interrupt-framework-design.rst 49 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021
  1. Interrupt Management Framework
  2. ==============================
  3. This framework is responsible for managing interrupts routed to EL3. It also
  4. allows EL3 software to configure the interrupt routing behavior. Its main
  5. objective is to implement the following two requirements.
  6. #. It should be possible to route interrupts meant to be handled by secure
  7. software (Secure interrupts) to EL3, when execution is in non-secure state
  8. (normal world). The framework should then take care of handing control of
  9. the interrupt to either software in EL3 or Secure-EL1 depending upon the
  10. software configuration and the GIC implementation. This requirement ensures
  11. that secure interrupts are under the control of the secure software with
  12. respect to their delivery and handling without the possibility of
  13. intervention from non-secure software.
  14. #. It should be possible to route interrupts meant to be handled by
  15. non-secure software (Non-secure interrupts) to the last executed exception
  16. level in the normal world when the execution is in secure world at
  17. exception levels lower than EL3. This could be done with or without the
  18. knowledge of software executing in Secure-EL1/Secure-EL0. The choice of
  19. approach should be governed by the secure software. This requirement
  20. ensures that non-secure software is able to execute in tandem with the
  21. secure software without overriding it.
  22. Concepts
  23. --------
  24. Interrupt types
  25. ~~~~~~~~~~~~~~~
  26. The framework categorises an interrupt to be one of the following depending upon
  27. the exception level(s) it is handled in.
  28. #. Secure EL1 interrupt. This type of interrupt can be routed to EL3 or
  29. Secure-EL1 depending upon the security state of the current execution
  30. context. It is always handled in Secure-EL1.
  31. #. Non-secure interrupt. This type of interrupt can be routed to EL3,
  32. Secure-EL1, Non-secure EL1 or EL2 depending upon the security state of the
  33. current execution context. It is always handled in either Non-secure EL1
  34. or EL2.
  35. #. EL3 interrupt. This type of interrupt can be routed to EL3 or Secure-EL1
  36. depending upon the security state of the current execution context. It is
  37. always handled in EL3.
  38. The following constants define the various interrupt types in the framework
  39. implementation.
  40. .. code:: c
  41. #define INTR_TYPE_S_EL1 0
  42. #define INTR_TYPE_EL3 1
  43. #define INTR_TYPE_NS 2
  44. Routing model
  45. ~~~~~~~~~~~~~
  46. A type of interrupt can be either generated as an FIQ or an IRQ. The target
  47. exception level of an interrupt type is configured through the FIQ and IRQ bits
  48. in the Secure Configuration Register at EL3 (``SCR_EL3.FIQ`` and ``SCR_EL3.IRQ``
  49. bits). When ``SCR_EL3.FIQ``\ =1, FIQs are routed to EL3. Otherwise they are routed
  50. to the First Exception Level (FEL) capable of handling interrupts. When
  51. ``SCR_EL3.IRQ``\ =1, IRQs are routed to EL3. Otherwise they are routed to the
  52. FEL. This register is configured independently by EL3 software for each security
  53. state prior to entry into a lower exception level in that security state.
  54. A routing model for a type of interrupt (generated as FIQ or IRQ) is defined as
  55. its target exception level for each security state. It is represented by a
  56. single bit for each security state. A value of ``0`` means that the interrupt
  57. should be routed to the FEL. A value of ``1`` means that the interrupt should be
  58. routed to EL3. A routing model is applicable only when execution is not in EL3.
  59. The default routing model for an interrupt type is to route it to the FEL in
  60. either security state.
  61. Valid routing models
  62. ~~~~~~~~~~~~~~~~~~~~
  63. The framework considers certain routing models for each type of interrupt to be
  64. incorrect as they conflict with the requirements mentioned in Section 1. The
  65. following sub-sections describe all the possible routing models and specify
  66. which ones are valid or invalid. EL3 interrupts are currently supported only
  67. for GIC version 3.0 (Arm GICv3) and only the Secure-EL1 and Non-secure interrupt
  68. types are supported for GIC version 2.0 (Arm GICv2) (see `Assumptions in
  69. Interrupt Management Framework`_). The terminology used in the following
  70. sub-sections is explained below.
  71. #. **CSS**. Current Security State. ``0`` when secure and ``1`` when non-secure
  72. #. **TEL3**. Target Exception Level 3. ``0`` when targeted to the FEL. ``1`` when
  73. targeted to EL3.
  74. Secure-EL1 interrupts
  75. ^^^^^^^^^^^^^^^^^^^^^
  76. #. **CSS=0, TEL3=0**. Interrupt is routed to the FEL when execution is in
  77. secure state. This is a valid routing model as secure software is in
  78. control of handling secure interrupts.
  79. #. **CSS=0, TEL3=1**. Interrupt is routed to EL3 when execution is in secure
  80. state. This is a valid routing model as secure software in EL3 can
  81. handover the interrupt to Secure-EL1 for handling.
  82. #. **CSS=1, TEL3=0**. Interrupt is routed to the FEL when execution is in
  83. non-secure state. This is an invalid routing model as a secure interrupt
  84. is not visible to the secure software which violates the motivation behind
  85. the Arm Security Extensions.
  86. #. **CSS=1, TEL3=1**. Interrupt is routed to EL3 when execution is in
  87. non-secure state. This is a valid routing model as secure software in EL3
  88. can handover the interrupt to Secure-EL1 for handling.
  89. Non-secure interrupts
  90. ^^^^^^^^^^^^^^^^^^^^^
  91. #. **CSS=0, TEL3=0**. Interrupt is routed to the FEL when execution is in
  92. secure state. This allows the secure software to trap non-secure
  93. interrupts, perform its book-keeping and hand the interrupt to the
  94. non-secure software through EL3. This is a valid routing model as secure
  95. software is in control of how its execution is preempted by non-secure
  96. interrupts.
  97. #. **CSS=0, TEL3=1**. Interrupt is routed to EL3 when execution is in secure
  98. state. This is a valid routing model as secure software in EL3 can save
  99. the state of software in Secure-EL1/Secure-EL0 before handing the
  100. interrupt to non-secure software. This model requires additional
  101. coordination between Secure-EL1 and EL3 software to ensure that the
  102. former's state is correctly saved by the latter.
  103. #. **CSS=1, TEL3=0**. Interrupt is routed to FEL when execution is in
  104. non-secure state. This is a valid routing model as a non-secure interrupt
  105. is handled by non-secure software.
