPI_REALM;
1063 if (src_sec_state == SMC_FROM_SECURE) {
1064 target_pas = GPT_GPI_SECURE;
1065 }
1066
1067 /*
1068 * Access to L1 tables is controlled by a global lock to ensure
1069 * that no more than one CPU is allowed to make changes at any
1070 * given time.
1071 */
1072 spin_lock(&gpt_lock);
1073 res = get_gpi_params(base, &gpi_info);
1074 if (res != 0) {
1075 spin_unlock(&gpt_lock);
1076 return res;
1077 }
1078
1079 /* Check that the current address is in NS state */
1080 if (gpi_info.gpi != GPT_GPI_NS) {
1081 VERBOSE("[GPT] Only Granule in NS state can be delegated.\n");
1082 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state,
1083 gpi_info.gpi);
1084 spin_unlock(&gpt_lock);
Javier Almansa Sobrinof809b162022-07-04 17:06:36 +01001085 return -EPERM;
johpow019d134022021-06-16 17:57:28 -05001086 }
1087
Robert Wakim48e6b572021-10-21 15:39:56 +01001088 if (src_sec_state == SMC_FROM_SECURE) {
1089 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT;
1090 } else {
1091 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT;
1092 }
1093
1094 /*
1095 * In order to maintain mutual distrust between Realm and Secure
1096 * states, remove any data speculatively fetched into the target
1097 * physical address space. Issue DC CIPAPA over address range
1098 */
Olivier Deprezc80d0de2024-01-17 15:12:04 +01001099 if (is_feat_mte2_supported()) {
1100 flush_dcache_to_popa_range_mte2(nse | base,
1101 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1102 } else {
1103 flush_dcache_to_popa_range(nse | base,
1104 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1105 }
Robert Wakim48e6b572021-10-21 15:39:56 +01001106
1107 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1108 gpi_info.gpi_shift, gpi_info.idx, target_pas);
1109 dsboshst();
1110
1111 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1112 dsbosh();
1113
1114 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT;
1115
Olivier Deprezc80d0de2024-01-17 15:12:04 +01001116 if (is_feat_mte2_supported()) {
1117 flush_dcache_to_popa_range_mte2(nse | base,
1118 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1119 } else {
1120 flush_dcache_to_popa_range(nse | base,
1121 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1122 }
Robert Wakim48e6b572021-10-21 15:39:56 +01001123
1124 /* Unlock access to the L1 tables. */
1125 spin_unlock(&gpt_lock);
1126
1127 /*
1128 * The isb() will be done as part of context
1129 * synchronization when returning to lower EL
1130 */
1131 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n",
1132 base, gpi_info.gpi, target_pas);
1133
johpow019d134022021-06-16 17:57:28 -05001134 return 0;
1135}
1136
1137/*
Robert Wakim48e6b572021-10-21 15:39:56 +01001138 * This function is the granule transition undelegate service. When a granule
johpow019d134022021-06-16 17:57:28 -05001139 * transition request occurs it is routed to this function where the request is
1140 * validated then fulfilled if possible.
1141 *
1142 * TODO: implement support for transitioning multiple granules at once.
1143 *
1144 * Parameters
1145 * base Base address of the region to transition, must be
1146 * aligned to granule size.
1147 * size Size of region to transition, must be aligned to granule
1148 * size.
1149 * src_sec_state Security state of the caller.
johpow019d134022021-06-16 17:57:28 -05001150 *
1151 * Return
1152 * Negative Linux error code in the event of a failure, 0 for success.
1153 */
Robert Wakim48e6b572021-10-21 15:39:56 +01001154int gpt_undelegate_pas(uint64_t base, size_t size, unsigned int src_sec_state)
johpow019d134022021-06-16 17:57:28 -05001155{
Robert Wakim48e6b572021-10-21 15:39:56 +01001156 gpi_info_t gpi_info;
1157 uint64_t nse;
1158 int res;
johpow019d134022021-06-16 17:57:28 -05001159
1160 /* Ensure that the tables have been set up before taking requests. */
Robert Wakim48e6b572021-10-21 15:39:56 +01001161 assert(gpt_config.plat_gpt_l0_base != 0UL);
johpow019d134022021-06-16 17:57:28 -05001162
Robert Wakim48e6b572021-10-21 15:39:56 +01001163 /* Ensure that MMU and caches are enabled. */
1164 assert((read_sctlr_el3() & SCTLR_C_BIT) != 0UL);
1165
1166 /* Delegate request can only come from REALM or SECURE */
1167 assert(src_sec_state == SMC_FROM_REALM ||
1168 src_sec_state == SMC_FROM_SECURE);
Soby Mathew521375d2021-10-11 14:38:46 +01001169
Robert Wakim48e6b572021-10-21 15:39:56 +01001170 /* See if this is a single or a range of granule transition. */
1171 if (size != GPT_PGS_ACTUAL_SIZE(gpt_config.p)) {
1172 return -EINVAL;
1173 }
1174
1175 /* Check that base and size are valid */
johpow019d134022021-06-16 17:57:28 -05001176 if ((ULONG_MAX - base) < size) {
1177 VERBOSE("[GPT] Transition request address overflow!\n");
Manish Pandey9174a752021-11-09 20:49:56 +00001178 VERBOSE(" Base=0x%" PRIx64 "\n", base);
johpow019d134022021-06-16 17:57:28 -05001179 VERBOSE(" Size=0x%lx\n", size);
1180 return -EINVAL;
1181 }
1182
1183 /* Make sure base and size are valid. */
Robert Wakim48e6b572021-10-21 15:39:56 +01001184 if (((base & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1185 ((size & (GPT_PGS_ACTUAL_SIZE(gpt_config.p) - 1)) != 0UL) ||
1186 (size == 0UL) ||
johpow019d134022021-06-16 17:57:28 -05001187 ((base + size) >= GPT_PPS_ACTUAL_SIZE(gpt_config.t))) {
1188 VERBOSE("[GPT] Invalid granule transition address range!\n");
Manish Pandey9174a752021-11-09 20:49:56 +00001189 VERBOSE(" Base=0x%" PRIx64 "\n", base);
johpow019d134022021-06-16 17:57:28 -05001190 VERBOSE(" Size=0x%lx\n", size);
1191 return -EINVAL;
1192 }
1193
johpow019d134022021-06-16 17:57:28 -05001194 /*
1195 * Access to L1 tables is controlled by a global lock to ensure
1196 * that no more than one CPU is allowed to make changes at any
1197 * given time.
