Home | History | Annotate | Download | only in common
      1 /*
      2  * Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved.
      3  *
      4  * SPDX-License-Identifier: BSD-3-Clause
      5  */
      6 
      7 #include <arch.h>
      8 #include <arch_helpers.h>
      9 #include <assert.h>
     10 #include <auth_mod.h>
     11 #include <bl_common.h>
     12 #include <debug.h>
     13 #include <errno.h>
     14 #include <io_storage.h>
     15 #include <platform.h>
     16 #include <string.h>
     17 #include <utils.h>
     18 #include <xlat_tables_defs.h>
     19 
     20 uintptr_t page_align(uintptr_t value, unsigned dir)
     21 {
     22 	/* Round up the limit to the next page boundary */
     23 	if (value & (PAGE_SIZE - 1)) {
     24 		value &= ~(PAGE_SIZE - 1);
     25 		if (dir == UP)
     26 			value += PAGE_SIZE;
     27 	}
     28 
     29 	return value;
     30 }
     31 
     32 /******************************************************************************
     33  * Determine whether the memory region delimited by 'addr' and 'size' is free,
     34  * given the extents of free memory.
     35  * Return 1 if it is free, 0 if it is not free or if the input values are
     36  * invalid.
     37  *****************************************************************************/
     38 int is_mem_free(uintptr_t free_base, size_t free_size,
     39 		uintptr_t addr, size_t size)
     40 {
     41 	uintptr_t free_end, requested_end;
     42 
     43 	/*
     44 	 * Handle corner cases first.
     45 	 *
     46 	 * The order of the 2 tests is important, because if there's no space
     47 	 * left (i.e. free_size == 0) but we don't ask for any memory
     48 	 * (i.e. size == 0) then we should report that the memory is free.
     49 	 */
     50 	if (size == 0)
     51 		return 1;	/* A zero-byte region is always free */
     52 	if (free_size == 0)
     53 		return 0;
     54 
     55 	/*
     56 	 * Check that the end addresses don't overflow.
     57 	 * If they do, consider that this memory region is not free, as this
     58 	 * is an invalid scenario.
     59 	 */
     60 	if (check_uptr_overflow(free_base, free_size - 1))
     61 		return 0;
     62 	free_end = free_base + (free_size - 1);
     63 
     64 	if (check_uptr_overflow(addr, size - 1))
     65 		return 0;
     66 	requested_end = addr + (size - 1);
     67 
     68 	/*
     69 	 * Finally, check that the requested memory region lies within the free
     70 	 * region.
     71 	 */
     72 	return (addr >= free_base) && (requested_end <= free_end);
     73 }
     74 
     75 #if !LOAD_IMAGE_V2
     76 /******************************************************************************
     77  * Inside a given memory region, determine whether a sub-region of memory is
     78  * closer from the top or the bottom of the encompassing region. Return the
     79  * size of the smallest chunk of free memory surrounding the sub-region in
     80  * 'small_chunk_size'.
     81  *****************************************************************************/
     82 static unsigned int choose_mem_pos(uintptr_t mem_start, uintptr_t mem_end,
     83 				  uintptr_t submem_start, uintptr_t submem_end,
     84 				  size_t *small_chunk_size)
     85 {
     86 	size_t top_chunk_size, bottom_chunk_size;
     87 
     88 	assert(mem_start <= submem_start);
     89 	assert(submem_start <= submem_end);
     90 	assert(submem_end <= mem_end);
     91 	assert(small_chunk_size != NULL);
     92 
     93 	top_chunk_size = mem_end - submem_end;
     94 	bottom_chunk_size = submem_start - mem_start;
     95 
     96 	if (top_chunk_size < bottom_chunk_size) {
     97 		*small_chunk_size = top_chunk_size;
     98 		return TOP;
     99 	} else {
    100 		*small_chunk_size = bottom_chunk_size;
    101 		return BOTTOM;
    102 	}
    103 }
    104 
    105 /******************************************************************************
    106  * Reserve the memory region delimited by 'addr' and 'size'. The extents of free
    107  * memory are passed in 'free_base' and 'free_size' and they will be updated to
    108  * reflect the memory usage.