  106. #. **CSS=1, TEL3=1**. Interrupt is routed to EL3 when execution is in
  107. non-secure state. This is an invalid routing model as there is no valid
  108. reason to route the interrupt to EL3 software and then hand it back to
  109. non-secure software for handling.
  110. .. _EL3 interrupts:
  111. EL3 interrupts
  112. ^^^^^^^^^^^^^^
  113. #. **CSS=0, TEL3=0**. Interrupt is routed to the FEL when execution is in
  114. Secure-EL1/Secure-EL0. This is a valid routing model as secure software
  115. in Secure-EL1/Secure-EL0 is in control of how its execution is preempted
  116. by EL3 interrupt and can handover the interrupt to EL3 for handling.
  117. However, when ``EL3_EXCEPTION_HANDLING`` is ``1``, this routing model is
  118. invalid as EL3 interrupts are unconditionally routed to EL3, and EL3
  119. interrupts will always preempt Secure EL1/EL0 execution. See :ref:`exception
  120. handling<interrupt-handling>` documentation.
  121. #. **CSS=0, TEL3=1**. Interrupt is routed to EL3 when execution is in
  122. Secure-EL1/Secure-EL0. This is a valid routing model as secure software
  123. in EL3 can handle the interrupt.
  124. #. **CSS=1, TEL3=0**. Interrupt is routed to the FEL when execution is in
  125. non-secure state. This is an invalid routing model as a secure interrupt
  126. is not visible to the secure software which violates the motivation behind
  127. the Arm Security Extensions.
  128. #. **CSS=1, TEL3=1**. Interrupt is routed to EL3 when execution is in
  129. non-secure state. This is a valid routing model as secure software in EL3
  130. can handle the interrupt.
  131. Mapping of interrupt type to signal
  132. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  133. The framework is meant to work with any interrupt controller implemented by a
  134. platform. A interrupt controller could generate a type of interrupt as either an
  135. FIQ or IRQ signal to the CPU depending upon the current security state. The
  136. mapping between the type and signal is known only to the platform. The framework
  137. uses this information to determine whether the IRQ or the FIQ bit should be
  138. programmed in ``SCR_EL3`` while applying the routing model for a type of
  139. interrupt. The platform provides this information through the
  140. ``plat_interrupt_type_to_line()`` API (described in the
  141. :ref:`Porting Guide`). For example, on the FVP port when the platform uses an
  142. Arm GICv2 interrupt controller, Secure-EL1 interrupts are signaled through the
  143. FIQ signal while Non-secure interrupts are signaled through the IRQ signal.
  144. This applies when execution is in either security state.
  145. Effect of mapping of several interrupt types to one signal
  146. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  147. It should be noted that if more than one interrupt type maps to a single
  148. interrupt signal, and if any one of the interrupt type sets **TEL3=1** for a
  149. particular security state, then interrupt signal will be routed to EL3 when in
  150. that security state. This means that all the other interrupt types using the
  151. same interrupt signal will be forced to the same routing model. This should be
  152. borne in mind when choosing the routing model for an interrupt type.
  153. For example, in Arm GICv3, when the execution context is Secure-EL1/
  154. Secure-EL0, both the EL3 and the non secure interrupt types map to the FIQ
  155. signal. So if either one of the interrupt type sets the routing model so
  156. that **TEL3=1** when **CSS=0**, the FIQ bit in ``SCR_EL3`` will be programmed to
  157. route the FIQ signal to EL3 when executing in Secure-EL1/Secure-EL0, thereby
  158. effectively routing the other interrupt type also to EL3.
  159. Assumptions in Interrupt Management Framework
  160. ---------------------------------------------
  161. The framework makes the following assumptions to simplify its implementation.
  162. #. Although the framework has support for 2 types of secure interrupts (EL3
  163. and Secure-EL1 interrupt), only interrupt controller architectures
  164. like Arm GICv3 has architectural support for EL3 interrupts in the form of
  165. Group 0 interrupts. In Arm GICv2, all secure interrupts are assumed to be
  166. handled in Secure-EL1. They can be delivered to Secure-EL1 via EL3 but they
  167. cannot be handled in EL3.
  168. #. Interrupt exceptions (``PSTATE.I`` and ``F`` bits) are masked during execution
  169. in EL3.
  170. #. Interrupt management: the following sections describe how interrupts are
  171. managed by the interrupt handling framework. This entails:
  172. #. Providing an interface to allow registration of a handler and
  173. specification of the routing model for a type of interrupt.
  174. #. Implementing support to hand control of an interrupt type to its
  175. registered handler when the interrupt is generated.
  176. Both aspects of interrupt management involve various components in the secure
  177. software stack spanning from EL3 to Secure-EL1. These components are described
  178. in the section `Software components`_. The framework stores information
  179. associated with each type of interrupt in the following data structure.
  180. .. code:: c
  181. typedef struct intr_type_desc {
  182. interrupt_type_handler_t handler;
  183. uint32_t flags;
  184. uint32_t scr_el3[2];
  185. } intr_type_desc_t;
  186. The ``flags`` field stores the routing model for the interrupt type in
  187. bits[1:0]. Bit[0] stores the routing model when execution is in the secure
  188. state. Bit[1] stores the routing model when execution is in the non-secure
  189. state. As mentioned in Section `Routing model`_, a value of ``0`` implies that
  190. the interrupt should be targeted to the FEL. A value of ``1`` implies that it
  191. should be targeted to EL3. The remaining bits are reserved and SBZ. The helper
  192. macro ``set_interrupt_rm_flag()`` should be used to set the bits in the
  193. ``flags`` parameter.
  194. The ``scr_el3[2]`` field also stores the routing model but as a mapping of the
  195. model in the ``flags`` field to the corresponding bit in the ``SCR_EL3`` for each
  196. security state.
  197. The framework also depends upon the platform port to configure the interrupt
  198. controller to distinguish between secure and non-secure interrupts. The platform
  199. is expected to be aware of the secure devices present in the system and their
  200. associated interrupt numbers. It should configure the interrupt controller to
  201. enable the secure interrupts, ensure that their priority is always higher than
  202. the non-secure interrupts and target them to the primary CPU. It should also
  203. export the interface described in the :ref:`Porting Guide` to enable
  204. handling of interrupts.
