diff options
Diffstat (limited to '')
| -rw-r--r-- | services/spd/pncd/pncd_main.c | 471 |
1 files changed, 471 insertions, 0 deletions
diff --git a/services/spd/pncd/pncd_main.c b/services/spd/pncd/pncd_main.c new file mode 100644 index 0000000..99c4aa1 --- /dev/null +++ b/services/spd/pncd/pncd_main.c @@ -0,0 +1,471 @@ +/* + * Copyright (c) 2021-2022, ProvenRun S.A.S. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/******************************************************************************* + * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a + * plug-in component to the Secure Monitor, registered as a runtime service. The + * SPD is expected to be a functional extension of the Secure Payload (SP) that + * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting + * the Trusted OS/Applications range to the dispatcher. The SPD will either + * handle the request locally or delegate it to the Secure Payload. It is also + * responsible for initialising and maintaining communication with the SP. + ******************************************************************************/ + +#include <assert.h> +#include <errno.h> +#include <stddef.h> +#include <string.h> + +#include <arch_helpers.h> +#include <bl31/bl31.h> +#include <bl31/interrupt_mgmt.h> +#include <bl_common.h> +#include <common/debug.h> +#include <common/ep_info.h> +#include <drivers/arm/gic_common.h> +#include <lib/el3_runtime/context_mgmt.h> +#include <lib/spinlock.h> +#include <plat/common/platform.h> +#include <pnc.h> +#include "pncd_private.h" +#include <runtime_svc.h> +#include <tools_share/uuid.h> + +/******************************************************************************* + * Structure to keep track of ProvenCore state + ******************************************************************************/ +static pnc_context_t pncd_sp_context; + +static bool ree_info; +static uint64_t ree_base_addr; +static uint64_t ree_length; +static uint64_t ree_tag; + +static bool pnc_initialized; + +static spinlock_t smc_handler_lock; + +static int pncd_init(void); + +static void context_save(unsigned long security_state) +{ + assert(sec_state_is_valid(security_state)); + + cm_el1_sysregs_context_save((uint32_t) security_state); +#if CTX_INCLUDE_FPREGS + fpregs_context_save(get_fpregs_ctx(cm_get_context(security_state))); +#endif +} + +static void *context_restore(unsigned long security_state) +{ + void *handle; + + assert(sec_state_is_valid(security_state)); + + /* Get a reference to the next context */ + handle = cm_get_context((uint32_t) security_state); + assert(handle); + + /* Restore state */ + cm_el1_sysregs_context_restore((uint32_t) security_state); +#if CTX_INCLUDE_FPREGS + fpregs_context_restore(get_fpregs_ctx(cm_get_context(security_state))); +#endif + + cm_set_next_eret_context((uint32_t) security_state); + + return handle; +} + +static uint64_t pncd_sel1_interrupt_handler(uint32_t id, + uint32_t flags, void *handle, void *cookie); + +/******************************************************************************* + * Switch context to the specified security state and return the targeted + * handle. Note that the context may remain unchanged if the switch is not + * allowed. + ******************************************************************************/ +void *pncd_context_switch_to(unsigned long security_state) +{ + unsigned long sec_state_from = + security_state == SECURE ? NON_SECURE : SECURE; + + assert(sec_state_is_valid(security_state)); + + /* Check if this is the first world switch */ + if (!pnc_initialized) { + int rc; + uint32_t flags; + + assert(sec_state_from == SECURE); + + INFO("PnC initialization done\n"); + + /* + * Register an interrupt handler for S-EL1 interrupts + * when generated during code executing in the + * non-secure state. + */ + flags = 0U; + set_interrupt_rm_flag(flags, NON_SECURE); + rc = register_interrupt_type_handler(INTR_TYPE_S_EL1, + pncd_sel1_interrupt_handler, + flags); + if (rc != 0) { + ERROR("Failed to register S-EL1 interrupt handler (%d)\n", + rc); + panic(); + } + + context_save(SECURE); + + pnc_initialized = true; + + /* + * Release the lock before restoring the EL3 context to + * bl31_main. + */ + spin_unlock(&smc_handler_lock); + + /* + * SP reports completion. The SPD must have initiated + * the original request through a synchronous entry + * into the SP. Jump back to the original C runtime + * context. + */ + pncd_synchronous_sp_exit(&pncd_sp_context, (uint64_t) 0x0); + + /* Unreachable */ + ERROR("Returned from pncd_synchronous_sp_exit... Should not happen\n"); + panic(); + } + + /* Check that the world switch is allowed */ + if (read_mpidr() != pncd_sp_context.mpidr) { + if (sec_state_from == SECURE) { + /* + * Secure -> Non-Secure world switch initiated on a CPU where there + * should be no Trusted OS running + */ + WARN("Secure to Non-Secure switch requested on CPU where ProvenCore is not supposed to be running...