/*
 * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/*******************************************************************************
 * This is the Secure Payload Dispatcher (SPD). The dispatcher is meant to be a
 * plug-in component to the Secure Monitor, registered as a runtime service. The
 * SPD is expected to be a functional extension of the Secure Payload (SP) that
 * executes in Secure EL1. The Secure Monitor will delegate all SMCs targeting
 * the Trusted OS/Applications range to the dispatcher. The SPD will either
 * handle the request locally or delegate it to the Secure Payload. It is also
 * responsible for initialising and maintaining communication with the SP.
 *
 * This file holds the setup/init hooks, the SMC handler and the four runtime
 * service descriptors (fast + yielding, Trusted OS + Trusted App ranges).
 ******************************************************************************/
#include <arch_helpers.h>
#include <assert.h>
#include <bl31.h>
#include <bl_common.h>
#include <context_mgmt.h>
#include <debug.h>
#include <errno.h>
#include <platform.h>
#include <runtime_svc.h>
#include <stddef.h>
#include <tlk.h>
#include <uuid.h>
#include "tlkd_private.h"

/*
 * Power management hooks, defined in another TLKD translation unit. They are
 * handed to PSCI only once the SP reports TLK_ENTRY_DONE (see the handler).
 */
extern const spd_pm_ops_t tlkd_pm_ops;

/*******************************************************************************
 * Secure Payload context. TLK runs on exactly one CPU (see boot_cpu), so this
 * is a single instance rather than a per-CPU array. Holds the SP's cpu_context_t
 * and the yielding-SMC "active" state flag consulted by the handler.
 * NOTE(review): deliberately non-static; presumably shared with the other TLKD
 * files (e.g. the PM hooks) - confirm before making it static.
 ******************************************************************************/
tlk_context_t tlk_ctx;

/*******************************************************************************
 * Linear core position on which TLK booted, recorded by tlkd_init(). The SMC
 * handler refuses every TLK function ID issued from any other core.
 ******************************************************************************/
static uint32_t boot_cpu;

/* TLK UID: RFC-4122 compliant UUID (version-5, sha-1) */
DEFINE_SVC_UUID(tlk_uuid,
	0xbd11e9c9, 0x2bba, 0x52ee, 0xb1, 0x72,
	0x46, 0x1f, 0xba, 0x97, 0x7f, 0x63);

/* Deferred BL32 initialisation entry, registered with BL31 by tlkd_setup(). */
int32_t tlkd_init(void);

/*******************************************************************************
Secure Payload Dispatcher setup. Invoked once by the runtime-service framework
 * through the tlkd_tos_fast descriptor. Looks up the BL32 (SP) image entry
 * point, derives the SP's execution state (AArch32/AArch64) from its SPSR,
 * seeds tlk_ctx with that information and registers tlkd_init() with BL31 for
 * deferred invocation.
 *
 * Returns 0 on success. Returns 1 - without registering anything - when no SP
 * image is provided or its entry point is zero. The missing-image case is only
 * logged as a warning: the device boots without an SP rather than failing.
 *
 * NOTE(review): the other three descriptors at the bottom of this file carry a
 * NULL setup hook. If the framework still registers them when this function
 * fails, SMCs in those ranges would reach tlkd_smc_handler() with tlk_ctx never
 * initialised - confirm against runtime_svc_init() and consider latching the
 * failure so the handler can refuse them.
 ******************************************************************************/
int32_t tlkd_setup(void)
{
	entry_point_info_t *sp_ep = bl31_plat_get_next_image_ep_info(SECURE);
	uint32_t sp_rw;

	if (sp_ep == NULL) {
		WARN("No SP provided. Booting device without SP initialization."
		     " SMC`s destined for SP will return SMC_UNK\n");
		return 1;
	}

	/* A zero entry point is as unusable as no image at all. */
	if (sp_ep->pc == 0)
		return 1;