  205. In the remainder of this document, for the sake of simplicity a Arm GICv2 system
  206. is considered and it is assumed that the FIQ signal is used to generate Secure-EL1
  207. interrupts and the IRQ signal is used to generate non-secure interrupts in either
  208. security state. EL3 interrupts are not considered.
  209. Software components
  210. -------------------
  211. Roles and responsibilities for interrupt management are sub-divided between the
  212. following components of software running in EL3 and Secure-EL1. Each component is
  213. briefly described below.
  214. #. EL3 Runtime Firmware. This component is common to all ports of TF-A.
  215. #. Secure Payload Dispatcher (SPD) service. This service interfaces with the
  216. Secure Payload (SP) software which runs in Secure-EL1/Secure-EL0 and is
  217. responsible for switching execution between secure and non-secure states.
  218. A switch is triggered by a Secure Monitor Call and it uses the APIs
  219. exported by the Context management library to implement this functionality.
  220. Switching execution between the two security states is a requirement for
  221. interrupt management as well. This results in a significant dependency on
  222. the SPD service. TF-A implements an example Test Secure Payload Dispatcher
  223. (TSPD) service.
  224. An SPD service plugs into the EL3 runtime firmware and could be common to
  225. some ports of TF-A.
  226. #. Secure Payload (SP). On a production system, the Secure Payload corresponds
  227. to a Secure OS which runs in Secure-EL1/Secure-EL0. It interfaces with the
  228. SPD service to manage communication with non-secure software. TF-A
  229. implements an example secure payload called Test Secure Payload (TSP)
  230. which runs only in Secure-EL1.
  231. A Secure payload implementation could be common to some ports of TF-A,
  232. just like the SPD service.
  233. Interrupt registration
  234. ----------------------
  235. This section describes in detail the role of each software component (see
  236. `Software components`_) during the registration of a handler for an interrupt
  237. type.
  238. .. _el3-runtime-firmware:
  239. EL3 runtime firmware
  240. ~~~~~~~~~~~~~~~~~~~~
  241. This component declares the following prototype for a handler of an interrupt type.
  242. .. code:: c
  243. typedef uint64_t (*interrupt_type_handler_t)(uint32_t id,
  244. uint32_t flags,
  245. void *handle,
  246. void *cookie);
  247. The ``id`` is parameter is reserved and could be used in the future for passing
  248. the interrupt id of the highest pending interrupt only if there is a foolproof
  249. way of determining the id. Currently it contains ``INTR_ID_UNAVAILABLE``.
  250. The ``flags`` parameter contains miscellaneous information as follows.
  251. #. Security state, bit[0]. This bit indicates the security state of the lower
  252. exception level when the interrupt was generated. A value of ``1`` means
  253. that it was in the non-secure state. A value of ``0`` indicates that it was
  254. in the secure state. This bit can be used by the handler to ensure that
  255. interrupt was generated and routed as per the routing model specified
  256. during registration.
  257. #. Reserved, bits[31:1]. The remaining bits are reserved for future use.
  258. The ``handle`` parameter points to the ``cpu_context`` structure of the current CPU
  259. for the security state specified in the ``flags`` parameter.
  260. Once the handler routine completes, execution will return to either the secure
  261. or non-secure state. The handler routine must return a pointer to
  262. ``cpu_context`` structure of the current CPU for the target security state. On
  263. AArch64, this return value is currently ignored by the caller as the
  264. appropriate ``cpu_context`` to be used is expected to be set by the handler
  265. via the context management library APIs.
  266. A portable interrupt handler implementation must set the target context both in
  267. the structure pointed to by the returned pointer and via the context management
  268. library APIs. The handler should treat all error conditions as critical errors
  269. and take appropriate action within its implementation e.g. use assertion
  270. failures.
  271. The runtime firmware provides the following API for registering a handler for a
  272. particular type of interrupt. A Secure Payload Dispatcher service should use
  273. this API to register a handler for Secure-EL1 and optionally for non-secure
  274. interrupts. This API also requires the caller to specify the routing model for
  275. the type of interrupt.
  276. .. code:: c
  277. int32_t register_interrupt_type_handler(uint32_t type,
  278. interrupt_type_handler handler,
  279. uint64_t flags);
  280. The ``type`` parameter can be one of the three interrupt types listed above i.e.
  281. ``INTR_TYPE_S_EL1``, ``INTR_TYPE_NS`` & ``INTR_TYPE_EL3``. The ``flags`` parameter
  282. is as described in Section 2.
  283. The function will return ``0`` upon a successful registration. It will return
  284. ``-EALREADY`` in case a handler for the interrupt type has already been
  285. registered. If the ``type`` is unrecognised or the ``flags`` or the ``handler`` are
  286. invalid it will return ``-EINVAL``.
  287. Interrupt routing is governed by the configuration of the ``SCR_EL3.FIQ/IRQ`` bits
  288. prior to entry into a lower exception level in either security state. The
  289. context management library maintains a copy of the ``SCR_EL3`` system register for
  290. each security state in the ``cpu_context`` structure of each CPU. It exports the
  291. following APIs to let EL3 Runtime Firmware program and retrieve the routing
  292. model for each security state for the current CPU. The value of ``SCR_EL3`` stored
  293. in the ``cpu_context`` is used by the ``el3_exit()`` function to program the
  294. ``SCR_EL3`` register prior to returning from the EL3 exception level.
  295. .. code:: c
  296. uint32_t cm_get_scr_el3(uint32_t security_state);
  297. void cm_write_scr_el3_bit(uint32_t security_state,
  298. uint32_t bit_pos,
  299. uint32_t value);
  300. ``cm_get_scr_el3()`` returns the value of the ``SCR_EL3`` register for the specified
  301. security state of the current CPU. ``cm_write_scr_el3_bit()`` writes a ``0`` or ``1``
  302. to the bit specified by ``bit_pos``. ``register_interrupt_type_handler()`` invokes
  303. ``set_routing_model()`` API which programs the ``SCR_EL3`` according to the routing
  304. model using the ``cm_get_scr_el3()`` and ``cm_write_scr_el3_bit()`` APIs.
  305. It is worth noting that in the current implementation of the framework, the EL3
  306. runtime firmware is responsible for programming the routing model. The SPD is
  307. responsible for ensuring that the routing model has been adhered to upon
  308. receiving an interrupt.