1198 */
1199 spin_lock(&gpt_lock);
johpow019d134022021-06-16 17:57:28 -05001200
Robert Wakim48e6b572021-10-21 15:39:56 +01001201 res = get_gpi_params(base, &gpi_info);
1202 if (res != 0) {
johpow019d134022021-06-16 17:57:28 -05001203 spin_unlock(&gpt_lock);
Robert Wakim48e6b572021-10-21 15:39:56 +01001204 return res;
1205 }
1206
1207 /* Check that the current address is in the delegated state */
1208 if ((src_sec_state == SMC_FROM_REALM &&
1209 gpi_info.gpi != GPT_GPI_REALM) ||
1210 (src_sec_state == SMC_FROM_SECURE &&
1211 gpi_info.gpi != GPT_GPI_SECURE)) {
1212 VERBOSE("[GPT] Only Granule in REALM or SECURE state can be undelegated.\n");
1213 VERBOSE(" Caller: %u, Current GPI: %u\n", src_sec_state,
1214 gpi_info.gpi);
1215 spin_unlock(&gpt_lock);
Javier Almansa Sobrinof809b162022-07-04 17:06:36 +01001216 return -EPERM;
johpow019d134022021-06-16 17:57:28 -05001217 }
1218
Robert Wakim48e6b572021-10-21 15:39:56 +01001219
1220 /* In order to maintain mutual distrust between Realm and Secure
1221 * states, remove access now, in order to guarantee that writes
1222 * to the currently-accessible physical address space will not
1223 * later become observable.
1224 */
1225 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1226 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NO_ACCESS);
1227 dsboshst();
1228
1229 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1230 dsbosh();
1231
1232 if (src_sec_state == SMC_FROM_SECURE) {
1233 nse = (uint64_t)GPT_NSE_SECURE << GPT_NSE_SHIFT;
1234 } else {
1235 nse = (uint64_t)GPT_NSE_REALM << GPT_NSE_SHIFT;
1236 }
1237
1238 /* Ensure that the scrubbed data has made it past the PoPA */
Olivier Deprezc80d0de2024-01-17 15:12:04 +01001239 if (is_feat_mte2_supported()) {
1240 flush_dcache_to_popa_range_mte2(nse | base,
1241 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1242 } else {
1243 flush_dcache_to_popa_range(nse | base,
1244 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1245 }
Robert Wakim48e6b572021-10-21 15:39:56 +01001246
1247 /*
1248 * Remove any data loaded speculatively
1249 * in NS space from before the scrubbing
1250 */
1251 nse = (uint64_t)GPT_NSE_NS << GPT_NSE_SHIFT;
1252
Olivier Deprezc80d0de2024-01-17 15:12:04 +01001253 if (is_feat_mte2_supported()) {
1254 flush_dcache_to_popa_range_mte2(nse | base,
1255 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1256 } else {
1257 flush_dcache_to_popa_range(nse | base,
1258 GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1259 }
Robert Wakim48e6b572021-10-21 15:39:56 +01001260
johpow019d134022021-06-16 17:57:28 -05001261 /* Clear existing GPI encoding and transition granule. */
Robert Wakim48e6b572021-10-21 15:39:56 +01001262 write_gpt(&gpi_info.gpt_l1_desc, gpi_info.gpt_l1_addr,
1263 gpi_info.gpi_shift, gpi_info.idx, GPT_GPI_NS);
1264 dsboshst();
johpow019d134022021-06-16 17:57:28 -05001265
Robert Wakim48e6b572021-10-21 15:39:56 +01001266 /* Ensure that all agents observe the new NS configuration */
1267 gpt_tlbi_by_pa_ll(base, GPT_PGS_ACTUAL_SIZE(gpt_config.p));
1268 dsbosh();
johpow019d134022021-06-16 17:57:28 -05001269
1270 /* Unlock access to the L1 tables. */
1271 spin_unlock(&gpt_lock);
1272
Soby Mathew521375d2021-10-11 14:38:46 +01001273 /*
1274 * The isb() will be done as part of context
1275 * synchronization when returning to lower EL
1276 */
Robert Wakim48e6b572021-10-21 15:39:56 +01001277 VERBOSE("[GPT] Granule 0x%" PRIx64 ", GPI 0x%x->0x%x\n",
1278 base, gpi_info.gpi, GPT_GPI_NS);
johpow019d134022021-06-16 17:57:28 -05001279
1280 return 0;
1281}