	/* The SP's execution state is encoded in the RW bit of its SPSR. */
	sp_rw = (sp_ep->spsr >> MODE_RW_SHIFT) & MODE_RW_MASK;
	tlkd_init_tlk_ep_state(sp_ep, sp_rw, sp_ep->pc, &tlk_ctx);

	/* Everything else happens later, when BL31 calls tlkd_init(). */
	bl31_register_bl32_init(tlkd_init);

	return 0;
}

/*******************************************************************************
 * First entry into the Secure Payload (BL32) on the primary CPU after a cold
 * boot. Runs deferred, via the hook registered by tlkd_setup(), and relies on
 * the SP context that tlkd_setup() seeded. The entry is synchronous: the SP
 * hands control back with an SMC (TLK_ENTRY_DONE), and the x1 it passes there
 * becomes this function's return value.
******************************************************************************/
int32_t tlkd_init(void)
{
	entry_point_info_t *sp_ep;

	/*
	 * The SP image description must still be available here;
	 * tlkd_setup() refused to register this hook without it.
	 */
	sp_ep = bl31_plat_get_next_image_ep_info(SECURE);
	assert(sp_ep != NULL);

	/*
	 * Remember which core we are on: TLK is single-CPU and
	 * tlkd_smc_handler() refuses its function IDs from any other core.
	 */
	boot_cpu = plat_my_core_pos();

	/* Build the secure context the SP will be entered with. */
	cm_init_my_context(sp_ep);

	/*
	 * Synchronous entry. Control returns here when the SP issues
	 * TLK_ENTRY_DONE and the handler calls tlkd_synchronous_sp_exit();
	 * the value passed there (the SP's x1) is what we hand back to BL31.
	 */
	return tlkd_synchronous_sp_entry(&tlk_ctx);
}

/*******************************************************************************
 * Handler for every SMC in the Trusted OS (OEN_TOS_*) and Trusted Application
 * (OEN_TAP_*) ranges, fast and yielding, from both security states; the
 * caller's world is derived from 'flags'. Non-secure callers may issue the
 * request FIDs (buffer registration, session open/close, TA commands, resume)
 * and the TOS_* discovery FIDs. The SP uses it to report preemption,
 * completion of a request, to translate virtual addresses, and to signal the
 * *_DONE events that end a synchronous entry. Any other FID, or a FID issued
 * from the wrong world, returns SMC_UNK. 'handle' is the cpu_context_t of the
 * caller; the first argument of each SMC_RET* macro selects the context that
 * is actually returned to, which is how the world switch happens.
******************************************************************************/
uint64_t tlkd_smc_handler(uint32_t smc_fid,
			 uint64_t x1,
			 uint64_t x2,
			 uint64_t x3,
			 uint64_t x4,
			 void *cookie,
			 void *handle,
			 uint64_t flags)
{
	cpu_context_t *ns_cpu_context;
	gp_regs_t *gp_regs;
	uint32_t ns;
	uint64_t par;

	/* Passing a NULL context is a critical programming error */
	assert(handle);

	/*
	 * TLK runs on a single CPU, the one tlkd_init() recorded in boot_cpu.
	 * Every FID below - including the SP-originated ones - is refused on
	 * any other core.
	 *
	 * NOTE(review): boot_cpu stays 0 and tlk_ctx stays zero-initialised
	 * when tlkd_setup() bailed out without an SP. Three of the descriptors
	 * at the end of this file have a NULL setup hook; if the runtime
	 * service framework registers them regardless, a non-secure yielding
	 * call on core 0 would reach the request path below and ERET into a
	 * never-initialised secure context. Confirm against
	 * runtime_svc_init() and consider refusing every FID when no SP was
	 * set up.
	 */
	if (boot_cpu != plat_my_core_pos())
		SMC_RET1(handle, SMC_UNK);