  309. .. _spd-int-registration:
  310. Secure payload dispatcher
  311. ~~~~~~~~~~~~~~~~~~~~~~~~~
  312. A SPD service is responsible for determining and maintaining the interrupt
  313. routing model supported by itself and the Secure Payload. It is also responsible
  314. for ferrying interrupts between secure and non-secure software depending upon
  315. the routing model. It could determine the routing model at build time or at
  316. runtime. It must use this information to register a handler for each interrupt
  317. type using the ``register_interrupt_type_handler()`` API in EL3 runtime firmware.
  318. If the routing model is not known to the SPD service at build time, then it must
  319. be provided by the SP as the result of its initialisation. The SPD should
  320. program the routing model only after SP initialisation has completed e.g. in the
  321. SPD initialisation function pointed to by the ``bl32_init`` variable.
  322. The SPD should determine the mechanism to pass control to the Secure Payload
  323. after receiving an interrupt from the EL3 runtime firmware. This information
  324. could either be provided to the SPD service at build time or by the SP at
  325. runtime.
  326. Test secure payload dispatcher behavior
  327. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  328. .. note::
  329. Where this document discusses ``TSP_NS_INTR_ASYNC_PREEMPT`` as being
  330. ``1``, the same results also apply when ``EL3_EXCEPTION_HANDLING`` is ``1``.
  331. The TSPD only handles Secure-EL1 interrupts and is provided with the following
  332. routing model at build time.
  333. - Secure-EL1 interrupts are routed to EL3 when execution is in non-secure
  334. state and are routed to the FEL when execution is in the secure state
  335. i.e **CSS=0, TEL3=0** & **CSS=1, TEL3=1** for Secure-EL1 interrupts
  336. - When the build flag ``TSP_NS_INTR_ASYNC_PREEMPT`` is zero, the default routing
  337. model is used for non-secure interrupts. They are routed to the FEL in
  338. either security state i.e **CSS=0, TEL3=0** & **CSS=1, TEL3=0** for
  339. Non-secure interrupts.
  340. - When the build flag ``TSP_NS_INTR_ASYNC_PREEMPT`` is defined to 1, then the
  341. non secure interrupts are routed to EL3 when execution is in secure state
  342. i.e **CSS=0, TEL3=1** for non-secure interrupts. This effectively preempts
  343. Secure-EL1. The default routing model is used for non secure interrupts in
  344. non-secure state. i.e **CSS=1, TEL3=0**.
  345. It performs the following actions in the ``tspd_init()`` function to fulfill the
  346. requirements mentioned earlier.
  347. #. It passes control to the Test Secure Payload to perform its
  348. initialisation. The TSP provides the address of the vector table
  349. ``tsp_vectors`` in the SP which also includes the handler for Secure-EL1
  350. interrupts in the ``sel1_intr_entry`` field. The TSPD passes control to the TSP at
  351. this address when it receives a Secure-EL1 interrupt.
  352. The handover agreement between the TSP and the TSPD requires that the TSPD
  353. masks all interrupts (``PSTATE.DAIF`` bits) when it calls
  354. ``tsp_sel1_intr_entry()``. The TSP has to preserve the callee saved general
  355. purpose, SP_EL1/Secure-EL0, LR, VFP and system registers. It can use
  356. ``x0-x18`` to enable its C runtime.
  357. #. The TSPD implements a handler function for Secure-EL1 interrupts. This
  358. function is registered with the EL3 runtime firmware using the
  359. ``register_interrupt_type_handler()`` API as follows
  360. .. code:: c
  361. /* Forward declaration */
  362. interrupt_type_handler tspd_secure_el1_interrupt_handler;
  363. int32_t rc, flags = 0;
  364. set_interrupt_rm_flag(flags, NON_SECURE);
  365. rc = register_interrupt_type_handler(INTR_TYPE_S_EL1,
  366. tspd_secure_el1_interrupt_handler,
  367. flags);
  368. if (rc)
  369. panic();
  370. #. When the build flag ``TSP_NS_INTR_ASYNC_PREEMPT`` is defined to 1, the TSPD
  371. implements a handler function for non-secure interrupts. This function is
  372. registered with the EL3 runtime firmware using the
  373. ``register_interrupt_type_handler()`` API as follows
  374. .. code:: c
  375. /* Forward declaration */
  376. interrupt_type_handler tspd_ns_interrupt_handler;
  377. int32_t rc, flags = 0;
  378. set_interrupt_rm_flag(flags, SECURE);
  379. rc = register_interrupt_type_handler(INTR_TYPE_NS,
  380. tspd_ns_interrupt_handler,
  381. flags);
  382. if (rc)
  383. panic();
  384. .. _sp-int-registration:
  385. Secure payload
  386. ~~~~~~~~~~~~~~
  387. A Secure Payload must implement an interrupt handling framework at Secure-EL1
  388. (Secure-EL1 IHF) to support its chosen interrupt routing model. Secure payload
  389. execution will alternate between the below cases.
  390. #. In the code where IRQ, FIQ or both interrupts are enabled, if an interrupt
  391. type is targeted to the FEL, then it will be routed to the Secure-EL1
  392. exception vector table. This is defined as the **asynchronous mode** of
  393. handling interrupts. This mode applies to both Secure-EL1 and non-secure
  394. interrupts.
  395. #. In the code where both interrupts are disabled, if an interrupt type is
  396. targeted to the FEL, then execution will eventually migrate to the
  397. non-secure state. Any non-secure interrupts will be handled as described
  398. in the routing model where **CSS=1 and TEL3=0**. Secure-EL1 interrupts
  399. will be routed to EL3 (as per the routing model where **CSS=1 and
  400. TEL3=1**) where the SPD service will hand them to the SP. This is defined
  401. as the **synchronous mode** of handling interrupts.
  402. The interrupt handling framework implemented by the SP should support one or
  403. both these interrupt handling models depending upon the chosen routing model.
  404. The following list briefly describes how the choice of a valid routing model
  405. (see `Valid routing models`_) effects the implementation of the Secure-EL1
  406. IHF. If the choice of the interrupt routing model is not known to the SPD
  407. service at compile time, then the SP should pass this information to the SPD
  408. service at runtime during its initialisation phase.
  409. As mentioned earlier, an Arm GICv2 system is considered and it is assumed that
  410. the FIQ signal is used to generate Secure-EL1 interrupts and the IRQ signal
  411. is used to generate non-secure interrupts in either security state.