    109  * The caller must ensure the memory to reserve is free and that the addresses
    110  * and sizes passed in arguments are sane.
    111  *****************************************************************************/
    112 void reserve_mem(uintptr_t *free_base, size_t *free_size,
    113 		 uintptr_t addr, size_t size)
    114 {
    115 	size_t discard_size;
    116 	size_t reserved_size;
    117 	unsigned int pos;
    118 
    119 	assert(free_base != NULL);
    120 	assert(free_size != NULL);
    121 	assert(is_mem_free(*free_base, *free_size, addr, size));
    122 
    123 	if (size == 0) {
    124 		WARN("Nothing to allocate, requested size is zero\n");
    125 		return;
    126 	}
    127 
    128 	pos = choose_mem_pos(*free_base, *free_base + (*free_size - 1),
    129 			     addr, addr + (size - 1),
    130 			     &discard_size);
    131 
    132 	reserved_size = size + discard_size;
    133 	*free_size -= reserved_size;
    134 
    135 	if (pos == BOTTOM)
    136 		*free_base = addr + size;
    137 
    138 	VERBOSE("Reserved 0x%zx bytes (discarded 0x%zx bytes %s)\n",
    139 	     reserved_size, discard_size,
    140 	     pos == TOP ? "above" : "below");
    141 }
    142 
    143 static void dump_load_info(uintptr_t image_load_addr,
    144 			   size_t image_size,
    145 			   const meminfo_t *mem_layout)
    146 {
    147 	INFO("Trying to load image at address %p, size = 0x%zx\n",
    148 		(void *)image_load_addr, image_size);
    149 	INFO("Current memory layout:\n");
    150 	INFO("  total region = [base = %p, size = 0x%zx]\n",
    151 		(void *) mem_layout->total_base, mem_layout->total_size);
    152 	INFO("  free region = [base = %p, size = 0x%zx]\n",
    153 		(void *) mem_layout->free_base, mem_layout->free_size);
    154 }
    155 #endif /* LOAD_IMAGE_V2 */
    156 
    157 /* Generic function to return the size of an image */
    158 size_t image_size(unsigned int image_id)
    159 {
    160 	uintptr_t dev_handle;
    161 	uintptr_t image_handle;
    162 	uintptr_t image_spec;
    163 	size_t image_size = 0;
    164 	int io_result;
    165 
    166 	/* Obtain a reference to the image by querying the platform layer */
    167 	io_result = plat_get_image_source(image_id, &dev_handle, &image_spec);
    168 	if (io_result != 0) {
    169 		WARN("Failed to obtain reference to image id=%u (%i)\n",
    170 			image_id, io_result);
    171 		return 0;
    172 	}
    173 
    174 	/* Attempt to access the image */
    175 	io_result = io_open(dev_handle, image_spec, &image_handle);
    176 	if (io_result != 0) {
    177 		WARN("Failed to access image id=%u (%i)\n",
    178 			image_id, io_result);
    179 		return 0;
    180 	}
    181 
    182 	/* Find the size of the image */
    183 	io_result = io_size(image_handle, &image_size);
    184 	if ((io_result != 0) || (image_size == 0)) {
    185 		WARN("Failed to determine the size of the image id=%u (%i)\n",
    186 			image_id, io_result);
    187 	}
    188 	io_result = io_close(image_handle);
    189 	/* Ignore improbable/unrecoverable error in 'close' */
    190 
    191 	/* TODO: Consider maintaining open device connection from this
    192 	 * bootloader stage
    193 	 */
    194 	io_result = io_dev_close(dev_handle);
    195 	/* Ignore improbable/unrecoverable error in 'dev_close' */
    196 
    197 	return image_size;
    198 }
    199 
    200 #if LOAD_IMAGE_V2
    201 
    202 /*******************************************************************************
    203  * Generic function to load an image at a specific address given
    204  * an image ID and extents of free memory.
