OWEALs
/
arm-trusted-firmware
mirror de https://github.com/ARM-software/arm-trusted-firmware


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473
							/*
 * Copyright (c) 2021-2022, ProvenRun S.A.S. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/*******************************************************************************
 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a
 * plug-in component to the Secure Monitor, registered as a runtime service. The
 * SPD is expected to be a functional extension of the Secure Payload (SP) that
 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting
 * the Trusted OS/Applications range to the dispatcher. The SPD will either
 * handle the request locally or delegate it to the Secure Payload. It is also
 * responsible for initialising and maintaining communication with the SP.
 ******************************************************************************/

#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <string.h>

#include <arch_helpers.h>
#include <bl31/bl31.h>
#include <bl31/interrupt_mgmt.h>
#include <bl_common.h>
#include <common/debug.h>
#include <common/ep_info.h>
#include <drivers/arm/gic_common.h>
#include <lib/el3_runtime/context_mgmt.h>
#include <lib/spinlock.h>
#include <plat/common/platform.h>
#include <pnc.h>
#include "pncd_private.h"
#include <runtime_svc.h>
#include <tools_share/uuid.h>

/*******************************************************************************
 * Structure to keep track of ProvenCore state
 ******************************************************************************/
static pnc_context_t pncd_sp_context;

static bool ree_info;
static uint64_t ree_base_addr;
static uint64_t ree_length;
static uint64_t ree_tag;

static bool pnc_initialized;

static spinlock_t smc_handler_lock;

static int pncd_init(void);

static void context_save(unsigned long security_state)
{
	assert(sec_state_is_valid(security_state));

	cm_el1_sysregs_context_save((uint32_t) security_state);

#if CTX_INCLUDE_FPREGS
	simd_ctx_save((uint32_t)security_state, false);
#endif
}

static void *context_restore(unsigned long security_state)
{
	void *handle;

	assert(sec_state_is_valid(security_state));

	/* Get a reference to the next context */
	handle = cm_get_context((uint32_t) security_state);
	assert(handle);

	/* Restore state */
	cm_el1_sysregs_context_restore((uint32_t) security_state);

#if CTX_INCLUDE_FPREGS
	simd_ctx_restore((uint32_t)security_state);
#endif

	cm_set_next_eret_context((uint32_t) security_state);

	return handle;
}

static uint64_t pncd_sel1_interrupt_handler(uint32_t id,
		uint32_t flags, void *handle, void *cookie);

/*******************************************************************************
 * Switch context to the specified security state and return the targeted
 * handle. Note that the context may remain unchanged if the switch is not
 * allowed.
 ******************************************************************************/
void *pncd_context_switch_to(unsigned long security_state)
{
	unsigned long sec_state_from =
	    security_state == SECURE ? NON_SECURE : SECURE;

	assert(sec_state_is_valid(security_state));

	/* Check if this is the first world switch */
	if (!pnc_initialized) {
		int rc;
		uint32_t flags;

		assert(sec_state_from == SECURE);

		INFO("PnC initialization done\n");

		/*
		 * Register an interrupt handler for S-EL1 interrupts
		 * when generated during code executing in the
		 * non-secure state.
		 */
		flags = 0U;
		set_interrupt_rm_flag(flags, NON_SECURE);
		rc = register_interrupt_type_handler(INTR_TYPE_S_EL1,
				pncd_sel1_interrupt_handler,
				flags);
		if (rc != 0) {
			ERROR("Failed to register S-EL1 interrupt handler (%d)\n",
			      rc);
			panic();
		}

		context_save(SECURE);

		pnc_initialized = true;

		/*
		 * Release the lock before restoring the EL3 context to
		 * bl31_main.
		 */
		spin_unlock(&smc_handler_lock);

		/*
		 * SP reports completion. The SPD must have initiated
		 * the original request through a synchronous entry
		 * into the SP. Jump back to the original C runtime
		 * context.
		 */
		pncd_synchronous_sp_exit(&pncd_sp_context, (uint64_t) 0x0);

		/* Unreachable */
		ERROR("Returned from pncd_synchronous_sp_exit... Should not happen\n");
		panic();
	}

	/* Check that the world switch is allowed */
	if (read_mpidr() != pncd_sp_context.mpidr) {
		if (sec_state_from == SECURE) {
			/*
			 * Secure -> Non-Secure world switch initiated on a CPU where there
			 * should be no Trusted OS running
			 */
			WARN("Secure to Non-Secure switch requested on CPU where ProvenCore is not supposed to be running...\n");
		}