  412. Secure payload IHF design w.r.t secure-EL1 interrupts
  413. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  414. #. **CSS=0, TEL3=0**. If ``PSTATE.F=0``, Secure-EL1 interrupts will be
  415. triggered at one of the Secure-EL1 FIQ exception vectors. The Secure-EL1
  416. IHF should implement support for handling FIQ interrupts asynchronously.
  417. If ``PSTATE.F=1`` then Secure-EL1 interrupts will be handled as per the
  418. synchronous interrupt handling model. The SP could implement this scenario
  419. by exporting a separate entrypoint for Secure-EL1 interrupts to the SPD
  420. service during the registration phase. The SPD service would also need to
  421. know the state of the system, general purpose and the ``PSTATE`` registers
  422. in which it should arrange to return execution to the SP. The SP should
  423. provide this information in an implementation defined way during the
  424. registration phase if it is not known to the SPD service at build time.
  425. #. **CSS=1, TEL3=1**. Interrupts are routed to EL3 when execution is in
  426. non-secure state. They should be handled through the synchronous interrupt
  427. handling model as described in 1. above.
  428. #. **CSS=0, TEL3=1**. Secure-EL1 interrupts are routed to EL3 when execution
  429. is in secure state. They will not be visible to the SP. The ``PSTATE.F`` bit
  430. in Secure-EL1/Secure-EL0 will not mask FIQs. The EL3 runtime firmware will
  431. call the handler registered by the SPD service for Secure-EL1 interrupts.
  432. Secure-EL1 IHF should then handle all Secure-EL1 interrupt through the
  433. synchronous interrupt handling model described in 1. above.
  434. Secure payload IHF design w.r.t non-secure interrupts
  435. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  436. #. **CSS=0, TEL3=0**. If ``PSTATE.I=0``, non-secure interrupts will be
  437. triggered at one of the Secure-EL1 IRQ exception vectors . The Secure-EL1
  438. IHF should co-ordinate with the SPD service to transfer execution to the
  439. non-secure state where the interrupt should be handled e.g the SP could
  440. allocate a function identifier to issue a SMC64 or SMC32 to the SPD
  441. service which indicates that the SP execution has been preempted by a
  442. non-secure interrupt. If this function identifier is not known to the SPD
  443. service at compile time then the SP could provide it during the
  444. registration phase.
  445. If ``PSTATE.I=1`` then the non-secure interrupt will pend until execution
  446. resumes in the non-secure state.
  447. #. **CSS=0, TEL3=1**. Non-secure interrupts are routed to EL3. They will not
  448. be visible to the SP. The ``PSTATE.I`` bit in Secure-EL1/Secure-EL0 will
  449. have not effect. The SPD service should register a non-secure interrupt
  450. handler which should save the SP state correctly and resume execution in
  451. the non-secure state where the interrupt will be handled. The Secure-EL1
  452. IHF does not need to take any action.
  453. #. **CSS=1, TEL3=0**. Non-secure interrupts are handled in the FEL in
  454. non-secure state (EL1/EL2) and are not visible to the SP. This routing
  455. model does not affect the SP behavior.
  456. A Secure Payload must also ensure that all Secure-EL1 interrupts are correctly
  457. configured at the interrupt controller by the platform port of the EL3 runtime
  458. firmware. It should configure any additional Secure-EL1 interrupts which the EL3
  459. runtime firmware is not aware of through its platform port.
  460. Test secure payload behavior
  461. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  462. The routing model for Secure-EL1 and non-secure interrupts chosen by the TSP is
  463. described in Section `Secure Payload Dispatcher`__. It is known to the TSPD
  464. service at build time.
  465. .. __: #spd-int-registration
  466. The TSP implements an entrypoint (``tsp_sel1_intr_entry()``) for handling Secure-EL1
  467. interrupts taken in non-secure state and routed through the TSPD service
  468. (synchronous handling model). It passes the reference to this entrypoint via
  469. ``tsp_vectors`` to the TSPD service.
  470. The TSP also replaces the default exception vector table referenced through the
  471. ``early_exceptions`` variable, with a vector table capable of handling FIQ and IRQ
  472. exceptions taken at the same (Secure-EL1) exception level. This table is
  473. referenced through the ``tsp_exceptions`` variable and programmed into the
  474. VBAR_EL1. It caters for the asynchronous handling model.
  475. The TSP also programs the Secure Physical Timer in the Arm Generic Timer block
  476. to raise a periodic interrupt (every half a second) for the purpose of testing
  477. interrupt management across all the software components listed in `Software
  478. components`_.
  479. Interrupt handling
  480. ------------------
  481. This section describes in detail the role of each software component (see
  482. Section `Software components`_) in handling an interrupt of a particular type.
  483. EL3 runtime firmware
  484. ~~~~~~~~~~~~~~~~~~~~
  485. The EL3 runtime firmware populates the IRQ and FIQ exception vectors referenced
  486. by the ``runtime_exceptions`` variable as follows.
  487. #. IRQ and FIQ exceptions taken from the current exception level with
  488. ``SP_EL0`` or ``SP_EL3`` are reported as irrecoverable error conditions. As
  489. mentioned earlier, EL3 runtime firmware always executes with the
  490. ``PSTATE.I`` and ``PSTATE.F`` bits set.
  491. #. The following text describes how the IRQ and FIQ exceptions taken from a
  492. lower exception level using AArch64 or AArch32 are handled.
  493. When an interrupt is generated, the vector for each interrupt type is
  494. responsible for:
  495. #. Saving the entire general purpose register context (x0-x30) immediately
  496. upon exception entry. The registers are saved in the per-cpu ``cpu_context``
  497. data structure referenced by the ``SP_EL3``\ register.
  498. #. Saving the ``ELR_EL3``, ``SP_EL0`` and ``SPSR_EL3`` system registers in the
  499. per-cpu ``cpu_context`` data structure referenced by the ``SP_EL3`` register.
  500. #. Switching to the C runtime stack by restoring the ``CTX_RUNTIME_SP`` value
  501. from the per-cpu ``cpu_context`` data structure in ``SP_EL0`` and
  502. executing the ``msr spsel, #0`` instruction.
  503. #. Determining the type of interrupt. Secure-EL1 interrupts will be signaled
  504. at the FIQ vector. Non-secure interrupts will be signaled at the IRQ
  505. vector. The platform should implement the following API to determine the
  506. type of the pending interrupt.
