blob: a09cd7171d3e0dc44cc76dfc5942bfd4939777a8 [file] [log] [blame]
Achin Gupta4f6ad662013-10-25 09:08:21 +01001/*
Antonio Nino Diaz25cda672019-02-19 11:53:51 +00002 * Copyright (c) 2013-2019, ARM Limited and Contributors. All rights reserved.
Achin Gupta4f6ad662013-10-25 09:08:21 +01003 *
dp-armfa3cf0b2017-05-03 09:38:09 +01004 * SPDX-License-Identifier: BSD-3-Clause
Achin Gupta4f6ad662013-10-25 09:08:21 +01005 */
6
Dan Handley2bd4ef22014-04-09 13:14:54 +01007#include <assert.h>
Sandrine Bailleux467d0572014-06-24 14:02:34 +01008#include <errno.h>
Juan Castillo97dbcf12015-08-17 10:43:27 +01009#include <string.h>
Antonio Nino Diaze0f90632018-12-14 00:18:21 +000010
11#include <arch.h>
Antonio Nino Diaz25cda672019-02-19 11:53:51 +000012#include <arch_features.h>
Antonio Nino Diaze0f90632018-12-14 00:18:21 +000013#include <arch_helpers.h>
14#include <common/bl_common.h>
15#include <common/debug.h>
16#include <drivers/auth/auth_mod.h>
17#include <drivers/io/io_storage.h>
18#include <lib/utils.h>
19#include <lib/xlat_tables/xlat_tables_defs.h>
20#include <plat/common/platform.h>
Achin Gupta4f6ad662013-10-25 09:08:21 +010021
Soby Mathew9fe88042018-03-26 12:43:37 +010022#if TRUSTED_BOARD_BOOT
23# ifdef DYN_DISABLE_AUTH
24static int disable_auth;
25
26/******************************************************************************
27 * API to dynamically disable authentication. Only meant for development
Roberto Vargas025946a2018-09-24 17:20:48 +010028 * systems. This is only invoked if DYN_DISABLE_AUTH is defined.
Soby Mathew9fe88042018-03-26 12:43:37 +010029 *****************************************************************************/
30void dyn_disable_auth(void)
31{
32 INFO("Disabling authentication of images dynamically\n");
33 disable_auth = 1;
34}
35# endif /* DYN_DISABLE_AUTH */
36
37/******************************************************************************
38 * Function to determine whether the authentication is disabled dynamically.
39 *****************************************************************************/
40static int dyn_is_auth_disabled(void)
41{
42# ifdef DYN_DISABLE_AUTH
43 return disable_auth;
44# else
45 return 0;
46# endif
47}
48#endif /* TRUSTED_BOARD_BOOT */
49
Soby Mathewa0fedc42016-06-16 14:52:04 +010050uintptr_t page_align(uintptr_t value, unsigned dir)
Achin Gupta4f6ad662013-10-25 09:08:21 +010051{
Achin Gupta4f6ad662013-10-25 09:08:21 +010052 /* Round up the limit to the next page boundary */
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +010053 if ((value & (PAGE_SIZE - 1U)) != 0U) {
54 value &= ~(PAGE_SIZE - 1U);
Achin Gupta4f6ad662013-10-25 09:08:21 +010055 if (dir == UP)
Soby Mathewa0fedc42016-06-16 14:52:04 +010056 value += PAGE_SIZE;
Achin Gupta4f6ad662013-10-25 09:08:21 +010057 }
58
59 return value;
60}
61
Yatharth Kochar3345a8d2016-09-12 16:08:41 +010062/*******************************************************************************
Soby Mathew7c8af062017-11-10 13:14:40 +000063 * Internal function to load an image at a specific address given
Yatharth Kochar3345a8d2016-09-12 16:08:41 +010064 * an image ID and extents of free memory.
65 *
66 * If the load is successful then the image information is updated.
67 *
68 * Returns 0 on success, a negative error code otherwise.