    205  *
    206  * If the load is successful then the image information is updated.
    207  *
    208  * Returns 0 on success, a negative error code otherwise.
    209  ******************************************************************************/
    210 int load_image(unsigned int image_id, image_info_t *image_data)
    211 {
    212 	uintptr_t dev_handle;
    213 	uintptr_t image_handle;
    214 	uintptr_t image_spec;
    215 	uintptr_t image_base;
    216 	size_t image_size;
    217 	size_t bytes_read;
    218 	int io_result;
    219 
    220 	assert(image_data != NULL);
    221 	assert(image_data->h.version >= VERSION_2);
    222 
    223 	image_base = image_data->image_base;
    224 
    225 	/* Obtain a reference to the image by querying the platform layer */
    226 	io_result = plat_get_image_source(image_id, &dev_handle, &image_spec);
    227 	if (io_result != 0) {
    228 		WARN("Failed to obtain reference to image id=%u (%i)\n",
    229 			image_id, io_result);
    230 		return io_result;
    231 	}
    232 
    233 	/* Attempt to access the image */
    234 	io_result = io_open(dev_handle, image_spec, &image_handle);
    235 	if (io_result != 0) {
    236 		WARN("Failed to access image id=%u (%i)\n",
    237 			image_id, io_result);
    238 		return io_result;
    239 	}
    240 
    241 	INFO("Loading image id=%u at address %p\n", image_id,
    242 		(void *) image_base);
    243 
    244 	/* Find the size of the image */
    245 	io_result = io_size(image_handle, &image_size);
    246 	if ((io_result != 0) || (image_size == 0)) {
    247 		WARN("Failed to determine the size of the image id=%u (%i)\n",
    248 			image_id, io_result);
    249 		goto exit;
    250 	}
    251 
    252 	/* Check that the image size to load is within limit */
    253 	if (image_size > image_data->image_max_size) {
    254 		WARN("Image id=%u size out of bounds\n", image_id);
    255 		io_result = -EFBIG;
    256 		goto exit;
    257 	}
    258 
    259 	image_data->image_size = image_size;
    260 
    261 	/* We have enough space so load the image now */
    262 	/* TODO: Consider whether to try to recover/retry a partially successful read */
    263 	io_result = io_read(image_handle, image_base, image_size, &bytes_read);
    264 	if ((io_result != 0) || (bytes_read < image_size)) {
    265 		WARN("Failed to load image id=%u (%i)\n", image_id, io_result);
    266 		goto exit;
    267 	}
    268 
    269 #if !TRUSTED_BOARD_BOOT
    270 	/*
    271 	 * File has been successfully loaded.
    272 	 * Flush the image to main memory so that it can be executed later by
    273 	 * any CPU, regardless of cache and MMU state.
    274 	 * When TBB is enabled the image is flushed later, after image
    275 	 * authentication.
