Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 71c9a5e70d3ce826bc6820f60477e418fb4a4da7 / . / bl1 / bl1_fwu.c
blob: f8b414e3f836f6c90ce121945b73de12673c9255 [file] [log] [blame]
Yatharth Kochar71c9a5e2015-10-10 19:06:53 +0100[diff] [blame^]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <assert.h>
32#include <arch_helpers.h>
33#include <auth_mod.h>
34#include <bl1.h>
35#include <bl_common.h>
36#include <context.h>
37#include <context_mgmt.h>
38#include <debug.h>
39#include <errno.h>
40#include <platform.h>
41#include <platform_def.h>
42#include <smcc_helpers.h>
43#include <string.h>
44#include "bl1_private.h"
45
46/*
47 * Function declarations.
48 */
49static int bl1_fwu_image_copy(unsigned int image_id,
50 uintptr_t image_addr,
51 unsigned int block_size,
52 unsigned int image_size,
53 unsigned int flags);
54static int bl1_fwu_image_auth(unsigned int image_id,
55 uintptr_t image_addr,
56 unsigned int image_size,
57 unsigned int flags);
58static int bl1_fwu_image_execute(unsigned int image_id,
59 void **handle,
60 unsigned int flags);
61static register_t bl1_fwu_image_resume(unsigned int image_id,
62 register_t image_param,
63 void **handle,
64 unsigned int flags);
65static int bl1_fwu_sec_image_done(void **handle,
66 unsigned int flags);
67__dead2 static void bl1_fwu_done(void *cookie, void *reserved);
68
69/*
70 * This keeps track of last executed secure image id.
71 */
72static unsigned int sec_exec_image_id = INVALID_IMAGE_ID;
73
74/*******************************************************************************
75 * Top level handler for servicing FWU SMCs.
76 ******************************************************************************/
77register_t bl1_fwu_smc_handler(unsigned int smc_fid,
78 register_t x1,
79 register_t x2,
80 register_t x3,
81 register_t x4,
82 void *cookie,
83 void *handle,
84 unsigned int flags)
85{
86
87 switch (smc_fid) {
88 case FWU_SMC_IMAGE_COPY:
89 SMC_RET1(handle, bl1_fwu_image_copy(x1, x2, x3, x4, flags));
90
91 case FWU_SMC_IMAGE_AUTH:
92 SMC_RET1(handle, bl1_fwu_image_auth(x1, x2, x3, flags));
93
94 case FWU_SMC_IMAGE_EXECUTE:
95 SMC_RET1(handle, bl1_fwu_image_execute(x1, &handle, flags));
96
97 case FWU_SMC_IMAGE_RESUME:
98 SMC_RET1(handle, bl1_fwu_image_resume(x1, x2, &handle, flags));
99
100 case FWU_SMC_SEC_IMAGE_DONE:
101 SMC_RET1(handle, bl1_fwu_sec_image_done(&handle, flags));
102
103 case FWU_SMC_UPDATE_DONE:
104 bl1_fwu_done(cookie, NULL);
105 /* We should never return from bl1_fwu_done() */
106
107 default:
108 assert(0);
109 break;
110 }
111
112 SMC_RET0(handle);
113}
114
115/*******************************************************************************
116 * This function is responsible for copying secure images in AP Secure RAM.
117 ******************************************************************************/
118static int bl1_fwu_image_copy(unsigned int image_id,
119 uintptr_t image_src,
120 unsigned int block_size,
121 unsigned int image_size,
122 unsigned int flags)
123{
124 uintptr_t base_addr;
125 meminfo_t *mem_layout;
126
127 /* Get the image descriptor. */
128 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id);
129
130 /* Check if we are in correct state. */
131 if ((!image_desc) ||
132 ((image_desc->state != IMAGE_STATE_RESET) &&
133 (image_desc->state != IMAGE_STATE_COPYING))) {
134 WARN("BL1-FWU: Copy not allowed due to invalid state\n");
135 return -EPERM;
136 }
137
138 /* Only Normal world is allowed to copy a Secure image. */
139 if ((GET_SEC_STATE(flags) == SECURE) ||
140 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE)) {
141 WARN("BL1-FWU: Copy not allowed for Non-Secure "
142 "image from Secure-world\n");
143 return -EPERM;
144 }
145
146 if ((!image_src) || (!block_size)) {
147 WARN("BL1-FWU: Copy not allowed due to invalid image source"
148 " or block size\n");
149 return -ENOMEM;
150 }
151
152 /* Get the image base address. */
153 base_addr = image_desc->image_info.image_base;
154
155 if (image_desc->state == IMAGE_STATE_COPYING) {
156 /*
157 * If last block is more than expected then
158 * clip the block to the required image size.