  507. .. code:: c
  508. uint32_t plat_ic_get_interrupt_type(void);
  509. It should return either ``INTR_TYPE_S_EL1`` or ``INTR_TYPE_NS``.
  510. #. Determining the handler for the type of interrupt that has been generated.
  511. The following API has been added for this purpose.
  512. .. code:: c
  513. interrupt_type_handler get_interrupt_type_handler(uint32_t interrupt_type);
  514. It returns the reference to the registered handler for this interrupt
  515. type. The ``handler`` is retrieved from the ``intr_type_desc_t`` structure as
  516. described in Section 2. ``NULL`` is returned if no handler has been
  517. registered for this type of interrupt. This scenario is reported as an
  518. irrecoverable error condition.
  519. #. Calling the registered handler function for the interrupt type generated.
  520. The ``id`` parameter is set to ``INTR_ID_UNAVAILABLE`` currently. The id along
  521. with the current security state and a reference to the ``cpu_context_t``
  522. structure for the current security state are passed to the handler function
  523. as its arguments.
  524. The handler function returns a reference to the per-cpu ``cpu_context_t``
  525. structure for the target security state.
  526. #. Calling ``el3_exit()`` to return from EL3 into a lower exception level in
  527. the security state determined by the handler routine. The ``el3_exit()``
  528. function is responsible for restoring the register context from the
  529. ``cpu_context_t`` data structure for the target security state.
  530. Secure payload dispatcher
  531. ~~~~~~~~~~~~~~~~~~~~~~~~~
  532. Interrupt entry
  533. ^^^^^^^^^^^^^^^
  534. The SPD service begins handling an interrupt when the EL3 runtime firmware calls
  535. the handler function for that type of interrupt. The SPD service is responsible
  536. for the following:
  537. #. Validating the interrupt. This involves ensuring that the interrupt was
  538. generated according to the interrupt routing model specified by the SPD
  539. service during registration. It should use the security state of the
  540. exception level (passed in the ``flags`` parameter of the handler) where
  541. the interrupt was taken from to determine this. If the interrupt is not
  542. recognised then the handler should treat it as an irrecoverable error
  543. condition.
  544. An SPD service can register a handler for Secure-EL1 and/or Non-secure
  545. interrupts. A non-secure interrupt should never be routed to EL3 from
  546. from non-secure state. Also if a routing model is chosen where Secure-EL1
  547. interrupts are routed to S-EL1 when execution is in Secure state, then a
  548. S-EL1 interrupt should never be routed to EL3 from secure state. The handler
  549. could use the security state flag to check this.
  550. #. Determining whether a context switch is required. This depends upon the
  551. routing model and interrupt type. For non secure and S-EL1 interrupt,
  552. if the security state of the execution context where the interrupt was
  553. generated is not the same as the security state required for handling
  554. the interrupt, a context switch is required. The following 2 cases
  555. require a context switch from secure to non-secure or vice-versa:
  556. #. A Secure-EL1 interrupt taken from the non-secure state should be
  557. routed to the Secure Payload.
  558. #. A non-secure interrupt taken from the secure state should be routed
  559. to the last known non-secure exception level.
  560. The SPD service must save the system register context of the current
  561. security state. It must then restore the system register context of the
  562. target security state. It should use the ``cm_set_next_eret_context()`` API
  563. to ensure that the next ``cpu_context`` to be restored is of the target
  564. security state.
  565. If the target state is secure then execution should be handed to the SP as
  566. per the synchronous interrupt handling model it implements. A Secure-EL1
  567. interrupt can be routed to EL3 while execution is in the SP. This implies
  568. that SP execution can be preempted while handling an interrupt by a
  569. another higher priority Secure-EL1 interrupt or a EL3 interrupt. The SPD
  570. service should be able to handle this preemption or manage secure interrupt
  571. priorities before handing control to the SP.
  572. #. Setting the return value of the handler to the per-cpu ``cpu_context`` if
  573. the interrupt has been successfully validated and ready to be handled at a
  574. lower exception level.
  575. The routing model allows non-secure interrupts to interrupt Secure-EL1 when in
  576. secure state if it has been configured to do so. The SPD service and the SP
  577. should implement a mechanism for routing these interrupts to the last known
  578. exception level in the non-secure state. The former should save the SP context,
  579. restore the non-secure context and arrange for entry into the non-secure state
  580. so that the interrupt can be handled.
  581. Interrupt exit
  582. ^^^^^^^^^^^^^^
  583. When the Secure Payload has finished handling a Secure-EL1 interrupt, it could
  584. return control back to the SPD service through a SMC32 or SMC64. The SPD service
  585. should handle this secure monitor call so that execution resumes in the
  586. exception level and the security state from where the Secure-EL1 interrupt was
  587. originally taken.
  588. Test secure payload dispatcher Secure-EL1 interrupt handling
  589. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  590. The example TSPD service registers a handler for Secure-EL1 interrupts taken
  591. from the non-secure state. During execution in S-EL1, the TSPD expects that the
  592. Secure-EL1 interrupts are handled in S-EL1 by TSP. Its handler
  593. ``tspd_secure_el1_interrupt_handler()`` expects only to be invoked for Secure-EL1
  594. originating from the non-secure state. It takes the following actions upon being
  595. invoked.
  596. #. It uses the security state provided in the ``flags`` parameter to ensure
  597. that the secure interrupt originated from the non-secure state. It asserts
  598. if this is not the case.
  599. #. It saves the system register context for the non-secure state by calling
  600. ``cm_el1_sysregs_context_save(NON_SECURE);``.
  601. #. It sets the ``ELR_EL3`` system register to ``tsp_sel1_intr_entry`` and sets the
  602. ``SPSR_EL3.DAIF`` bits in the secure CPU context. It sets ``x0`` to
  603. ``TSP_HANDLE_SEL1_INTR_AND_RETURN``. If the TSP was preempted earlier by a non
  604. secure interrupt during ``yielding`` SMC processing, save the registers that
  605. will be trashed, which is the ``ELR_EL3`` and ``SPSR_EL3``, in order to be able
  606. to re-enter TSP for Secure-EL1 interrupt processing. It does not need to
  607. save any other secure context since the TSP is expected to preserve it
  608. (see section `Test secure payload dispatcher behavior`_).
  609. #. It restores the system register context for the secure state by calling
  610. ``cm_el1_sysregs_context_restore(SECURE);``.