    276 	 */
    277 	flush_dcache_range(image_base, image_size);
    278 #endif /* TRUSTED_BOARD_BOOT */
    279 
    280 	INFO("Image id=%u loaded: %p - %p\n", image_id, (void *) image_base,
    281 	     (void *) (image_base + image_size));
    282 
    283 exit:
    284 	io_close(image_handle);
    285 	/* Ignore improbable/unrecoverable error in 'close' */
    286 
    287 	/* TODO: Consider maintaining open device connection from this bootloader stage */
    288 	io_dev_close(dev_handle);
    289 	/* Ignore improbable/unrecoverable error in 'dev_close' */
    290 
    291 	return io_result;
    292 }
    293 
    294 static int load_auth_image_internal(unsigned int image_id,
    295 				    image_info_t *image_data,
    296 				    int is_parent_image)
    297 {
    298 	int rc;
    299 
    300 #if TRUSTED_BOARD_BOOT
    301 	unsigned int parent_id;
    302 
    303 	/* Use recursion to authenticate parent images */
    304 	rc = auth_mod_get_parent_id(image_id, &parent_id);
    305 	if (rc == 0) {
    306 		rc = load_auth_image_internal(parent_id, image_data, 1);
    307 		if (rc != 0) {
    308 			return rc;
    309 		}
    310 	}
    311 #endif /* TRUSTED_BOARD_BOOT */
    312 
    313 	/* Load the image */
    314 	rc = load_image(image_id, image_data);
    315 	if (rc != 0) {
    316 		return rc;
    317 	}
    318 
    319 #if TRUSTED_BOARD_BOOT
    320 	/* Authenticate it */
    321 	rc = auth_mod_verify_img(image_id,
    322 				 (void *)image_data->image_base,
    323 				 image_data->image_size);
    324 	if (rc != 0) {
    325 		/* Authentication error, zero memory and flush it right away. */
    326 		zero_normalmem((void *)image_data->image_base,
    327 		       image_data->image_size);
    328 		flush_dcache_range(image_data->image_base,
    329 				   image_data->image_size);
    330 		return -EAUTH;
    331 	}
    332 
    333 	/*
    334 	 * File has been successfully loaded and authenticated.
    335 	 * Flush the image to main memory so that it can be executed later by
    336 	 * any CPU, regardless of cache and MMU state.
    337 	 * Do it only for child images, not for the parents (certificates).
    338 	 */
    339 	if (!is_parent_image) {
    340 		flush_dcache_range(image_data->image_base,
    341 				   image_data->image_size);
    342 	}
    343 #endif /* TRUSTED_BOARD_BOOT */
    344 
    345 	return 0;
    346 }
    347 
    348 /*******************************************************************************
    349  * Generic function to load and authenticate an image. The image is actually
    350  * loaded by calling the 'load_image()' function. Therefore, it returns the
    351  * same error codes if the loading operation failed, or -EAUTH if the
    352  * authentication failed. In addition, this function uses recursion to
    353  * authenticate the parent images up to the root of trust.
    354  ******************************************************************************/
    355 int load_auth_image(unsigned int image_id, image_info_t *image_data)
    356 {
    357 	int err;
    358 
    359 	do {
    360 		err = load_auth_image_internal(image_id, image_data, 0);
    361 	} while (err != 0 && plat_try_next_boot_source());
    362 
    363 	return err;
    364 }
    365 
    366 #else /* LOAD_IMAGE_V2 */
    367 
    368 /*******************************************************************************
    369  * Generic function to load an image at a specific address given an image ID and
    370  * extents of free memory.
    371  *
    372  * If the load is successful then the image information is updated.
    373  *
    374  * If the entry_point_info argument is not NULL then this function also updates:
    375  * - the memory layout to mark the memory as reserved;
    376  * - the entry point information.
    377  *
    378  * The caller might pass a NULL pointer for the entry point if they are not
    379  * interested in this information. This is typically the case for non-executable
    380  * images (e.g. certificates) and executable images that won't ever be executed
    381  * on the application processor (e.g. additional microcontroller firmware).
    382  *
    383  * Returns 0 on success, a negative error code otherwise.