		/*
		 * Secure or Non-Secure world wants to switch world but there is no Secure
		 * software on this core
		 */
		return cm_get_context((uint32_t) sec_state_from);
	}

	context_save(sec_state_from);

	return context_restore(security_state);
}

/*******************************************************************************
 * This function is the handler registered for S-EL1 interrupts by the PNCD. It
 * validates the interrupt and upon success arranges entry into the PNC at
 * 'pnc_sel1_intr_entry()' for handling the interrupt.
 ******************************************************************************/
static uint64_t pncd_sel1_interrupt_handler(uint32_t id,
		uint32_t flags,
		void *handle,
		void *cookie)
{
	/* Check the security state when the exception was generated */
	assert(get_interrupt_src_ss(flags) == NON_SECURE);

	/* Sanity check the pointer to this cpu's context */
	assert(handle == cm_get_context(NON_SECURE));

	/* switch to PnC */
	handle = pncd_context_switch_to(SECURE);

	assert(handle != NULL);

	SMC_RET0(handle);
}

#pragma weak plat_pncd_setup
int plat_pncd_setup(void)
{
	return 0;
}

/*******************************************************************************
 * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type
 * (aarch32/aarch64) if not already known and initialises the context for entry
 * into the SP for its initialisation.
 ******************************************************************************/
static int pncd_setup(void)
{
	entry_point_info_t *pnc_ep_info;

	/*
	 * Get information about the Secure Payload (BL32) image. Its
	 * absence is a critical failure.
	 *
	 * TODO: Add support to conditionally include the SPD service
	 */
	pnc_ep_info = bl31_plat_get_next_image_ep_info(SECURE);
	if (!pnc_ep_info) {
		WARN("No PNC provided by BL2 boot loader, Booting device without PNC initialization. SMC`s destined for PNC will return SMC_UNK\n");
		return 1;
	}

	/*
	 * If there's no valid entry point for SP, we return a non-zero value
	 * signalling failure initializing the service. We bail out without
	 * registering any handlers
	 */
	if (!pnc_ep_info->pc) {
		return 1;
	}

	pncd_init_pnc_ep_state(pnc_ep_info,
			pnc_ep_info->pc,
			&pncd_sp_context);

	/*
	 * All PNCD initialization done. Now register our init function with
	 * BL31 for deferred invocation
	 */
	bl31_register_bl32_init(&pncd_init);
	bl31_set_next_image_type(NON_SECURE);

	return plat_pncd_setup();
}

/*******************************************************************************
 * This function passes control to the Secure Payload image (BL32) for the first
 * time on the primary cpu after a cold boot. It assumes that a valid secure
 * context has already been created by pncd_setup() which can be directly used.
 * It also assumes that a valid non-secure context has been initialised by PSCI
 * so it does not need to save and restore any non-secure state. This function
 * performs a synchronous entry into the Secure payload. The SP passes control
 * back to this routine through a SMC.
 ******************************************************************************/
static int32_t pncd_init(void)
{
	entry_point_info_t *pnc_entry_point;
	uint64_t rc = 0;

	/*
	 * Get information about the Secure Payload (BL32) image. Its
	 * absence is a critical failure.
	 */
	pnc_entry_point = bl31_plat_get_next_image_ep_info(SECURE);
	assert(pnc_entry_point);

	cm_init_my_context(pnc_entry_point);

	/*
	 * Arrange for an entry into the test secure payload. It will be
	 * returned via PNC_ENTRY_DONE case
	 */
	rc = pncd_synchronous_sp_entry(&pncd_sp_context);

	/*
	 * If everything went well at this point, the return value should be 0.
	 */
	return rc == 0;
}

#pragma weak plat_pncd_smc_handler
/*******************************************************************************
 * This function is responsible for handling the platform-specific SMCs in the
 * Trusted OS/App range as defined in the SMC Calling Convention Document.
 ******************************************************************************/
uintptr_t plat_pncd_smc_handler(uint32_t smc_fid,
		u_register_t x1,
		u_register_t x2,
		u_register_t x3,
		u_register_t x4,
		void *cookie,
		void *handle,
		u_register_t flags)
{
	(void) smc_fid;
	(void) x1;
	(void) x2;
	(void) x3;
	(void) x4;
	(void) cookie;
	(void) flags;

	SMC_RET1(handle, SMC_UNK);
}

/*******************************************************************************
 * This function is responsible for handling all SMCs in the Trusted OS/App
 * range as defined in the SMC Calling Convention Document. It is also
 * responsible for communicating with the Secure payload to delegate work and
 * return results back to the non-secure state. Lastly it will also return any
 * information that the secure payload needs to do the work assigned to it.
 *
 * It should only be called with the smc_handler_lock held.
 ******************************************************************************/
static uintptr_t pncd_smc_handler_unsafe(uint32_t smc_fid,
		u_register_t x1,
		u_register_t x2,
		u_register_t x3,
		u_register_t x4,
		void *cookie,
		void *handle,
		u_register_t flags)
{
	uint32_t ns;