  611. #. It ensures that the secure CPU context is used to program the next
  612. exception return from EL3 by calling ``cm_set_next_eret_context(SECURE);``.
  613. #. It returns the per-cpu ``cpu_context`` to indicate that the interrupt can
  614. now be handled by the SP. ``x1`` is written with the value of ``elr_el3``
  615. register for the non-secure state. This information is used by the SP for
  616. debugging purposes.
  617. The figure below describes how the interrupt handling is implemented by the TSPD
  618. when a Secure-EL1 interrupt is generated when execution is in the non-secure
  619. state.
  620. |Image 1|
  621. The TSP issues an SMC with ``TSP_HANDLED_S_EL1_INTR`` as the function identifier to
  622. signal completion of interrupt handling.
  623. The TSPD service takes the following actions in ``tspd_smc_handler()`` function
  624. upon receiving an SMC with ``TSP_HANDLED_S_EL1_INTR`` as the function identifier:
  625. #. It ensures that the call originated from the secure state otherwise
  626. execution returns to the non-secure state with ``SMC_UNK`` in ``x0``.
  627. #. It restores the saved ``ELR_EL3`` and ``SPSR_EL3`` system registers back to
  628. the secure CPU context (see step 3 above) in case the TSP had been preempted
  629. by a non secure interrupt earlier.
  630. #. It restores the system register context for the non-secure state by
  631. calling ``cm_el1_sysregs_context_restore(NON_SECURE)``.
  632. #. It ensures that the non-secure CPU context is used to program the next
  633. exception return from EL3 by calling ``cm_set_next_eret_context(NON_SECURE)``.
  634. #. ``tspd_smc_handler()`` returns a reference to the non-secure ``cpu_context``
  635. as the return value.
  636. Test secure payload dispatcher non-secure interrupt handling
  637. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  638. The TSP in Secure-EL1 can be preempted by a non-secure interrupt during
  639. ``yielding`` SMC processing or by a higher priority EL3 interrupt during
  640. Secure-EL1 interrupt processing. When ``EL3_EXCEPTION_HANDLING`` is ``0``, only
  641. non-secure interrupts can cause preemption of TSP since there are no EL3
  642. interrupts in the system. With ``EL3_EXCEPTION_HANDLING=1`` however, any EL3
  643. interrupt may preempt Secure execution.
  644. It should be noted that while TSP is preempted, the TSPD only allows entry into
  645. the TSP either for Secure-EL1 interrupt handling or for resuming the preempted
  646. ``yielding`` SMC in response to the ``TSP_FID_RESUME`` SMC from the normal world.
  647. (See Section `Implication of preempted SMC on Non-Secure Software`_).
  648. The non-secure interrupt triggered in Secure-EL1 during ``yielding`` SMC
  649. processing can be routed to either EL3 or Secure-EL1 and is controlled by build
  650. option ``TSP_NS_INTR_ASYNC_PREEMPT`` (see Section `Test secure payload
  651. dispatcher behavior`_). If the build option is set, the TSPD will set the
  652. routing model for the non-secure interrupt to be routed to EL3 from secure state
  653. i.e. **TEL3=1, CSS=0** and registers ``tspd_ns_interrupt_handler()`` as the
  654. non-secure interrupt handler. The ``tspd_ns_interrupt_handler()`` on being
  655. invoked ensures that the interrupt originated from the secure state and disables
  656. routing of non-secure interrupts from secure state to EL3. This is to prevent
  657. further preemption (by a non-secure interrupt) when TSP is reentered for
  658. handling Secure-EL1 interrupts that triggered while execution was in the normal
  659. world. The ``tspd_ns_interrupt_handler()`` then invokes
  660. ``tspd_handle_sp_preemption()`` for further handling.
  661. If the ``TSP_NS_INTR_ASYNC_PREEMPT`` build option is zero (default), the default
  662. routing model for non-secure interrupt in secure state is in effect
  663. i.e. **TEL3=0, CSS=0**. During ``yielding`` SMC processing, the IRQ
  664. exceptions are unmasked i.e. ``PSTATE.I=0``, and a non-secure interrupt will
  665. trigger at Secure-EL1 IRQ exception vector. The TSP saves the general purpose
  666. register context and issues an SMC with ``TSP_PREEMPTED`` as the function
  667. identifier to signal preemption of TSP. The TSPD SMC handler,
  668. ``tspd_smc_handler()``, ensures that the SMC call originated from the
  669. secure state otherwise execution returns to the non-secure state with
  670. ``SMC_UNK`` in ``x0``. It then invokes ``tspd_handle_sp_preemption()`` for
  671. further handling.
  672. The ``tspd_handle_sp_preemption()`` takes the following actions upon being
  673. invoked:
  674. #. It saves the system register context for the secure state by calling
  675. ``cm_el1_sysregs_context_save(SECURE)``.
  676. #. It restores the system register context for the non-secure state by
  677. calling ``cm_el1_sysregs_context_restore(NON_SECURE)``.
  678. #. It ensures that the non-secure CPU context is used to program the next
  679. exception return from EL3 by calling ``cm_set_next_eret_context(NON_SECURE)``.
  680. #. ``SMC_PREEMPTED`` is set in x0 and return to non secure state after
  681. restoring non secure context.
  682. The Normal World is expected to resume the TSP after the ``yielding`` SMC
  683. preemption by issuing an SMC with ``TSP_FID_RESUME`` as the function identifier
  684. (see section `Implication of preempted SMC on Non-Secure Software`_). The TSPD
  685. service takes the following actions in ``tspd_smc_handler()`` function upon
  686. receiving this SMC:
  687. #. It ensures that the call originated from the non secure state. An
  688. assertion is raised otherwise.
  689. #. Checks whether the TSP needs a resume i.e check if it was preempted. It
  690. then saves the system register context for the non-secure state by calling
  691. ``cm_el1_sysregs_context_save(NON_SECURE)``.
  692. #. Restores the secure context by calling
  693. ``cm_el1_sysregs_context_restore(SECURE)``
  694. #. It ensures that the secure CPU context is used to program the next
  695. exception return from EL3 by calling ``cm_set_next_eret_context(SECURE)``.
  696. #. ``tspd_smc_handler()`` returns a reference to the secure ``cpu_context`` as the
  697. return value.
  698. The figure below describes how the TSP/TSPD handle a non-secure interrupt when
  699. it is generated during execution in the TSP with ``PSTATE.I`` = 0 when the
  700. ``TSP_NS_INTR_ASYNC_PREEMPT`` build flag is 0.