	/* Determine which security state this SMC originated from */
	ns = is_caller_non_secure(flags);

	switch (smc_fid) {

	/*
	 * This function ID is used by SP to indicate that it was
	 * preempted by a non-secure world IRQ. x1 is handed to the
	 * non-secure caller as its return value.
	 */
	case TLK_PREEMPTED:

		if (ns)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * The SP's EL1 system registers are saved here so that the
		 * TLK_RESUME_FID path can restore them before re-entering
		 * the SP at the point it was preempted.
		 */
		assert(handle == cm_get_context(SECURE));
		cm_el1_sysregs_context_save(SECURE);

		/* Get a reference to the non-secure context */
		ns_cpu_context = cm_get_context(NON_SECURE);
		assert(ns_cpu_context);

		/*
		 * Switch back to the non-secure world. The SP's general
		 * purpose registers live in its own cpu_context_t and are
		 * untouched here.
		 *
		 * NOTE(review): unlike the non-secure request path, nothing
		 * checks that a yielding request is actually in flight
		 * (get_yield_smc_active_flag). A misbehaving SP issuing this
		 * FID outside a request - e.g. during tlkd_init(), before a
		 * non-secure context exists - would ERET into an unsaved
		 * context. The SP is trusted, so this is robustness rather
		 * than a security boundary; consider returning SMC_UNK when
		 * the flag is clear.
		 */
		cm_el1_sysregs_context_restore(NON_SECURE);
		cm_set_next_eret_context(NON_SECURE);

		SMC_RET1(ns_cpu_context, x1);

	/*
	 * This is a request from the non-secure context to:
	 *
	 * a. register shared memory with the SP for storing it's
	 *    activity logs.
	 * b. register shared memory with the SP for passing args
	 *    required for maintaining sessions with the Trusted
	 *    Applications.
	 * c. open/close sessions
	 * d. issue commands to the Trusted Apps
	 * e. resume the preempted yielding SMC call.
	 *
	 * The request is forwarded to the SP; the non-secure caller gets
	 * its answer only when the SP replies with TLK_REQUEST_DONE (or is
	 * preempted and reports TLK_PREEMPTED).
	 */
	case TLK_REGISTER_LOGBUF:
	case TLK_REGISTER_REQBUF:
	case TLK_OPEN_TA_SESSION:
	case TLK_CLOSE_TA_SESSION:
	case TLK_TA_LAUNCH_OP:
	case TLK_TA_SEND_EVENT:
	case TLK_RESUME_FID:

		if (!ns)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * This is a fresh request from the non-secure client.
		 * The parameters are in x1, x2 and x3 (x4 is ignored).
		 * Save the non-secure state and send the request to the
		 * secure payload.
		 */
		assert(handle == cm_get_context(NON_SECURE));

		/*
		 * Check if we are already processing a yielding SMC
		 * call. Of all the supported fids, only the "resume"
		 * fid expects the flag to be set. This is what stops a
		 * non-secure client from re-entering the SP while it is
		 * preempted in the middle of a request, and from
		 * "resuming" a request that was never started.
		 */
		if (smc_fid == TLK_RESUME_FID) {
			if (!get_yield_smc_active_flag(tlk_ctx.state))
				SMC_RET1(handle, SMC_UNK);
		} else {
			if (get_yield_smc_active_flag(tlk_ctx.state))
				SMC_RET1(handle, SMC_UNK);
		}

		cm_el1_sysregs_context_save(NON_SECURE);

		/*
		 * Verify if there is a valid context to use.
		 */
		assert(&tlk_ctx.cpu_ctx == cm_get_context(SECURE));

		/*
		 * Mark the SP state as active. Cleared again by
		 * TLK_REQUEST_DONE (it stays set across a preempt/resume
		 * cycle).
		 */
		set_yield_smc_active_flag(tlk_ctx.state);

		/*
		 * We are done stashing the non-secure context. Ask the
		 * secure payload to do the work now.
		 */
		cm_el1_sysregs_context_restore(SECURE);
		cm_set_next_eret_context(SECURE);