\n"); + } + + /* + * Secure or Non-Secure world wants to switch world but there is no Secure + * software on this core + */ + return cm_get_context((uint32_t) sec_state_from); + } + + context_save(sec_state_from); + + return context_restore(security_state); +} + +/******************************************************************************* + * This function is the handler registered for S-EL1 interrupts by the PNCD. It + * validates the interrupt and upon success arranges entry into the PNC at + * 'pnc_sel1_intr_entry()' for handling the interrupt. + ******************************************************************************/ +static uint64_t pncd_sel1_interrupt_handler(uint32_t id, + uint32_t flags, + void *handle, + void *cookie) +{ + /* Check the security state when the exception was generated */ + assert(get_interrupt_src_ss(flags) == NON_SECURE); + + /* Sanity check the pointer to this cpu's context */ + assert(handle == cm_get_context(NON_SECURE)); + + /* switch to PnC */ + handle = pncd_context_switch_to(SECURE); + + assert(handle != NULL); + + SMC_RET0(handle); +} + +#pragma weak plat_pncd_setup +int plat_pncd_setup(void) +{ + return 0; +} + +/******************************************************************************* + * Secure Payload Dispatcher setup. The SPD finds out the SP entrypoint and type + * (aarch32/aarch64) if not already known and initialises the context for entry + * into the SP for its initialisation. + ******************************************************************************/ +static int pncd_setup(void) +{ + entry_point_info_t *pnc_ep_info; + + /* + * Get information about the Secure Payload (BL32) image. Its + * absence is a critical failure. + * + * TODO: Add support to conditionally include the SPD service + */ + pnc_ep_info = bl31_plat_get_next_image_ep_info(SECURE); + if (!pnc_ep_info) { + WARN("No PNC provided by BL2 boot loader, Booting device without PNC initialization. SMC`s destined for PNC will return SMC_UNK\n"); + return 1; + } + + /* + * If there's no valid entry point for SP, we return a non-zero value + * signalling failure initializing the service. We bail out without + * registering any handlers + */ + if (!pnc_ep_info->pc) { + return 1; + } + + pncd_init_pnc_ep_state(pnc_ep_info, + pnc_ep_info->pc, + &pncd_sp_context); + + /* + * All PNCD initialization done. Now register our init function with + * BL31 for deferred invocation + */ + bl31_register_bl32_init(&pncd_init); + bl31_set_next_image_type(NON_SECURE); + + return plat_pncd_setup(); +} + +/******************************************************************************* + * This function passes control to the Secure Payload image (BL32) for the first + * time on the primary cpu after a cold boot. It assumes that a valid secure + * context has already been created by pncd_setup() which can be directly used. + * It also assumes that a valid non-secure context has been initialised by PSCI + * so it does not need to save and restore any non-secure state. This function + * performs a synchronous entry into the Secure payload. The SP passes control + * back to this routine through a SMC. + ******************************************************************************/ +static int32_t pncd_init(void) +{ + entry_point_info_t *pnc_entry_point; + uint64_t rc = 0; + + /* + * Get information about the Secure Payload (BL32) image. Its + * absence is a critical failure. + */ + pnc_entry_point = bl31_plat_get_next_image_ep_info(SECURE); + assert(pnc_entry_point); + + cm_init_my_context(pnc_entry_point); + + /* + * Arrange for an entry into the test secure payload. It will be + * returned via PNC_ENTRY_DONE case + */ + rc = pncd_synchronous_sp_entry(&pncd_sp_context); + + /* + * If everything went well at this point, the return value should be 0. + */ + return rc == 0; +} + +#pragma weak plat_pncd_smc_handler +/******************************************************************************* + * This