69 ******************************************************************************/
Soby Mathew7c8af062017-11-10 13:14:40 +000070static int load_image(unsigned int image_id, image_info_t *image_data)
Yatharth Kochar3345a8d2016-09-12 16:08:41 +010071{
72 uintptr_t dev_handle;
73 uintptr_t image_handle;
74 uintptr_t image_spec;
75 uintptr_t image_base;
76 size_t image_size;
77 size_t bytes_read;
78 int io_result;
79
80 assert(image_data != NULL);
81 assert(image_data->h.version >= VERSION_2);
82
83 image_base = image_data->image_base;
84
85 /* Obtain a reference to the image by querying the platform layer */
86 io_result = plat_get_image_source(image_id, &dev_handle, &image_spec);
87 if (io_result != 0) {
88 WARN("Failed to obtain reference to image id=%u (%i)\n",
89 image_id, io_result);
90 return io_result;
91 }
92
93 /* Attempt to access the image */
94 io_result = io_open(dev_handle, image_spec, &image_handle);
95 if (io_result != 0) {
96 WARN("Failed to access image id=%u (%i)\n",
97 image_id, io_result);
98 return io_result;
99 }
100
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100101 INFO("Loading image id=%u at address 0x%lx\n", image_id, image_base);
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100102
103 /* Find the size of the image */
104 io_result = io_size(image_handle, &image_size);
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100105 if ((io_result != 0) || (image_size == 0U)) {
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100106 WARN("Failed to determine the size of the image id=%u (%i)\n",
107 image_id, io_result);
108 goto exit;
109 }
110
111 /* Check that the image size to load is within limit */
112 if (image_size > image_data->image_max_size) {
113 WARN("Image id=%u size out of bounds\n", image_id);
114 io_result = -EFBIG;
115 goto exit;
116 }
117
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100118 /*
119 * image_data->image_max_size is a uint32_t so image_size will always
120 * fit in image_data->image_size.
121 */
122 image_data->image_size = (uint32_t)image_size;
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100123
124 /* We have enough space so load the image now */
125 /* TODO: Consider whether to try to recover/retry a partially successful read */
126 io_result = io_read(image_handle, image_base, image_size, &bytes_read);
127 if ((io_result != 0) || (bytes_read < image_size)) {
128 WARN("Failed to load image id=%u (%i)\n", image_id, io_result);
129 goto exit;
130 }
131
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100132 INFO("Image id=%u loaded: 0x%lx - 0x%lx\n", image_id, image_base,
133 (uintptr_t)(image_base + image_size));
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100134
135exit:
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100136 (void)io_close(image_handle);
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100137 /* Ignore improbable/unrecoverable error in 'close' */
138
139 /* TODO: Consider maintaining open device connection from this bootloader stage */
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100140 (void)io_dev_close(dev_handle);
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100141 /* Ignore improbable/unrecoverable error in 'dev_close' */
142
143 return io_result;
144}
145
Antonio Nino Diazd7db8702016-11-22 10:58:30 +0000146static int load_auth_image_internal(unsigned int image_id,
147 image_info_t *image_data,
148 int is_parent_image)
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100149{
150 int rc;
151
152#if TRUSTED_BOARD_BOOT
Soby Mathew9fe88042018-03-26 12:43:37 +0100153 if (dyn_is_auth_disabled() == 0) {
154 unsigned int parent_id;
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100155
Soby Mathew9fe88042018-03-26 12:43:37 +0100156 /* Use recursion to authenticate parent images */
157 rc = auth_mod_get_parent_id(image_id, &parent_id);
158 if (rc == 0) {
159 rc = load_auth_image_internal(parent_id, image_data, 1);
160 if (rc != 0) {
161 return rc;
162 }
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100163 }
164 }
165#endif /* TRUSTED_BOARD_BOOT */
166
167 /* Load the image */
168 rc = load_image(image_id, image_data);
169 if (rc != 0) {
170 return rc;
171 }
172
173#if TRUSTED_BOARD_BOOT
Soby Mathew9fe88042018-03-26 12:43:37 +0100174 if (dyn_is_auth_disabled() == 0) {
175 /* Authenticate it */
176 rc = auth_mod_verify_img(image_id,
177 (void *)image_data->image_base,
178 image_data->image_size);
179 if (rc != 0) {
180 /* Authentication error, zero memory and flush it right away. */
181 zero_normalmem((void *)image_data->image_base,
182 image_data->image_size);
183 flush_dcache_range(image_data->image_base,
184 image_data->image_size);
185 return -EAUTH;
186 }
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100187 }
Soby Mathew7c8af062017-11-10 13:14:40 +0000188#endif /* TRUSTED_BOARD_BOOT */
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100189
190 /*
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100191 * Flush the image to main memory so that it can be executed later by
Soby Mathew7c8af062017-11-10 13:14:40 +0000192 * any CPU, regardless of cache and MMU state. If TBB is enabled, then
193 * the file has been successfully loaded and authenticated and flush
194 * only for child images, not for the parents (certificates).
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100195 */
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100196 if (is_parent_image == 0) {
Antonio Nino Diazd7db8702016-11-22 10:58:30 +0000197 flush_dcache_range(image_data->image_base,
198 image_data->image_size);
199 }
Soby Mathew7c8af062017-11-10 13:14:40 +0000200
Yatharth Kochar3345a8d2016-09-12 16:08:41 +0100201
202 return 0;
203}
204
Antonio Nino Diazd7db8702016-11-22 10:58:30 +0000205/*******************************************************************************
206 * Generic function to load and authenticate an image. The image is actually
207 * loaded by calling the 'load_image()' function. Therefore, it returns the
208 * same error codes if the loading operation failed, or -EAUTH if the
209 * authentication failed. In addition, this function uses recursion to
210 * authenticate the parent images up to the root of trust.