		/*
		 * TLK is a 32-bit Trusted OS and so expects the SMC
		 * arguments via r0-r7, each 64-bit monitor frame register
		 * being split into a low and a high half. The mapping
		 * performed below is: x0 (smc_fid) in r0-r1, x1 in r2-r3,
		 * x2 in r4-r5 and x3 in r6-r7. x4 is not forwarded.
		 *
		 * As smc_fid is a uint32 value, r1 contains 0.
		 *
		 * NOTE(review): for TLK_RESUME_FID these writes overwrite
		 * r0-r7 of the SP's saved preemption state; the SP is
		 * presumably written to expect that - confirm.
		 */
		gp_regs = get_gpregs_ctx(&tlk_ctx.cpu_ctx);
		write_ctx_reg(gp_regs, CTX_GPREG_X4, (uint32_t)x2);
		write_ctx_reg(gp_regs, CTX_GPREG_X5, (uint32_t)(x2 >> 32));
		write_ctx_reg(gp_regs, CTX_GPREG_X6, (uint32_t)x3);
		write_ctx_reg(gp_regs, CTX_GPREG_X7, (uint32_t)(x3 >> 32));
		SMC_RET4(&tlk_ctx.cpu_ctx, smc_fid, 0, (uint32_t)x1,
			 (uint32_t)(x1 >> 32));

	/*
	 * Translate NS/EL1-S virtual addresses on behalf of the SP.
	 *
	 * x1 = virtual address (low 32 bits when the NS flag is set)
	 * x2 = high 32 bits of a non-secure virtual address
	 * x3 = type (NS/S)
	 *
	 * Returns PA:lo in r0, PA:hi in r1. A zero virtual address is
	 * refused with SMC_UNK.
	 */
	case TLK_VA_TRANSLATE:

		/* Should be invoked only by secure world */
		if (ns)
			SMC_RET1(handle, SMC_UNK);

		/* NS virtual addresses are 64-bit long */
		if (x3 & TLK_TRANSLATE_NS_VADDR)
			x1 = (uint32_t)x1 | (x2 << 32);

		if (!x1)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * TODO: Sanity check x1. This would require platform
		 * support.
		 *
		 * NOTE(review): the raw translation result is returned
		 * as-is; whether a faulting translation (PAR fault bit)
		 * is filtered here or left for the SP to inspect depends
		 * on tlkd_va_translate() - confirm and document in tlk.h.
		 */

		/* virtual address and type: ns/s */
		par = tlkd_va_translate(x1, x3);

		/* return physical address in r0-r1 */
		SMC_RET4(handle, (uint32_t)par, (uint32_t)(par >> 32), 0, 0);

	/*
	 * This is a request from the SP to mark completion of
	 * a yielding function ID. x1 is the result returned to the
	 * non-secure caller of that request.
	 */
	case TLK_REQUEST_DONE:
		if (ns)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * Mark the SP state as inactive.
		 *
		 * NOTE(review): as with TLK_PREEMPTED, the flag is cleared
		 * without first checking it was set, so a spurious
		 * completion from the SP is not detected; consider
		 * rejecting it with SMC_UNK instead.
		 */
		clr_yield_smc_active_flag(tlk_ctx.state);

		/* Get a reference to the non-secure context */
		ns_cpu_context = cm_get_context(NON_SECURE);
		assert(ns_cpu_context);

		/*
		 * This is a request completion SMC and we must switch to
		 * the non-secure world to pass the result.
		 */
		cm_el1_sysregs_context_save(SECURE);

		/*
		 * We are done stashing the secure context. Switch to the
		 * non-secure context and return the result.
		 */
		cm_el1_sysregs_context_restore(NON_SECURE);
		cm_set_next_eret_context(NON_SECURE);
		SMC_RET1(ns_cpu_context, x1);