159 */
160 if (image_desc->image_info.copied_size + block_size >
161 image_desc->image_info.image_size) {
162 block_size = image_desc->image_info.image_size -
163 image_desc->image_info.copied_size;
164 WARN("BL1-FWU: Copy argument block_size > remaining image size."
165 " Clipping block_size\n");
166 }
167
168 /* Make sure the image src/size is mapped. */
169 if (bl1_plat_mem_check(image_src, block_size, flags)) {
170 WARN("BL1-FWU: Copy arguments source/size not mapped\n");
171 return -ENOMEM;
172 }
173
174 INFO("BL1-FWU: Continuing image copy in blocks\n");
175
176 /* Copy image for given block size. */
177 base_addr += image_desc->image_info.copied_size;
178 image_desc->image_info.copied_size += block_size;
179 memcpy((void *)base_addr, (const void *)image_src, block_size);
180 flush_dcache_range(base_addr, block_size);
181
182 /* Update the state if last block. */
183 if (image_desc->image_info.copied_size ==
184 image_desc->image_info.image_size) {
185 image_desc->state = IMAGE_STATE_COPIED;
186 INFO("BL1-FWU: Image copy in blocks completed\n");
187 }
188 } else {
189 /* This means image is in RESET state and ready to be copied. */
190 INFO("BL1-FWU: Fresh call to copy an image\n");
191
192 if (!image_size) {
193 WARN("BL1-FWU: Copy not allowed due to invalid image size\n");
194 return -ENOMEM;
195 }
196
197 /*
198 * If block size is more than total size then
199 * assume block size as the total image size.
200 */
201 if (block_size > image_size) {
202 block_size = image_size;
203 WARN("BL1-FWU: Copy argument block_size > image size."
204 " Clipping block_size\n");
205 }
206
207 /* Make sure the image src/size is mapped. */
208 if (bl1_plat_mem_check(image_src, block_size, flags)) {
209 WARN("BL1-FWU: Copy arguments source/size not mapped\n");
210 return -ENOMEM;
211 }
212
213 /* Find out how much free trusted ram remains after BL1 load */
214 mem_layout = bl1_plat_sec_mem_layout();
215 if ((image_desc->image_info.image_base < mem_layout->free_base) ||
216 (image_desc->image_info.image_base + image_size >
217 mem_layout->free_base + mem_layout->free_size)) {
218 WARN("BL1-FWU: Memory not available to copy\n");
219 return -ENOMEM;
220 }
221
222 /* Update the image size. */
223 image_desc->image_info.image_size = image_size;
224
225 /* Copy image for given size. */
226 memcpy((void *)base_addr, (const void *)image_src, block_size);
227 flush_dcache_range(base_addr, block_size);
228
229 /* Update the state. */
230 if (block_size == image_size) {
231 image_desc->state = IMAGE_STATE_COPIED;
232 INFO("BL1-FWU: Image is copied successfully\n");
233 } else {
234 image_desc->state = IMAGE_STATE_COPYING;
235 INFO("BL1-FWU: Started image copy in blocks\n");
236 }
237
238 image_desc->image_info.copied_size = block_size;
239 }
240
241 return 0;
242}
243
244/*******************************************************************************
245 * This function is responsible for authenticating Normal/Secure images.