211 ******************************************************************************/
212int load_auth_image(unsigned int image_id, image_info_t *image_data)
213{
Roberto Vargasbc1ae1f2017-09-26 12:53:01 +0100214 int err;
215
216 do {
217 err = load_auth_image_internal(image_id, image_data, 0);
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100218 } while ((err != 0) && (plat_try_next_boot_source() != 0));
Roberto Vargasbc1ae1f2017-09-26 12:53:01 +0100219
220 return err;
Antonio Nino Diazd7db8702016-11-22 10:58:30 +0000221}
222
Sandrine Bailleuxb2e224c2015-09-28 17:03:06 +0100223/*******************************************************************************
224 * Print the content of an entry_point_info_t structure.
225 ******************************************************************************/
226void print_entry_point_info(const entry_point_info_t *ep_info)
227{
Antonio Nino Diazf0b14cf2018-10-04 09:55:23 +0100228 INFO("Entry point address = 0x%lx\n", ep_info->pc);
Soby Mathewa0fedc42016-06-16 14:52:04 +0100229 INFO("SPSR = 0x%x\n", ep_info->spsr);
Sandrine Bailleuxb2e224c2015-09-28 17:03:06 +0100230
231#define PRINT_IMAGE_ARG(n) \
232 VERBOSE("Argument #" #n " = 0x%llx\n", \
233 (unsigned long long) ep_info->args.arg##n)
234
235 PRINT_IMAGE_ARG(0);
236 PRINT_IMAGE_ARG(1);
237 PRINT_IMAGE_ARG(2);
238 PRINT_IMAGE_ARG(3);
Julius Werner8e0ef0f2019-07-09 14:02:43 -0700239#ifdef __aarch64__
Sandrine Bailleuxb2e224c2015-09-28 17:03:06 +0100240 PRINT_IMAGE_ARG(4);
241 PRINT_IMAGE_ARG(5);
242 PRINT_IMAGE_ARG(6);
243 PRINT_IMAGE_ARG(7);
Soby Mathewcdf58cb2016-08-30 13:07:31 +0100244#endif
Sandrine Bailleuxb2e224c2015-09-28 17:03:06 +0100245#undef PRINT_IMAGE_ARG
246}
Antonio Nino Diaz25cda672019-02-19 11:53:51 +0000247
Julius Werner8e0ef0f2019-07-09 14:02:43 -0700248#ifdef __aarch64__
Antonio Nino Diaz25cda672019-02-19 11:53:51 +0000249/*******************************************************************************
250 * Handle all possible cases regarding ARMv8.3-PAuth.
251 ******************************************************************************/
252void bl_handle_pauth(void)
253{
254#if ENABLE_PAUTH
255 /*
256 * ENABLE_PAUTH = 1 && CTX_INCLUDE_PAUTH_REGS = 1
257 *
258 * Check that the system supports address authentication to avoid
259 * getting an access fault when accessing the registers. This is all
260 * that is needed to check. If any of the authentication mechanisms is
261 * supported, the system knows about ARMv8.3-PAuth, so all the registers
262 * are available and accessing them won't generate a fault.
263 *
264 * Obtain 128-bit instruction key A from the platform and save it to the
265 * system registers. Pointer authentication can't be enabled here or the
266 * authentication will fail when returning from this function.
267 */
Antonio Nino Diaze1e78452019-03-01 09:35:26 +0000268 assert(is_armv8_3_pauth_apa_api_present());
Antonio Nino Diaz25cda672019-02-19 11:53:51 +0000269
270 uint64_t *apiakey = plat_init_apiakey();
271
272 write_apiakeylo_el1(apiakey[0]);
273 write_apiakeyhi_el1(apiakey[1]);
274#else /* if !ENABLE_PAUTH */
275
276# if CTX_INCLUDE_PAUTH_REGS
277 /*
278 * ENABLE_PAUTH = 0 && CTX_INCLUDE_PAUTH_REGS = 1
279 *
280 * Assert that the ARMv8.3-PAuth registers are present or an access
281 * fault will be triggered when they are being saved or restored.
282 */
283 assert(is_armv8_3_pauth_present());
284# else
285 /*
286 * ENABLE_PAUTH = 0 && CTX_INCLUDE_PAUTH_REGS = 0
287 *
288 * Pointer authentication is allowed in the Non-secure world, but
289 * prohibited in the Secure world. The Trusted Firmware doesn't save the
290 * registers during a world switch. No check needed.
291 */
292# endif /* CTX_INCLUDE_PAUTH_REGS */
293
294#endif /* ENABLE_PAUTH */
295}
Julius Werner8e0ef0f2019-07-09 14:02:43 -0700296#endif /* __aarch64__ */