	/*
	 * This function ID is used only by the SP to indicate it has
	 * finished initialising itself after a cold boot
	 */
	case TLK_ENTRY_DONE:
		if (ns)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * SP has been successfully initialized. Register power
		 * management hooks with PSCI. Nothing stops the SP from
		 * issuing this FID more than once; the hook would simply
		 * be registered again.
		 */
		psci_register_spd_pm_hook(&tlkd_pm_ops);

		/*
		 * TLK reports completion. The SPD must have initiated
		 * the original request through a synchronous entry
		 * into the SP. Jump back to the original C runtime
		 * context (tlkd_init()), handing it x1.
		 *
		 * NOTE(review): tlkd_synchronous_sp_exit() is expected not
		 * to return; if it ever did, control would fall through
		 * into the *_DONE case below - confirm against the
		 * assembly helper.
		 */
		tlkd_synchronous_sp_exit(&tlk_ctx, x1);

	/*
	 * These function IDs are used only by TLK to indicate it has
	 * finished:
	 * 1. suspending itself after an earlier psci cpu_suspend
	 *    request.
	 * 2. resuming itself after an earlier psci cpu_suspend
	 *    request.
	 * 3. powering down after an earlier psci system_off/system_reset
	 *    request.
	 */
	case TLK_SUSPEND_DONE:
	case TLK_RESUME_DONE:
	case TLK_SYSTEM_OFF_DONE:

		if (ns)
			SMC_RET1(handle, SMC_UNK);

		/*
		 * TLK reports completion. TLKD must have initiated the
		 * original request through a synchronous entry into the SP
		 * (from the PM hooks in tlkd_pm_ops). Jump back to the
		 * original C runtime context, and pass x1 as return value
		 * to the caller. Not expected to return (see note above).
		 */
		tlkd_synchronous_sp_exit(&tlk_ctx, x1);

	/*
	 * Return the number of service function IDs implemented to
	 * provide service to non-secure. The three discovery FIDs below
	 * are answered locally, from either world, without touching the
	 * SP.
	 */
	case TOS_CALL_COUNT:
		SMC_RET1(handle, TLK_NUM_FID);

	/*
	 * Return TLK's UID to the caller
	 */
	case TOS_UID:
		SMC_UUID_RET(handle, tlk_uuid);

	/*
	 * Return the version of current implementation
	 */
	case TOS_CALL_VERSION:
		SMC_RET2(handle, TLK_VERSION_MAJOR, TLK_VERSION_MINOR);

	default:
		break;
	}

	/* Unknown FID in our ranges: tell the caller, whichever world it is. */
	SMC_RET1(handle, SMC_UNK);
}

/*
 * Runtime service descriptors. All four route to tlkd_smc_handler(); only
 * the first carries the setup hook, so tlkd_setup() runs exactly once. Fast
 * and yielding calls are registered separately for each OEN range.
 */

/* Trusted OS range, fast SMC calls (carries the one-time setup hook) */
DECLARE_RT_SVC(
	tlkd_tos_fast,

	OEN_TOS_START,
	OEN_TOS_END,
	SMC_TYPE_FAST,
	tlkd_setup,
	tlkd_smc_handler
);

/* Trusted OS range, yielding SMC calls */
DECLARE_RT_SVC(
	tlkd_tos_std,

	OEN_TOS_START,
	OEN_TOS_END,
	SMC_TYPE_YIELD,
	NULL,
	tlkd_smc_handler
);

/* Trusted Application range, fast SMC calls */
DECLARE_RT_SVC(
	tlkd_tap_fast,

	OEN_TAP_START,
	OEN_TAP_END,
	SMC_TYPE_FAST,
	NULL,
	tlkd_smc_handler
);

/* Trusted Application range, yielding SMC calls */
DECLARE_RT_SVC(
	tlkd_tap_std,

	OEN_TAP_START,
	OEN_TAP_END,
	SMC_TYPE_YIELD,
	NULL,
	tlkd_smc_handler
);