246 ******************************************************************************/
247static int bl1_fwu_image_auth(unsigned int image_id,
248 uintptr_t image_src,
249 unsigned int image_size,
250 unsigned int flags)
251{
252 int result;
253 uintptr_t base_addr;
254 unsigned int total_size;
255
256 /* Get the image descriptor. */
257 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id);
258 if (!image_desc)
259 return -EPERM;
260
261 if (GET_SEC_STATE(flags) == SECURE) {
262 if (image_desc->state != IMAGE_STATE_RESET) {
263 WARN("BL1-FWU: Authentication from secure world "
264 "while in invalid state\n");
265 return -EPERM;
266 }
267 } else {
268 if (GET_SEC_STATE(image_desc->ep_info.h.attr) == SECURE) {
269 if (image_desc->state != IMAGE_STATE_COPIED) {
270 WARN("BL1-FWU: Authentication of secure image "
271 "from non-secure world while not in copied state\n");
272 return -EPERM;
273 }
274 } else {
275 if (image_desc->state != IMAGE_STATE_RESET) {
276 WARN("BL1-FWU: Authentication of non-secure image "
277 "from non-secure world while in invalid state\n");
278 return -EPERM;
279 }
280 }
281 }
282
283 if (image_desc->state == IMAGE_STATE_COPIED) {
284 /*
285 * Image is in COPIED state.
286 * Use the stored address and size.
287 */
288 base_addr = image_desc->image_info.image_base;
289 total_size = image_desc->image_info.image_size;
290 } else {
291 if ((!image_src) || (!image_size)) {
292 WARN("BL1-FWU: Auth not allowed due to invalid"
293 " image source/size\n");
294 return -ENOMEM;
295 }
296
297 /*
298 * Image is in RESET state.
299 * Check the parameters and authenticate the source image in place.
300 */
301 if (bl1_plat_mem_check(image_src, image_size, flags)) {
302 WARN("BL1-FWU: Authentication arguments source/size not mapped\n");
303 return -ENOMEM;
304 }
305
306 base_addr = image_src;
307 total_size = image_size;
308
309 /* Update the image size in the descriptor. */
310 image_desc->image_info.image_size = total_size;
311 }
312
313 /*
314 * Authenticate the image.
315 */
316 INFO("BL1-FWU: Authenticating image_id:%d\n", image_id);
317 result = auth_mod_verify_img(image_id, (void *)base_addr, total_size);
318 if (result != 0) {
319 WARN("BL1-FWU: Authentication Failed err=%d\n", result);
320
321 /*
322 * Authentication has failed.
323 * Clear the memory if the image was copied.
324 * This is to prevent an attack where this contains
325 * some malicious code that can somehow be executed later.
326 */
327 if (image_desc->state == IMAGE_STATE_COPIED) {
328 /* Clear the memory.*/
329 memset((void *)base_addr, 0, total_size);
330 flush_dcache_range(base_addr, total_size);
331
332 /* Indicate that image can be copied again*/
333 image_desc->state = IMAGE_STATE_RESET;
334 }
335 return -EAUTH;
336 }
337
338 /* Indicate that image is in authenticated state. */
339 image_desc->state = IMAGE_STATE_AUTHENTICATED;
340
341 /*
342 * Flush image_info to memory so that other
343 * secure world images can see changes.
344 */
345 flush_dcache_range((unsigned long)&image_desc->image_info,
346 sizeof(image_info_t));
347
348 INFO("BL1-FWU: Authentication was successful\n");
349
350 return 0;
351}
352
353/*******************************************************************************
354 * This function is responsible for executing Secure images.
355 ******************************************************************************/
356static int bl1_fwu_image_execute(unsigned int image_id,
357 void **handle,
358 unsigned int flags)
359{
360 /* Get the image descriptor. */
361 image_desc_t *image_desc = bl1_plat_get_image_desc(image_id);
362
363 /*
364 * Execution is NOT allowed if:
365 * Caller is from Secure world OR
366 * Image is Non-Secure OR
367 * Image is Non-Executable OR
368 * Image is NOT in AUTHENTICATED state.
369 */
370 if ((!image_desc) ||
371 (GET_SEC_STATE(flags) == SECURE) ||
372 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) ||
373 (GET_EXEC_STATE(image_desc->image_info.h.attr) == NON_EXECUTABLE) ||
374 (image_desc->state != IMAGE_STATE_AUTHENTICATED)) {
375 WARN("BL1-FWU: Execution not allowed due to invalid state/args\n");
376 return -EPERM;
377 }
378
379 INFO("BL1-FWU: Executing Secure image\n");
380
381 /* Save NS-EL1 system registers. */
382 cm_el1_sysregs_context_save(NON_SECURE);
383
384 /* Prepare the image for execution. */
385 bl1_prepare_next_image(image_id);
386
387 /* Update the secure image id. */
388 sec_exec_image_id = image_id;
389
390 *handle = cm_get_context(SECURE);
391 return 0;
392}
393
394/*******************************************************************************
395 * This function is responsible for resuming Secure/Non-Secure images.