  701. |Image 2|
  702. .. _sp-synchronous-int:
  703. Secure payload interrupt handling
  704. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  705. The SP should implement one or both of the synchronous and asynchronous
  706. interrupt handling models depending upon the interrupt routing model it has
  707. chosen (as described in section :ref:`Secure Payload <sp-int-registration>`).
  708. In the synchronous model, it should begin handling a Secure-EL1 interrupt after
  709. receiving control from the SPD service at an entrypoint agreed upon during build
  710. time or during the registration phase. Before handling the interrupt, the SP
  711. should save any Secure-EL1 system register context which is needed for resuming
  712. normal execution in the SP later e.g. ``SPSR_EL1``, ``ELR_EL1``. After handling
  713. the interrupt, the SP could return control back to the exception level and
  714. security state where the interrupt was originally taken from. The SP should use
  715. an SMC32 or SMC64 to ask the SPD service to do this.
  716. In the asynchronous model, the Secure Payload is responsible for handling
  717. non-secure and Secure-EL1 interrupts at the IRQ and FIQ vectors in its exception
  718. vector table when ``PSTATE.I`` and ``PSTATE.F`` bits are 0. As described earlier,
  719. when a non-secure interrupt is generated, the SP should coordinate with the SPD
  720. service to pass control back to the non-secure state in the last known exception
  721. level. This will allow the non-secure interrupt to be handled in the non-secure
  722. state.
  723. Test secure payload behavior
  724. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  725. The TSPD hands control of a Secure-EL1 interrupt to the TSP at the
  726. ``tsp_sel1_intr_entry()``. The TSP handles the interrupt while ensuring that the
  727. handover agreement described in Section `Test secure payload dispatcher
  728. behavior`_ is maintained. It updates some statistics by calling
  729. ``tsp_update_sync_sel1_intr_stats()``. It then calls
  730. ``tsp_common_int_handler()`` which.
  731. #. Checks whether the interrupt is the secure physical timer interrupt. It
  732. uses the platform API ``plat_ic_get_pending_interrupt_id()`` to get the
  733. interrupt number. If it is not the secure physical timer interrupt, then
  734. that means that a higher priority interrupt has preempted it. Invoke
  735. ``tsp_handle_preemption()`` to handover control back to EL3 by issuing
  736. an SMC with ``TSP_PREEMPTED`` as the function identifier.
  737. #. Handles the secure timer interrupt interrupt by acknowledging it using the
  738. ``plat_ic_acknowledge_interrupt()`` platform API, calling
  739. ``tsp_generic_timer_handler()`` to reprogram the secure physical generic
  740. timer and calling the ``plat_ic_end_of_interrupt()`` platform API to signal
  741. end of interrupt processing.
  742. The TSP passes control back to the TSPD by issuing an SMC64 with
  743. ``TSP_HANDLED_S_EL1_INTR`` as the function identifier.
  744. The TSP handles interrupts under the asynchronous model as follows.
  745. #. Secure-EL1 interrupts are handled by calling the ``tsp_common_int_handler()``
  746. function. The function has been described above.
  747. #. Non-secure interrupts are handled by calling the ``tsp_common_int_handler()``
  748. function which ends up invoking ``tsp_handle_preemption()`` and issuing an
  749. SMC64 with ``TSP_PREEMPTED`` as the function identifier. Execution resumes at
  750. the instruction that follows this SMC instruction when the TSPD hands control
  751. to the TSP in response to an SMC with ``TSP_FID_RESUME`` as the function
  752. identifier from the non-secure state (see section `Test secure payload
  753. dispatcher non-secure interrupt handling`_).
  754. Other considerations
  755. --------------------
  756. Implication of preempted SMC on Non-Secure Software
  757. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  758. A ``yielding`` SMC call to Secure payload can be preempted by a non-secure
  759. interrupt and the execution can return to the non-secure world for handling
  760. the interrupt (For details on ``yielding`` SMC refer `SMC calling convention`_).
  761. In this case, the SMC call has not completed its execution and the execution
  762. must return back to the secure payload to resume the preempted SMC call.
  763. This can be achieved by issuing an SMC call which instructs to resume the
  764. preempted SMC.
  765. A ``fast`` SMC cannot be preempted and hence this case will not happen for
  766. a fast SMC call.
  767. In the Test Secure Payload implementation, ``TSP_FID_RESUME`` is designated
  768. as the resume SMC FID. It is important to note that ``TSP_FID_RESUME`` is a
  769. ``yielding`` SMC which means it too can be be preempted. The typical non
  770. secure software sequence for issuing a ``yielding`` SMC would look like this,
  771. assuming ``P.STATE.I=0`` in the non secure state :
  772. .. code:: c
  773. int rc;
  774. rc = smc(TSP_YIELD_SMC_FID, ...); /* Issue a Yielding SMC call */
  775. /* The pending non-secure interrupt is handled by the interrupt handler
  776. and returns back here. */
  777. while (rc == SMC_PREEMPTED) { /* Check if the SMC call is preempted */
  778. rc = smc(TSP_FID_RESUME); /* Issue resume SMC call */
  779. }
  780. The ``TSP_YIELD_SMC_FID`` is any ``yielding`` SMC function identifier and the smc()
  781. function invokes a SMC call with the required arguments. The pending non-secure
  782. interrupt causes an IRQ exception and the IRQ handler registered at the
  783. exception vector handles the non-secure interrupt and returns. The return value
  784. from the SMC call is tested for ``SMC_PREEMPTED`` to check whether it is
  785. preempted. If it is, then the resume SMC call ``TSP_FID_RESUME`` is issued. The
  786. return value of the SMC call is tested again to check if it is preempted.
  787. This is done in a loop till the SMC call succeeds or fails. If a ``yielding``
  788. SMC is preempted, until it is resumed using ``TSP_FID_RESUME`` SMC and
  789. completed, the current TSPD prevents any other SMC call from re-entering
  790. TSP by returning ``SMC_UNK`` error.
  791. --------------
  792. *Copyright (c) 2014-2020, Arm Limited and Contributors. All rights reserved.*
  793. .. _SMC calling convention: https://developer.arm.com/docs/den0028/latest
  794. .. |Image 1| image:: ../resources/diagrams/sec-int-handling.png
  795. .. |Image 2| image:: ../resources/diagrams/non-sec-int-handling.png