function is responsible for handling the platform-specific SMCs in the + * Trusted OS/App range as defined in the SMC Calling Convention Document. + ******************************************************************************/ +uintptr_t plat_pncd_smc_handler(uint32_t smc_fid, + u_register_t x1, + u_register_t x2, + u_register_t x3, + u_register_t x4, + void *cookie, + void *handle, + u_register_t flags) +{ + (void) smc_fid; + (void) x1; + (void) x2; + (void) x3; + (void) x4; + (void) cookie; + (void) flags; + + SMC_RET1(handle, SMC_UNK); +} + +/******************************************************************************* + * This function is responsible for handling all SMCs in the Trusted OS/App + * range as defined in the SMC Calling Convention Document. It is also + * responsible for communicating with the Secure payload to delegate work and + * return results back to the non-secure state. Lastly it will also return any + * information that the secure payload needs to do the work assigned to it. + * + * It should only be called with the smc_handler_lock held. + ******************************************************************************/ +static uintptr_t pncd_smc_handler_unsafe(uint32_t smc_fid, + u_register_t x1, + u_register_t x2, + u_register_t x3, + u_register_t x4, + void *cookie, + void *handle, + u_register_t flags) +{ + uint32_t ns; + + /* Determine which security state this SMC originated from */ + ns = is_caller_non_secure(flags); + + assert(ns != 0 || read_mpidr() == pncd_sp_context.mpidr); + + switch (smc_fid) { + case SMC_CONFIG_SHAREDMEM: + if (ree_info) { + /* Do not Yield */ + SMC_RET0(handle); + } + + /* + * Fetch the physical base address (x1) and size (x2) of the + * shared memory allocated by the Non-Secure world. This memory + * will be used by PNC to communicate with the Non-Secure world. + * Verifying the validity of these values is up to the Trusted + * OS. + */ + ree_base_addr = x1 | (x2 << 32); + ree_length = x3; + ree_tag = x4; + + INFO("IN SMC_CONFIG_SHAREDMEM: addr=%lx, length=%lx, tag=%lx\n", + (unsigned long) ree_base_addr, + (unsigned long) ree_length, + (unsigned long) ree_tag); + + if ((ree_base_addr % 0x200000) != 0) { + SMC_RET1(handle, SMC_UNK); + } + + if ((ree_length % 0x200000) != 0) { + SMC_RET1(handle, SMC_UNK); + } + + ree_info = true; + + /* Do not Yield */ + SMC_RET4(handle, 0, 0, 0, 0); + + break; + + case SMC_GET_SHAREDMEM: + if (ree_info) { + x1 = (1U << 16) | ree_tag; + x2 = ree_base_addr & 0xFFFFFFFF; + x3 = (ree_base_addr >> 32) & 0xFFFFFFFF; + x4 = ree_length & 0xFFFFFFFF; + SMC_RET4(handle, x1, x2, x3, x4); + } else { + SMC_RET4(handle, 0, 0, 0, 0); + } + + break; + + case SMC_ACTION_FROM_NS: + if (ns == 0) { + SMC_RET1(handle, SMC_UNK); + } + + if (SPD_PNCD_S_IRQ < MIN_PPI_ID) { + plat_ic_raise_s_el1_sgi(SPD_PNCD_S_IRQ, + pncd_sp_context.mpidr); + } else { + plat_ic_set_interrupt_pending(SPD_PNCD_S_IRQ); + } + + SMC_RET0(handle); + + break; + + case SMC_ACTION_FROM_S: + if (ns != 0) { + SMC_RET1(handle, SMC_UNK); + } + + if (SPD_PNCD_NS_IRQ < MIN_PPI_ID) { + /* + * NS SGI is sent to the same core as the one running + * PNC + */ + plat_ic_raise_ns_sgi(SPD_PNCD_NS_IRQ, read_mpidr()); + } else { + plat_ic_set_interrupt_pending(SPD_PNCD_NS_IRQ); + } + + SMC_RET0(handle); + + break; + + case SMC_YIELD: + assert(handle == cm_get_context(ns != 0 ? NON_SECURE : SECURE)); + handle = pncd_context_switch_to(ns != 0 ? SECURE : NON_SECURE); + + assert(handle != NULL); + + SMC_RET0(handle); + + break; + + default: + INFO("Unknown smc: %x\n", smc_fid); + break; + } + + return plat_pncd_smc_handler(smc_fid, x1, x2, x3, x4, + cookie, handle, flags); +} + +static uintptr_t pncd_smc_handler(uint32_t smc_fid, + u_register_t x1, + u_register_t x2, + u_register_t x3, + u_register_t x4, + void *cookie, + void *handle, + u_register_t flags) +{ + uintptr_t ret; + + /* SMC handling is serialized */ + spin_lock(&smc_handler_lock); + ret = pncd_smc_handler_unsafe(smc_fid, x1, x2, x3, x4, cookie, handle, + flags); + spin_unlock(&smc_handler_lock); + + return ret; +} + +/* Define a SPD runtime service descriptor for fast SMC calls */ +DECLARE_RT_SVC( + pncd_fast, + OEN_TOS_START, + OEN_TOS_END, + SMC_TYPE_FAST, + pncd_setup, + pncd_smc_handler +); + +/* Define a SPD runtime service descriptor for standard SMC calls */ +DECLARE_RT_SVC( + pncd_std, + OEN_TOS_START, + OEN_TOS_END, + SMC_TYPE_YIELD, + NULL, + pncd_smc_handler +); |