396 ******************************************************************************/
397static register_t bl1_fwu_image_resume(unsigned int image_id,
398 register_t image_param,
399 void **handle,
400 unsigned int flags)
401{
402 image_desc_t *image_desc;
403 unsigned int resume_sec_state;
404
405 if (GET_SEC_STATE(flags) == SECURE) {
406 /* Get the image descriptor for last executed secure image id. */
407 image_desc = bl1_plat_get_image_desc(sec_exec_image_id);
408
409 if ((!image_desc) || (image_desc->state != IMAGE_STATE_EXECUTED)) {
410 WARN("BL1-FWU: Resume not allowed for secure image "
411 "due to invalid state\n");
412 return -EPERM;
413 }
414
415 /* Update the flags. */
416 image_desc->state = IMAGE_STATE_INTERRUPTED;
417 resume_sec_state = NON_SECURE;
418 } else {
419 /* Get the image descriptor for image id to be resumed. */
420 image_desc = bl1_plat_get_image_desc(image_id);
421
422 /* Make sure image is secure and was interrupted. */
423 if ((!image_desc) ||
424 (GET_SEC_STATE(image_desc->ep_info.h.attr) == NON_SECURE) ||
425 (image_desc->state != IMAGE_STATE_INTERRUPTED)) {
426 WARN("BL1-FWU: Resume not allowed for NS image/ invalid state\n");
427 return -EPERM;
428 }
429
430 /* Update the flags. */
431 image_desc->state = IMAGE_STATE_EXECUTED;
432 resume_sec_state = SECURE;
433 }
434
435 /* Save the EL1 system registers of calling world. */
436 cm_el1_sysregs_context_save(GET_SEC_STATE(flags));
437
438 /* Restore the EL1 system registers of resuming world. */
439 cm_el1_sysregs_context_restore(resume_sec_state);
440
441 /* Update the next context. */
442 cm_set_next_eret_context(resume_sec_state);
443
444 INFO("BL1-FWU: Resuming %s world context\n",
445 (resume_sec_state == SECURE) ? "Secure" : "Normal");
446
447 *handle = cm_get_context(resume_sec_state);
448 return image_param;
449}
450
451/*******************************************************************************
452 * This function is responsible for resuming normal world context.
453 ******************************************************************************/
454static int bl1_fwu_sec_image_done(void **handle, unsigned int flags)
455{
456
457 /* Get the image descriptor for last executed secure image id. */
458 image_desc_t *image_desc = bl1_plat_get_image_desc(sec_exec_image_id);
459
460 /*
461 * Make sure caller is from secure world
462 * and the image is in EXECUTED state.
463 */
464 if ((!image_desc) ||
465 (GET_SEC_STATE(flags) == NON_SECURE) ||
466 (image_desc->state != IMAGE_STATE_EXECUTED)) {
467 WARN("BL1-FWU: Done not allowed for NS caller/ invalid state\n");
468 return -EPERM;
469 }
470
471 /* Update the flags. */
472 image_desc->state = IMAGE_STATE_RESET;
473 sec_exec_image_id = INVALID_IMAGE_ID;
474
475 /*
476 * Secure world is done so no need to save the context.
477 * Just restore the Non-Secure context.
478 */
479 cm_el1_sysregs_context_restore(NON_SECURE);
480
481 /* Update the next context. */
482 cm_set_next_eret_context(NON_SECURE);
483
484 INFO("BL1-FWU: Resuming Normal world context\n");
485
486 *handle = cm_get_context(NON_SECURE);
487 return 0;
488}
489
490/*******************************************************************************
491 * This function provides the opportunity for users to perform any
492 * platform specific handling after the Firmware update is done.
493 ******************************************************************************/
494__dead2 static void bl1_fwu_done(void *cookie, void *reserved)
495{
496 NOTICE("BL1-FWU: *******FWU Process Completed*******\n");
497
498 /*
499 * Call platform done function.
500 */
501 bl1_plat_fwu_done(cookie, reserved);
502 assert(0);
503}