    384  ******************************************************************************/
    385 int load_image(meminfo_t *mem_layout,
    386 	       unsigned int image_id,
    387 	       uintptr_t image_base,
    388 	       image_info_t *image_data,
    389 	       entry_point_info_t *entry_point_info)
    390 {
    391 	uintptr_t dev_handle;
    392 	uintptr_t image_handle;
    393 	uintptr_t image_spec;
    394 	size_t image_size;
    395 	size_t bytes_read;
    396 	int io_result;
    397 
    398 	assert(mem_layout != NULL);
    399 	assert(image_data != NULL);
    400 	assert(image_data->h.version == VERSION_1);
    401 
    402 	/* Obtain a reference to the image by querying the platform layer */
    403 	io_result = plat_get_image_source(image_id, &dev_handle, &image_spec);
    404 	if (io_result != 0) {
    405 		WARN("Failed to obtain reference to image id=%u (%i)\n",
    406 			image_id, io_result);
    407 		return io_result;
    408 	}
    409 
    410 	/* Attempt to access the image */
    411 	io_result = io_open(dev_handle, image_spec, &image_handle);
    412 	if (io_result != 0) {
    413 		WARN("Failed to access image id=%u (%i)\n",
    414 			image_id, io_result);
    415 		return io_result;
    416 	}
    417 
    418 	INFO("Loading image id=%u at address %p\n", image_id,
    419 		(void *) image_base);
    420 
    421 	/* Find the size of the image */
    422 	io_result = io_size(image_handle, &image_size);
    423 	if ((io_result != 0) || (image_size == 0)) {
    424 		WARN("Failed to determine the size of the image id=%u (%i)\n",
    425 			image_id, io_result);
    426 		goto exit;
    427 	}
    428 
    429 	/* Check that the memory where the image will be loaded is free */
    430 	if (!is_mem_free(mem_layout->free_base, mem_layout->free_size,
    431 			 image_base, image_size)) {
    432 		WARN("Failed to reserve region [base = %p, size = 0x%zx]\n",
    433 		     (void *) image_base, image_size);
    434 		dump_load_info(image_base, image_size, mem_layout);
    435 		io_result = -ENOMEM;
    436 		goto exit;
    437 	}
    438 
    439 	/* We have enough space so load the image now */
    440 	/* TODO: Consider whether to try to recover/retry a partially successful read */
    441 	io_result = io_read(image_handle, image_base, image_size, &bytes_read);
    442 	if ((io_result != 0) || (bytes_read < image_size)) {
    443 		WARN("Failed to load image id=%u (%i)\n", image_id, io_result);
    444 		goto exit;
    445 	}
    446 
    447 	image_data->image_base = image_base;
    448 	image_data->image_size = image_size;
    449 
    450 	/*
    451 	 * Update the memory usage info.
    452 	 * This is done after the actual loading so that it is not updated when
    453 	 * the load is unsuccessful.
    454 	 * If the caller does not provide an entry point, bypass the memory
    455 	 * reservation.
    456 	 */
    457 	if (entry_point_info != NULL) {
    458 		reserve_mem(&mem_layout->free_base, &mem_layout->free_size,
    459 				image_base, image_size);
    460 		entry_point_info->pc = image_base;
    461 	} else {
    462 		INFO("Skip reserving region [base = %p, size = 0x%zx]\n",
    463 		     (void *) image_base, image_size);
    464 	}
    465 
    466 #if !TRUSTED_BOARD_BOOT
    467 	/*
    468 	 * File has been successfully loaded.
    469 	 * Flush the image to main memory so that it can be executed later by
    470 	 * any CPU, regardless of cache and MMU state.
    471 	 * When TBB is enabled the image is flushed later, after image
    472 	 * authentication.