	/* Determine which security state this SMC originated from */
	ns = is_caller_non_secure(flags);

	assert(ns != 0 || read_mpidr() == pncd_sp_context.mpidr);

	switch (smc_fid) {
	case SMC_CONFIG_SHAREDMEM:
		if (ree_info) {
			/* Do not Yield */
			SMC_RET0(handle);
		}

		/*
		 * Fetch the physical base address (x1) and size (x2) of the
		 * shared memory allocated by the Non-Secure world. This memory
		 * will be used by PNC to communicate with the Non-Secure world.
		 * Verifying the validity of these values is up to the Trusted
		 * OS.
		 */
		ree_base_addr = x1 | (x2 << 32);
		ree_length = x3;
		ree_tag = x4;

		INFO("IN SMC_CONFIG_SHAREDMEM: addr=%lx, length=%lx, tag=%lx\n",
		     (unsigned long) ree_base_addr,
		     (unsigned long) ree_length,
		     (unsigned long) ree_tag);

		if ((ree_base_addr % 0x200000) != 0) {
			SMC_RET1(handle, SMC_UNK);
		}

		if ((ree_length % 0x200000) != 0) {
			SMC_RET1(handle, SMC_UNK);
		}

		ree_info = true;

		/* Do not Yield */
		SMC_RET4(handle, 0, 0, 0, 0);

		break;

	case SMC_GET_SHAREDMEM:
		if (ree_info) {
			x1 = (1U << 16) | ree_tag;
			x2 = ree_base_addr & 0xFFFFFFFF;
			x3 = (ree_base_addr >> 32) & 0xFFFFFFFF;
			x4 = ree_length & 0xFFFFFFFF;
			SMC_RET4(handle, x1, x2, x3, x4);
		} else {
			SMC_RET4(handle, 0, 0, 0, 0);
		}

		break;

	case SMC_ACTION_FROM_NS:
		if (ns == 0) {
			SMC_RET1(handle, SMC_UNK);
		}

		if (SPD_PNCD_S_IRQ < MIN_PPI_ID) {
			plat_ic_raise_s_el1_sgi(SPD_PNCD_S_IRQ,
						pncd_sp_context.mpidr);
		} else {
			plat_ic_set_interrupt_pending(SPD_PNCD_S_IRQ);
		}

		SMC_RET0(handle);

		break;

	case SMC_ACTION_FROM_S:
		if (ns != 0) {
			SMC_RET1(handle, SMC_UNK);
		}

		if (SPD_PNCD_NS_IRQ < MIN_PPI_ID) {
			/*
			 * NS SGI is sent to the same core as the one running
			 * PNC
			 */
			plat_ic_raise_ns_sgi(SPD_PNCD_NS_IRQ, read_mpidr());
		} else {
			plat_ic_set_interrupt_pending(SPD_PNCD_NS_IRQ);
		}

		SMC_RET0(handle);

		break;

	case SMC_YIELD:
		assert(handle == cm_get_context(ns != 0 ? NON_SECURE : SECURE));
		handle = pncd_context_switch_to(ns != 0 ? SECURE : NON_SECURE);

		assert(handle != NULL);

		SMC_RET0(handle);

		break;

	default:
		INFO("Unknown smc: %x\n", smc_fid);
		break;
	}

	return plat_pncd_smc_handler(smc_fid, x1, x2, x3, x4,
				     cookie, handle, flags);
}

static uintptr_t pncd_smc_handler(uint32_t smc_fid,
		u_register_t x1,
		u_register_t x2,
		u_register_t x3,
		u_register_t x4,
		void *cookie,
		void *handle,
		u_register_t flags)
{
	uintptr_t ret;

	/* SMC handling is serialized */
	spin_lock(&smc_handler_lock);
	ret = pncd_smc_handler_unsafe(smc_fid, x1, x2, x3, x4, cookie, handle,
								  flags);
	spin_unlock(&smc_handler_lock);

	return ret;
}

/* Define a SPD runtime service descriptor for fast SMC calls */
DECLARE_RT_SVC(
	pncd_fast,
	OEN_TOS_START,
	OEN_TOS_END,
	SMC_TYPE_FAST,
	pncd_setup,
	pncd_smc_handler
);

/* Define a SPD runtime service descriptor for standard SMC calls */
DECLARE_RT_SVC(
	pncd_std,
	OEN_TOS_START,
	OEN_TOS_END,
	SMC_TYPE_YIELD,
	NULL,
	pncd_smc_handler
);