    473 	 */
    474 	flush_dcache_range(image_base, image_size);
    475 #endif /* TRUSTED_BOARD_BOOT */
    476 
    477 	INFO("Image id=%u loaded at address %p, size = 0x%zx\n", image_id,
    478 		(void *) image_base, image_size);
    479 
    480 exit:
    481 	io_close(image_handle);
    482 	/* Ignore improbable/unrecoverable error in 'close' */
    483 
    484 	/* TODO: Consider maintaining open device connection from this bootloader stage */
    485 	io_dev_close(dev_handle);
    486 	/* Ignore improbable/unrecoverable error in 'dev_close' */
    487 
    488 	return io_result;
    489 }
    490 
    491 static int load_auth_image_internal(meminfo_t *mem_layout,
    492 				    unsigned int image_id,
    493 				    uintptr_t image_base,
    494 				    image_info_t *image_data,
    495 				    entry_point_info_t *entry_point_info,
    496 				    int is_parent_image)
    497 {
    498 	int rc;
    499 
    500 #if TRUSTED_BOARD_BOOT
    501 	unsigned int parent_id;
    502 
    503 	/* Use recursion to authenticate parent images */
    504 	rc = auth_mod_get_parent_id(image_id, &parent_id);
    505 	if (rc == 0) {
    506 		rc = load_auth_image_internal(mem_layout, parent_id, image_base,
    507 				     image_data, NULL, 1);
    508 		if (rc != 0) {
    509 			return rc;
    510 		}
    511 	}
    512 #endif /* TRUSTED_BOARD_BOOT */
    513 
    514 	/* Load the image */
    515 	rc = load_image(mem_layout, image_id, image_base, image_data,
    516 			entry_point_info);
    517 	if (rc != 0) {
    518 		return rc;
    519 	}
    520 
    521 #if TRUSTED_BOARD_BOOT
    522 	/* Authenticate it */
    523 	rc = auth_mod_verify_img(image_id,
    524 				 (void *)image_data->image_base,
    525 				 image_data->image_size);
    526 	if (rc != 0) {
    527 		/* Authentication error, zero memory and flush it right away. */
    528 		zero_normalmem((void *)image_data->image_base,
    529 		       image_data->image_size);
    530 		flush_dcache_range(image_data->image_base,
    531 				   image_data->image_size);
    532 		return -EAUTH;
    533 	}
    534 	/*
    535 	 * File has been successfully loaded and authenticated.
    536 	 * Flush the image to main memory so that it can be executed later by
    537 	 * any CPU, regardless of cache and MMU state.
    538 	 * Do it only for child images, not for the parents (certificates).
    539 	 */
    540 	if (!is_parent_image) {
    541 		flush_dcache_range(image_data->image_base,
    542 				   image_data->image_size);
    543 	}
    544 #endif /* TRUSTED_BOARD_BOOT */
    545 
    546 	return 0;
    547 }
    548 
    549 /*******************************************************************************
    550  * Generic function to load and authenticate an image. The image is actually
    551  * loaded by calling the 'load_image()' function. Therefore, it returns the
    552  * same error codes if the loading operation failed, or -EAUTH if the
    553  * authentication failed. In addition, this function uses recursion to
    554  * authenticate the parent images up to the root of trust.
    555  ******************************************************************************/
    556 int load_auth_image(meminfo_t *mem_layout,
    557 		    unsigned int image_id,
    558 		    uintptr_t image_base,
    559 		    image_info_t *image_data,
    560 		    entry_point_info_t *entry_point_info)
    561 {
    562 	int err;
    563 
    564 	do {
    565 		err = load_auth_image_internal(mem_layout, image_id, image_base,
    566 					       image_data, entry_point_info, 0);
    567 	} while (err != 0 && plat_try_next_boot_source());
    568 
    569 	return err;
    570 }
    571 
    572 #endif /* LOAD_IMAGE_V2 */
    573 
    574 /*******************************************************************************
    575  * Print the content of an entry_point_info_t structure.
    576  ******************************************************************************/
    577 void print_entry_point_info(const entry_point_info_t *ep_info)
    578 {
    579 	INFO("Entry point address = %p\n", (void *)ep_info->pc);
    580 	INFO("SPSR = 0x%x\n", ep_info->spsr);
    581 
    582 #define PRINT_IMAGE_ARG(n)					\
    583 	VERBOSE("Argument #" #n " = 0x%llx\n",			\
    584 		(unsigned long long) ep_info->args.arg##n)
    585 
    586 	PRINT_IMAGE_ARG(0);
    587 	PRINT_IMAGE_ARG(1);
    588 	PRINT_IMAGE_ARG(2);
    589 	PRINT_IMAGE_ARG(3);
    590 #ifndef AARCH32
    591 	PRINT_IMAGE_ARG(4);
    592 	PRINT_IMAGE_ARG(5);
    593 	PRINT_IMAGE_ARG(6);
    594 	PRINT_IMAGE_ARG(7);
    595 #endif
    596 #undef PRINT_IMAGE_ARG
    597 }
    598